1 /* $Cambridge: exim/src/src/dns.c,v 1.21 2009/11/16 19:50:36 nm4 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Functions for interfacing with the DNS. */
15 /* Function declaration needed for mutual recursion when A6 records
20 static void dns_complete_a6(dns_address ***, dns_answer *, dns_record *,
26 /*************************************************
28 *************************************************/
30 /* This function is called instead of res_search() when Exim is running in its
31 test harness. It recognizes some special domain names, and uses them to force
32 failure and retry responses (optionally with a delay). Otherwise, it calls an
33 external utility that mocks-up a nameserver, if it can find the utility.
34 If not, it passes its arguments on to res_search(). The fake nameserver may
35 also return a code specifying that the name should be passed on.
37 Background: the original test suite required a real nameserver to carry the
38 test zones, whereas the new test suit has the fake server for portability. This
42 domain the domain name
43 type the DNS record type
44 answerptr where to put the answer
45 size size of the answer area
47 Returns: length of returned data, or -1 on error (h_errno set)
51 fakens_search(uschar *domain, int type, uschar *answerptr, int size)
53 int len = Ustrlen(domain);
54 int asize = size; /* Locally modified */
58 uschar *aptr = answerptr; /* Locally modified */
61 /* Remove terminating dot. */
63 if (domain[len - 1] == '.') len--;
64 Ustrncpy(name, domain, len);
68 /* This code, for forcing TRY_AGAIN and NO_RECOVERY, is here so that it works
69 for the old test suite that uses a real nameserver. When the old test suite is
70 eventually abandoned, this code could be moved into the fakens utility. */
72 if (len >= 14 && Ustrcmp(endname - 14, "test.again.dns") == 0)
74 int delay = Uatoi(name); /* digits at the start of the name */
75 DEBUG(D_dns) debug_printf("Return from DNS lookup of %s (%s) faked for testing\n",
76 name, dns_text_type(type));
79 DEBUG(D_dns) debug_printf("delaying %d seconds\n", delay);
86 if (len >= 13 && Ustrcmp(endname - 13, "test.fail.dns") == 0)
88 DEBUG(D_dns) debug_printf("Return from DNS lookup of %s (%s) faked for testing\n",
89 name, dns_text_type(type));
90 h_errno = NO_RECOVERY;
94 /* Look for the fakens utility, and if it exists, call it. */
96 (void)string_format(utilname, sizeof(utilname), "%s/../bin/fakens",
99 if (stat(CS utilname, &statbuf) >= 0)
105 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) using fakens\n",
106 name, dns_text_type(type));
109 argv[1] = spool_directory;
111 argv[3] = dns_text_type(type);
114 pid = child_open(argv, NULL, 0000, &infd, &outfd, FALSE);
116 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to run fakens: %s",
121 while (asize > 0 && (rc = read(outfd, aptr, asize)) > 0)
124 aptr += rc; /* Don't modify the actual arguments, because they */
125 asize -= rc; /* may need to be passed on to res_search(). */
129 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "read from fakens failed: %s",
132 switch(child_close(pid, 0))
135 case 1: h_errno = HOST_NOT_FOUND; return -1;
136 case 2: h_errno = TRY_AGAIN; return -1;
138 case 3: h_errno = NO_RECOVERY; return -1;
139 case 4: h_errno = NO_DATA; return -1;
140 case 5: /* Pass on to res_search() */
141 DEBUG(D_dns) debug_printf("fakens returned PASS_ON\n");
145 /* fakens utility not found, or it returned "pass on" */
147 DEBUG(D_dns) debug_printf("passing %s on to res_search()\n", domain);
149 return res_search(CS domain, C_IN, type, answerptr, size);
154 /*************************************************
155 * Initialize and configure resolver *
156 *************************************************/
158 /* Initialize the resolver and the storage for holding DNS answers if this is
159 the first time we have been here, and set the resolver options.
162 qualify_single TRUE to set the RES_DEFNAMES option
163 search_parents TRUE to set the RES_DNSRCH option
169 dns_init(BOOL qualify_single, BOOL search_parents)
171 if ((_res.options & RES_INIT) == 0)
173 DEBUG(D_resolver) _res.options |= RES_DEBUG; /* For Cygwin */
175 DEBUG(D_resolver) _res.options |= RES_DEBUG;
178 _res.options &= ~(RES_DNSRCH | RES_DEFNAMES);
179 _res.options |= (qualify_single? RES_DEFNAMES : 0) |
180 (search_parents? RES_DNSRCH : 0);
181 if (dns_retrans > 0) _res.retrans = dns_retrans;
182 if (dns_retry > 0) _res.retry = dns_retry;
185 if (dns_use_edns0 >= 0)
188 _res.options |= RES_USE_EDNS0;
190 _res.options &= ~RES_USE_EDNS0;
192 debug_printf("Coerced resolver EDNS0 support %s.\n",
193 dns_use_edns0 ? "on" : "off");
196 if (dns_use_edns0 >= 0)
198 debug_printf("Unable to %sset EDNS0 without resolver support.\n",
199 dns_use_edns0 ? "" : "un");
205 /*************************************************
206 * Build key name for PTR records *
207 *************************************************/
209 /* This function inverts an IP address and adds the relevant domain, to produce
210 a name that can be used to look up PTR records.
213 string the IP address as a string
214 buffer a suitable buffer, long enough to hold the result
220 dns_build_reverse(uschar *string, uschar *buffer)
222 uschar *p = string + Ustrlen(string);
225 /* Handle IPv4 address */
228 if (Ustrchr(string, ':') == NULL)
232 for (i = 0; i < 4; i++)
235 while (ppp > string && ppp[-1] != '.') ppp--;
236 Ustrncpy(pp, ppp, p - ppp);
241 Ustrcpy(pp, "in-addr.arpa");
244 /* Handle IPv6 address; convert to binary so as to fill out any
245 abbreviation in the textual form. */
252 (void)host_aton(string, v6);
254 /* The original specification for IPv6 reverse lookup was to invert each
255 nibble, and look in the ip6.int domain. The domain was subsequently
256 changed to ip6.arpa. */
258 for (i = 3; i >= 0; i--)
261 for (j = 0; j < 32; j += 4)
263 sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
267 Ustrcpy(pp, "ip6.arpa.");
269 /* Another way of doing IPv6 reverse lookups was proposed in conjunction
270 with A6 records. However, it fell out of favour when they did. The
271 alternative was to construct a binary key, and look in ip6.arpa. I tried
272 to make this code do that, but I could not make it work on Solaris 8. The
273 resolver seems to lose the initial backslash somehow. However, now that
274 this style of reverse lookup has been dropped, it doesn't matter. These
275 lines are left here purely for historical interest. */
277 /**************************************************
281 for (i = 0; i < 4; i++)
283 sprintf(pp, "%08X", v6[i]);
286 Ustrcpy(pp, "].ip6.arpa.");
287 **************************************************/
296 /*************************************************
297 * Get next DNS record from answer block *
298 *************************************************/
300 /* Call this with reset == RESET_ANSWERS to scan the answer block, reset ==
301 RESET_AUTHORITY to scan the authority records, reset == RESET_ADDITIONAL to
302 scan the additional records, and reset == RESET_NEXT to get the next record.
303 The result is in static storage which must be copied if it is to be preserved.
306 dnsa pointer to dns answer block
307 dnss pointer to dns scan block
308 reset option specifing what portion to scan, as described above
310 Returns: next dns record, or NULL when no more
314 dns_next_rr(dns_answer *dnsa, dns_scan *dnss, int reset)
316 HEADER *h = (HEADER *)dnsa->answer;
319 /* Reset the saved data when requested to, and skip to the first required RR */
321 if (reset != RESET_NEXT)
323 dnss->rrcount = ntohs(h->qdcount);
324 dnss->aptr = dnsa->answer + sizeof(HEADER);
326 /* Skip over questions; failure to expand the name just gives up */
328 while (dnss->rrcount-- > 0)
330 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
331 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
332 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
333 dnss->aptr += namelen + 4; /* skip name & type & class */
336 /* Get the number of answer records. */
338 dnss->rrcount = ntohs(h->ancount);
340 /* Skip over answers if we want to look at the authority section. Also skip
341 the NS records (i.e. authority section) if wanting to look at the additional
344 if (reset == RESET_ADDITIONAL) dnss->rrcount += ntohs(h->nscount);
346 if (reset == RESET_AUTHORITY || reset == RESET_ADDITIONAL)
348 while (dnss->rrcount-- > 0)
350 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
351 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
352 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
353 dnss->aptr += namelen + 8; /* skip name, type, class & TTL */
354 GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */
355 dnss->aptr += dnss->srr.size; /* skip over it */
357 dnss->rrcount = (reset == RESET_AUTHORITY)
358 ? ntohs(h->nscount) : ntohs(h->arcount);
362 /* The variable dnss->aptr is now pointing at the next RR, and dnss->rrcount
363 contains the number of RR records left. */
365 if (dnss->rrcount-- <= 0) return NULL;
367 /* If expanding the RR domain name fails, behave as if no more records
370 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, dnss->aptr,
371 (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
372 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
374 /* Move the pointer past the name and fill in the rest of the data structure
375 from the following bytes. */
377 dnss->aptr += namelen;
378 GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
379 dnss->aptr += 6; /* Don't want class or TTL */
380 GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
381 dnss->srr.data = dnss->aptr; /* The record's data follows */
382 dnss->aptr += dnss->srr.size; /* Advance to next RR */
384 /* Return a pointer to the dns_record structure within the dns_answer. This is
385 for convenience so that the scans can use nice-looking for loops. */
393 /*************************************************
394 * Turn DNS type into text *
395 *************************************************/
397 /* Turn the coded record type into a string for printing. All those that Exim
398 uses should be included here.
400 Argument: record type
401 Returns: pointer to string
409 case T_A: return US"A";
410 case T_MX: return US"MX";
411 case T_AAAA: return US"AAAA";
412 case T_A6: return US"A6";
413 case T_TXT: return US"TXT";
414 case T_PTR: return US"PTR";
415 case T_SOA: return US"SOA";
416 case T_SRV: return US"SRV";
417 case T_NS: return US"NS";
418 case T_CNAME: return US"CNAME";
419 default: return US"?";
425 /*************************************************
426 * Cache a failed DNS lookup result *
427 *************************************************/
429 /* We cache failed lookup results so as not to experience timeouts many
430 times for the same domain. We need to retain the resolver options because they
431 may change. For successful lookups, we rely on resolver and/or name server
439 Returns: the return code
443 dns_return(uschar *name, int type, int rc)
445 tree_node *node = store_get_perm(sizeof(tree_node) + 290);
446 sprintf(CS node->name, "%.255s-%s-%lx", name, dns_text_type(type),
449 (void)tree_insertnode(&tree_dns_fails, node);
455 /*************************************************
456 * Do basic DNS lookup *
457 *************************************************/
459 /* Call the resolver to look up the given domain name, using the given type,
460 and check the result. The error code TRY_AGAIN is documented as meaning "non-
461 Authoritive Host not found, or SERVERFAIL". Sometimes there are badly set
462 up nameservers that produce this error continually, so there is the option of
463 providing a list of domains for which this is treated as a non-existent
467 dnsa pointer to dns_answer structure
469 type type of DNS record required (T_A, T_MX, etc)
471 Returns: DNS_SUCCEED successful lookup
472 DNS_NOMATCH name not found (NXDOMAIN)
473 or name contains illegal characters (if checking)
474 or name is an IP address (for IP address lookup)
475 DNS_NODATA domain exists, but no data for this type (NODATA)
476 DNS_AGAIN soft failure, try again later
481 dns_basic_lookup(dns_answer *dnsa, uschar *name, int type)
489 uschar node_name[290];
491 /* DNS lookup failures of any kind are cached in a tree. This is mainly so that
492 a timeout on one domain doesn't happen time and time again for messages that
493 have many addresses in the same domain. We rely on the resolver and name server
494 caching for successful lookups. */
496 sprintf(CS node_name, "%.255s-%s-%lx", name, dns_text_type(type),
498 previous = tree_search(tree_dns_fails, node_name);
499 if (previous != NULL)
501 DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
502 name, dns_text_type(type),
503 (previous->data.val == DNS_NOMATCH)? "DNS_NOMATCH" :
504 (previous->data.val == DNS_NODATA)? "DNS_NODATA" :
505 (previous->data.val == DNS_AGAIN)? "DNS_AGAIN" :
506 (previous->data.val == DNS_FAIL)? "DNS_FAIL" : "??");
507 return previous->data.val;
510 /* If configured, check the hygene of the name passed to lookup. Otherwise,
511 although DNS lookups may give REFUSED at the lower level, some resolvers
512 turn this into TRY_AGAIN, which is silly. Give a NOMATCH return, since such
513 domains cannot be in the DNS. The check is now done by a regular expression;
514 give it space for substring storage to save it having to get its own if the
515 regex has substrings that are used - the default uses a conditional.
517 This test is omitted for PTR records. These occur only in calls from the dnsdb
518 lookup, which constructs the names itself, so they should be OK. Besides,
519 bitstring labels don't conform to normal name syntax. (But the aren't used any
522 For SRV records, we omit the initial _smtp._tcp. components at the start. */
524 #ifndef STAND_ALONE /* Omit this for stand-alone tests */
526 if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
528 uschar *checkname = name;
529 int ovector[3*(EXPAND_MAXN+1)];
531 if (regex_check_dns_names == NULL)
532 regex_check_dns_names =
533 regex_must_compile(check_dns_names_pattern, FALSE, TRUE);
535 /* For an SRV lookup, skip over the first two components (the service and
536 protocol names, which both start with an underscore). */
540 while (*checkname++ != '.');
541 while (*checkname++ != '.');
544 if (pcre_exec(regex_check_dns_names, NULL, CS checkname, Ustrlen(checkname),
545 0, PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int)) < 0)
548 debug_printf("DNS name syntax check failed: %s (%s)\n", name,
549 dns_text_type(type));
550 host_find_failed_syntax = TRUE;
555 #endif /* STAND_ALONE */
557 /* Call the resolver; for an overlong response, res_search() will return the
558 number of bytes the message would need, so we need to check for this case. The
559 effect is to truncate overlong data.
561 On some systems, res_search() will recognize "A-for-A" queries and return
562 the IP address instead of returning -1 with h_error=HOST_NOT_FOUND. Some
563 nameservers are also believed to do this. It is, of course, contrary to the
564 specification of the DNS, so we lock it out. */
570 type == T_A || type == T_AAAA) &&
571 string_is_ip_address(name, NULL) != 0)
574 /* If we are running in the test harness, instead of calling the normal resolver
575 (res_search), we call fakens_search(), which recognizes certain special
576 domains, and interfaces to a fake nameserver for certain special zones. */
578 if (running_in_test_harness)
579 dnsa->answerlen = fakens_search(name, type, dnsa->answer, MAXPACKET);
581 dnsa->answerlen = res_search(CS name, C_IN, type, dnsa->answer, MAXPACKET);
583 if (dnsa->answerlen > MAXPACKET)
585 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) resulted in overlong packet (size %d), truncating to %d.\n",
586 name, dns_text_type(type), dnsa->answerlen, MAXPACKET);
587 dnsa->answerlen = MAXPACKET;
590 if (dnsa->answerlen < 0) switch (h_errno)
593 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave HOST_NOT_FOUND\n"
594 "returning DNS_NOMATCH\n", name, dns_text_type(type));
595 return dns_return(name, type, DNS_NOMATCH);
598 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
599 name, dns_text_type(type));
601 /* Cut this out for various test programs */
603 save = deliver_domain;
604 deliver_domain = name; /* set $domain */
605 rc = match_isinlist(name, &dns_again_means_nonexist, 0, NULL, NULL,
606 MCL_DOMAIN, TRUE, NULL);
607 deliver_domain = save;
610 DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
611 return dns_return(name, type, DNS_AGAIN);
613 DEBUG(D_dns) debug_printf("%s is in dns_again_means_nonexist: returning "
614 "DNS_NOMATCH\n", name);
615 return dns_return(name, type, DNS_NOMATCH);
617 #else /* For stand-alone tests */
618 return dns_return(name, type, DNS_AGAIN);
622 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_RECOVERY\n"
623 "returning DNS_FAIL\n", name, dns_text_type(type));
624 return dns_return(name, type, DNS_FAIL);
627 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_DATA\n"
628 "returning DNS_NODATA\n", name, dns_text_type(type));
629 return dns_return(name, type, DNS_NODATA);
632 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave unknown DNS error %d\n"
633 "returning DNS_FAIL\n", name, dns_text_type(type), h_errno);
634 return dns_return(name, type, DNS_FAIL);
637 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) succeeded\n",
638 name, dns_text_type(type));
646 /************************************************
647 * Do a DNS lookup and handle CNAMES *
648 ************************************************/
650 /* Look up the given domain name, using the given type. Follow CNAMEs if
651 necessary, but only so many times. There aren't supposed to be CNAME chains in
652 the DNS, but you are supposed to cope with them if you find them.
654 The assumption is made that if the resolver gives back records of the
655 requested type *and* a CNAME, we don't need to make another call to look up
656 the CNAME. I can't see how it could return only some of the right records. If
657 it's done a CNAME lookup in the past, it will have all of them; if not, it
660 If fully_qualified_name is not NULL, set it to point to the full name
661 returned by the resolver, if this is different to what it is given, unless
662 the returned name starts with "*" as some nameservers seem to be returning
663 wildcards in this form.
666 dnsa pointer to dns_answer structure
667 name domain name to look up
668 type DNS record type (T_A, T_MX, etc)
669 fully_qualified_name if not NULL, return the returned name here if its
670 contents are different (i.e. it must be preset)
672 Returns: DNS_SUCCEED successful lookup
673 DNS_NOMATCH name not found
674 DNS_NODATA no data found
675 DNS_AGAIN soft failure, try again later
680 dns_lookup(dns_answer *dnsa, uschar *name, int type, uschar **fully_qualified_name)
683 uschar *orig_name = name;
685 /* Loop to follow CNAME chains so far, but no further... */
687 for (i = 0; i < 10; i++)
690 dns_record *rr, cname_rr, type_rr;
694 /* DNS lookup failures get passed straight back. */
696 if ((rc = dns_basic_lookup(dnsa, name, type)) != DNS_SUCCEED) return rc;
698 /* We should have either records of the required type, or a CNAME record,
699 or both. We need to know whether both exist for getting the fully qualified
700 name, but avoid scanning more than necessary. Note that we must copy the
701 contents of any rr blocks returned by dns_next_rr() as they use the same
702 area in the dnsa block. */
704 cname_rr.data = type_rr.data = NULL;
705 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
707 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
709 if (rr->type == type)
711 if (type_rr.data == NULL) type_rr = *rr;
712 if (cname_rr.data != NULL) break;
714 else if (rr->type == T_CNAME) cname_rr = *rr;
717 /* For the first time round this loop, if a CNAME was found, take the fully
718 qualified name from it; otherwise from the first data record, if present. */
720 if (i == 0 && fully_qualified_name != NULL)
722 if (cname_rr.data != NULL)
724 if (Ustrcmp(cname_rr.name, *fully_qualified_name) != 0 &&
725 cname_rr.name[0] != '*')
726 *fully_qualified_name = string_copy_dnsdomain(cname_rr.name);
728 else if (type_rr.data != NULL)
730 if (Ustrcmp(type_rr.name, *fully_qualified_name) != 0 &&
731 type_rr.name[0] != '*')
732 *fully_qualified_name = string_copy_dnsdomain(type_rr.name);
736 /* If any data records of the correct type were found, we are done. */
738 if (type_rr.data != NULL) return DNS_SUCCEED;
740 /* If there are no data records, we need to re-scan the DNS using the
741 domain given in the CNAME record, which should exist (otherwise we should
742 have had a failure from dns_lookup). However code against the possibility of
745 if (cname_rr.data == NULL) return DNS_FAIL;
746 datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
747 cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256);
748 if (datalen < 0) return DNS_FAIL;
751 DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
752 } /* Loop back to do another lookup */
754 /*Control reaches here after 10 times round the CNAME loop. Something isn't
757 log_write(0, LOG_MAIN, "CNAME loop for %s encountered", orig_name);
766 /************************************************
767 * Do a DNS lookup and handle virtual types *
768 ************************************************/
770 /* This function handles some invented "lookup types" that synthesize feature
771 not available in the basic types. The special types all have negative values.
772 Positive type values are passed straight on to dns_lookup().
775 dnsa pointer to dns_answer structure
776 name domain name to look up
777 type DNS record type (T_A, T_MX, etc or a "special")
778 fully_qualified_name if not NULL, return the returned name here if its
779 contents are different (i.e. it must be preset)
781 Returns: DNS_SUCCEED successful lookup
782 DNS_NOMATCH name not found
783 DNS_NODATA no data found
784 DNS_AGAIN soft failure, try again later
789 dns_special_lookup(dns_answer *dnsa, uschar *name, int type,
790 uschar **fully_qualified_name)
792 if (type >= 0) return dns_lookup(dnsa, name, type, fully_qualified_name);
794 /* The "mx hosts only" type doesn't require any special action here */
796 if (type == T_MXH) return dns_lookup(dnsa, name, T_MX, fully_qualified_name);
798 /* Find nameservers for the domain or the nearest enclosing zone, excluding the
806 int rc = dns_lookup(dnsa, d, T_NS, fully_qualified_name);
807 if (rc != DNS_NOMATCH && rc != DNS_NODATA) return rc;
808 while (*d != 0 && *d != '.') d++;
809 if (*d++ == 0) break;
814 /* Try to look up the Client SMTP Authorization SRV record for the name. If
815 there isn't one, search from the top downwards for a CSA record in a parent
816 domain, which might be making assertions about subdomains. If we find a record
817 we set fully_qualified_name to whichever lookup succeeded, so that the caller
818 can tell whether to look at the explicit authorization field or the subdomain
823 uschar *srvname, *namesuff, *tld, *p;
824 int priority, weight, port;
830 DEBUG(D_dns) debug_printf("CSA lookup of %s\n", name);
832 srvname = string_sprintf("_client._smtp.%s", name);
833 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
834 if (rc == DNS_SUCCEED || rc == DNS_AGAIN)
836 if (rc == DNS_SUCCEED) *fully_qualified_name = name;
840 /* Search for CSA subdomain assertion SRV records from the top downwards,
841 starting with the 2nd level domain. This order maximizes cache-friendliness.
842 We skip the top level domains to avoid loading their nameservers and because
843 we know they'll never have CSA SRV records. */
845 namesuff = Ustrrchr(name, '.');
846 if (namesuff == NULL) return DNS_NOMATCH;
849 limit = dns_csa_search_limit;
851 /* Use more appropriate search parameters if we are in the reverse DNS. */
853 if (strcmpic(namesuff, US".arpa") == 0)
855 if (namesuff - 8 > name && strcmpic(namesuff - 8, US".in-addr.arpa") == 0)
861 else if (namesuff - 4 > name && strcmpic(namesuff - 4, US".ip6.arpa") == 0)
870 DEBUG(D_dns) debug_printf("CSA TLD %s\n", tld);
872 /* Do not perform the search if the top level or 2nd level domains do not
873 exist. This is quite common, and when it occurs all the search queries would
874 go to the root or TLD name servers, which is not friendly. So we check the
875 AUTHORITY section; if it contains the root's SOA record or the TLD's SOA then
876 the TLD or the 2LD (respectively) doesn't exist and we can skip the search.
877 If the TLD and the 2LD exist but the explicit CSA record lookup failed, then
878 the AUTHORITY SOA will be the 2LD's or a subdomain thereof. */
880 if (rc == DNS_NOMATCH)
882 /* This is really gross. The successful return value from res_search() is
883 the packet length, which is stored in dnsa->answerlen. If we get a
884 negative DNS reply then res_search() returns -1, which causes the bounds
885 checks for name decompression to fail when it is treated as a packet
886 length, which in turn causes the authority search to fail. The correct
887 packet length has been lost inside libresolv, so we have to guess a
888 replacement value. (The only way to fix this properly would be to
889 re-implement res_search() and res_query() so that they don't muddle their
890 success and packet length return values.) For added safety we only reset
891 the packet length if the packet header looks plausible. */
893 HEADER *h = (HEADER *)dnsa->answer;
894 if (h->qr == 1 && h->opcode == QUERY && h->tc == 0
895 && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
896 && ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
897 && ntohs(h->nscount) >= 1)
898 dnsa->answerlen = MAXPACKET;
900 for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
902 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
903 if (rr->type != T_SOA) continue;
904 else if (strcmpic(rr->name, US"") == 0 ||
905 strcmpic(rr->name, tld) == 0) return DNS_NOMATCH;
909 for (i = 0; i < limit; i++)
913 /* Scan through the IPv6 reverse DNS in chunks of 16 bits worth of IP
914 address, i.e. 4 hex chars and 4 dots, i.e. 8 chars. */
916 if (namesuff <= name) return DNS_NOMATCH;
919 /* Find the start of the preceding domain name label. */
921 if (--namesuff <= name) return DNS_NOMATCH;
922 while (*namesuff != '.');
924 DEBUG(D_dns) debug_printf("CSA parent search at %s\n", namesuff + 1);
926 srvname = string_sprintf("_client._smtp.%s", namesuff + 1);
927 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
928 if (rc == DNS_AGAIN) return rc;
929 if (rc != DNS_SUCCEED) continue;
931 /* Check that the SRV record we have found is worth returning. We don't
932 just return the first one we find, because some lower level SRV record
933 might make stricter assertions than its parent domain. */
935 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
937 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
939 if (rr->type != T_SRV) continue;
941 /* Extract the numerical SRV fields (p is incremented) */
943 GETSHORT(priority, p);
947 /* Check the CSA version number */
948 if (priority != 1) continue;
950 /* If it's making an interesting assertion, return this response. */
953 *fully_qualified_name = namesuff + 1;
961 /* Control should never reach here */
968 /* Support for A6 records has been commented out since they were demoted to
969 experimental status at IETF 51. */
971 #if HAVE_IPV6 && defined(SUPPORT_A6)
973 /*************************************************
974 * Search DNS block for prefix RRs *
975 *************************************************/
977 /* Called from dns_complete_a6() to search an additional section or a main
978 answer section for required prefix records to complete an IPv6 address obtained
979 from an A6 record. For each prefix record, a recursive call to dns_complete_a6
980 is made, with a new copy of the address so far.
983 dnsa the DNS answer block
984 which RESET_ADDITIONAL or RESET_ANSWERS
985 name name of prefix record
986 yptrptr pointer to the pointer that points to where to hang the next
987 dns_address structure
988 bits number of bits we have already got
989 bitvec the bits we have already got
991 Returns: TRUE if any records were found
995 dns_find_prefix(dns_answer *dnsa, int which, uschar *name, dns_address
996 ***yptrptr, int bits, uschar *bitvec)
1002 for (rr = dns_next_rr(dnsa, &dnss, which);
1004 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
1007 if (rr->type != T_A6 || strcmpic(rr->name, name) != 0) continue;
1009 memcpy(cbitvec, bitvec, sizeof(cbitvec));
1010 dns_complete_a6(yptrptr, dnsa, rr, bits, cbitvec);
1018 /*************************************************
1019 * Follow chains of A6 records *
1020 *************************************************/
1022 /* A6 records may be incomplete, with pointers to other records containing more
1023 bits of the address. There can be a tree structure, leading to a number of
1024 addresses originating from a single initial A6 record.
1027 yptrptr pointer to the pointer that points to where to hang the next
1028 dns_address structure
1029 dnsa the current DNS answer block
1030 rr the RR we have at present
1031 bits number of bits we have already got
1032 bitvec the bits we have already got
1038 dns_complete_a6(dns_address ***yptrptr, dns_answer *dnsa, dns_record *rr,
1039 int bits, uschar *bitvec)
1041 static uschar bitmask[] = { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
1042 uschar *p = (uschar *)(rr->data);
1043 int prefix_len, suffix_len;
1049 /* The prefix length is the first byte. It defines the prefix which is missing
1050 from the data in this record as a number of bits. Zero means this is the end of
1051 a chain. The suffix is the data in this record; only sufficient bytes to hold
1052 it are supplied. There may be zero bytes. We have to ignore trailing bits that
1053 we have already obtained from earlier RRs in the chain. */
1055 prefix_len = *p++; /* bits */
1056 suffix_len = (128 - prefix_len + 7)/8; /* bytes */
1058 /* If the prefix in this record is greater than the prefix in the previous
1059 record in the chain, we have to ignore the record (RFC 2874). */
1061 if (prefix_len > 128 - bits) return;
1063 /* In this little loop, the number of bits up to and including the current byte
1064 is held in k. If we have none of the bits in this byte, we can just or it into
1065 the current data. If we have all of the bits in this byte, we skip it.
1066 Otherwise, some masking has to be done. */
1068 for (i = suffix_len - 1, j = 15, k = 8; i >= 0; i--)
1070 int required = k - bits;
1071 if (required >= 8) bitvec[j] |= p[i];
1072 else if (required > 0) bitvec[j] |= p[i] & bitmask[required];
1073 j--; /* I tried putting these in the "for" statement, but gcc muttered */
1074 k += 8; /* about computed values not being used. */
1077 /* If the prefix_length is zero, we are at the end of a chain. Build a
1078 dns_address item with the current data, hang it onto the end of the chain,
1079 adjust the hanging pointer, and we are done. */
1081 if (prefix_len == 0)
1083 dns_address *new = store_get(sizeof(dns_address) + 50);
1084 inet_ntop(AF_INET6, bitvec, CS new->address, 50);
1087 *yptrptr = &(new->next);
1091 /* Prefix length is not zero. Reset the number of bits that we have collected
1092 so far, and extract the chain name. */
1094 bits = 128 - prefix_len;
1098 while ((i = *p++) != 0)
1100 if (chainptr != chain) *chainptr++ = '.';
1101 memcpy(chainptr, p, i);
1108 /* Now scan the current DNS response record to see if the additional section
1109 contains the records we want. This processing can be cut out for testing
1112 if (dns_find_prefix(dnsa, RESET_ADDITIONAL, chainptr, yptrptr, bits, bitvec))
1115 /* No chain records were found in the current DNS response block. Do a new DNS
1116 lookup to try to find these records. This opens up the possibility of DNS
1117 failures. We ignore them at this point; if all branches of the tree fail, there
1118 will be no addresses at the end. */
1120 if (dns_lookup(&cdnsa, chainptr, T_A6, NULL) == DNS_SUCCEED)
1121 (void)dns_find_prefix(&cdnsa, RESET_ANSWERS, chainptr, yptrptr, bits, bitvec);
1123 #endif /* HAVE_IPV6 && defined(SUPPORT_A6) */
1128 /*************************************************
1129 * Get address(es) from DNS record *
1130 *************************************************/
1132 /* The record type is either T_A for an IPv4 address or T_AAAA (or T_A6 when
1133 supported) for an IPv6 address. In the A6 case, there may be several addresses,
1134 generated by following chains. A recursive function does all the hard work. A6
1135 records now look like passing into history, so the code is only included when
1136 explicitly asked for.
1139 dnsa the DNS answer block
1142 Returns: pointer a chain of dns_address items
1146 dns_address_from_rr(dns_answer *dnsa, dns_record *rr)
1148 dns_address *yield = NULL;
1150 #if HAVE_IPV6 && defined(SUPPORT_A6)
1151 dns_address **yieldptr = &yield;
1154 dnsa = dnsa; /* Stop picky compilers warning */
1157 if (rr->type == T_A)
1159 uschar *p = (uschar *)(rr->data);
1160 yield = store_get(sizeof(dns_address) + 20);
1161 (void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1168 else if (rr->type == T_A6)
1170 memset(bitvec, 0, sizeof(bitvec));
1171 dns_complete_a6(&yieldptr, dnsa, rr, 0, bitvec);
1173 #endif /* SUPPORT_A6 */
1177 yield = store_get(sizeof(dns_address) + 50);
1178 inet_ntop(AF_INET6, (uschar *)(rr->data), CS yield->address, 50);
1181 #endif /* HAVE_IPV6 */