From 0fbd9bff71b47e3a32e54629c3f67e7eda1812fe Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Sat, 23 Mar 2013 19:46:22 -0400
Subject: [PATCH 1/1] Rename dns_use_dnssec to dns_dnssec_ok.

This per Tony's suggestion; this makes it clearer that we are merely setting resolver flags, not performing validation ourselves. Well, clearer to those who understand DNSSEC. For everyone else, they'll still be dependent upon a forthcoming new chapter to the Specification.
---
 doc/doc-txt/ChangeLog | 4 ++++
 doc/doc-txt/NewStuff | 5 +++--
 src/src/dns.c | 14 +++++++-------
 src/src/globals.c | 2 +-
 src/src/globals.h | 2 +-
 src/src/readconf.c | 2 +-
 6 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a2e204d34..abaee5659 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -181,6 +181,10 @@ PP/18 OpenSSL made graceful with empty tls_verify_certificates setting.
 unset was to force an expansion failure. That still works, and an empty string is now equivalent.
+PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it
+ clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag,
+ not performing validation itself.
+
 Exim version 4.80.1
 -------------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 47c5f6fec..ab8589e53 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -32,10 +32,11 @@ Version 4.82
 Unless you really know what you are doing, leave it alone. 4. If not built with DISABLE_DNSSEC, Exim now has the main option
- dns_use_dnssec; if set to 1 then Exim will initialise the resolver library
+ dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
 to send the DO flag to your recursive resolver. If you have a recursive resolver, which can set the Authenticated Data (AD) flag in results, Exim
- can now detect this.
+ can now detect this. Exim does not perform validation itself, instead
+ relying upon a trusted path to the resolver.
 Current status: work-in-progress; $sender_host_dnssec variable added.
diff --git a/src/src/dns.c b/src/src/dns.c
index 95db52686..820adff01 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -206,28 +206,28 @@ if (dns_use_edns0 >= 0)
 # ifndef RES_USE_EDNS0
 # error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
 # endif
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
 {
- if (dns_use_edns0 == 0 && dns_use_dnssec != 0)
+ if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
 {
 DEBUG(D_resolver)
- debug_printf("CONFLICT: dns_use_edns0 forced false, dns_use_dnssec forced true!\n");
+ debug_printf("CONFLICT: dns_use_edns0 forced false, dns_dnssec_ok forced true, ignoring latter!\n");
 }
 else
 {
- if (dns_use_dnssec)
+ if (dns_dnssec_ok)
 resp->options |= RES_USE_DNSSEC;
 else
 resp->options &= ~RES_USE_DNSSEC;
 DEBUG(D_resolver)
 debug_printf("Coerced resolver DNSSEC support %s.\n",
- dns_use_dnssec ? "on" : "off");
+ dns_dnssec_ok ? "on" : "off");
 }
 }
 # else
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
 DEBUG(D_resolver)
 debug_printf("Unable to %sset DNSSEC without resolver support.\n",
- dns_use_dnssec ? "" : "un");
+ dns_dnssec_ok ? "" : "un");
 # endif
 #endif /* DISABLE_DNSSEC */
diff --git a/src/src/globals.c b/src/src/globals.c
index 5db858bfc..a4898fe3f 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
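Review bot: In the CONFLICT branch of the dns.c hunk, a configuration that sets dns_dnssec_ok to 1 while dns_use_edns0 is forced to 0 is discarded with nothing but a DEBUG(D_resolver) message, so on a normal run an administrator who expects the DO flag to be sent never learns that it was not; the new "ignoring latter!" wording names the discard but still only under debug. Consider also reporting it where it is seen in production, e.g. `log_write(0, LOG_MAIN, "dns_dnssec_ok ignored because dns_use_edns0 is forced off");`, or rejecting the combination when the configuration is read. Only the setting and clearing of RES_USE_DNSSEC on resp->options is visible here; whether a later AD-flag check depends on this option cannot be confirmed from the hunk. The enclosing function starts and ends outside the hunk.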
@@ -597,7 +597,7 @@ BOOL dns_csa_use_reverse = TRUE;
 uschar *dns_ipv4_lookup = NULL;
 int dns_retrans = 0;
 int dns_retry = 0;
-int dns_use_dnssec = -1; /* <0 = not coerced */
+int dns_dnssec_ok = -1; /* <0 = not coerced */
 int dns_use_edns0 = -1; /* <0 = not coerced */
 uschar *dnslist_domain = NULL;
 uschar *dnslist_matched = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 8d83be710..df6132266 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -353,7 +353,7 @@ extern BOOL dns_csa_use_reverse; /* Check CSA in reverse DNS? (non-standar
 extern uschar *dns_ipv4_lookup; /* For these domains, don't look for AAAA (or A6) */
 extern int dns_retrans; /* Retransmission time setting */
 extern int dns_retry; /* Number of retries */
-extern int dns_use_dnssec; /* When constructing DNS query, set DO flag */
+extern int dns_dnssec_ok; /* When constructing DNS query, set DO flag */
 extern int dns_use_edns0; /* Coerce EDNS0 support on/off in resolver. */
 extern uschar *dnslist_domain; /* DNS (black) list domain */
 extern uschar *dnslist_matched; /* DNS (black) list matched key */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index bba532594..77836d157 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -219,7 +219,7 @@ static optionlist optionlist_config[] = {
 { "dns_ipv4_lookup", opt_stringptr, &dns_ipv4_lookup },
 { "dns_retrans", opt_time, &dns_retrans },
 { "dns_retry", opt_int, &dns_retry },
- { "dns_use_dnssec", opt_int, &dns_use_dnssec },
+ { "dns_dnssec_ok", opt_int, &dns_dnssec_ok },
 { "dns_use_edns0", opt_int, &dns_use_edns0 },
 /* This option is now a no-op, retained for compability */
 { "drop_cr", opt_bool, &drop_cr },
-- 
2.30.2