https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7875

            Bug ID: 7875
           Summary: AskDNS plugin does not correctly handle CNAMEs leading
                    to TXTs
           Product: Spamassassin
           Version: 3.4.4
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Plugins
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: Undefined

Summary: When the AskDNS plugin requests a TXT record but gets back both a
CNAME and a TXT, it doesn't ignore the CNAME answer in the result, which then
makes it not handle the TXT answer properly.

Detail: I have a rule that looks like this:

askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

I noticed this rule did not match a lookup for "_dmarc.dhl.com", even though it
should:

$ dig _dmarc.dhl.com TXT
...
;; ANSWER SECTION:
_dmarc.dhl.com. 269 IN CNAME reject.valimail.dmarc.dhl.com.
reject.valimail.dmarc.dhl.com. 340 IN TXT "v=DMARC1; p=reject; fo=0; rua=mailto:[email protected],mailto:[email protected];"

Some debugging suggests this is because of the CNAME in the answer. The loop in
lines 567-640 of AskDNS.pm runs once for the CNAME answer and a second time for
the TXT answer. Line 602 of that block looks like:

 next  if !defined $qtype || $query_type ne $qtype;

In this case, $qtype is the qtype from the original DNS *request* that was
made, which is always "TXT". And $query_type is the type from the SpamAssassin
rule, which is also always "TXT". So the code will always check "TXT ne TXT",
find it's false, and the "next" will never trigger.

The code should be checking one of these against the qtype of each DNS *reply*,
so it calls "next" to skip the loop when it sees the CNAME. Changing that line
to this fixes it:

 next  if !defined $qtype || $rr_type ne $qtype;
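An added illustration of the check discussed in this report (example code, not SpamAssassin's AskDNS.pm or the reporter's): a small Python model of the loop's type test, run over a constructed dig-style answer section modelled on the one above with the rua= mailboxes replaced by a placeholder. `fixed=False` applies the reported comparison (rule type against request type) and `fixed=True` the proposed one (each answer's own type against request type).

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rr_type: str
    rdata: str

# Constructed dig-style answer section modelled on the one in the report;
# the rua= mailboxes are replaced with a placeholder address.
ANSWER_SECTION = """\
_dmarc.dhl.com. 269 IN CNAME reject.valimail.dmarc.dhl.com.
reject.valimail.dmarc.dhl.com. 340 IN TXT "v=DMARC1; p=reject; fo=0; rua=mailto:reports@example.invalid;"
"""

_RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")
_CHAR_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
DMARC_REJECT = re.compile(r"^v=DMARC1;.*\bp=reject;")  # regex from the askdns rule

def parse_answer_section(text):
    """Parse 'name ttl IN TYPE rdata' lines; TXT character-strings are joined."""
    rrs = []
    for line in text.splitlines():
        m = _RR_LINE.match(line.strip())
        if not m:
            continue
        name, rr_type, rdata = m.groups()
        if rr_type == "TXT":
            rdata = "".join(_CHAR_STRING.findall(rdata))
        rrs.append(RR(name, rr_type, rdata))
    return rrs

def select_answers(answers, query_type, qtype, fixed):
    """Answers surviving the loop's 'next' check. query_type is the type in
    the askdns rule, qtype the type of the DNS request sent. fixed=False
    compares those two (reported line: always equal, nothing skipped);
    fixed=True compares each answer's own type to qtype (proposed line)."""
    kept = []
    for rr in answers:
        compared = rr.rr_type if fixed else query_type
        if qtype is None or compared != qtype:
            continue  # the Perl 'next'
        kept.append(rr)
    return kept

def rule_results(answers, fixed):
    """(type, regex hit) for every answer the check lets through to the rule."""
    return [(rr.rr_type, bool(DMARC_REJECT.search(rr.rdata)))
            for rr in select_answers(answers, "TXT", "TXT", fixed)]
```

With the reported check the CNAME answer reaches the TXT handling stage alongside the TXT; with the proposed check only the TXT does, and the rule's regex hits on it.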
