On Mon, Jan 27, 2014 at 03:55:06PM +0000, Viktor Dukhovni wrote:

> Step 1: DNSSEC support
> -----------------------
>
Finally, peeking at

    http://git.exim.org/exim.git/blob/HEAD:/src/src/dns.c

I must admit that I don't understand the CNAME handling logic in
the dns_lookup() function. If it is not somewhat wrong, it probably
can be made less confusing. A DNS reply can contain multiple CNAME
records:

    $ dig +noall +ans -t a www.paypal.com
    www.paypal.com.             300 IN CNAME www.paypal.com.akadns.net.
    www.paypal.com.akadns.net.  30  IN CNAME wlb.paypal.com.akadns.net.
    wlb.paypal.com.akadns.net.  30  IN CNAME active-www.paypal.com.
    active-www.paypal.com.      300 IN A     173.0.84.34
    active-www.paypal.com.      300 IN A     173.0.88.34
    active-www.paypal.com.      300 IN A     173.0.88.2
    active-www.paypal.com.      300 IN A     173.0.84.2

It seems to me that the fully_qualified_name will be taken from the
left side of the last CNAME record in the reply (i.e. will be
"wlb.paypal.com.akadns.net"), which is probably not what's intended.

This is the function that will probably also need to capture the
"rname", which in this case is "active-www.paypal.com", while the
"qname" (your fully_qualified_name I think) is "www.paypal.com".

It will need to take a flags argument that temporarily sets and
before returning restores a subset of the resolver options.

It will likely be useful to return a linked list of extracted
results, rather than leave the caller to re-parse the raw answer
from the resolver. The digest algorithm agility logic for DANE
and processing of "unusable" records, ... will be easier if the
reply list can be manipulated to discard selected records.

Speaking of fully-qualified names, it is important that lookups of
MX records, MX hostnames (and later TLSA records) disable RES_DEFNAMES
and RES_DNSRCH. DNS names used with DANE need to be "absolute".
Thus "qname" MUST be equal to the lookup input name for all the
queries in question.

-- 
	Viktor.
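The qname/rname distinction described in the message above, as an added example (not part of the original message and not Exim's code): it walks the CNAME chain from the query name to the final owner name over an already-parsed answer list, tolerating out-of-order records and CNAME loops. The struct rr type and chain_rname() are hypothetical names; the sample records are taken from the dig output quoted in the message.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Already-parsed answer records (hypothetical struct, not Exim's
   own types). */
enum rtype { T_A_REC, T_CNAME_REC };
struct rr { const char *owner; enum rtype type; const char *data; };

/* Follow the CNAME chain from qname through the answer section and
   return the final owner name (rname). Records may arrive in any
   order, so every hop rescans the list; hops are bounded by n so a
   CNAME loop cannot spin forever. Returns NULL on a loop. */
const char *chain_rname(const char *qname, const struct rr *ans, size_t n)
{
    const char *name = qname;
    for (size_t hops = 0; hops <= n; hops++) {
        const char *next = NULL;
        for (size_t i = 0; i < n; i++)
            if (ans[i].type == T_CNAME_REC &&
                strcasecmp(ans[i].owner, name) == 0) {
                next = ans[i].data;
                break;
            }
        if (next == NULL)
            return name;      /* no further alias: this is rname */
        name = next;
    }
    return NULL;              /* more hops than records: loop */
}

/* The reply quoted in the message, trailing dots removed. */
static const struct rr paypal[] = {
    { "www.paypal.com",            T_CNAME_REC, "www.paypal.com.akadns.net" },
    { "www.paypal.com.akadns.net", T_CNAME_REC, "wlb.paypal.com.akadns.net" },
    { "wlb.paypal.com.akadns.net", T_CNAME_REC, "active-www.paypal.com" },
    { "active-www.paypal.com",     T_A_REC,     "173.0.84.34" },
};

int main(void)
{
    const char *r = chain_rname("www.paypal.com", paypal, 4);
    printf("qname=www.paypal.com rname=%s\n", r ? r : "(loop)");
    return 0;
}
```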
