Add docs and massage coding standards for dns_trust_aa

3 files changed, 61 insertions, 34 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 09ce793b0..fefc8e3f3 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11745,6 +11745,9 @@ a dnsdb lookup expansion, dnslookup router or smtp transport.
 It will be empty if &(DNSSEC)& was not requested,
 &"no"& if the result was not labelled as authenticated data
 and &"yes"& if it was.
+Results that are labelled as authoritive answer that match
+the $%dns_trust_aa%& configuration variable count also
+as authenticated data.
 
 .vitem &$mailstore_basename$&
 .vindex "&$mailstore_basename$&"
@@ -13586,6 +13589,7 @@ See also the &'Policy controls'& section above.
 .row &%dns_ipv4_lookup%&             "only v4 lookup for these domains"
 .row &%dns_retrans%&                 "parameter for resolver"
 .row &%dns_retry%&                   "parameter for resolver"
+.row &%dns_trust_aa%&                "nameservers trusted as authentic"
 .row &%dns_use_edns0%&               "parameter for resolver"
 .row &%hold_domains%&                "hold delivery for these domains"
 .row &%local_interfaces%&            "for routing checks"
@@ -14283,6 +14287,23 @@ See also the &%slow_lookup_log%& option.
 See &%dns_retrans%& above.
 
 
+.option dns_trust_aa main domain list&!! unset
+.cindex "DNS" "resolver options"
+.cindex "DNS" "DNSSEC"
+If this option is set then lookup results marked with an AA bit
+(Authoratative Answer) are trusted when they come from one
+of the listed domains, as if they were marked as having been
+DNSSEC-verified.
+
+Use this option only if you talk directly to the resolver
+for your local domains, and list only it.
+It is needed when the resolver does not return an AD bit
+for its local domains.
+The first SOA or NS record appearing in the results is compared
+against the option value.
+
+
+.cindex "DNS" "resolver options"
 .option dns_use_edns0 main integer -1
 .cindex "DNS" "resolver options"
 .cindex "DNS" "EDNS0"
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 3c58b42ef..a0002b620 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -40,6 +40,9 @@ Version 4.86
 13. Main option "tls_eccurve" for selecting an Elliptic Curve for TLS.
     Patch originally by Wolfgang Breyha.
 
+14. Main option "dns_trust_aa" for trusting your local nameserver at the
+    same level as DNSSEC.
+
 
 Version 4.85
 ------------
diff --git a/src/src/dns.c b/src/src/dns.c
index 29078dacd..4f84bfc45 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -403,22 +403,24 @@ return &(dnss->srr);
 
 
 /* Extract the AUTHORITY info from the answer. If the
- * answer isn't authoritive (AA) we do not extract anything.
- * We've to search for SOA or NS records, since there may be
- * other records (e.g. NSEC3) too.
- */
-static const uschar*
-dns_extract_auth_name(const dns_answer *dnsa)	/* FIXME: const dns_answer */
+answer isn't authoritive (AA) we do not extract anything.
+We've to search for SOA or NS records, since there may be
+other records (e.g. NSEC3) too.
+*/
+
+static const uschar *
+dns_extract_auth_name(const dns_answer * dnsa)	/* FIXME: const dns_answer */
 {
-    dns_scan dnss;
-    dns_record *rr;
-    HEADER *h = (HEADER *) dnsa->answer;
-    if (!h->nscount || !h->aa) return NULL;
-    for (rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_AUTHORITY);
-	 rr;
-	 rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_NEXT))
-      if (rr->type == T_SOA || rr->type == T_NS) return rr->name;
-    return NULL;
+dns_scan dnss;
+dns_record * rr;
+HEADER * h = (HEADER *) dnsa->answer;
+
+if (!h->nscount || !h->aa) return NULL;
+for (rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_AUTHORITY);
+     rr;
+     rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_NEXT))
+  if (rr->type == T_SOA || rr->type == T_NS) return rr->name;
+return NULL;
 }
 
 
@@ -444,31 +446,32 @@ DEBUG(D_dns)
   debug_printf("DNSSEC support disabled at build-time; dns_is_secure() false\n");
 return FALSE;
 #else
-HEADER *h = (HEADER *) dnsa->answer;
+HEADER * h = (HEADER *) dnsa->answer;
+const uschar * auth_name;
+const uschar * trusted;
 
 if (h->ad) return TRUE;
-else
-  {
-  /* If the resolver we ask is authoritive for the domain in question, it
-  * may not set the AD but the AA bit. If we explicitly trust
-  * the resolver for that domain (via a domainlist in dns_trust_aa),
-  * we return TRUE to indicate a secure answer.
-  */
-  const uschar *auth_name;
-  const uschar *trusted;
 
-  if (!h->aa || !dns_trust_aa) return FALSE;
+/* If the resolver we ask is authoritive for the domain in question, it
+* may not set the AD but the AA bit. If we explicitly trust
+* the resolver for that domain (via a domainlist in dns_trust_aa),
+* we return TRUE to indicate a secure answer.
+*/
 
-  trusted = expand_string(dns_trust_aa);
-  auth_name = dns_extract_auth_name(dnsa);
-  if (OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL)) 
-    return FALSE;
+if (  !h->aa
+   || !dns_trust_aa
+   || !*(trusted = expand_string(dns_trust_aa))
+   || !(auth_name = dns_extract_auth_name(dnsa))
+   || OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL,
+			    MCL_DOMAIN, TRUE, NULL) 
+   )
+  return FALSE;
 
-  DEBUG(D_dns)
-    debug_printf("DNS faked the AD bit (got AA and matched with dns_trust_aa (%s in %s))\n", auth_name, dns_trust_aa);
+DEBUG(D_dns) debug_printf("DNS faked the AD bit "
+  "(got AA and matched with dns_trust_aa (%s in %s))\n",
+  auth_name, dns_trust_aa);
 
-  return TRUE;
-}
+return TRUE;
 #endif
 }