DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN

3 files changed, 32 insertions, 14 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 946f55b11..9243bd3f9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15621,7 +15621,12 @@ by a setting such as this:
 .code
 dns_again_means_nonexist = *.in-addr.arpa
 .endd
-This option applies to all DNS lookups that Exim does. It also applies when the
+This option applies to all DNS lookups that Exim does,
+.new
+except for TLSA lookups (where knowing about such failures
+is security-relevant).
+.wen
+It also applies when the
 &[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
 since these are most likely to be caused by DNS lookup problems. The
 &(dnslookup)& router has some options of its own for controlling what happens
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f51a23c9c..45834756b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -98,6 +98,10 @@ JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group.  Previously
       this always failed, probably leading to the usual downgrade to in-clear
       connections.
 
+JH/20 Fix TLSA lookups.  Previously dns_again_means_nonexist would affect
+      SERVFAIL results, which breaks the downgrade resistance of DANE.  Change
+      to not checking that list for these looks.
+
 
 Exim version 4.96
 -----------------
diff --git a/src/src/dns.c b/src/src/dns.c
index 2355409ec..d39b4b590 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -907,21 +907,30 @@ if (dnsa->answerlen < 0) switch (h_errno)
 
     /* Cut this out for various test programs */
 #ifndef STAND_ALONE
-    if (try_again_recursion)
+    /* Permitting dns_again_means nonexist for TLSA lookups breaks the
+    doewngrade resistance of dane, so avoid for those. */
+
+    if (type == T_TLSA)
+      rc = FAIL;
+    else
       {
-      log_write(0, LOG_MAIN|LOG_PANIC,
-	"dns_again_means_nonexist recursion seen for %s (assuming nonexist)",
-	name);
-      return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
-      }
+      if (try_again_recursion)
+	{
+	log_write(0, LOG_MAIN|LOG_PANIC,
+	  "dns_again_means_nonexist recursion seen for %s"
+	  " (assuming nonexist)", name);
+	return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type),
+			      DNS_NOMATCH);
+	}
 
-    try_again_recursion = TRUE;
-    save_domain = deliver_domain;
-    deliver_domain = string_copy(name);  /* set $domain */
-    rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
-      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
-    deliver_domain = save_domain;
-    try_again_recursion = FALSE;
+      try_again_recursion = TRUE;
+      save_domain = deliver_domain;
+      deliver_domain = string_copy(name);  /* set $domain */
+      rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
+	&domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+      deliver_domain = save_domain;
+      try_again_recursion = FALSE;
+      }
 
     if (rc != OK)
       {