SA Bugzilla – Bug 7875
AskDNS plugin does not correctly handle CNAMEs leading to TXTs
Last modified: 2021-03-09 20:15:39 UTC
Summary: When the ASkDNS plugin requests a TXT record but gets back both a CNAME and a TXT, it doesn't ignore the CNAME answer in the result, which then makes it not handle the TXT answer properly. Detail: I have a rule that looks like this: askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/ I noticed this rule did not match a lookup for "_dmarc.dhl.com", even though it should: $ dig _dmarc.dhl.com TXT ... ;; ANSWER SECTION: _dmarc.dhl.com. 269 IN CNAME reject.valimail.dmarc.dhl.com. reject.valimail.dmarc.dhl.com. 340 IN TXT "v=DMARC1; p=reject; fo=0; rua=mailto:dmarc-reports@dhl.com,mailto:dmarc_agg@vali.email;" Some debugging suggests this is because of the CNAME in the answer. The loop in lines 567-640 of AskDNS.pm runs once for the CNAME answer and a second time for the TXT answer. Line 602 of that block looks like: next if !defined $qtype || $query_type ne $qtype; In this case, $qtype is the qtype from the original DNS *request* that was made, which is always "TXT". And $query_type is the type from the SpamAssassin rule, which is also always "TXT". So the code will always check "TXT ne TXT", find it's false, and the "next" will never trigger. The code should be checking one of these against the qtype of each DNS *reply*, so it calls "next" to skip the loop when it sees the CNAME. Changing that line to this fixes it: next if !defined $qtype || $rr_type ne $qtype;
As a followup to this, this change is more correct for line 602: next if !defined $qtype || (defined $rr_type && $rr_type ne $qtype); Otherwise what I originally suggested can generate "uninitialized value $rr_type in string" warnings in some cases.
I also seem to have this problem if I use a DNAME record like this in db.local: sendgrid-id IN DNAME sendgrid-id.LICENSEKEY.invaluement.com. sendgrid-efd IN DNAME sendgrid-efd.LICENSEKEY.invaluement.com. and in Esp.cf: ifplugin Mail::SpamAssassin::Plugin::AskDNS askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A 127.0.0.2 # askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.<LICENSEKEY>.invaluement.com A 127.0.0.2 describe RBL_SENDGRID_ID Sendgrid Id blacklist tflags RBL_SENDGRID_ID net askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.localhost A 127.0.0.2 # askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.<LICENSEKEY>.invaluement.com A 127.0.0.2 describe RBL_SENDGRID_DOM Sendgrid domain blacklist tflags RBL_SENDGRID_DOM net meta RBL_SENDGRID (RBL_SENDGRID_ID || RBL_SENDGRID_DOM) describe RBL_SENDGRID Invaluement Sendgrid blacklist score RBL_SENDGRID 7.5 endif # Mail::SpamAssassin::Plugin::AskDNS If I uncomment the dbg message on line 594, I absolutely see the 127.0.0.2 response, but it doesn't get picked up in the loop below.
The whole $qtype comparison completely unnecessary and breaks stuff, RR comparison is done later here in if: !grep($_ eq 'ANY' || $_ eq $rr_type, @$answer_types_ref) ) { # skip remaining tests on wrong RR type .. which allows for ANY / multiple RR type queries to work too. I spend some time looking through the code carefully, this should be safe to remove for 3.4.. $pms->{askdns_map_dnskey_to_rules}{$dnskey}[$j++] = undef; It fixes this bug and the multiple response bug discussed in Bug 7777. Similar fixes committed to trunk also: Sending spamassassin-3.4/lib/Mail/SpamAssassin/Plugin/AskDNS.pm Sending trunk/lib/Mail/SpamAssassin/Plugin/AskDNS.pm Transmitting file data ..done Committing transaction... Committed revision 1887305.
Duh, should allow multiple hits.. Sending spamassassin-3.4/lib/Mail/SpamAssassin/Plugin/AskDNS.pm Transmitting file data .done Committing transaction... Committed revision 1887306.