Dnssec Module

Marius Zbihlei



Table of Contents

1. Admin Guide
1. Overview
2. Dependencies
2.1. Kamailio Modules
2.2. External Libraries or Applications
3. Parameters
3.1. general_query_flags (integer)

List of Examples

1.1. Set enable_full_lr parameter

Chapter 1. Admin Guide

1. Overview

The module replaces the common system dns resolver functions from core with the DNSSEC wrappers provided by libval. Practically, by loading the module, Kamailio will make use of extensions to DNS which provide origin authentication of DNS data, authenticated denial of existence, and data integrity.

There is no module parameter that should be set nor fuction that has to be executed by the configuration file. Existing SIP server deployments can be updated to use DNSSEC by loading this module and setting appropriate DNS server to the operating system.

Installing libval can be done from https://www.dnssec-tools.org.

More details about DNSSEC are available at: http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions.

2. Dependencies

2.1. Kamailio Modules

The following modules must be loaded before this module:

  • No dependencies on other Kamailio modules.

2.2. External Libraries or Applications

The following libraries or applications must be installed before running Kamailio with this module loaded:

3. Parameters

3.1. general_query_flags (integer)

Set this parameter to an integer value containing of an ORed result of one or more of the following values (constant present only for documentation process, as they are mostly mapped to libval flags).Setting this parameter will cause the libval defaults to be completely overwritten

QUERY_DONT_VALIDATE == 1<<0 causes the validator to disable validation for this query.

QUERY_IGNORE_SKEW == 1<<1 causes the validator to disable checking signature inception and expiration times on RRSIGs.

QUERY_AC_DETAIL == 1<<2 causes the validator to copy the authentication chain details into the val_rc_answer member within the returned val_result_chain structure.

QUERY_NO_DLV == 1<<3 causes the validator to disable DLV processing for this query. This is only available if the libval(3) library has been compiled with DLV support.

QUERY_NO_EDNS0_FALLBACK = 1<<4 In querying various name servers, libsres will also attempt multiple EDNS0 sizes, ending with a query that has EDNS0 disabled (i.e. no CD bit set). This option causes libval to disable EDNS0 fallback for the query.

QUERY_RECURSE == 1<<5 forces libval to recursively answer the query by iteratively querying various name servers in the delegation hierarchy, instead of requesting this information from any caching name server that may be configured in dnsval.conf

SKIP_RESOLVER == 1<<6 forces libval to only look at its cache while trying to resolve a name.

SKIP_CACHE == 1<<7 forces libval to ignore cached data while trying to resolve a name.

Default value is 0(no changes)

Example 1.1. Set enable_full_lr parameter

 ...
 modparam("dnssec", "general_query_flags", 1) # QUERY_DONT_VALIDATE disable validation  
 modparam("dnssec", "general_query_flags", 10) # QUERY_IGNORE_SKEW | QUERY_NO_DLV
 ...