On 10 Oct 2012, at 20:08, Daniel-Constantin Mierla <miconda(a)gmail.com> wrote:
Hello,
thanks for this addition. A few comments:
1) not really important -- I guess "validator/validator.h" is part of the
external library, but it might be better to include it with square brackets; that is more
common when including from standard paths, rather than from local folders. Like:
#include <validator/validator.h>
2) from past experience, it is very unlikely people will start using it if they have to
recompile with different flags. On the other hand, the core should not be dependent on
such a specific library (which does not seem to be that widespread across distros at this time
anyhow). Looking at the patch, it is practically about returning a struct hostent pointer
and checking a status parameter.
My proposal is to:
- make a module that will have some wrappers around the dnssec functions. These wrappers
should not have the dnssec-specific parameters, returning the hostent and setting an
integer (given as pointer) status parameter, in case the core needs to know more about the
dnssec result
- core can still have the USE_DNSSEC define just in case one wants to disable it
completely
- core will have a structure with pointers to the wrapper functions for dnssec
- when loaded, the dnssec module will set the values of the function pointers in the
core
- core may get a new parameter use_dnssec to enable/disable usage of dnssec from the config
file (although this can be redundant, such a decision could be made by loading/not loading the dnssec
module)
This does not look like a big effort, considering the patch, and I think it will make dnssec
easier to experiment with for a larger user base. A similar mechanism is used more or less
for tls and in other modules that needed to act in the core, but had exotic dependencies
or functionalities (e.g., the msrp module sets some callbacks in the tcp receive code).
What do you think?
For me it seems like a good architecture proposal.
We do need more DNSsec aware software in SIP and I believe it will mean a lot for SIP
security soon.
/O
Cheers,
Daniel
On 10/10/12 4:56 PM, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools
dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
[...]
--
Daniel-Constantin Mierla -
http://www.asipto.com
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 -
http://asipto.com/u/kat
Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 -
http://asipto.com/u/katu
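
The hook mechanism proposed in this thread (a core-side table of function pointers that a DNSSEC module fills in when loaded, with wrappers that return a `struct hostent` and set an integer status) can be illustrated as follows. This is an added example, not code from the commit or from sip-router: every name in it is hypothetical, both resolvers are constructed stubs that do no network I/O, and dropping an untrusted answer in the core is an assumed policy.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>

/* All names here are hypothetical; none of them is sip-router API. */
enum { DNSSEC_NOT_USED, DNSSEC_VALIDATED, DNSSEC_UNTRUSTED };

/* Core: table of wrapper pointers, empty until a module fills it in. */
typedef struct hostent *(*dnssec_gethost_f)(const char *name, int *status);
struct dnssec_hooks { dnssec_gethost_f gethost; };
static struct dnssec_hooks core_dnssec_hooks = { NULL };
int use_dnssec = 1;	/* config switch proposed in the thread */

void core_register_dnssec(const struct dnssec_hooks *h) { core_dnssec_hooks = *h; }

/* Constructed stand-in for the core's ordinary resolver (no network). */
static struct hostent plain_answer = {
	.h_name = (char *)"plain.example", .h_addrtype = AF_INET, .h_length = 4 };
static struct hostent *plain_gethost(const char *name)
{
	(void)name;
	return &plain_answer;
}

/* Core lookup: use the module wrapper when loaded and enabled, otherwise the
 * ordinary resolver. Assumed policy: an answer that did not validate is dropped. */
struct hostent *core_resolve(const char *name, int *status)
{
	struct hostent *he;
	*status = DNSSEC_NOT_USED;
	if (!use_dnssec || core_dnssec_hooks.gethost == NULL)
		return plain_gethost(name);
	he = core_dnssec_hooks.gethost(name, status);
	return (*status == DNSSEC_VALIDATED) ? he : NULL;
}

/* Module: a real wrapper would call the validating resolver and map its result;
 * this stub treats names starting with "bogus" as failing validation. */
static struct hostent module_answer = {
	.h_name = (char *)"signed.example", .h_addrtype = AF_INET, .h_length = 4 };
static struct hostent *mod_gethost(const char *name, int *status)
{
	*status = strncmp(name, "bogus", 5) ? DNSSEC_VALIDATED : DNSSEC_UNTRUSTED;
	return &module_answer;
}

/* What the module's init function would do when it is loaded. */
int dnssec_mod_init(void)
{
	struct dnssec_hooks h = { mod_gethost };
	core_register_dnssec(&h);
	return 0;
}
```

With this layout the core never links against the validation library: only the module does, and a build without the module behaves exactly like the non-DNSSEC core.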