Hello all,
First of all sorry for the broken build. I was 100% sure that it will no be enabled in
master.I thought I have tested. I will fix it first thing in the morning...
So, on Debian/Ubuntu and now it seems in RHEL the devel headers and libraries are not
installed. I had to download them from
dnssec-tools.org. Other than that, just enabling
the flag should allow for DNSSEC queries. The failure of the validate method is actually
controlled by dnsval.conf. If a zone is not signed, than the validate method will silently
ignore the error and permit validation. If set to untrusted, any name that is not
explicitly signed will fail. At the moment I just print an informal message in the log.
When I have tested the patch, it seemed that there aren't a lot of DNSSEC aware
servers, and even if they are, the TLD's are not signed... So for now the USE_DNSSEC
must be disabled
Marius
________________________________________
From: sr-dev-bounces(a)lists.sip-router.org [sr-dev-bounces(a)lists.sip-router.org] On Behalf
Of Peter Dunkley [peter.dunkley(a)crocodile-rcs.com]
Sent: Wednesday, October 10, 2012 7:27 PM
To: Development mailing list of the sip-router project
Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
I've had a bit more luck...
On Fedora the package dnssec-tools-libs-devel fixes the build problems, but for
CentOS/RHEL the dnssec packages are not part of the standard distribution (they are in
EPEL). So as things stand the master build of Kamailio core (with default options) is
broken for Enterprise Linux based OSes.
Regards,
Peter
On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote:
Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with:
/usr/bin/ld: cannot find -lval-threads
/usr/bin/ld: cannot find -lsres
collect2: error: ld returned 1 exit status
make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't they are actually in the
default repos. Would it be possible to make the default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei
<marius.zbihlei@1and1.ro<mailto:marius.zbihlei@1and1.ro>>
Committer: Marius Zbihlei
<marius.zbihlei@1and1.ro<mailto:marius.zbihlei@1and1.ro>>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools
dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
ifeq ($(NO_EPOLL),)
C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
int name_len;
struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
if (cfg_get(core, core_cfg, dns_search_list)==0) {
search_list_used=0;
name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
}
fullname_rd=0;
+#ifndef USE_DNSSEC
size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+#endif
+
if (unlikely(size<0)) {
DBG("get_record: lookup(%s, %d) failed\n", name, type);
goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
struct ip_addr* ip;
str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
/* ipv4 */
+#ifndef USE_DNSSEC
he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+#endif
+
#ifdef USE_IPV6
if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
/*try ipv6*/
#ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6,
&val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+ #endif //!USE_DNSSEC
#elif defined HAVE_GETIPNODEBYNAME
/* on solaris 8 getipnodebyname has a memory leak,
* after some time calls to it will fail with err=3
_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org<mailto:sr-dev@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org<mailto:sr-dev@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
--
Peter Dunkley
Technical Director
Crocodile RCS Ltd