10 Oct
2012
10 Oct
'12
5:56 p.m.
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
ifeq ($(NO_EPOLL),)
C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
int name_len;
struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
if (cfg_get(core, core_cfg, dns_search_list)==0) {
search_list_used=0;
name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
}
fullname_rd=0;
+#ifndef USE_DNSSEC
size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
if (unlikely(size<0)) {
DBG("get_record: lookup(%s, %d) failed\n", name, type);
goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
struct ip_addr* ip;
str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
/* ipv4 */
+#ifndef USE_DNSSEC
he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
#ifdef USE_IPV6
if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
/*try ipv6*/
#ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+ #endif //!USE_DNSSEC
#elif defined HAVE_GETIPNODEBYNAME
/* on solaris 8 getipnodebyname has a memory leak,
* after some time calls to it will fail with err=3
10 Oct
10 Oct
7:01 p.m.
10 okt 2012 kl. 16:56 skrev Marius Zbihlei <marius.zbihlei(a)1and1.ro>ro>:
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
Wow!
I did not see that coming. GREAT stuff, Marius!!!!
I would, if possible, get a return code when sending a SIP message out that indicates this
failure.
THANK YOU!
/O
7:07 p.m.
2012/10/10 Olle E. Johansson <oej(a)edvina.net>et>:
I did not see that coming. GREAT stuff, Marius!!!!
I would, if possible, get a return code when sending a SIP message out that indicates
this failure.
THANK YOU!
Olle, some people (i.e... me) would appreciate a good blog post from
you explaining all this DNSSEC stuf and how it applies to SIP ;)
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
7:15 p.m.
10 okt 2012 kl. 18:07 skrev Iñaki Baz Castillo <ibc(a)aliax.net>et>:
2012/10/10 Olle E. Johansson <oej(a)edvina.net>et>:
Some people are going to listen to some people and write it down.
Here's an old one but it does need updates:
http://www.voip-forum.com/opensource/2011-03/sipdane/
/O
I did not see that coming. GREAT stuff,
Marius!!!!
I would, if possible, get a return code when sending a SIP message out that indicates
this failure.
THANK YOU!
Olle, some people (i.e... me) would appreciate a good blog post from
you explaining all this DNSSEC stuf and how it applies to SIP ;)
7:06 p.m.
Hi!
10 okt 2012 kl. 16:56 skrev Marius Zbihlei <marius.zbihlei(a)1and1.ro>ro>:
This is available by setting the USE_DNSSEC compile
flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
I did not see this information being added to Makefile, INSTALL or any other document.
Adding Documentation is generally a GOOD THING (TM) :-)
/O
7:14 p.m.
Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with:
/usr/bin/ld: cannot find -lval-threads
/usr/bin/ld: cannot find -lsres
collect2: error: ld returned 1 exit status
make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't they are
actually in the default repos. Would it be possible to make the default
behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
ifeq ($(NO_EPOLL),)
C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
int name_len;
struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
if (cfg_get(core, core_cfg, dns_search_list)==0) {
search_list_used=0;
name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
}
fullname_rd=0;
+#ifndef USE_DNSSEC
size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
if (unlikely(size<0)) {
DBG("get_record: lookup(%s, %d) failed\n", name, type);
goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
struct ip_addr* ip;
str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
/* ipv4 */
+#ifndef USE_DNSSEC
he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
#ifdef USE_IPV6
if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
/*try ipv6*/
#ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+ #endif //!USE_DNSSEC
#elif defined HAVE_GETIPNODEBYNAME
/* on solaris 8 getipnodebyname has a memory leak,
* after some time calls to it will fail with err=3
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
--
Peter Dunkley
Technical Director
Crocodile RCS Ltd
7:27 p.m.
I've had a bit more luck...
On Fedora the package dnssec-tools-libs-devel fixes the build problems,
but for CentOS/RHEL the dnssec packages are not part of the standard
distribution (they are in EPEL). So as things stand the master build of
Kamailio core (with default options) is broken for Enterprise Linux
based OSes.
Regards,
Peter
On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote:
Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with:
/usr/bin/ld: cannot find -lval-threads
/usr/bin/ld: cannot find -lsres
collect2: error: ld returned 1 exit status
make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't they are
actually in the default repos. Would it be possible to make the
default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
--
Peter Dunkley
Technical Director
Crocodile RCS Ltd
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
ifeq ($(NO_EPOLL),)
C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
int name_len;
struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
if (cfg_get(core, core_cfg, dns_search_list)==0) {
search_list_used=0;
name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
}
fullname_rd=0;
+#ifndef USE_DNSSEC
size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
if (unlikely(size<0)) {
DBG("get_record: lookup(%s, %d) failed\n", name, type);
goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
struct ip_addr* ip;
str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
/* ipv4 */
+#ifndef USE_DNSSEC
he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
#ifdef USE_IPV6
if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
/*try ipv6*/
#ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+ #endif //!USE_DNSSEC
#elif defined HAVE_GETIPNODEBYNAME
/* on solaris 8 getipnodebyname has a memory leak,
* after some time calls to it will fail with err=3
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
7:42 p.m.
Hello all,
First of all sorry for the broken build. I was 100% sure that it will no be enabled in
master.I thought I have tested. I will fix it first thing in the morning...
So, on Debian/Ubuntu and now it seems in RHEL the devel headers and libraries are not
installed. I had to download them from dnssec-tools.org. Other than that, just enabling
the flag should allow for DNSSEC queries. The failure of the validate method is actually
controlled by dnsval.conf. If a zone is not signed, than the validate method will silently
ignore the error and permit validation. If set to untrusted, any name that is not
explicitly signed will fail. At the moment I just print an informal message in the log.
When I have tested the patch, it seemed that there aren't a lot of DNSSEC aware
servers, and even if they are, the TLD's are not signed... So for now the USE_DNSSEC
must be disabled
Marius
________________________________________
From: sr-dev-bounces(a)lists.sip-router.org [sr-dev-bounces(a)lists.sip-router.org] On Behalf
Of Peter Dunkley [peter.dunkley(a)crocodile-rcs.com]
Sent: Wednesday, October 10, 2012 7:27 PM
To: Development mailing list of the sip-router project
Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
I've had a bit more luck...
On Fedora the package dnssec-tools-libs-devel fixes the build problems, but for
CentOS/RHEL the dnssec packages are not part of the standard distribution (they are in
EPEL). So as things stand the master build of Kamailio core (with default options) is
broken for Enterprise Linux based OSes.
Regards,
Peter
On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote:
Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with:
/usr/bin/ld: cannot find -lval-threads
/usr/bin/ld: cannot find -lsres
collect2: error: ld returned 1 exit status
make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't they are actually in the
default repos. Would it be possible to make the default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei
<marius.zbihlei@1and1.ro<mailto:marius.zbihlei@1and1.ro>>
Committer: Marius Zbihlei
<marius.zbihlei@1and1.ro<mailto:marius.zbihlei@1and1.ro>>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
ifeq ($(NO_EPOLL),)
C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
int name_len;
struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
if (cfg_get(core, core_cfg, dns_search_list)==0) {
search_list_used=0;
name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
}
fullname_rd=0;
+#ifndef USE_DNSSEC
size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+#endif
+
if (unlikely(size<0)) {
DBG("get_record: lookup(%s, %d) failed\n", name, type);
goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
struct ip_addr* ip;
str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
/* ipv4 */
+#ifndef USE_DNSSEC
he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+#endif
+
#ifdef USE_IPV6
if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
/*try ipv6*/
#ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6,
&val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+ #endif //!USE_DNSSEC
#elif defined HAVE_GETIPNODEBYNAME
/* on solaris 8 getipnodebyname has a memory leak,
* after some time calls to it will fail with err=3
_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org<mailto:sr-dev@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org<mailto:sr-dev@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
--
Peter Dunkley
Technical Director
Crocodile RCS Ltd
8:05 p.m.
It seems I had a typo. Because I can't commit right now, can somebody apply the patch
below.
Thanks!
Marius
diff --git a/Makefile.defs b/Makefile.defs
index 2b7f332..039ca33 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1751,7 +1751,7 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ ifneq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
LIBS+=-lval-threads -lcrypto -lsres -lpthread
$(info "using libval for DNSSEC validation")
endif
________________________________________
From: sr-dev-bounces(a)lists.sip-router.org [sr-dev-bounces(a)lists.sip-router.org] On Behalf
Of Marius Zbihlei [marius.zbihlei(a)1and1.ro]
Sent: Wednesday, October 10, 2012 7:42 PM
To: Development mailing list of the sip-router project
Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
Hello all,
First of all sorry for the broken build. I was 100% sure that it will no be enabled in
master.I thought I have tested. I will fix it first thing in the morning...
So, on Debian/Ubuntu and now it seems in RHEL the devel headers and libraries are not
installed. I had to download them from dnssec-tools.org. Other than that, just enabling
the flag should allow for DNSSEC queries. The failure of the validate method is actually
controlled by dnsval.conf. If a zone is not signed, than the validate method will silently
ignore the error and permit validation. If set to untrusted, any name that is not
explicitly signed will fail. At the moment I just print an informal message in the log.
When I have tested the patch, it seemed that there aren't a lot of DNSSEC aware
servers, and even if they are, the TLD's are not signed... So for now the USE_DNSSEC
must be disabled
Marius
________________________________________
From: sr-dev-bounces(a)lists.sip-router.org [sr-dev-bounces(a)lists.sip-router.org] On Behalf
Of Peter Dunkley [peter.dunkley(a)crocodile-rcs.com]
Sent: Wednesday, October 10, 2012 7:27 PM
To: Development mailing list of the sip-router project
Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
I've had a bit more luck...
On Fedora the package dnssec-tools-libs-devel fixes the build problems, but for
CentOS/RHEL the dnssec packages are not part of the standard distribution (they are in
EPEL). So as things stand the master build of Kamailio core (with default options) is
broken for Enterprise Linux based OSes.
Regards,
Peter
On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote:
Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with:
/usr/bin/ld: cannot find -lval-threads
/usr/bin/ld: cannot find -lsres
collect2: error: ld returned 1 exit status
make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't they are actually in the
default repos. Would it be possible to make the default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei
<marius.zbihlei@1and1.ro<mailto:marius.zbihlei@1and1.ro>>
Committer: Marius Zbihlei
<marius.zbihlei@1and1.ro<mailto:marius.zbihlei@1and1.ro>>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
ifeq ($(NO_EPOLL),)
C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
int name_len;
struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
if (cfg_get(core, core_cfg, dns_search_list)==0) {
search_list_used=0;
name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
}
fullname_rd=0;
+#ifndef USE_DNSSEC
size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+#endif
+
if (unlikely(size<0)) {
DBG("get_record: lookup(%s, %d) failed\n", name, type);
goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
struct ip_addr* ip;
str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
/* ipv4 */
+#ifndef USE_DNSSEC
he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+#endif
+
#ifdef USE_IPV6
if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
/*try ipv6*/
#ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6,
&val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving
%s\n",name);
+ }
+ #endif //!USE_DNSSEC
#elif defined HAVE_GETIPNODEBYNAME
/* on solaris 8 getipnodebyname has a memory leak,
* after some time calls to it will fail with err=3
_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org<mailto:sr-dev@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org<mailto:sr-dev@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
--
Peter Dunkley
Technical Director
Crocodile RCS Ltd
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
9:08 p.m.
Hello,
thanks for this addition. Few comments:
1) not really important -- I guess is "validator/validator.h" part of
the external library, but might be better to be included with square
brackets, it is more common when including from standard paths, rather
from local folders. Like:
#include <validator/validator.h>
2) from past experiences, it very unlikely people will start using it if
they have to recompile with different flags. On the other hand, the core
should not be dependent on such specific library (which seems it is not
that spread across distros at this time anyhow). Looking at the patch,
it is practically about returning a struct hostent pointer and checking
a status parameter.
My proposal is to:
- make a module that will have some wrappers around the dnssec
functions. This wrappers should not have the dnssec specific parameters,
returning the hostent and setting an integer (given as pointer) status
parameter, in case the core needs to know more about the dnssec result
- core can still have the USE_DNSSEC define just in case one wants to
disable it completely
- core will have a structure with pointers to the wrapper functions for
dnssec
- when loaded, the dnssec module will set the values of the function
pointers in the core
- core may get a new parameter use_dnnsec to enable/disable usage of
dnssec from config file (although this can be redundant, such decision
could be by loadind/not loading dnssec module)
This does not look like big effort, considering the patch, and I think
will make dnssec easier to experiment with for a larger user base.
Similar mechanism is used more or less for tls and in other modules that
needed to act in the core, but had exotic dependencies or
functionalities (e.g., msrp module sets some callbacks in tcp receive code).
What do you think?
Cheers,
Daniel
On 10/10/12 4:56 PM, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
[...]
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu
9:30 p.m.
Hello all,
Glad to see that there is such interest for the DNSSEC support. Thanks guys for the
feedback and suggestions and sorry for the typo :)
Daniel, you are right. There are several other improvements that can be done.. For example
runtime configuration of policy using the resolve context in the dnsval.conf file
(specify domains if they are trusted or not etc). This type of configuration is indeed
better in a modparam statement than a core keyword, so I will move the calls to a
dedicated module.
Cheers,
Marius
________________________________________
From: Daniel-Constantin Mierla [miconda(a)gmail.com]
Sent: Wednesday, October 10, 2012 9:08 PM
To: Development mailing list of the sip-router project
Cc: Marius Zbihlei
Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
Hello,
thanks for this addition. Few comments:
1) not really important -- I guess is "validator/validator.h" part of
the external library, but might be better to be included with square
brackets, it is more common when including from standard paths, rather
from local folders. Like:
#include <validator/validator.h>
2) from past experiences, it very unlikely people will start using it if
they have to recompile with different flags. On the other hand, the core
should not be dependent on such specific library (which seems it is not
that spread across distros at this time anyhow). Looking at the patch,
it is practically about returning a struct hostent pointer and checking
a status parameter.
My proposal is to:
- make a module that will have some wrappers around the dnssec
functions. This wrappers should not have the dnssec specific parameters,
returning the hostent and setting an integer (given as pointer) status
parameter, in case the core needs to know more about the dnssec result
- core can still have the USE_DNSSEC define just in case one wants to
disable it completely
- core will have a structure with pointers to the wrapper functions for
dnssec
- when loaded, the dnssec module will set the values of the function
pointers in the core
- core may get a new parameter use_dnnsec to enable/disable usage of
dnssec from config file (although this can be redundant, such decision
could be by loadind/not loading dnssec module)
This does not look like big effort, considering the patch, and I think
will make dnssec easier to experiment with for a larger user base.
Similar mechanism is used more or less for tls and in other modules that
needed to act in the core, but had exotic dependencies or
functionalities (e.g., msrp module sets some callbacks in tcp receive code).
What do you think?
Cheers,
Daniel
On 10/10/12 4:56 PM, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
[...]
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu
9:50 p.m.
10 okt 2012 kl. 20:08 skrev Daniel-Constantin Mierla <miconda(a)gmail.com>om>:
Hello,
thanks for this addition. Few comments:
1) not really important -- I guess is "validator/validator.h" part of the
external library, but might be better to be included with square brackets, it is more
common when including from standard paths, rather from local folders. Like:
#include <validator/validator.h>
2) from past experiences, it very unlikely people will start using it if they have to
recompile with different flags. On the other hand, the core should not be dependent on
such specific library (which seems it is not that spread across distros at this time
anyhow). Looking at the patch, it is practically about returning a struct hostent pointer
and checking a status parameter.
My proposal is to:
- make a module that will have some wrappers around the dnssec functions. This wrappers
should not have the dnssec specific parameters, returning the hostent and setting an
integer (given as pointer) status parameter, in case the core needs to know more about the
dnssec result
- core can still have the USE_DNSSEC define just in case one wants to disable it
completely
- core will have a structure with pointers to the wrapper functions for dnssec
- when loaded, the dnssec module will set the values of the function pointers in the
core
- core may get a new parameter use_dnnsec to enable/disable usage of dnssec from config
file (although this can be redundant, such decision could be by loadind/not loading dnssec
module)
This does not look like big effort, considering the patch, and I think will make dnssec
easier to experiment with for a larger user base. Similar mechanism is used more or less
for tls and in other modules that needed to act in the core, but had exotic dependencies
or functionalities (e.g., msrp module sets some callbacks in tcp receive code).
What do you think?
For me it seems like a good architecture proposal.
We do need more DNSsec aware software in SIP and I believe it will mean a lot for SIP
security soon.
/O
Cheers,
Daniel
On 10/10/12 4:56 PM, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
[...]
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev 
11 Oct
11 Oct
5:40 p.m.
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of
having it in the respective recursive DNS server? I think most people
which operate a SIP proxy do also have a resolving name server within
their names. It may happen that bugfixes in DNSSEC libraries require to
rebuild/restart your SIP proxy, instead of just updating the local recurser.
regards
Klaus
On 10.10.2012 16:56, Marius Zbihlei wrote:
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df…
Author: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei(a)1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and
libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and
val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
ifeq ($(NO_EPOLL),)
C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
int name_len;
struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
if (cfg_get(core, core_cfg, dns_search_list)==0) {
search_list_used=0;
name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
}
fullname_rd=0;
+#ifndef USE_DNSSEC
size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
if (unlikely(size<0)) {
DBG("get_record: lookup(%s, %d) failed\n", name, type);
goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
struct ip_addr* ip;
str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
/* ipv4 */
+#ifndef USE_DNSSEC
he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
#ifdef USE_IPV6
if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
/*try ipv6*/
#ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+ #endif //!USE_DNSSEC
#elif defined HAVE_GETIPNODEBYNAME
/* on solaris 8 getipnodebyname has a memory leak,
* after some time calls to it will fail with err=3
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
5:54 p.m.
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of
having it in the respective recursive DNS server? I think most people
which operate a SIP proxy do also have a resolving name server within
their names. It may happen that bugfixes in DNSSEC libraries require to
rebuild/restart your SIP proxy, instead of just updating the local recurser.
I
imagined a situation in which you don't trust your resolver, even in
same LAN. Due to ARP poisoning, DNS request (even your local resolver
issues external requests) can be spoofed and incorrect data can be returned.
I think using bind locally as a resolved indeed eliminates this issue,
but with DNS caching in place I fail to see the reason of using a local
DNS resolver, instead one can use a network resolver. Just a little more
flexibility.
Marius
regards
Klaus
--
Zbihlei Marius
Head of
Linux Development Services Romania
1&1 Internet Development srl Tel KA: 754-9152
Str Mircea Eliade 18 Tel RO: +40-31-223-9152
Sect 1, Bucuresti mailto: marius.zbihlei(a)1and1.ro
71295, Romania
12 Oct
12 Oct
9:46 a.m.
11 okt 2012 kl. 16:54 skrev Marius Zbihlei <marius.zbihlei(a)1and1.ro>ro>:
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
With DANE, a new RFC, Kamailio will validate SSL certificates in a DNS-sec secured DNS
zone. Feels good
to be able to have control over the validation and get detailed error codes. And not have
to trust an
external software for security validation.
We should still be able to use an external resolver, of course.
/O
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of
having it in the respective recursive DNS server? I think most people
which operate a SIP proxy do also have a resolving name server within
their names. It may happen that bugfixes in DNSSEC libraries require to
rebuild/restart your SIP proxy, instead of just updating the local recurser.
I
imagined a situation in which you don't trust your resolver, even in same LAN. Due to
ARP poisoning, DNS request (even your local resolver issues external requests) can be
spoofed and incorrect data can be returned.
I think using bind locally as a resolved indeed eliminates this issue, but with DNS
caching in place I fail to see the reason of using a local DNS resolver, instead one can
use a network resolver. Just a little more flexibility. 
13 Oct
13 Oct
2:19 p.m.
Gnutls' design for dane seems to be the right approach in general for
apps which want to do dnssec validation: provide options for whether
to respect resolv.conf and whether to cache results. Its libdane links
to libunbound but allows apps to choose whether to tell libunbound to
parse resolv.conf and whether to cache results.
Apps which have config file should make those options start-time configurable.
-JimC
--
James Cloos <cloos(a)jhcloos.com> OpenPGP: 1024D/ED7DAEA6
2:34 p.m.
13 okt 2012 kl. 13:19 skrev James Cloos <cloos(a)jhcloos.com>om>:
Gnutls' design for dane seems to be the right
approach in general for
apps which want to do dnssec validation: provide options for whether
to respect resolv.conf and whether to cache results. Its libdane links
to libunbound but allows apps to choose whether to tell libunbound to
parse resolv.conf and whether to cache results.
Apps which have config file should make those options start-time configurable.
That sounds reasonable. What's the architecture for OpenSSL?
/O
25 Oct
25 Oct
4:51 p.m.
On 12.10.2012 08:46, Olle E. Johansson wrote:
11 okt 2012 kl. 16:54 skrev Marius Zbihlei <marius.zbihlei(a)1and1.ro>ro>:
FYI - ldns supports now DANE.
regards
Klaus
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Everyone,
I am pleased to announce that version 1.6.14 of ldns is now available.
This release has more bugfixes than normally because of the code
reviews from CZ.NIC and Paul Wouters. Thank you!
We have many improvements in the pyldns contribution from Karel Slany
which are now listed in its own Changelog file in contrib/python (and
below).
The most notably new feature is DANE support (RFC6698). New functions
for verifying and constructing TLSA resource records have been added.
The example tool, ldns-dane, has been added to demonstrate the new
functions and for the general usability of DANE operation.
I hope this release will be useful for you and that you will keep us
informed of your experiences.
Best regards,
Willem Toorop
link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.14.tar.gz
sha1: 2ef5fbf33b25d2f7b736c332ebccc0862dd12d02
Changelog:
==========
* DANE support (RFC6698), including ldns-dane example tool.
* Configurable default CA certificate repository for ldns-dane with
--with-ca-file=CAFILE and --with-ca-path=CAPATH
* Configurable default trust anchor with --with-trust-anchor=FILE
for drill, ldns-verify-zone and ldns-dane
* bugfix #474: Define socklen_t when undefined (like in Win32)
* bugfix #473: Dead code removal and resource leak fix in drill
* bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too.
* Various bugfixes from code reviews from CZ.NIC and Paul Wouters
* ldns-notify TSIG option argument checking
* Let ldns_resolver_nameservers_randomize keep nameservers and rtt's
in sync.
* Let ldns_pkt_push_rr now return false on (memory) errors.
* Make buffer_export comply to documentation and fix buffer2str
* Various improvements and fixes of pyldns from Katel Slany
now documented in their own Changelog.
* bugfix: Make ldns_resolver_pop_nameserver clear the array when
there was only one.
* bugfix #459: Remove ldns_symbols and export symbols based on regex
* bugfix #458: Track all newly created signatures when signing.
* bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given.
* bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm.
* pyldns memory handling fixes and the python3/ldns-signzone.py
examples script contribution from Karel Slany.
* bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed
to be bigger (or equal) P in ldns_key_dsa2bin.
* bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new.
* bugfix #448: Copy nameserver value (in stead of reference) of the
answering nameserver to the answer packet in ldns_send_buffer, so
the original value may be deep freed with the ldns_resolver struct.
* New -0 option for ldns-read-zone to replace inception, expiration
and signature rdata fields with (null). Thanks Paul Wouters.
* New -p option for ldns-read-zone to prepend-pad SOA serial to take
up ten characters.
* Return error if printing RR fails due to unknown/null RDATA.
pyldns Changelog:
=================
* Added rich comparison methods for ldns_dname, ldns_rdf, ldns_rr and
ldns_rr_list classes.
* Added deprecation warnings into ldns_rr.new_frm_fp() and
ldns_rr.new_frm_fp_l() and others.
* Fixed ldns_rr.set_rdf(), which may cause memory leaks, because it
returns new objects (in the scope of Python). Also it leaked memory,
when the call was not successful.
* Fixed ldns_get_rr_list_hosts_frm_file, marked as newobject.
* Fixed ldns_rr_list.cat() to return bool as mentioned in documentation.
* Fixed ldns_rr_list_cat_clone, marked as newobject.
* Fixed ldns_rr_list.new_frm_file(). Exception argument was invalid.
* Fixed ldns_rr_list.push_rr() to return bool as mentioned in
documentation.
* Fixed ldns_rr_list.push_rr_list() to return bool as mentioned in
documentation.
* Fixed ldns_rr_list.set_rr(), which caused memory corruption, double
free problems and memory leaks. (The wrapper used original function
instead of its push cloned variant which was missing.)
* Fixed ldns_rr_list.set_rr_count(), added python exception raise in
order to avoid assertion failure.
* Fixed ldns_rr_list.subtype_by_rdf(), marked as newobject.
* Added ldns_rr.to_canonical(), ldns_rr.is_question(),
ldns_rr.type_by_name(), ldns_rr.class_by_name(), ldns_rr_list.new(),
ldns_rr.set_question().
* Modified ldns_rr_list.owner() and ldns_rr.owner(), now returns
ldns_dname.
* Fixed assertion failures for several methods when receiving incorrect
but syntactically valid arguments (i.e., ldns_rr.a_address(),
ldns_rr.dnskey_algorithm(), ldns_rr.dnskey_flags(),
ldns_rr.dnskey_key(), ldns_rr.dnskey_protocol(),
ldns_rr.mx_exchange(), ldns_rr.mx_preference(), ldns_rr.ns_nsdname(),
ldns_rr.owner(), ldns_rr.rdf(), ldns_rr.rrsig_algorithm(),
ldns_rr.rrsig_expiration(), ldns_rr.rrsig_inception(),
ldns_rr.rrsig_keytag(), ldns_rr.rrsig_labels(),
ldns_rr.rrsig_origttl(),
ldns_rr.rrsig_sig(), ldns_rr.rrsig_signame(),
ldns_rr.rrsig_typecovered(), ldns_rr_list.owner(), ldns_rr_list.rr())
* Fixed ldns_rr.a_address(), which was asserting when called
on non A or AAAA type rr. Now returns None when fails.
* Added scripts for testing the basic functionality of the ldns_rr,
ldns_rr_descriptor and ldns_rr_list class code.
* Improved documentation of ldns_rr, ldns_rr_descriptor and
ldns_rr_list.
* Fixed automatic conversion from Python string to ldns_rdf and
ldns_dname. Caused memory corruption when using Python 3.
* The Python 3 wrapper code now raises TypeError instead of ValueError
when receiving a non FILE * argument when it should be a FILE *.
* Fixed wrong handling of _ldns_rr_list_free() and
_ldns_rr_list_deep_free() when compiling with LDNS_DEBUG directive.
* Fixed malfunctioning ldns.ldns_rdf_new_frm_fp_l().
* Fixed malfunctioning ldns_drf.absolute() and ldns_dname.absolute().
* Marked several functions related to ldns_rdf and ldns_buffer as
returning new objects.
* Method operating on ldns_dnames and returning dname ldns_rdfs now
return ldns_dname instances.
* Improved documentation of ldns_buffer, ldns_rdf and ldns_dname
classes.
* Methods ldns_buffer.available() and ldns_buffer.available_at() now
return bool types as described in the documentation.
* Added scripts for testing the basic functionality of the ldns_buffer,
ldns_rdf, ldns_dname class code.
* Added deprecation warnings to ldns_rdf methods operating on dname
rdfs. The user is encouraged to converts dname ldns_rdfs to
ldns_dnames.
* Extended ldns_dname constructor to accept ldns_rdfs containing dnames.
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
With DANE, a new RFC, Kamailio will validate SSL certificates in a DNS-sec secured DNS
zone. Feels good
to be able to have control over the validation and get detailed error codes. And not have
to trust an
external software for security validation. Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of
having it in the respective recursive DNS server? I think most people
which operate a SIP proxy do also have a resolving name server within
their names. It may happen that bugfixes in DNSSEC libraries require to
rebuild/restart your SIP proxy, instead of just updating the local recurser.
I
imagined a situation in which you don't trust your resolver, even in same LAN. Due to
ARP poisoning, DNS request (even your local resolver issues external requests) can be
spoofed and incorrect data can be returned.
I think using bind locally as a resolved indeed eliminates this issue, but with DNS
caching in place I fail to see the reason of using a local DNS resolver, instead one can
use a network resolver. Just a little more flexibility. -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iQIcBAEBAgAGBQJQhqP/AAoJEOX4+CEvd6SYmYAP/1LoH5b5Re32DmpX44hUdQ4c
KbW6wG+/L1LuTTaWy7hX7DGsHQ2j8IyPZdaI1ZnoKYhudadLM3RF/QZKr5Kd3hoy
YEWlbCdpQ8INMzl0j5ak7aBRkbvkveFJL1Ya8d3p9CSdUQR2hLTNiwjp3s+c31pk
dnD/XqZ0ggfu3dDJhPXxCvAwl8hVqsVE3kUDVCKNezYrw88Sda+DCeu7Rl/Fefyq
vBLBg2WjuRrtT5icuTFcMq339/zHp45EGglYxG2a9e1mOKHVmhrTUmPsoDXtaxLc
13j6zTywxeWgRWW1t/2n4/bg4sLDsv5jYQxtpb2iQtJ1VHjYWQxhqNbikW6N2kha
vyubIv0ecdIbTtLMYT9vUmfb8CKFezggHqd9/W0cGGZNMuZjDLgFfUwKdWKNeKRT
Odg5JhVk1OfhkCzY3EvfsjccLzSZHUssPbI45YJaPrv+T13TgFdnBv5ufLP7NfpR
NNSqf9pn+YF7IKgj/9cU7Q3WW1HOwaVspL2lFhfvJlirsX1yKp/eigQeNa5bCSfl
7I5F2gGc14+E7moQByvQ75EkOkdlJ/Owq1t8/6IMWNldb2Vn9awDqaS9AfV9LQKN
g/8qQHNwQ5idbxA48fNcyhhMY8bUMJiGOo+AWKAcBWdMKTLVIKdiswEC8O7o4aJ9
MPug3EFbN6n5YzCQNIaZ
=csYG
-----END PGP SIGNATURE-----
_______________________________________________
ldns-users mailing list
ldns-users(a)open.nlnetlabs.nl
http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
4411
days inactive
4426
days old
18 comments
8 participants
participants (8)
-
Daniel-Constantin Mierla -
Henning Westerholt -
Iñaki Baz Castillo -
James Cloos -
Klaus Darilion -
Marius Zbihlei -
Olle E. Johansson -
Peter Dunkley