Hello,
thanks for providing all the details on getting dnssec sorted out with
dnsval.conf. It is really useful.
If you have the time, would be good to add those details in the readme
file for dnssec -- you can make a pull request for the file
modules/dnssec/doc/dnssec_admin.xml
The alternative would be to add to the wiki:
-
In the interest of sharing and promoting DNSSEC, I was recently
stumped on a problem where I noticed I could not call
sip:test.echo@sip5060.net without disabling the dnssec.so module in my
kamailio.cfg. The last time I had tried the sip5060 echo test was
several months ago, and in the intervening time, I had applied the
numerous debian package updates. Thus, I could not isolate the cause
of the problem to one of the many package updates such as kamailio
4.4.x, libval, my own DNSSEC dns server, etc... My initial only clue
was kamailio's syslog messages:
May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: tm
[ut.h:296]: uri2dst2(): ERROR: uri2dst: failed to resolve
"sip5060.net" :unresolvable A or AAAA request (-7)
May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: tm
[t_fwd.c:1712]: t_forward_nonack(): ERROR: t_forward_nonack: failure
to add branches
May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: sl
[sl_funcs.c:363]: sl_reply_error(): ERROR: sl_reply_error used:
Unresolvable destination (478/SL)
To summarize the problem, I found that kamailio's dnssec.so was
failing queries to domains that were not DNSSEC protected such as
sip5060.net. This behavior is a bug, since sip5060.net is in this
case, provably not participating in DNSSEC from the toplevel "net."
zone [1].
The fix was to provide a default configuration file to libval, which
was somehow not included in Debian's libval15 package. I created the
following configuration from the default dnsval.conf in the source
distribution:
https://dnssec-tools.org/download/dnsval-2.2.tar.gz
https://dnssec-tools.org/download/dnsval-2.2.tar.gz.asc
as well as their wiki:
https://www.dnssec-tools.org/wiki/index.php/Dnsval.conf
cat << 'EOF' > /etc/dnssec-tools/dnsval.conf
##################################
# Global Options
##################################
global-options
trust-oob-answers yes
# I'm running a DNSSEC nameserver locally,
# so 4 KiB queries to localhost should be OK:
edns0-size 4096
env-policy disable
app-policy disable
rec-fallback no
;
: trust-anchor
. DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
;
: zone-security-expectation
. validate
;
: provably-insecure-status
. trusted
;
: clock-skew
. 0
;
EOF
In summary: I find it odd that a default dnsval.conf was not included
with my system's normal installation of the "libval15:amd64" package,
version 2.2-4. After providing dnsval.conf, kamailio's dnssec.so was
happy again.
Side notes:
* To identify the directory for dnsval.conf, run
libval-config --dnsval-config
On Debian, libval-config is in the libval-dev package, and this
package includes a man page for dnsval.conf as well.
* To test your libval and dnsval.conf, try
dt-validate -s
On Debian, dt-validate is in the libval-bin package.
- David
[1] -- Authenticated denial of existence:
https://tools.ietf.org/html/rfc5155
https://tools.ietf.org/html/rfc7129
And for sip5060.net, there's an NSEC3 record in the top level net.
zone proving non-existence of sip5060.net DS records:
http://dnsviz.net/d/sip5060.net/dnssec/
Translation: sip5060.net has provably not enabled DNSSEC.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
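The thread above turns on two things in dnsval.conf: a trust anchor for the root and a provably-insecure-status of "trusted", without which an unsigned delegation such as sip5060.net is not resolved. The following is an added example, not code from libval, dnssec-tools, Kamailio or any poster in the thread: a small parser for the dnsval.conf layout shown in David's mail (comment lines, a global-options block, ": policy" sections with one "zone value" line each, blocks closed by ";"), plus a checker that reports a zone set to "validate" with no covering trust anchor or with provably-insecure delegations not marked trusted. The closest-enclosing-zone lookup and the reading of the two policies are this example's interpretation of the dnsval.conf documentation, and the sample configurations are constructed copies of the one posted.

```python
"""Parse and sanity-check a libval dnsval.conf policy file.

Added example for the sr-users thread; not code from libval, dnssec-tools
or Kamailio.  Format handling follows the file posted in the thread; policy
interpretation is this example's reading of the dnsval.conf documentation.
"""
import re

# Constructed sample: the configuration posted in the thread, with the DS
# digest wrapped onto its own line the way the mail client wrapped it.
SAMPLE_OK = """\
# Global Options
global-options
trust-oob-answers yes
edns0-size 4096
env-policy disable
app-policy disable
rec-fallback no
;
: trust-anchor
. DS 19036 8 2
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
;
: zone-security-expectation
. validate
;
: provably-insecure-status
. trusted
;
: clock-skew
. 0
;
"""

# Constructed variant: same anchor, but provably-insecure delegations are
# distrusted, i.e. unsigned names such as sip5060.net are not accepted.
SAMPLE_STRICT = SAMPLE_OK.replace(". trusted", ". untrusted")

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}   # SHA-1, SHA-256, SHA-384 digest sizes


def _norm(zone):
    """Canonical zone name with a trailing dot ('.' for the root)."""
    return "." if zone == "." else zone.rstrip(".") + "."


def _is_zone(tok):
    # Assumption: zone names contain a dot; keywords, numbers and hex digests do not.
    return "." in tok


def parse_dnsval_conf(text):
    """Return (global_options, policies).

    global_options maps option -> value; policies maps policy name -> list of
    [zone, [values...]].  A line that does not start with a zone name continues
    the previous entry, so a DS digest wrapped onto the next line is reassembled.
    """
    global_options, policies, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line == ";":                               # end of the current block
            section = None
        elif line == "global-options":
            section = "global-options"
        elif line.startswith(":"):                    # ': policy-name'
            section = line[1:].strip()
            policies.setdefault(section, [])
        elif section is None:
            raise ValueError(f"entry outside any block: {raw!r}")
        elif section == "global-options":
            tokens = line.split()
            global_options[tokens[0]] = " ".join(tokens[1:])
        else:
            tokens = line.split()
            if _is_zone(tokens[0]):
                policies[section].append([_norm(tokens[0]), tokens[1:]])
            elif policies[section]:
                policies[section][-1][1].extend(tokens)   # wrapped continuation
            else:
                raise ValueError(f"expected a zone name in {raw!r}")
    if section is not None:
        raise ValueError(f"block {section!r} not closed with ';'")
    return global_options, policies


def trust_anchors(policies):
    """Map zone -> (keytag, algorithm, digest_type, digest) from 'trust-anchor'."""
    anchors = {}
    for zone, values in policies.get("trust-anchor", []):
        if len(values) < 5 or values[0] != "DS":
            raise ValueError(f"unsupported trust anchor for {zone}: {values}")
        keytag, alg, dtype = (int(v) for v in values[1:4])
        digest = "".join(values[4:]).upper()          # rejoin wrapped hex
        want = DIGEST_HEX_LEN.get(dtype)
        if not re.fullmatch(r"[0-9A-F]+", digest) or (want and len(digest) != want):
            raise ValueError(f"bad DS digest for {zone}: {digest}")
        anchors[zone] = (keytag, alg, dtype, digest)
    return anchors


def _closest(name, table):
    """(zone, value) for the closest enclosing zone of name present in table."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    while True:
        key = ".".join(labels) + "." if labels else "."
        if key in table:
            return key, table[key]
        if not labels:
            return None, None
        labels.pop(0)                                 # walk up towards the root


def effective_policy(name, policies):
    """What the policy file says about a name such as 'sip5060.net'."""
    expect = {z: v[0] for z, v in policies.get("zone-security-expectation", [])}
    insecure = {z: v[0] for z, v in policies.get("provably-insecure-status", [])}
    return {"expectation": _closest(name, expect)[1],
            "provably-insecure": _closest(name, insecure)[1],
            "anchor": _closest(name, trust_anchors(policies))[0]}


def check_policy(text):
    """Return findings for a dnsval.conf; an empty list means nothing suspicious."""
    _, policies = parse_dnsval_conf(text)
    findings = []
    for zone, values in policies.get("zone-security-expectation", []):
        if values[0] != "validate":
            continue
        pol = effective_policy(zone, policies)
        if pol["anchor"] is None:
            findings.append(f"{zone}: 'validate' requested but no trust anchor covers it")
        if pol["provably-insecure"] != "trusted":
            findings.append(f"{zone}: provably-insecure delegations are "
                            f"{pol['provably-insecure'] or 'not set'}; unsigned names "
                            f"under it (e.g. sip5060.net) would not be treated as trusted")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted config", SAMPLE_OK), ("untrusted variant", SAMPLE_STRICT)):
        print(label, "->", check_policy(conf) or "ok")
        print("  sip5060.net:", effective_policy("sip5060.net", parse_dnsval_conf(conf)[1]))
```

Run it against your own /etc/dnssec-tools/dnsval.conf by passing the file's contents to check_policy(); the parser rejoins a DS digest that a mail client or editor has wrapped, and effective_policy() shows which anchor and which provably-insecure-status a given name inherits from its closest configured parent zone.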