Kamailio SIP Server Wiki

User Tools

Site Tools

Trace: dnssec
tutorials:dns:dnssec

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
tutorials:dns:dnssec [2013/04/21 12:32] – [Adding SIP Users] micondatutorials:dns:dnssec [2013/04/25 10:49] (current) mariuszbihlei
Line 1: Line 1:
-====== Kamailio with DNSEC ======+====== Kamailio with DNSSEC ======
  
-The **dnssec** module was added during the development of v4.1.0 (expected to be released later in 2013). Therefore this tutorial presents how to add DNSSEC module in the default configuration file of Kamailio, following GIT installation guidelines.+The **dnssec** module in Kamailio was added during the development of v4.1.0 (expected to be released later in 2013). Therefore this tutorial presents how to add DNSSEC module in the default configuration file of Kamailio, following GIT installation guidelines.
  
 In short, this tutorial focuses on: In short, this tutorial focuses on:
Line 8: Line 8:
   * add DNSSEC support to configuration file   * add DNSSEC support to configuration file
  
-Note: Ubuntu 12.04 was chosen because dnssec tools devel library are provided for this distribution.+**Note:** the DNSSEC module is several days old at the time of writing initial version of this tutorial. For any assistance, email to **<sr-users [at] sip-router.org>** -- it is a public mailing list that requires subscription, see more details at: 
 + 
 +  * http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users 
 + 
 +**Note:** Ubuntu 12.04 was chosen because dnssec tools devel library are provided for this distribution, making the installation of the required dependencies much easier. There are packages for other Linux distribution (e.g., Fedora), most of the steps provided in this tutorial being valid (the rest have to updated for the specifics of the distribution, e.g., how to install packages, create system users or init.d scripts).
 ===== About DNSSEC ===== ===== About DNSSEC =====
  
Line 29: Line 33:
 ==== DNSSEC Tools Devel Libraries Installation ==== ==== DNSSEC Tools Devel Libraries Installation ====
  
-You need these libraries to compile Kamailio's DNSSEC module. You can download the libraries from:+You need DNSSEC tools devel libraries to compile Kamailio's DNSSEC module. You can download the libraries from:
  
   * http://dnssec-tools.org/download/#gotoBinaries   * http://dnssec-tools.org/download/#gotoBinaries
Line 38: Line 42:
 dns-validator_2.0-1_i386.deb dns-validator_2.0-1_i386.deb
 libval-threads_2.0-1_i386.deb libval-threads_2.0-1_i386.deb
-libsres_2.0-1_i386.deb 
 libval-threads-dev_2.0-1_i386.deb libval-threads-dev_2.0-1_i386.deb
 +libsres_2.0-1_i386.deb
 libsres-dev_2.0-1_i386.deb libsres-dev_2.0-1_i386.deb
 </code> </code>
Line 184: Line 188:
  
 <code> <code>
-/usr/local/src/kamailio-devel/kamailio/pkg/kamailio/deb/debian/kamailio.init+  /usr/local/src/kamailio-devel/kamailio/pkg/kamailio/deb/debian/kamailio.init
 </code> </code>
  
 +The default file for init.d script is provided at:
  
-Next is a script to install it: 
-Just copy the init file into the /etc/init.d/kamailio. Then change the permisions: 
  
 <code> <code>
-  cp /usr/local/src/kamailio-devel/kamailio/pkg/kamailio/deb/debian/kamailio.init /etc/init.d/kamailio +  /usr/local/src/kamailio-devel/kamailio/pkg/kamailio/debian/kamailio.default
-  chmod 755 /etc/init.d/kamailio +
-  cp /usr/local/src/kamailio-devel/pkg/kamailio/debian/kamailio.default /etc/default/kamailio+
 </code> </code>
  
-Edit the file **/etc/init.d/kamailio** to update the $DAEMON value: +Run next command to deploy the init.d scripts:
-<code> +
-  DAEMON=/usr/local/sbin/kamailio +
-</code> +
- +
-Edit the file **/etc/default/kamailio** and set:+
  
 <code> <code>
-  RUN_KAMAILIO=yes+  make install-initd-debian
 </code> </code>
  
-You can edit the other options at your convenience. +It will create also user and group **kamailio**, plus runtime directory **/var/run/kamailio**.
- +
-Create the directory for pid file: +
- +
-<code> +
-mkdir -p /var/run/kamailio +
-</code> +
- +
-Default setting is to run Kamailio as user "kamailio" and group "kamailio". For that you need to create the user: +
- +
-<code> +
-adduser --quiet --system --group --disabled-password \ +
-        --shell /bin/false --gecos "Kamailio"+
-        --home /var/run/kamailio kamailio +
- +
-# set ownership to /var/run/kamailio +
-chown kamailio:kamailio /var/run/kamailio +
-</code>+
  
-Then you can start/stop Kamailio using the following commands:+Now Kamailio can be started or stopped with:
  
 <code> <code>
Line 234: Line 213:
 </code> </code>
  
-===== Update Kamailio Configuration File =====+ 
 +===== Update Kamailio Config File =====
  
 Next step is to enable user authentication, persistent location service and add dnssec module. You have to edit the configuration file. Next step is to enable user authentication, persistent location service and add dnssec module. You have to edit the configuration file.
Line 242: Line 222:
 </code> </code>
  
-Follow the instruction in the comments to enable usage of MySQL. Basically you have to add several lines at the top of config file, like:+Follow the instruction in the comments to enable usage of MySQL. Basically you have to add several lines at the top of config file (but after the first line), like:
  
 <code> <code>
Line 253: Line 233:
  
 ==== Add DNSSEC Module ==== ==== Add DNSSEC Module ====
 +
 +The README of DNSSEC module is available at:
 +
 +  * http://kamailio.org/docs/modules/devel/modules/dnssec.html
  
 You have to load dnssec module in kamailio.cfg: You have to load dnssec module in kamailio.cfg:
Line 263: Line 247:
  
 The module does not require any parameter, you are ready to use the configuration file now. The module does not require any parameter, you are ready to use the configuration file now.
 +
 +Start Kamailio with:
 +
 +<code>
 +/etc/init.d/kamailio start
 +</code>
 +
 +===== DNS Server DNSSEC Enabled =====
 +
 +This tutorial does not include yet (left for future updates) how to setup a DNSSEC-enabled DNS server, there are many useful resources on the web. Among them:
 +
 +  * http://www.howtoforge.com/configuring-dnssec-on-bind9-9.7.3-on-debian-squeeze-ubuntu-11.10
 +  * http://wiki.wsartori.com/wiki/The_Perfect_BIND_DNS_Server_DNSSEC_enabled
 +===== Testing =====
 +
 +One way to test is to setup two instances of Kamailio, one serving domainA.com and the second domainB.com.
 +
 +Then alice@domainA.com can call bob@domainB.com. Kamailio instance serving domainA.com will do DNS lookup do discover the IP address of domainB.com
 +
 +One easy way to test is to use a Open DNS resolver that provides Recursive DNSSEC capabilities. One of those is 8.8.8.8 ( Google Open DNS). 
 +As per the FAQ, DNSSEC support is enabled (https://developers.google.com/speed/public-dns/faq#dnssec)
 +
 +Edit /etc/resolv.conf and modify your nameserver definition to have 'nameserver 8.8.8.8'.
 +
 +Launch Kamailio with DNSSEC module enabled and try to send a SIP package to the domain www.dnssec-failed.org. DNS resolving for this domain should fail, as it is a test domain which provides an incorrect signature. Kamailio should report:
 +"0(70805) INFO: dnssec [dnssec_func.c:145]: invalid domain www.dnssec-failed.org reason VAL_UNTRUSTED_ANSWER"
 +
 +
 +
 +
 +
 +
 +
 +
 +===== Remarks =====
 +
 +  * setup of a DNS server with DNSSEC support is left for future updates of this tutorial
 +  * the DNSSEC module overwrites the API in the core for doing DNS queries, therefore is nothing else required to do apart of loading the module
 +  * Kamailio will do a DNS query each time it has to forward a SIP request based on hostname
tutorials/dns/dnssec.1366547575.txt.gz · Last modified: 2013/04/21 12:32 by miconda
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki