On 12.10.2012 08:46, Olle E. Johansson wrote:
11 okt 2012 kl. 16:54 skrev Marius Zbihlei marius.zbihlei@1and1.ro:
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of having it in the respective recursive DNS server? I think most people who operate a SIP proxy also have a resolving name server within their names. It may happen that bugfixes in DNSSEC libraries require you to rebuild/restart your SIP proxy, instead of just updating the local recursor.
I imagined a situation in which you don't trust your resolver, even in the same LAN. Due to ARP poisoning, DNS requests (even your local resolver issues external requests) can be spoofed and incorrect data can be returned.
I think using BIND locally as a resolver indeed eliminates this issue, but with DNS caching in place I fail to see the reason for using a local DNS resolver; instead one can use a network resolver. Just a little more flexibility.
With DANE, a new RFC, Kamailio will validate SSL certificates in a DNSSEC-secured DNS zone. Feels good to be able to have control over the validation and get detailed error codes. And not have to trust external software for security validation.
FYI - ldns now supports DANE.
regards Klaus
Hello Everyone,
I am pleased to announce that version 1.6.14 of ldns is now available.
This release has more bugfixes than usual because of the code reviews from CZ.NIC and Paul Wouters. Thank you!
We have many improvements in the pyldns contribution from Karel Slany which are now listed in its own Changelog file in contrib/python (and below).
The most notable new feature is DANE support (RFC6698). New functions for verifying and constructing TLSA resource records have been added. The example tool, ldns-dane, has been added to demonstrate the new functions and for the general usability of DANE operation.
I hope this release will be useful for you and that you will keep us informed of your experiences.
Best regards,
Willem Toorop
link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.14.tar.gz
sha1: 2ef5fbf33b25d2f7b736c332ebccc0862dd12d02
Changelog:
==========
* DANE support (RFC6698), including ldns-dane example tool.
* Configurable default CA certificate repository for ldns-dane with --with-ca-file=CAFILE and --with-ca-path=CAPATH
* Configurable default trust anchor with --with-trust-anchor=FILE for drill, ldns-verify-zone and ldns-dane
* bugfix #474: Define socklen_t when undefined (like in Win32)
* bugfix #473: Dead code removal and resource leak fix in drill
* bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too.
* Various bugfixes from code reviews from CZ.NIC and Paul Wouters
* ldns-notify TSIG option argument checking
* Let ldns_resolver_nameservers_randomize keep nameservers and rtt's in sync.
* Let ldns_pkt_push_rr now return false on (memory) errors.
* Make buffer_export comply to documentation and fix buffer2str
* Various improvements and fixes of pyldns from Karel Slany now documented in their own Changelog.
* bugfix: Make ldns_resolver_pop_nameserver clear the array when there was only one.
* bugfix #459: Remove ldns_symbols and export symbols based on regex
* bugfix #458: Track all newly created signatures when signing.
* bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given.
* bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm.
* pyldns memory handling fixes and the python3/ldns-signzone.py examples script contribution from Karel Slany.
* bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed to be bigger (or equal) P in ldns_key_dsa2bin.
* bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new.
* bugfix #448: Copy nameserver value (instead of reference) of the answering nameserver to the answer packet in ldns_send_buffer, so the original value may be deep freed with the ldns_resolver struct.
* New -0 option for ldns-read-zone to replace inception, expiration and signature rdata fields with (null). Thanks Paul Wouters.
* New -p option for ldns-read-zone to prepend-pad SOA serial to take up ten characters.
* Return error if printing RR fails due to unknown/null RDATA.
pyldns Changelog:
=================
* Added rich comparison methods for ldns_dname, ldns_rdf, ldns_rr and ldns_rr_list classes.
* Added deprecation warnings into ldns_rr.new_frm_fp() and ldns_rr.new_frm_fp_l() and others.
* Fixed ldns_rr.set_rdf(), which may cause memory leaks, because it returns new objects (in the scope of Python). Also it leaked memory, when the call was not successful.
* Fixed ldns_get_rr_list_hosts_frm_file, marked as newobject.
* Fixed ldns_rr_list.cat() to return bool as mentioned in documentation.
* Fixed ldns_rr_list_cat_clone, marked as newobject.
* Fixed ldns_rr_list.new_frm_file(). Exception argument was invalid.
* Fixed ldns_rr_list.push_rr() to return bool as mentioned in documentation.
* Fixed ldns_rr_list.push_rr_list() to return bool as mentioned in documentation.
* Fixed ldns_rr_list.set_rr(), which caused memory corruption, double free problems and memory leaks. (The wrapper used original function instead of its push cloned variant which was missing.)
* Fixed ldns_rr_list.set_rr_count(), added python exception raise in order to avoid assertion failure.
* Fixed ldns_rr_list.subtype_by_rdf(), marked as newobject.
* Added ldns_rr.to_canonical(), ldns_rr.is_question(), ldns_rr.type_by_name(), ldns_rr.class_by_name(), ldns_rr_list.new(), ldns_rr.set_question().
* Modified ldns_rr_list.owner() and ldns_rr.owner(), now returns ldns_dname.
* Fixed assertion failures for several methods when receiving incorrect but syntactically valid arguments (i.e., ldns_rr.a_address(), ldns_rr.dnskey_algorithm(), ldns_rr.dnskey_flags(), ldns_rr.dnskey_key(), ldns_rr.dnskey_protocol(), ldns_rr.mx_exchange(), ldns_rr.mx_preference(), ldns_rr.ns_nsdname(), ldns_rr.owner(), ldns_rr.rdf(), ldns_rr.rrsig_algorithm(), ldns_rr.rrsig_expiration(), ldns_rr.rrsig_inception(), ldns_rr.rrsig_keytag(), ldns_rr.rrsig_labels(), ldns_rr.rrsig_origttl(), ldns_rr.rrsig_sig(), ldns_rr.rrsig_signame(), ldns_rr.rrsig_typecovered(), ldns_rr_list.owner(), ldns_rr_list.rr())
* Fixed ldns_rr.a_address(), which was asserting when called on non A or AAAA type rr. Now returns None when it fails.
* Added scripts for testing the basic functionality of the ldns_rr, ldns_rr_descriptor and ldns_rr_list class code.
* Improved documentation of ldns_rr, ldns_rr_descriptor and ldns_rr_list.
* Fixed automatic conversion from Python string to ldns_rdf and ldns_dname. Caused memory corruption when using Python 3.
* The Python 3 wrapper code now raises TypeError instead of ValueError when receiving a non FILE * argument when it should be a FILE *.
* Fixed wrong handling of _ldns_rr_list_free() and _ldns_rr_list_deep_free() when compiling with LDNS_DEBUG directive.
* Fixed malfunctioning ldns.ldns_rdf_new_frm_fp_l().
* Fixed malfunctioning ldns_drf.absolute() and ldns_dname.absolute().
* Marked several functions related to ldns_rdf and ldns_buffer as returning new objects.
* Methods operating on ldns_dnames and returning dname ldns_rdfs now return ldns_dname instances.
* Improved documentation of ldns_buffer, ldns_rdf and ldns_dname classes.
* Methods ldns_buffer.available() and ldns_buffer.available_at() now return bool types as described in the documentation.
* Added scripts for testing the basic functionality of the ldns_buffer, ldns_rdf, ldns_dname class code.
* Added deprecation warnings to ldns_rdf methods operating on dname rdfs. The user is encouraged to convert dname ldns_rdfs to ldns_dnames.
* Extended ldns_dname constructor to accept ldns_rdfs containing dnames.
_______________________________________________ ldns-users mailing list ldns-users@open.nlnetlabs.nl http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
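The thread above (Olle's remark that DANE lets Kamailio validate a TLS certificate against a DNSSEC-secured zone, and the ldns 1.6.14 announcement of functions for constructing and verifying TLSA records) refers to the mechanics of RFC 6698 without showing them. The following is an added example written for this page; it is not code from ldns, pyldns, ldns-dane or Kamailio. It constructs TLSA RDATA from a certificate and checks a certificate against a TLSA RRset the way a DANE-EE (usage 3) client does. Everything in it is an assumption of the example: the function names, the constructed dummy certificate bytes (not a real X.509 certificate), and the decision to have the caller supply the SubjectPublicKeyInfo bytes for selector 1 rather than parsing DER here.

```python
"""TLSA construction and matching per RFC 6698 (added example, not ldns code).

Usage in a DANE-EE client: look up _<port>._tcp.<host> IN TLSA with a
DNSSEC-validating resolver (or validate locally), take the end-entity
certificate from the TLS handshake, and call dane_ee_accept().
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Certificate usages (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors (section 2.1.2): full certificate or SubjectPublicKeyInfo
SEL_CERT, SEL_SPKI = 0, 1
# Matching types (section 2.1.3)
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed dummy "DER" blob standing in for a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x00\x24" + b"constructed dummy certificate body (not X.509)"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data


def parse_tlsa(text: str) -> TLSA:
    """Parse TLSA presentation format (RFC 6698 section 2.2).

    Accepts a full RR line ("_443._tcp.host. IN TLSA 3 1 1 <hex>") or bare
    RDATA ("3 1 1 <hex>"); the hex data may be split over several fields.
    """
    fields = text.split()
    if "TLSA" in fields:
        fields = fields[fields.index("TLSA") + 1:]
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching = (int(f) for f in fields[:3])
    for v in (usage, selector, matching):
        if not 0 <= v <= 255:
            raise ValueError("TLSA parameter fields are single octets")
    data = bytes.fromhex("".join(fields[3:]))
    if matching == MATCH_SHA256 and len(data) != 32:
        raise ValueError("SHA-256 association data must be 32 bytes")
    if matching == MATCH_SHA512 and len(data) != 64:
        raise ValueError("SHA-512 association data must be 64 bytes")
    return TLSA(usage, selector, matching, data)


def association_data(selector: int, matching: int, cert_der: bytes,
                     spki_der: Optional[bytes] = None) -> bytes:
    """Compute the association data for one selector/matching-type pair.

    Selector 1 needs the DER SubjectPublicKeyInfo; extracting it from the
    certificate requires an X.509 parser, so this example assumes the caller
    passes it as spki_der. Unknown parameters raise ValueError.
    """
    if selector == SEL_CERT:
        selected = cert_der
    elif selector == SEL_SPKI:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        selected = spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching == MATCH_EXACT:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching}")


def make_tlsa(usage: int, selector: int, matching: int, cert_der: bytes,
              spki_der: Optional[bytes] = None) -> str:
    """Construct TLSA RDATA in presentation format for a certificate."""
    data = association_data(selector, matching, cert_der, spki_der)
    return f"{usage} {selector} {matching} {data.hex()}"


def tlsa_matches(rr: TLSA, cert_der: bytes,
                 spki_der: Optional[bytes] = None) -> bool:
    """True if the certificate matches this one TLSA record.

    A record whose selector or matching type we cannot compute is unusable
    and therefore does not match (RFC 6698 section 4.1).
    """
    try:
        expected = association_data(rr.selector, rr.matching, cert_der, spki_der)
    except ValueError:
        return False
    # Constant-time compare; the record data is attacker-influenced input.
    return hmac.compare_digest(expected, rr.data)


def dane_ee_accept(rrset: Iterable[TLSA], cert_der: bytes,
                   spki_der: Optional[bytes] = None) -> bool:
    """DANE-EE check: accept the end-entity certificate if any usable
    usage-3 record matches it. Usages 0-2 additionally require PKIX chain
    validation (usage 2 against the TLSA-named trust anchor), which this
    example does not implement, so those records are treated as unusable.
    The RRset must come from a DNSSEC-validated answer; an unsigned or
    bogus TLSA answer provides no assurance at all."""
    return any(r.usage == DANE_EE and tlsa_matches(r, cert_der, spki_der)
               for r in rrset)


if __name__ == "__main__":
    rdata = make_tlsa(DANE_EE, SEL_CERT, MATCH_SHA256, SAMPLE_CERT_DER)
    print("_5061._tcp.sip.example.net. IN TLSA", rdata)
    print("matches:", dane_ee_accept([parse_tlsa(rdata)], SAMPLE_CERT_DER))
    print("tampered:", dane_ee_accept([parse_tlsa(rdata)], SAMPLE_CERT_DER + b"\x00"))
```

The point Klaus and Marius argue about in the thread sits outside this code: `dane_ee_accept` only answers "does this certificate match the TLSA data I was given"; whether that TLSA data is trustworthy depends entirely on where the DNSSEC validation happened, in the application or in a resolver it has to trust.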