Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with: /usr/bin/ld: cannot find -lval-threads /usr/bin/ld: cannot find -lsres collect2: error: ld returned 1 exit status make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't think they are actually in the default repos. Would it be possible to make the default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei marius.zbihlei@1and1.ro Committer: Marius Zbihlei marius.zbihlei@1and1.ro Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
Makefile.defs | 9 +++++++-- resolve.c | 18 ++++++++++++++++++ resolve.h | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
# # makefile defs (CC, LD,a.s.o) # @@ -1751,7 +1751,12 @@ ifeq ($(OS), linux) LIBS+=-lpthread endif endif
- # check for >= 2.5.44
- ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
- endif
# check for >= 2.5.44
- ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll) ifeq ($(NO_EPOLL),) C_DEFS+=-DHAVE_EPOLL
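Review bot: The guard `ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` is inverted: `findstring` yields an empty string when `-DUSE_DNSSEC` is absent, so `-lval-threads -lcrypto -lsres` are appended to LIBS exactly when DNSSEC was not requested. Use `ifneq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` so the validator libraries are linked only when the flag is set. The block also appears to sit inside the `ifeq ($(OS), linux)` section named in the hunk header, so a USE_DNSSEC build on another OS would presumably get no validator libraries; confirm against the rest of Makefile.defs, which is outside this hunk.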
diff --git a/resolve.c b/resolve.c index 17772b7..36a2992 100644 --- a/resolve.c +++ b/resolve.c @@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags) int name_len; struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
- val_status_t val_status;
+#endif
- if (cfg_get(core, core_cfg, dns_search_list)==0) { search_list_used=0; name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags) } fullname_rd=0;
+#ifndef USE_DNSSEC size=res_search(name, C_IN, type, buff.buff, sizeof(buff)); +#else
- size=val_res_query((val_context_t *) NULL,
(char *) name,
(int) C_IN,
(int) type,
(unsigned char *) buff.buff,
(int) sizeof(buff),
&val_status);
- if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
- }
+#endif
- if (unlikely(size<0)) { DBG("get_record: lookup(%s, %d) failed\n", name, type); goto not_found;
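Review bot: In the `#else` branch an answer that fails validation is only logged at `L_INFO` and then parsed exactly like a validated one, so building with USE_DNSSEC detects forged records but does not stop them from being used. Treat an untrusted status as a failed lookup, e.g. `LOG(L_WARN, "WARNING: untrusted DNS answer for %s, discarding\n", name); goto not_found;`, ideally behind a core config switch so operators can choose between log-only and enforcing. The `val_istrusted()` check also runs before `size<0` is tested, so a plain lookup failure is probably reported as an untrusted record too; test `size` first. The same log-and-continue pattern is in the `val_gethostbyname` and `val_gethostbyname2` hunks of `_resolvehost` in resolve.h. get_record's body continues outside the hunk.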
diff --git a/resolve.h b/resolve.h index 8ce68e6..66fd3ff 100644 --- a/resolve.h +++ b/resolve.h @@ -58,6 +58,10 @@ #include "dns_wrappers.h" #endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
/* define RESOLVE_DBG for debugging info (very noisy) */ #define RESOLVE_DBG /* define NAPTR_DBG for naptr related debugging info (very noisy) */ @@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif #ifdef DNS_IP_HACK +#ifdef USE_DNSSEC
- val_status_t val_status;
+#endif struct ip_addr* ip; str s;
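Review bot: `val_status` is declared directly after `#ifdef DNS_IP_HACK`, while the `val_gethostbyname()` calls added later in `_resolvehost` are guarded by `USE_DNSSEC` alone; unless that conditional closes before the declaration in lines outside this hunk, a build with USE_DNSSEC but without DNS_IP_HACK will fail on an undeclared variable. Move the `#ifdef USE_DNSSEC` / `val_status_t val_status;` / `#endif` group above `#ifdef DNS_IP_HACK`. _resolvehost starts and ends outside the hunk.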
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif /* ipv4 */ +#ifndef USE_DNSSEC he=gethostbyname(name); +#else
- he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
- if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
- }
+#endif
#ifdef USE_IPV6 if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){ #ifndef DNS_IP_HACK @@ -438,7 +453,14 @@ skip_ipv4: #endif /*try ipv6*/ #ifdef HAVE_GETHOSTBYNAME2
he=gethostbyname2(name, AF_INET6);#ifndef USE_DNSSEC
#else
he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
}
#elif defined HAVE_GETIPNODEBYNAME /* on solaris 8 getipnodebyname has a memory leak,#endif //!USE_DNSSEC
- after some time calls to it will fail with err=3