Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei marius.zbihlei@1and1.ro Committer: Marius Zbihlei marius.zbihlei@1and1.ro Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools, dnssec-tools.org). The custom resolvers were replaced by val_gethostbyname, val_gethostbyname2 and val_res_query (for SRV).
---
Makefile.defs | 9 +++++++-- resolve.c | 18 ++++++++++++++++++ resolve.h | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
 #
 # makefile defs (CC, LD,a.s.o)
 #
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
 LIBS+=-lpthread
 endif
 endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
 ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
 ifeq ($(NO_EPOLL),)
 C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
 int name_len;
 struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
 if (cfg_get(core, core_cfg, dns_search_list)==0) {
 search_list_used=0;
 name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
 }
 fullname_rd=0;
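Review bot: The new `LIBS+=-lval-threads -lcrypto -lsres -lpthread` line appends `-lpthread` although the context line at the top of the hunk (`LIBS+=-lpthread`) already appends it, conditionally, in this section, so those builds carry the flag twice on the link line; dropping it from the new line avoids the duplicate. `$(info "using libval for DNSSEC validation")` prints the double quotes literally because make does not strip them; `$(info using libval for DNSSEC validation)` gives the intended output. As far as the hunk header (`ifeq ($(OS), linux)`) suggests, the whole block sits inside the Linux-specific section, so a USE_DNSSEC build on another OS would not get these libraries at all — worth confirming that is intended, or moving the block out of the OS-specific part.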
+#ifndef USE_DNSSEC
 size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
 if (unlikely(size<0)) {
 DBG("get_record: lookup(%s, %d) failed\n", name, type);
 goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
 #include "dns_wrappers.h"
 #endif
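Review bot: A failed trust check on the `val_res_query` answer is only logged at L_INFO and the answer is then used exactly like a validated one, because `size` is left untouched and the flow continues into the `if (unlikely(size<0))` test below, so under USE_DNSSEC an unvalidated or bogus response reaches the caller the same way a trusted one does. If validation failures are meant to fail the lookup, the branch should say so, e.g. `if(!val_istrusted(val_status)){ LOG(L_WARN, "WARNING: untrusted DNS answer for %s, rejecting\n", name); goto not_found; }`; if continuing is deliberate because policy is delegated to the libval configuration, a comment above the check stating that would save the next reader the question, and the level should still be raised above L_INFO. The same log-and-continue pattern appears in the two `_resolvehost` hunks in resolve.h (`val_gethostbyname` and `val_gethostbyname2`). Separately, `val_res_query` replaces `res_search`; whether it applies the resolver search list the way `res_search` does is not visible here, and it would affect the `search_list_used` handling earlier in get_record — worth confirming. get_record's body starts and continues outside this hunk.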
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
 /* define RESOLVE_DBG for debugging info (very noisy) */
 #define RESOLVE_DBG
 /* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
 #endif
 #endif
 #ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
 struct ip_addr* ip;
 str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
 #endif
 #endif /* ipv4 */
+#ifndef USE_DNSSEC
 he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
 #ifdef USE_IPV6
 if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
 #ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
 #endif
 /*try ipv6*/
 #ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
 he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+ #endif //!USE_DNSSEC
 #elif defined HAVE_GETIPNODEBYNAME
 /* on solaris 8 getipnodebyname has a memory leak,
 * after some time calls to it will fail with err=3
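Review bot: `val_status` is declared inside the `#ifdef DNS_IP_HACK` block in the -400 hunk of resolve.h (the declaration directly follows `#ifdef DNS_IP_HACK` and sits with `struct ip_addr* ip; str s;`), but it is used by the `val_gethostbyname` and `val_gethostbyname2` calls in these two hunks, which are guarded only by USE_DNSSEC; a build with USE_DNSSEC and without DNS_IP_HACK would appear to fail on an undeclared identifier, unless the `#endif` for DNS_IP_HACK (not visible here) comes before it. Moving `#ifdef USE_DNSSEC` / `val_status_t val_status;` / `#endif` next to the unconditional locals of `_resolvehost` removes that dependency. In the `HAVE_GETHOSTBYNAME2` hunk the new directives are indented (` #ifndef USE_DNSSEC`) and closed with a `//` comment (`#endif //!USE_DNSSEC`) while the surrounding header keeps directives at column 0 with `/* */` comments; `#endif /* !USE_DNSSEC */` at column 0 would match. `_resolvehost` starts and continues outside these hunks.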
10 okt 2012 kl. 16:56 skrev Marius Zbihlei marius.zbihlei@1and1.ro:
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
Wow!
I did not see that coming. GREAT stuff, Marius!!!!
I would, if possible, like to get a return code when sending a SIP message out that indicates this failure.
THANK YOU! /O
2012/10/10 Olle E. Johansson oej@edvina.net:
I did not see that coming. GREAT stuff, Marius!!!!
I would, if possible, get a return code when sending a SIP message out that indicates this failure.
THANK YOU!
Olle, some people (i.e... me) would appreciate a good blog post from you explaining all this DNSSEC stuff and how it applies to SIP ;)
10 okt 2012 kl. 18:07 skrev Iñaki Baz Castillo ibc@aliax.net:
2012/10/10 Olle E. Johansson oej@edvina.net:
I did not see that coming. GREAT stuff, Marius!!!!
I would, if possible, get a return code when sending a SIP message out that indicates this failure.
THANK YOU!
Olle, some people (i.e... me) would appreciate a good blog post from you explaining all this DNSSEC stuf and how it applies to SIP ;)
Some people are going to listen to some people and write it down.
Here's an old one but it does need updates:
http://www.voip-forum.com/opensource/2011-03/sipdane/
/O
Hi!
10 okt 2012 kl. 16:56 skrev Marius Zbihlei marius.zbihlei@1and1.ro:
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
I did not see this information being added to Makefile, INSTALL or any other document.
Adding Documentation is generally a GOOD THING (TM) :-)
/O
Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with: /usr/bin/ld: cannot find -lval-threads /usr/bin/ld: cannot find -lsres collect2: error: ld returned 1 exit status make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't think they are actually in the default repos. Would it be possible to make the default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei marius.zbihlei@1and1.ro Committer: Marius Zbihlei marius.zbihlei@1and1.ro Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
Makefile.defs | 9 +++++++-- resolve.c | 18 ++++++++++++++++++ resolve.h | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs index 1645c34..2b7f332 100644 --- a/Makefile.defs +++ b/Makefile.defs @@ -1,4 +1,4 @@ -# $Id$
# # makefile defs (CC, LD,a.s.o) # @@ -1751,7 +1751,12 @@ ifeq ($(OS), linux) LIBS+=-lpthread endif endif
- # check for >= 2.5.44
- ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
- endif
# check for >= 2.5.44
- ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll) ifeq ($(NO_EPOLL),) C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c index 17772b7..36a2992 100644 --- a/resolve.c +++ b/resolve.c @@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags) int name_len; struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
- val_status_t val_status;
+#endif
- if (cfg_get(core, core_cfg, dns_search_list)==0) { search_list_used=0; name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags) } fullname_rd=0;
+#ifndef USE_DNSSEC size=res_search(name, C_IN, type, buff.buff, sizeof(buff)); +#else
- size=val_res_query((val_context_t *) NULL,
(char *) name,
(int) C_IN,
(int) type,
(unsigned char *) buff.buff,
(int) sizeof(buff),
&val_status);
- if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
- }
+#endif
- if (unlikely(size<0)) { DBG("get_record: lookup(%s, %d) failed\n", name, type); goto not_found;
diff --git a/resolve.h b/resolve.h index 8ce68e6..66fd3ff 100644 --- a/resolve.h +++ b/resolve.h @@ -58,6 +58,10 @@ #include "dns_wrappers.h" #endif
+#ifdef USE_DNSSEC +#include "validator/validator.h" +#endif
/* define RESOLVE_DBG for debugging info (very noisy) */ #define RESOLVE_DBG /* define NAPTR_DBG for naptr related debugging info (very noisy) */ @@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif #ifdef DNS_IP_HACK +#ifdef USE_DNSSEC
- val_status_t val_status;
+#endif struct ip_addr* ip; str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif /* ipv4 */ +#ifndef USE_DNSSEC he=gethostbyname(name); +#else
- he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
- if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
- }
+#endif
#ifdef USE_IPV6 if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){ #ifndef DNS_IP_HACK @@ -438,7 +453,14 @@ skip_ipv4: #endif /*try ipv6*/ #ifdef HAVE_GETHOSTBYNAME2
he=gethostbyname2(name, AF_INET6);#ifndef USE_DNSSEC
#else
he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
}
#elif defined HAVE_GETIPNODEBYNAME /* on solaris 8 getipnodebyname has a memory leak,#endif //!USE_DNSSEC
- after some time calls to it will fail with err=3
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
I've had a bit more luck...
On Fedora the package dnssec-tools-libs-devel fixes the build problems, but for CentOS/RHEL the dnssec packages are not part of the standard distribution (they are in EPEL). So as things stand the master build of Kamailio core (with default options) is broken for Enterprise Linux based OSes.
Regards,
Peter
On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote:
Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with: /usr/bin/ld: cannot find -lval-threads /usr/bin/ld: cannot find -lsres collect2: error: ld returned 1 exit status make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't they are actually in the default repos. Would it be possible to make the default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei marius.zbihlei@1and1.ro Committer: Marius Zbihlei marius.zbihlei@1and1.ro Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
Makefile.defs | 9 +++++++-- resolve.c | 18 ++++++++++++++++++ resolve.h | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs index 1645c34..2b7f332 100644 --- a/Makefile.defs +++ b/Makefile.defs @@ -1,4 +1,4 @@ -# $Id$
# # makefile defs (CC, LD,a.s.o) # @@ -1751,7 +1751,12 @@ ifeq ($(OS), linux) LIBS+=-lpthread endif endif
- # check for >= 2.5.44
- ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
- endif
# check for >= 2.5.44
- ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll) ifeq ($(NO_EPOLL),) C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c index 17772b7..36a2992 100644 --- a/resolve.c +++ b/resolve.c @@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags) int name_len; struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
- val_status_t val_status;
+#endif
- if (cfg_get(core, core_cfg, dns_search_list)==0) { search_list_used=0; name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags) } fullname_rd=0;
+#ifndef USE_DNSSEC size=res_search(name, C_IN, type, buff.buff, sizeof(buff)); +#else
- size=val_res_query((val_context_t *) NULL,
(char *) name,
(int) C_IN,
(int) type,
(unsigned char *) buff.buff,
(int) sizeof(buff),
&val_status);
- if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
- }
+#endif
- if (unlikely(size<0)) { DBG("get_record: lookup(%s, %d) failed\n", name, type); goto not_found;
diff --git a/resolve.h b/resolve.h index 8ce68e6..66fd3ff 100644 --- a/resolve.h +++ b/resolve.h @@ -58,6 +58,10 @@ #include "dns_wrappers.h" #endif
+#ifdef USE_DNSSEC +#include "validator/validator.h" +#endif
/* define RESOLVE_DBG for debugging info (very noisy) */ #define RESOLVE_DBG /* define NAPTR_DBG for naptr related debugging info (very noisy) */ @@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif #ifdef DNS_IP_HACK +#ifdef USE_DNSSEC
- val_status_t val_status;
+#endif struct ip_addr* ip; str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif /* ipv4 */ +#ifndef USE_DNSSEC he=gethostbyname(name); +#else
- he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
- if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
- }
+#endif
#ifdef USE_IPV6 if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){ #ifndef DNS_IP_HACK @@ -438,7 +453,14 @@ skip_ipv4: #endif /*try ipv6*/ #ifdef HAVE_GETHOSTBYNAME2
he=gethostbyname2(name, AF_INET6);#ifndef USE_DNSSEC
#else
he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
}
#elif defined HAVE_GETIPNODEBYNAME /* on solaris 8 getipnodebyname has a memory leak,#endif //!USE_DNSSEC
- after some time calls to it will fail with err=3
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
Hello all,
First of all sorry for the broken build. I was 100% sure that it will no be enabled in master.I thought I have tested. I will fix it first thing in the morning...
So, on Debian/Ubuntu and now it seems in RHEL the devel headers and libraries are not installed. I had to download them from dnssec-tools.org. Other than that, just enabling the flag should allow for DNSSEC queries. The failure of the validate method is actually controlled by dnsval.conf. If a zone is not signed, then the validate method will silently ignore the error and permit validation. If set to untrusted, any name that is not explicitly signed will fail. At the moment I just print an informational message in the log.
When I have tested the patch, it seemed that there aren't a lot of DNSSEC aware servers, and even if they are, the TLD's are not signed... So for now the USE_DNSSEC must be disabled
Marius ________________________________________ From: sr-dev-bounces@lists.sip-router.org [sr-dev-bounces@lists.sip-router.org] On Behalf Of Peter Dunkley [peter.dunkley@crocodile-rcs.com] Sent: Wednesday, October 10, 2012 7:27 PM To: Development mailing list of the sip-router project Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
I've had a bit more luck...
On Fedora the package dnssec-tools-libs-devel fixes the build problems, but for CentOS/RHEL the dnssec packages are not part of the standard distribution (they are in EPEL). So as things stand the master build of Kamailio core (with default options) is broken for Enterprise Linux based OSes.
Regards,
Peter
On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote: Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with: /usr/bin/ld: cannot find -lval-threads /usr/bin/ld: cannot find -lsres collect2: error: ld returned 1 exit status make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't they are actually in the default repos. Would it be possible to make the default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei <marius.zbihlei@1and1.romailto:marius.zbihlei@1and1.ro> Committer: Marius Zbihlei <marius.zbihlei@1and1.romailto:marius.zbihlei@1and1.ro> Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
---
Makefile.defs | 9 +++++++-- resolve.c | 18 ++++++++++++++++++ resolve.h | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs index 1645c34..2b7f332 100644 --- a/Makefile.defs +++ b/Makefile.defs @@ -1,4 +1,4 @@ -# $Id$ + # # makefile defs (CC, LD,a.s.o) # @@ -1751,7 +1751,12 @@ ifeq ($(OS), linux) LIBS+=-lpthread endif endif - # check for >= 2.5.44 + ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS))) + LIBS+=-lval-threads -lcrypto -lsres -lpthread +$(info "using libval for DNSSEC validation") + endif + # check for >= 2.5.44 + ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll) ifeq ($(NO_EPOLL),) C_DEFS+=-DHAVE_EPOLL diff --git a/resolve.c b/resolve.c index 17772b7..36a2992 100644 --- a/resolve.c +++ b/resolve.c @@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags) int name_len; struct rdata* fullname_rd;
+#ifdef USE_DNSSEC + val_status_t val_status; +#endif + if (cfg_get(core, core_cfg, dns_search_list)==0) { search_list_used=0; name_len=0; @@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags) } fullname_rd=0;
+#ifndef USE_DNSSEC size=res_search(name, C_IN, type, buff.buff, sizeof(buff)); +#else + size=val_res_query((val_context_t *) NULL, + (char *) name, + (int) C_IN, + (int) type, + (unsigned char *) buff.buff, + (int) sizeof(buff), + &val_status); + if(!val_istrusted(val_status)){ + LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name); + } +#endif + if (unlikely(size<0)) { DBG("get_record: lookup(%s, %d) failed\n", name, type); goto not_found; diff --git a/resolve.h b/resolve.h index 8ce68e6..66fd3ff 100644 --- a/resolve.h +++ b/resolve.h @@ -58,6 +58,10 @@ #include "dns_wrappers.h" #endif
+#ifdef USE_DNSSEC +#include "validator/validator.h" +#endif + /* define RESOLVE_DBG for debugging info (very noisy) */ #define RESOLVE_DBG /* define NAPTR_DBG for naptr related debugging info (very noisy) */ @@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif #ifdef DNS_IP_HACK +#ifdef USE_DNSSEC + val_status_t val_status; +#endif struct ip_addr* ip; str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif /* ipv4 */ +#ifndef USE_DNSSEC he=gethostbyname(name); +#else + he=val_gethostbyname( (val_context_t *) 0, name, &val_status); + if(!val_istrusted(val_status)){ + LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name); + } +#endif + #ifdef USE_IPV6 if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){ #ifndef DNS_IP_HACK @@ -438,7 +453,14 @@ skip_ipv4: #endif /*try ipv6*/ #ifdef HAVE_GETHOSTBYNAME2 + #ifndef USE_DNSSEC he=gethostbyname2(name, AF_INET6); + #else + he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status); + if(!val_istrusted(val_status)){ + LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name); + } + #endif //!USE_DNSSEC #elif defined HAVE_GETIPNODEBYNAME /* on solaris 8 getipnodebyname has a memory leak, * after some time calls to it will fail with err=3
_______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.orgmailto:sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
_______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.orgmailto:sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
-- Peter Dunkley Technical Director Crocodile RCS Ltd
It seems I had a typo. Because I can't commit right now, can somebody apply the patch below.
Thanks!
Marius
diff --git a/Makefile.defs b/Makefile.defs
index 2b7f332..039ca33 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1751,7 +1751,7 @@ ifeq ($(OS), linux)
 LIBS+=-lpthread
 endif
 endif
- ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ ifneq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
 LIBS+=-lval-threads -lcrypto -lsres -lpthread
 $(info "using libval for DNSSEC validation")
 endif
________________________________________ From: sr-dev-bounces@lists.sip-router.org [sr-dev-bounces@lists.sip-router.org] On Behalf Of Marius Zbihlei [marius.zbihlei@1and1.ro] Sent: Wednesday, October 10, 2012 7:42 PM To: Development mailing list of the sip-router project Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
Hello all,
First of all sorry for the broken build. I was 100% sure that it will no be enabled in master.I thought I have tested. I will fix it first thing in the morning...
So, on Debian/Ubuntu and now it seems in RHEL the devel headers and libraries are not installed. I had to download them from dnssec-tools.org. Other than that, just enabling the flag should allow for DNSSEC queries. The failure of the validate method is actually controlled by dnsval.conf. If a zone is not signed, than the validate method will silently ignore the error and permit validation. If set to untrusted, any name that is not explicitly signed will fail. At the moment I just print an informal message in the log.
When I have tested the patch, it seemed that there aren't a lot of DNSSEC aware servers, and even if they are, the TLD's are not signed... So for now the USE_DNSSEC must be disabled
Marius ________________________________________ From: sr-dev-bounces@lists.sip-router.org [sr-dev-bounces@lists.sip-router.org] On Behalf Of Peter Dunkley [peter.dunkley@crocodile-rcs.com] Sent: Wednesday, October 10, 2012 7:27 PM To: Development mailing list of the sip-router project Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
I've had a bit more luck...
On Fedora the package dnssec-tools-libs-devel fixes the build problems, but for CentOS/RHEL the dnssec packages are not part of the standard distribution (they are in EPEL). So as things stand the master build of Kamailio core (with default options) is broken for Enterprise Linux based OSes.
Regards,
Peter
On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote: Hi,
DNSSEC seems to be enabled by default in master now.
My builds (on Fedora and CentOS) are now failing with: /usr/bin/ld: cannot find -lval-threads /usr/bin/ld: cannot find -lsres collect2: error: ld returned 1 exit status make: *** [kamailio] Error 1
I am not sure which packages to install to fix this - I don't they are actually in the default repos. Would it be possible to make the default behaviour not to build DNSSEC?
Thanks,
Peter
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei <marius.zbihlei@1and1.romailto:marius.zbihlei@1and1.ro> Committer: Marius Zbihlei <marius.zbihlei@1and1.romailto:marius.zbihlei@1and1.ro> Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
---
Makefile.defs | 9 +++++++-- resolve.c | 18 ++++++++++++++++++ resolve.h | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs index 1645c34..2b7f332 100644 --- a/Makefile.defs +++ b/Makefile.defs @@ -1,4 +1,4 @@ -# $Id$ + # # makefile defs (CC, LD,a.s.o) # @@ -1751,7 +1751,12 @@ ifeq ($(OS), linux) LIBS+=-lpthread endif endif - # check for >= 2.5.44 + ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS))) + LIBS+=-lval-threads -lcrypto -lsres -lpthread +$(info "using libval for DNSSEC validation") + endif + # check for >= 2.5.44 + ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll) ifeq ($(NO_EPOLL),) C_DEFS+=-DHAVE_EPOLL diff --git a/resolve.c b/resolve.c index 17772b7..36a2992 100644 --- a/resolve.c +++ b/resolve.c @@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags) int name_len; struct rdata* fullname_rd;
+#ifdef USE_DNSSEC + val_status_t val_status; +#endif + if (cfg_get(core, core_cfg, dns_search_list)==0) { search_list_used=0; name_len=0; @@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags) } fullname_rd=0;
+#ifndef USE_DNSSEC size=res_search(name, C_IN, type, buff.buff, sizeof(buff)); +#else + size=val_res_query((val_context_t *) NULL, + (char *) name, + (int) C_IN, + (int) type, + (unsigned char *) buff.buff, + (int) sizeof(buff), + &val_status); + if(!val_istrusted(val_status)){ + LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name); + } +#endif + if (unlikely(size<0)) { DBG("get_record: lookup(%s, %d) failed\n", name, type); goto not_found; diff --git a/resolve.h b/resolve.h index 8ce68e6..66fd3ff 100644 --- a/resolve.h +++ b/resolve.h @@ -58,6 +58,10 @@ #include "dns_wrappers.h" #endif
+#ifdef USE_DNSSEC +#include "validator/validator.h" +#endif + /* define RESOLVE_DBG for debugging info (very noisy) */ #define RESOLVE_DBG /* define NAPTR_DBG for naptr related debugging info (very noisy) */ @@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif #ifdef DNS_IP_HACK +#ifdef USE_DNSSEC + val_status_t val_status; +#endif struct ip_addr* ip; str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif /* ipv4 */ +#ifndef USE_DNSSEC he=gethostbyname(name); +#else + he=val_gethostbyname( (val_context_t *) 0, name, &val_status); + if(!val_istrusted(val_status)){ + LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name); + } +#endif + #ifdef USE_IPV6 if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){ #ifndef DNS_IP_HACK @@ -438,7 +453,14 @@ skip_ipv4: #endif /*try ipv6*/ #ifdef HAVE_GETHOSTBYNAME2 + #ifndef USE_DNSSEC he=gethostbyname2(name, AF_INET6); + #else + he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status); + if(!val_istrusted(val_status)){ + LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name); + } + #endif //!USE_DNSSEC #elif defined HAVE_GETIPNODEBYNAME /* on solaris 8 getipnodebyname has a memory leak, * after some time calls to it will fail with err=3
_______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.orgmailto:sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
_______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.orgmailto:sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
-- Peter Dunkley Technical Director Crocodile RCS Ltd
_______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
Hello,
thanks for this addition. Few comments:
1) not really important -- I guess is "validator/validator.h" part of the external library, but might be better to be included with square brackets, it is more common when including from standard paths, rather from local folders. Like:
#include <validator/validator.h>
2) from past experiences, it very unlikely people will start using it if they have to recompile with different flags. On the other hand, the core should not be dependent on such specific library (which seems it is not that spread across distros at this time anyhow). Looking at the patch, it is practically about returning a struct hostent pointer and checking a status parameter.
My proposal is to: - make a module that will have some wrappers around the dnssec functions. These wrappers should not have the dnssec specific parameters, returning the hostent and setting an integer (given as pointer) status parameter, in case the core needs to know more about the dnssec result - core can still have the USE_DNSSEC define just in case one wants to disable it completely - core will have a structure with pointers to the wrapper functions for dnssec - when loaded, the dnssec module will set the values of the function pointers in the core - core may get a new parameter use_dnnsec to enable/disable usage of dnssec from config file (although this can be redundant, such decision could be by loading/not loading dnssec module)
This does not look like big effort, considering the patch, and I think will make dnssec easier to experiment with for a larger user base. Similar mechanism is used more or less for tls and in other modules that needed to act in the core, but had exotic dependencies or functionalities (e.g., msrp module sets some callbacks in tcp receive code).
What do you think?
Cheers, Daniel
On 10/10/12 4:56 PM, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei marius.zbihlei@1and1.ro Committer: Marius Zbihlei marius.zbihlei@1and1.ro Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
[...]
Hello all,
Glad to see that there is such interest for the DNSSEC support. Thanks guys for the feedback and suggestions and sorry for the typo :)
Daniel, you are right. There are several other improvements that can be done, for example runtime configuration of policy using the resolve context in the dnsval.conf file (specify domains if they are trusted or not etc). This type of configuration is indeed better in a modparam statement than a core keyword, so I will move the calls to a dedicated module.
Cheers, Marius ________________________________________ From: Daniel-Constantin Mierla [miconda@gmail.com] Sent: Wednesday, October 10, 2012 9:08 PM To: Development mailing list of the sip-router project Cc: Marius Zbihlei Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries
Hello,
thanks for this addition. Few comments:
1) not really important -- I guess is "validator/validator.h" part of the external library, but might be better to be included with square brackets, it is more common when including from standard paths, rather from local folders. Like:
#include <validator/validator.h>
2) from past experience, it is very unlikely people will start using it if they have to recompile with different flags. On the other hand, the core should not depend on such a specific library (which does not seem to be widely packaged across distros at this time anyhow). Looking at the patch, it is practically about returning a struct hostent pointer and checking a status parameter.
My proposal is to: - make a module that will have some wrappers around the dnssec functions. These wrappers should not have the dnssec specific parameters, returning the hostent and setting an integer (given as pointer) status parameter, in case the core needs to know more about the dnssec result - core can still have the USE_DNSSEC define just in case one wants to disable it completely - core will have a structure with pointers to the wrapper functions for dnssec - when loaded, the dnssec module will set the values of the function pointers in the core - core may get a new parameter use_dnssec to enable/disable usage of dnssec from config file (although this can be redundant, such decision could be by loading/not loading dnssec module)
This does not look like big effort, considering the patch, and I think will make dnssec easier to experiment with for a larger user base. Similar mechanism is used more or less for tls and in other modules that needed to act in the core, but had exotic dependencies or functionalities (e.g., msrp module sets some callbacks in tcp receive code).
What do you think?
Cheers, Daniel
On 10/10/12 4:56 PM, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei marius.zbihlei@1and1.ro Committer: Marius Zbihlei marius.zbihlei@1and1.ro Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
[...]
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu
10 okt 2012 kl. 20:08 skrev Daniel-Constantin Mierla miconda@gmail.com:
Hello,
thanks for this addition. Few comments:
- not really important -- I guess "validator/validator.h" is part of the external library, but it might be better to include it with angle brackets, which is the usual convention when including from system paths rather than from local folders. Like:
#include <validator/validator.h>
- from past experience, it is very unlikely people will start using it if they have to recompile with different flags. On the other hand, the core should not depend on such a specific library (which does not seem to be widely packaged across distros at this time anyhow). Looking at the patch, it is practically about returning a struct hostent pointer and checking a status parameter.
My proposal is to:
- make a module that will have some wrappers around the dnssec functions. These wrappers should not have the dnssec specific parameters, returning the hostent and setting an integer (given as pointer) status parameter, in case the core needs to know more about the dnssec result
- core can still have the USE_DNSSEC define just in case one wants to disable it completely
- core will have a structure with pointers to the wrapper functions for dnssec
- when loaded, the dnssec module will set the values of the function pointers in the core
- core may get a new parameter use_dnssec to enable/disable usage of dnssec from config file (although this can be redundant, such decision could be by loading/not loading dnssec module)
This does not look like big effort, considering the patch, and I think will make dnssec easier to experiment with for a larger user base. Similar mechanism is used more or less for tls and in other modules that needed to act in the core, but had exotic dependencies or functionalities (e.g., msrp module sets some callbacks in tcp receive code).
What do you think?
For me it seems like a good architecture proposal.
We do need more DNSsec aware software in SIP and I believe it will mean a lot for SIP security soon.
/O
Cheers, Daniel
On 10/10/12 4:56 PM, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei marius.zbihlei@1and1.ro Committer: Marius Zbihlei marius.zbihlei@1and1.ro Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
[...]
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of having it in the respective recursive DNS server? I think most people who operate a SIP proxy also have a resolving name server within their network. It may happen that bugfixes in DNSSEC libraries require you to rebuild/restart your SIP proxy, instead of just updating the local recursor.
regards Klaus
On 10.10.2012 16:56, Marius Zbihlei wrote:
Module: sip-router Branch: master Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8...
Author: Marius Zbihlei marius.zbihlei@1and1.ro Committer: Marius Zbihlei marius.zbihlei@1and1.ro Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org) The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
Makefile.defs | 9 +++++++-- resolve.c | 18 ++++++++++++++++++ resolve.h | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
- # # makefile defs (CC, LD,a.s.o) #
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux) LIBS+=-lpthread endif endif
- # check for >= 2.5.44
- ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
- endif
# check for >= 2.5.44
- ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll) ifeq ($(NO_EPOLL),) C_DEFS+=-DHAVE_EPOLL
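Review bot: The guard `ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` is inverted: `findstring` expands to the empty string when the pattern is absent, so the condition holds exactly when USE_DNSSEC is NOT in C_DEFS, meaning `-lval-threads -lcrypto -lsres -lpthread` get linked into every plain Linux build while a DNSSEC build links none of them and would presumably fail on the unresolved val_* symbols. The fix is `ifneq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))`, keeping the `$(info ...)` inside the corrected guard so it only prints for DNSSEC builds. Note that the `+`/`-` markers in this quoted hunk look mangled by the mail client (the added lines appear as `-`), so the condition should be verified against the original commit rather than this copy.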
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags) int name_len; struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
- val_status_t val_status;
+#endif
- if (cfg_get(core, core_cfg, dns_search_list)==0) { search_list_used=0; name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags) } fullname_rd=0;
+#ifndef USE_DNSSEC
 size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
- size=val_res_query((val_context_t *) NULL,
(char *) name,
(int) C_IN,
(int) type,
(unsigned char *) buff.buff,
(int) sizeof(buff),
&val_status);
- if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
- }
+#endif
- if (unlikely(size<0)) { DBG("get_record: lookup(%s, %d) failed\n", name, type); goto not_found;
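Review bot: A failed validation is only logged at L_INFO and then ignored: when `val_istrusted(val_status)` is false the code falls through and `buff` is parsed exactly as if the answer were genuine, so the DNSSEC build still accepts the spoofed or bogus answers it is meant to reject. Unless a monitor-only mode is intended, the untrusted branch should fail closed, e.g. `LOG(L_WARN, "DNSSEC: untrusted answer for %s (status %d), discarding\n", name, (int)val_status); goto not_found;` — `not_found` is already the target of the `size<0` check that follows. If monitor-only behaviour is wanted it should be an explicit runtime option rather than the default. The same pattern is repeated for the `val_gethostbyname` calls in resolve.h; get_record's body continues outside the hunk.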
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@ #include "dns_wrappers.h" #endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
- /* define RESOLVE_DBG for debugging info (very noisy) */ #define RESOLVE_DBG /* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif #ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
- val_status_t val_status;
+#endif struct ip_addr* ip; str s;
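Review bot: `val_status_t val_status;` is declared inside the `#ifdef DNS_IP_HACK` region that this hunk extends, but the next hunk uses `val_status` in the generic `he=val_gethostbyname(...)` path, so a build with USE_DNSSEC defined and DNS_IP_HACK undefined would presumably fail to compile on an undeclared identifier. Move the declaration to the top of `_resolvehost` under a standalone `#ifdef USE_DNSSEC`, outside the DNS_IP_HACK block. The enclosing function starts before this hunk and the declaration region is only partly visible here, so the nesting should be confirmed against the full file.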
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name) #endif #endif /* ipv4 */
+#ifndef USE_DNSSEC
 he=gethostbyname(name);
+#else
- he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
- if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
- }
+#endif
- #ifdef USE_IPV6 if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){ #ifndef DNS_IP_HACK
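Review bot: After the `val_istrusted(val_status)` check fails, `he` still points at the untrusted hostent and is returned to the caller unchanged, and because the IPv6 fallback on the following context line only runs when `he==0`, an untrusted IPv4 answer also suppresses the AAAA attempt. Resetting the result in that branch, `he=0;` right after the `LOG(...)`, makes the function treat an untrusted answer like a failed lookup and lets the existing `dns_try_ipv6` path run. If libval's `val_istrusted` already accepts provably-insecure (unsigned) zones under the configured policy, a negative result is the bogus/spoofed case and there is little reason to keep the data. `_resolvehost` starts before this hunk and continues past it.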
@@ -438,7 +453,14 @@ skip_ipv4: #endif /*try ipv6*/ #ifdef HAVE_GETHOSTBYNAME2
he=gethostbyname2(name, AF_INET6);#ifndef USE_DNSSEC
#else
he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
if(!val_istrusted(val_status)){
LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
}
#elif defined HAVE_GETIPNODEBYNAME /* on solaris 8 getipnodebyname has a memory leak,#endif //!USE_DNSSEC
- after some time calls to it will fail with err=3
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of having it in the respective recursive DNS server? I think most people who operate a SIP proxy also have a resolving name server within their network. It may happen that bugfixes in DNSSEC libraries require you to rebuild/restart your SIP proxy, instead of just updating the local recursor.
I imagined a situation in which you don't trust your resolver, even on the same LAN. Due to ARP poisoning, DNS requests (including the external requests your local resolver issues) can be spoofed and incorrect data can be returned.
I think using BIND locally as a resolver indeed eliminates this issue, but with DNS caching in place I fail to see the reason to use a local DNS resolver when one can use a network resolver. Just a little more flexibility.
Marius
regards Klaus
11 okt 2012 kl. 16:54 skrev Marius Zbihlei marius.zbihlei@1and1.ro:
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of having it in the respective recursive DNS server? I think most people who operate a SIP proxy also have a resolving name server within their network. It may happen that bugfixes in DNSSEC libraries require you to rebuild/restart your SIP proxy, instead of just updating the local recursor.
I imagined a situation in which you don't trust your resolver, even on the same LAN. Due to ARP poisoning, DNS requests (including the external requests your local resolver issues) can be spoofed and incorrect data can be returned.
I think using BIND locally as a resolver indeed eliminates this issue, but with DNS caching in place I fail to see the reason to use a local DNS resolver when one can use a network resolver. Just a little more flexibility.
With DANE (RFC 6698), Kamailio could validate TLS certificates against TLSA records published in a DNSSEC-signed zone. It feels good to have control over the validation and get detailed error codes, and not to have to trust external software for security validation.
We should still be able to use an external resolver, of course.
/O
Gnutls' design for dane seems to be the right approach in general for apps which want to do dnssec validation: provide options for whether to respect resolv.conf and whether to cache results. Its libdane links to libunbound but allows apps to choose whether to tell libunbound to parse resolv.conf and whether to cache results.
Apps which have config file should make those options start-time configurable.
-JimC
13 okt 2012 kl. 13:19 skrev James Cloos cloos@jhcloos.com:
Gnutls' design for dane seems to be the right approach in general for apps which want to do dnssec validation: provide options for whether to respect resolv.conf and whether to cache results. Its libdane links to libunbound but allows apps to choose whether to tell libunbound to parse resolv.conf and whether to cache results.
Apps which have config file should make those options start-time configurable.
That sounds reasonable. What's the architecture for OpenSSL?
/O
On 12.10.2012 08:46, Olle E. Johansson wrote:
11 okt 2012 kl. 16:54 skrev Marius Zbihlei marius.zbihlei@1and1.ro:
On 10/11/2012 05:40 PM, Klaus Darilion wrote:
Hi Marius!
What's the benefit of having DNSSEC validation in Kamailio instead of having it in the respective recursive DNS server? I think most people who operate a SIP proxy also have a resolving name server within their network. It may happen that bugfixes in DNSSEC libraries require you to rebuild/restart your SIP proxy, instead of just updating the local recursor.
I imagined a situation in which you don't trust your resolver, even on the same LAN. Due to ARP poisoning, DNS requests (including the external requests your local resolver issues) can be spoofed and incorrect data can be returned.
I think using BIND locally as a resolver indeed eliminates this issue, but with DNS caching in place I fail to see the reason to use a local DNS resolver when one can use a network resolver. Just a little more flexibility.
With DANE (RFC 6698), Kamailio could validate TLS certificates against TLSA records published in a DNSSEC-signed zone. It feels good to have control over the validation and get detailed error codes, and not to have to trust external software for security validation.
FYI - ldns supports now DANE.
regards Klaus
Hello Everyone,
I am pleased to announce that version 1.6.14 of ldns is now available.
This release has more bugfixes than normally because of the code reviews from CZ.NIC and Paul Wouters. Thank you!
We have many improvements in the pyldns contribution from Karel Slany which are now listed in its own Changelog file in contrib/python (and below).
The most notably new feature is DANE support (RFC6698). New functions for verifying and constructing TLSA resource records have been added. The example tool, ldns-dane, has been added to demonstrate the new functions and for the general usability of DANE operation.
I hope this release will be useful for you and that you will keep us informed of your experiences.
Best regards,
Willem Toorop
link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.14.tar.gz sha1: 2ef5fbf33b25d2f7b736c332ebccc0862dd12d02
Changelog: ========== * DANE support (RFC6698), including ldns-dane example tool. * Configurable default CA certificate repository for ldns-dane with --with-ca-file=CAFILE and --with-ca-path=CAPATH * Configurable default trust anchor with --with-trust-anchor=FILE for drill, ldns-verify-zone and ldns-dane * bugfix #474: Define socklen_t when undefined (like in Win32) * bugfix #473: Dead code removal and resource leak fix in drill * bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too. * Various bugfixes from code reviews from CZ.NIC and Paul Wouters * ldns-notify TSIG option argument checking * Let ldns_resolver_nameservers_randomize keep nameservers and rtt's in sync. * Let ldns_pkt_push_rr now return false on (memory) errors. * Make buffer_export comply to documentation and fix buffer2str * Various improvements and fixes of pyldns from Katel Slany now documented in their own Changelog. * bugfix: Make ldns_resolver_pop_nameserver clear the array when there was only one. * bugfix #459: Remove ldns_symbols and export symbols based on regex * bugfix #458: Track all newly created signatures when signing. * bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given. * bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm. * pyldns memory handling fixes and the python3/ldns-signzone.py examples script contribution from Karel Slany. * bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed to be bigger (or equal) P in ldns_key_dsa2bin. * bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new. * bugfix #448: Copy nameserver value (in stead of reference) of the answering nameserver to the answer packet in ldns_send_buffer, so the original value may be deep freed with the ldns_resolver struct. * New -0 option for ldns-read-zone to replace inception, expiration and signature rdata fields with (null). Thanks Paul Wouters. * New -p option for ldns-read-zone to prepend-pad SOA serial to take up ten characters. 
* Return error if printing RR fails due to unknown/null RDATA.
pyldns Changelog: ================= * Added rich comparison methods for ldns_dname, ldns_rdf, ldns_rr and ldns_rr_list classes. * Added deprecation warnings into ldns_rr.new_frm_fp() and ldns_rr.new_frm_fp_l() and others. * Fixed ldns_rr.set_rdf(), which may cause memory leaks, because it returns new objects (in the scope of Python). Also it leaked memory, when the call was not successful. * Fixed ldns_get_rr_list_hosts_frm_file, marked as newobject. * Fixed ldns_rr_list.cat() to return bool as mentioned in documentation. * Fixed ldns_rr_list_cat_clone, marked as newobject. * Fixed ldns_rr_list.new_frm_file(). Exception argument was invalid. * Fixed ldns_rr_list.push_rr() to return bool as mentioned in documentation. * Fixed ldns_rr_list.push_rr_list() to return bool as mentioned in documentation. * Fixed ldns_rr_list.set_rr(), which caused memory corruption, double free problems and memory leaks. (The wrapper used original function instead of its push cloned variant which was missing.) * Fixed ldns_rr_list.set_rr_count(), added python exception raise in order to avoid assertion failure. * Fixed ldns_rr_list.subtype_by_rdf(), marked as newobject. * Added ldns_rr.to_canonical(), ldns_rr.is_question(), ldns_rr.type_by_name(), ldns_rr.class_by_name(), ldns_rr_list.new(), ldns_rr.set_question(). * Modified ldns_rr_list.owner() and ldns_rr.owner(), now returns ldns_dname. 
* Fixed assertion failures for several methods when receiving incorrect but syntactically valid arguments (i.e., ldns_rr.a_address(), ldns_rr.dnskey_algorithm(), ldns_rr.dnskey_flags(), ldns_rr.dnskey_key(), ldns_rr.dnskey_protocol(), ldns_rr.mx_exchange(), ldns_rr.mx_preference(), ldns_rr.ns_nsdname(), ldns_rr.owner(), ldns_rr.rdf(), ldns_rr.rrsig_algorithm(), ldns_rr.rrsig_expiration(), ldns_rr.rrsig_inception(), ldns_rr.rrsig_keytag(), ldns_rr.rrsig_labels(), ldns_rr.rrsig_origttl(), ldns_rr.rrsig_sig(), ldns_rr.rrsig_signame(), ldns_rr.rrsig_typecovered(), ldns_rr_list.owner(), ldns_rr_list.rr()) * Fixed ldns_rr.a_address(), which was asserting when called on non A or AAAA type rr. Now returns None when fails. * Added scripts for testing the basic functionality of the ldns_rr, ldns_rr_descriptor and ldns_rr_list class code. * Improved documentation of ldns_rr, ldns_rr_descriptor and ldns_rr_list. * Fixed automatic conversion from Python string to ldns_rdf and ldns_dname. Caused memory corruption when using Python 3. * The Python 3 wrapper code now raises TypeError instead of ValueError when receiving a non FILE * argument when it should be a FILE *. * Fixed wrong handling of _ldns_rr_list_free() and _ldns_rr_list_deep_free() when compiling with LDNS_DEBUG directive. * Fixed malfunctioning ldns.ldns_rdf_new_frm_fp_l(). * Fixed malfunctioning ldns_drf.absolute() and ldns_dname.absolute(). * Marked several functions related to ldns_rdf and ldns_buffer as returning new objects. * Method operating on ldns_dnames and returning dname ldns_rdfs now return ldns_dname instances. * Improved documentation of ldns_buffer, ldns_rdf and ldns_dname classes. * Methods ldns_buffer.available() and ldns_buffer.available_at() now return bool types as described in the documentation. * Added scripts for testing the basic functionality of the ldns_buffer, ldns_rdf, ldns_dname class code. * Added deprecation warnings to ldns_rdf methods operating on dname rdfs. 
The user is encouraged to converts dname ldns_rdfs to ldns_dnames. * Extended ldns_dname constructor to accept ldns_rdfs containing dnames.