[sr-dev] git:master: Core: added DNSSEC support for DNS queries
Marius Zbihlei
marius.zbihlei at 1and1.ro
Wed Oct 10 16:56:40 CEST 2012
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea
Author: Marius Zbihlei <marius.zbihlei at 1and1.ro>
Committer: Marius Zbihlei <marius.zbihlei at 1and1.ro>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libsres (part of dnssec-tools, dnssec-tools.org).
The custom resolver calls were replaced by val_gethostbyname, val_gethostbyname2 and val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
LIBS+=-lpthread
endif
endif
- # check for >= 2.5.44
+ ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+ LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+ endif
+ # check for >= 2.5.44
+
ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
ifeq ($(NO_EPOLL),)
C_DEFS+=-DHAVE_EPOLL
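Review bot: The condition on the added `ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` line is inverted: `findstring` returns the empty string when `-DUSE_DNSSEC` is absent, so `ifeq (,...)` is true exactly when DNSSEC is NOT enabled, and `-lval-threads -lcrypto -lsres` get linked into every default build while a `-DUSE_DNSSEC` build gets no validator libraries and fails at link time. Change it to `ifneq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))`. The enclosing `ifeq ($(OS), linux)` block starts before this hunk, so the libraries are also only added on Linux; if that is intended it is worth a one-line comment, e.g. `# libval/libsres are only probed on linux for now`.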
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
int name_len;
struct rdata* fullname_rd;
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
+
if (cfg_get(core, core_cfg, dns_search_list)==0) {
search_list_used=0;
name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
}
fullname_rd=0;
+#ifndef USE_DNSSEC
size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+ size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+ (int) type,
+ (unsigned char *) buff.buff,
+ (int) sizeof(buff),
+ &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
if (unlikely(size<0)) {
DBG("get_record: lookup(%s, %d) failed\n", name, type);
goto not_found;
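Review bot: The DNSSEC result is only logged and then used anyway: when `val_istrusted(val_status)` is false the code still falls through to parsing `buff`, so an answer that failed validation is treated exactly like a validated one, which gives none of the spoofing protection the feature is meant to add. The untrusted branch should discard the answer, e.g. replace the added `if` block with `if(size>=0 && !val_istrusted(val_status)){` / `LOG(L_WARN, "WARNING: DNSSEC validation failed for %s, discarding answer\n", name);` / `goto not_found; }` (the `size>=0` guard also avoids inspecting `val_status` after a failed query, whose contents are not defined by anything visible here). If a lenient mode is wanted, make it an explicit core config option rather than the only behaviour. `get_record` starts before and continues after this hunk.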
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+ val_status_t val_status;
+#endif
struct ip_addr* ip;
str s;
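Review bot: The `val_status_t val_status;` declaration is placed inside the `#ifdef DNS_IP_HACK` block, but `val_status` is used later in `_resolvehost` by the `val_gethostbyname`/`val_gethostbyname2` calls regardless of `DNS_IP_HACK`, so a build with `USE_DNSSEC` and without `DNS_IP_HACK` fails to compile with an undeclared identifier. Move the three lines `#ifdef USE_DNSSEC` / `val_status_t val_status;` / `#endif` above the `#ifdef DNS_IP_HACK` line so the declaration is unconditional on the hack. `_resolvehost` starts before this hunk and the `DNS_IP_HACK` block is closed outside it.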
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
/* ipv4 */
+#ifndef USE_DNSSEC
he=gethostbyname(name);
+#else
+ he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+#endif
+
#ifdef USE_IPV6
if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
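Review bot: As in `get_record`, a failed DNSSEC validation here is logged at `L_INFO` and the `hostent` from `val_gethostbyname` is still returned, so callers get a possibly forged address with no way to tell. The untrusted case should drop the result: `if(he && !val_istrusted(val_status)){ LOG(L_WARN, "WARNING: DNSSEC validation failed for %s, discarding answer\n", name); he=0; }` — the `he &&` guard matters because when the lookup fails nothing visible here guarantees `val_status` was written before `val_istrusted` reads it. Setting `he=0` also keeps the existing `if(he==0 && ... dns_try_ipv6)` fallback on the next line consistent. `_resolvehost` starts before and continues after this hunk.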
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
/*try ipv6*/
#ifdef HAVE_GETHOSTBYNAME2
+ #ifndef USE_DNSSEC
he=gethostbyname2(name, AF_INET6);
+ #else
+ he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
+ if(!val_istrusted(val_status)){
+ LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+ }
+ #endif //!USE_DNSSEC
#elif defined HAVE_GETIPNODEBYNAME
/* on solaris 8 getipnodebyname has a memory leak,
* after some time calls to it will fail with err=3
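Review bot: The `val_gethostbyname2` branch repeats the log-only handling of an untrusted answer and reads `val_status` even when `he` is `0`, where its value is not established by anything in this hunk; guard it with `if(he && !val_istrusted(val_status))` and clear `he` instead of only logging, so the untrusted AAAA answer is not returned. On style, the directives are indented (`	#ifndef USE_DNSSEC`) and closed with a C99 line comment (`#endif //!USE_DNSSEC`) while the rest of this header keeps preprocessor lines at column 0 with `/* ... */` comments; `#endif /* USE_DNSSEC */` at column 0 would match the file. `skip_ipv4`'s enclosing block starts before this hunk and the `#elif` branch continues after it.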