[sr-dev] git:master: Core: added DNSSEC support for DNS queries

Peter Dunkley peter.dunkley at crocodile-rcs.com
Wed Oct 10 18:14:44 CEST 2012


Hi,

DNSSEC seems to be enabled by default in master now.

My builds (on Fedora and CentOS) are now failing with:
    /usr/bin/ld: cannot find -lval-threads
    /usr/bin/ld: cannot find -lsres
    collect2: error: ld returned 1 exit status
    make: *** [kamailio] Error 1

I am not sure which packages to install to fix this - I don't think they are
actually in the default repos.  Would it be possible to make the default
behaviour not to build DNSSEC?

Thanks,

Peter

On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:

> Module: sip-router
> Branch: master
> Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
> URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea
> 
> Author: Marius Zbihlei <marius.zbihlei at 1and1.ro>
> Committer: Marius Zbihlei <marius.zbihlei at 1and1.ro>
> Date:   Wed Oct 10 17:53:02 2012 +0300
> 
> Core: added DNSSEC support for DNS queries
> 
> This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libsres (part of dnssec-tools, dnssec-tools.org).
> The custom resolvers were replaced by val_gethostbyname, val_gethostbyname2 and val_res_query (for SRV).
> 
> ---
> 
>  Makefile.defs |    9 +++++++--
>  resolve.c     |   18 ++++++++++++++++++
>  resolve.h     |   22 ++++++++++++++++++++++
>  3 files changed, 47 insertions(+), 2 deletions(-)
> 
> diff --git a/Makefile.defs b/Makefile.defs
> index 1645c34..2b7f332 100644
> --- a/Makefile.defs
> +++ b/Makefile.defs
> @@ -1,4 +1,4 @@
> -# $Id$
> +
>  #
>  # makefile defs (CC, LD,a.s.o)
>  #
> @@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
>  			LIBS+=-lpthread
>  		endif
>  	endif
> -	# check for >= 2.5.44
> +	ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
> +		LIBS+=-lval-threads -lcrypto -lsres -lpthread
> +$(info "using libval for DNSSEC validation")
> +	endif
> +        # check for >= 2.5.44
> +
>  	ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
>  		ifeq ($(NO_EPOLL),)
>  			C_DEFS+=-DHAVE_EPOLL
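Review bot: The test on the added `ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` line reads inverted: `findstring` returns the empty string when the flag is absent, so the libval libraries are linked exactly when USE_DNSSEC is not defined and left out when it is. `ifneq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` would tie the link line to the flag. The `$(info ...)` line at column 0 and the now space-indented `# check for >= 2.5.44` comment also break the tab indentation of the surrounding block.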
> diff --git a/resolve.c b/resolve.c
> index 17772b7..36a2992 100644
> --- a/resolve.c
> +++ b/resolve.c
> @@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
>  	int name_len;
>  	struct rdata* fullname_rd;
>  	
> +#ifdef USE_DNSSEC
> +	val_status_t val_status;
> +#endif
> +
>  	if (cfg_get(core, core_cfg, dns_search_list)==0) {
>  		search_list_used=0;
>  		name_len=0;
> @@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
>  	}
>  	fullname_rd=0;
>  
> +#ifndef USE_DNSSEC
>  	size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
> +#else
> +	size=val_res_query((val_context_t *) NULL,
> +                      (char *) name, 
> +                      (int) C_IN,
> +		      (int) type, 
> +                      (unsigned char *) buff.buff, 
> +		      (int) sizeof(buff),
> +                      &val_status);	
> +	if(!val_istrusted(val_status)){
> +		LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
> +	}
> +#endif
> +
>  	if (unlikely(size<0)) {
>  		DBG("get_record: lookup(%s, %d) failed\n", name, type);
>  		goto not_found;
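Review bot: An answer that fails validation is still used in the USE_DNSSEC branch of get_record: the new code only logs at L_INFO when `val_istrusted(val_status)` is false and then falls through to the normal parsing path, so the flag adds a log line but no protection against spoofed records. Rejecting the answer, e.g. `if (size>=0 && !val_istrusted(val_status)) { LOG(L_WARN, ...); goto not_found; }`, or making accept/reject a config option, would give the flag the meaning its name implies; testing `size>=0` first also avoids reading `val_status` after a failed query, where it may not have been set. The same log-only pattern appears in both the `val_gethostbyname` and `val_gethostbyname2` calls added to `_resolvehost` in resolve.h. Separately, `res_search` applies the resolver search list while the replacement is the plain query call, so the `search_list_used` handling just above may no longer match what is sent; libval's `val_res_search` looks like the closer equivalent and is worth confirming. get_record's body continues outside the hunk.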
> diff --git a/resolve.h b/resolve.h
> index 8ce68e6..66fd3ff 100644
> --- a/resolve.h
> +++ b/resolve.h
> @@ -58,6 +58,10 @@
>  #include "dns_wrappers.h"
>  #endif
>  
> +#ifdef USE_DNSSEC
> +#include "validator/validator.h"
> +#endif
> +
>  /* define RESOLVE_DBG for debugging info (very noisy) */
>  #define RESOLVE_DBG
>  /* define NAPTR_DBG for naptr related debugging info (very noisy) */
> @@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
>  #endif
>  #endif
>  #ifdef DNS_IP_HACK
> +#ifdef USE_DNSSEC
> +	val_status_t val_status;
> +#endif
>  	struct ip_addr* ip;
>  	str s;
>  
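Review bot: `val_status` is declared inside the `#ifdef DNS_IP_HACK` block here, but the later hunks use it in the `val_gethostbyname` calls, which appear to be compiled regardless of DNS_IP_HACK (the IPv6 path carries its own `#ifndef DNS_IP_HACK` guard). A build with USE_DNSSEC and without DNS_IP_HACK would then fail on an undeclared identifier. Moving the three added lines above `#ifdef DNS_IP_HACK` avoids that. The rest of _resolvehost is outside the hunk, so the exact block boundaries should be confirmed against the full file.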
> @@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
>  #endif
>  #endif
>  	/* ipv4 */
> +#ifndef USE_DNSSEC
>  	he=gethostbyname(name);
> +#else
> +	he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
> +	if(!val_istrusted(val_status)){
> +		LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
> +	}
> +#endif
> +
>  #ifdef USE_IPV6
>  	if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
>  #ifndef DNS_IP_HACK
> @@ -438,7 +453,14 @@ skip_ipv4:
>  #endif
>  		/*try ipv6*/
>  	#ifdef HAVE_GETHOSTBYNAME2
> +		#ifndef USE_DNSSEC
>  		he=gethostbyname2(name, AF_INET6);
> +		#else
> +		he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
> +		if(!val_istrusted(val_status)){
> +			LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
> +		}
> +		#endif //!USE_DNSSEC
>  	#elif defined HAVE_GETIPNODEBYNAME
>  		/* on solaris 8 getipnodebyname has a memory leak,
>  		 * after some time calls to it will fail with err=3
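Review bot: Only the `HAVE_GETHOSTBYNAME2` arm gets a validating call; the `HAVE_GETIPNODEBYNAME` arm that follows (and any further fallback outside the hunk) still resolves IPv6 addresses without validation even when USE_DNSSEC is set. On such platforms the build would silently mix validated IPv4 and unvalidated IPv6 lookups, so either those arms need a validating equivalent or the combination should be refused at compile time with an `#error`. The trailing `#endif //!USE_DNSSEC` also labels the block by the negated condition although it closes the `#else` (DNSSEC) arm; `#endif /* USE_DNSSEC */` is less ambiguous and matches the file's comment style.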
> 
> 


-- 
Peter Dunkley
Technical Director
Crocodile RCS Ltd