[sr-dev] git:master: Core: added DNSSEC support for DNS queries

Peter Dunkley peter.dunkley at crocodile-rcs.com
Wed Oct 10 18:27:19 CEST 2012


I've had a bit more luck...

On Fedora the package dnssec-tools-libs-devel fixes the build problems,
but for CentOS/RHEL the dnssec packages are not part of the standard
distribution (they are in EPEL).  So as things stand the master build of
Kamailio core (with default options) is broken for Enterprise Linux
based OSes.

Regards,

Peter

On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote:

> Hi,
> 
> DNSSEC seems to be enabled by default in master now.
> 
> My builds (on Fedora and CentOS) are now failing with:
>     /usr/bin/ld: cannot find -lval-threads
>     /usr/bin/ld: cannot find -lsres
>     collect2: error: ld returned 1 exit status
>     make: *** [kamailio] Error 1
> 
> > I am not sure which packages to install to fix this - I don't think they are
> actually in the default repos.  Would it be possible to make the
> default behaviour not to build DNSSEC?
> 
> Thanks,
> 
> Peter
> 
> On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote: 
> 
> > Module: sip-router
> > Branch: master
> > Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
> > URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea
> > 
> > Author: Marius Zbihlei <marius.zbihlei at 1and1.ro>
> > Committer: Marius Zbihlei <marius.zbihlei at 1and1.ro>
> > Date:   Wed Oct 10 17:53:02 2012 +0300
> > 
> > Core: added DNSSEC support for DNS queries
> > 
> > > This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libsres (part of dnssec-tools, dnssec-tools.org).
> > > The custom resolvers were replaced by val_gethostbyname, val_gethostbyname2 and val_res_query (for SRV).
> > 
> > ---
> > 
> >  Makefile.defs |    9 +++++++--
> >  resolve.c     |   18 ++++++++++++++++++
> >  resolve.h     |   22 ++++++++++++++++++++++
> >  3 files changed, 47 insertions(+), 2 deletions(-)
> > 
> > diff --git a/Makefile.defs b/Makefile.defs
> > index 1645c34..2b7f332 100644
> > --- a/Makefile.defs
> > +++ b/Makefile.defs
> > @@ -1,4 +1,4 @@
> > -# $Id$
> > +
> >  #
> >  # makefile defs (CC, LD,a.s.o)
> >  #
> > @@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
> >  			LIBS+=-lpthread
> >  		endif
> >  	endif
> > -	# check for >= 2.5.44
> > +	ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
> > +		LIBS+=-lval-threads -lcrypto -lsres -lpthread
> > +$(info "using libval for DNSSEC validation")
> > +	endif
> > +        # check for >= 2.5.44
> > +
> >  	ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
> >  		ifeq ($(NO_EPOLL),)
> >  			C_DEFS+=-DHAVE_EPOLL
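Review bot: The new `ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` test is inverted: `findstring` returns an empty string when the flag is absent, so `-lval-threads -lcrypto -lsres -lpthread` are added exactly when USE_DNSSEC is not set. A default build then needs dnssec-tools at link time and prints "using libval for DNSSEC validation", although resolve.c and resolve.h still compile the unvalidated `res_search`/`gethostbyname` paths. A build that does set the flag gets no libval from this block. The line should read `ifneq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))`, and the `$(info ...)` line would read better indented with the block. The enclosing `ifeq ($(OS), linux)` block starts and ends outside the hunk.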
> > diff --git a/resolve.c b/resolve.c
> > index 17772b7..36a2992 100644
> > --- a/resolve.c
> > +++ b/resolve.c
> > @@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
> >  	int name_len;
> >  	struct rdata* fullname_rd;
> >  	
> > +#ifdef USE_DNSSEC
> > +	val_status_t val_status;
> > +#endif
> > +
> >  	if (cfg_get(core, core_cfg, dns_search_list)==0) {
> >  		search_list_used=0;
> >  		name_len=0;
> > @@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
> >  	}
> >  	fullname_rd=0;
> >  
> > +#ifndef USE_DNSSEC
> >  	size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
> > +#else
> > +	size=val_res_query((val_context_t *) NULL,
> > +                      (char *) name, 
> > +                      (int) C_IN,
> > +		      (int) type, 
> > +                      (unsigned char *) buff.buff, 
> > +		      (int) sizeof(buff),
> > +                      &val_status);	
> > +	if(!val_istrusted(val_status)){
> > +		LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
> > +	}
> > +#endif
> > +
> >  	if (unlikely(size<0)) {
> >  		DBG("get_record: lookup(%s, %d) failed\n", name, type);
> >  		goto not_found;
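Review bot: A failed DNSSEC validation changes nothing but a log line here: after `val_res_query`, `!val_istrusted(val_status)` is logged at `L_INFO` and the answer in `buff` is still parsed and returned, so a USE_DNSSEC build ends up using the same unvalidated records as a build without it. The check also runs before the `size<0` test, so `val_status` is read even when the query failed; whether libval sets it on every error path is not visible here. Consider `if (size>=0 && !val_istrusted(val_status)) { LOG(L_WARN, "get_record: untrusted answer for %s rejected\n", name); goto not_found; }`, or a config switch if log-only behaviour must stay available. The same log-and-continue pattern is in both `_resolvehost` hunks in resolve.h (`val_gethostbyname`, `val_gethostbyname2`), where `he` would have to be reset to 0 instead. get_record continues outside the hunk.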
> > diff --git a/resolve.h b/resolve.h
> > index 8ce68e6..66fd3ff 100644
> > --- a/resolve.h
> > +++ b/resolve.h
> > @@ -58,6 +58,10 @@
> >  #include "dns_wrappers.h"
> >  #endif
> >  
> > +#ifdef USE_DNSSEC
> > +#include "validator/validator.h"
> > +#endif
> > +
> >  /* define RESOLVE_DBG for debugging info (very noisy) */
> >  #define RESOLVE_DBG
> >  /* define NAPTR_DBG for naptr related debugging info (very noisy) */
> > @@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
> >  #endif
> >  #endif
> >  #ifdef DNS_IP_HACK
> > +#ifdef USE_DNSSEC
> > +	val_status_t val_status;
> > +#endif
> >  	struct ip_addr* ip;
> >  	str s;
> >  
> > @@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
> >  #endif
> >  #endif
> >  	/* ipv4 */
> > +#ifndef USE_DNSSEC
> >  	he=gethostbyname(name);
> > +#else
> > +	he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
> > +	if(!val_istrusted(val_status)){
> > +		LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
> > +	}
> > +#endif
> > +
> >  #ifdef USE_IPV6
> >  	if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
> >  #ifndef DNS_IP_HACK
> > @@ -438,7 +453,14 @@ skip_ipv4:
> >  #endif
> >  		/*try ipv6*/
> >  	#ifdef HAVE_GETHOSTBYNAME2
> > +		#ifndef USE_DNSSEC
> >  		he=gethostbyname2(name, AF_INET6);
> > +		#else
> > +		he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
> > +		if(!val_istrusted(val_status)){
> > +			LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
> > +		}
> > +		#endif //!USE_DNSSEC
> >  	#elif defined HAVE_GETIPNODEBYNAME
> >  		/* on solaris 8 getipnodebyname has a memory leak,
> >  		 * after some time calls to it will fail with err=3
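Review bot: Only the `HAVE_GETHOSTBYNAME2` branch gets a validating call; the `#elif defined HAVE_GETIPNODEBYNAME` branch is untouched, so on platforms that take it a USE_DNSSEC build would presumably resolve IPv6 names without any validation and without saying so. A guard at the top of that branch, `#ifdef USE_DNSSEC` / `#error "USE_DNSSEC: no validating IPv6 lookup for getipnodebyname"` / `#endif`, makes the gap explicit at build time. The `#endif //!USE_DNSSEC` comment is also misleading, since it closes the branch in which USE_DNSSEC is defined; `#endif /* USE_DNSSEC */` matches the file's comment style. The branch body continues outside the hunk.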
> > 
> > 
> 
> 
> 

-- 
Peter Dunkley
Technical Director
Crocodile RCS Ltd