[sr-dev] git:master: Core: added DNSSEC support for DNS queries

Marius Zbihlei marius.zbihlei at 1and1.ro
Wed Oct 10 18:42:32 CEST 2012 

Hello all, 

First of all sorry for the broken build. I was 100% sure that it will no be enabled in master.I thought I have tested. I will fix it first thing in the morning... 


So, on Debian/Ubuntu and now it seems in RHEL the devel headers and libraries are not installed. I had to download them from dnssec-tools.org. Other than that, just enabling the flag should allow for DNSSEC queries. The failure of the validate method is actually controlled by dnsval.conf. If a zone is not signed, than the validate method will silently ignore the error and permit validation. If set to untrusted, any name that is not explicitly signed will fail. At the moment I just print an informal message in the log.

When I have tested the patch, it seemed that there aren't a lot of DNSSEC aware servers, and even if they are, the TLD's are not signed... So for now the USE_DNSSEC must be disabled

Marius
________________________________________
From: sr-dev-bounces at lists.sip-router.org [sr-dev-bounces at lists.sip-router.org] On Behalf Of Peter Dunkley [peter.dunkley at crocodile-rcs.com]
Sent: Wednesday, October 10, 2012 7:27 PM
To: Development mailing list of the sip-router project
Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries

I've had a bit more luck...

On Fedora the package dnssec-tools-libs-devel fixes the build problems, but for CentOS/RHEL the dnssec packages are not part of the standard distribution (they are in EPEL).  So as things stand the master build of Kamailio core (with default options) is broken for Enterprise Linux based OSes.

Regards,

Peter

On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote:
Hi,

DNSSEC seems to be enabled by default in master now.

My builds (on Fedora and CentOS) are now failing with:
    /usr/bin/ld: cannot find -lval-threads
    /usr/bin/ld: cannot find -lsres
    collect2: error: ld returned 1 exit status
    make: *** [kamailio] Error 1

I am not sure which packages to install to fix this - I don't they are actually in the default repos.  Would it be possible to make the default behaviour not to build DNSSEC?

Thanks,

Peter

On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:


Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea

Author: Marius Zbihlei <marius.zbihlei at 1and1.ro<mailto:marius.zbihlei at 1and1.ro>>
Committer: Marius Zbihlei <marius.zbihlei at 1and1.ro<mailto:marius.zbihlei at 1and1.ro>>
Date:   Wed Oct 10 17:53:02 2012 +0300

Core: added DNSSEC support for DNS queries

This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).

---

 Makefile.defs |    9 +++++++--
 resolve.c     |   18 ++++++++++++++++++
 resolve.h     |   22 ++++++++++++++++++++++
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
 #
 # makefile defs (CC, LD,a.s.o)
 #
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
                        LIBS+=-lpthread
                endif
        endif
-       # check for >= 2.5.44
+       ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+               LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+       endif
+        # check for >= 2.5.44
+
        ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
                ifeq ($(NO_EPOLL),)
                        C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
        int name_len;
        struct rdata* fullname_rd;

+#ifdef USE_DNSSEC
+       val_status_t val_status;
+#endif
+
        if (cfg_get(core, core_cfg, dns_search_list)==0) {
                search_list_used=0;
                name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
        }
        fullname_rd=0;

+#ifndef USE_DNSSEC
        size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+       size=val_res_query((val_context_t *) NULL,
+                      (char *) name,
+                      (int) C_IN,
+                     (int) type,
+                      (unsigned char *) buff.buff,
+                     (int) sizeof(buff),
+                      &val_status);
+       if(!val_istrusted(val_status)){
+               LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+       }
+#endif
+
        if (unlikely(size<0)) {
                DBG("get_record: lookup(%s, %d) failed\n", name, type);
                goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
 #include "dns_wrappers.h"
 #endif

+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
 /* define RESOLVE_DBG for debugging info (very noisy) */
 #define RESOLVE_DBG
 /* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
 #endif
 #endif
 #ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+       val_status_t val_status;
+#endif
        struct ip_addr* ip;
        str s;

@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
 #endif
 #endif
        /* ipv4 */
+#ifndef USE_DNSSEC
        he=gethostbyname(name);
+#else
+       he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+       if(!val_istrusted(val_status)){
+               LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+       }
+#endif
+
 #ifdef USE_IPV6
        if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
 #ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
 #endif
                /*try ipv6*/
        #ifdef HAVE_GETHOSTBYNAME2
+               #ifndef USE_DNSSEC
                he=gethostbyname2(name, AF_INET6);
+               #else
+               he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
+               if(!val_istrusted(val_status)){
+                       LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+               }
+               #endif //!USE_DNSSEC
        #elif defined HAVE_GETIPNODEBYNAME
                /* on solaris 8 getipnodebyname has a memory leak,
                 * after some time calls to it will fail with err=3


_______________________________________________
sr-dev mailing list
sr-dev at lists.sip-router.org<mailto:sr-dev at lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev




_______________________________________________
sr-dev mailing list
sr-dev at lists.sip-router.org<mailto:sr-dev at lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev





--
Peter Dunkley
Technical Director
Crocodile RCS Ltd

More information about the sr-dev mailing list