[sr-dev] git:master: Core: added DNSSEC support for DNS queries

Marius Zbihlei marius.zbihlei at 1and1.ro
Wed Oct 10 20:30:42 CEST 2012


Hello all, 

Glad to see that there is such interest for the DNSSEC support. Thanks guys for the feedback and suggestions and sorry for the typo :)

Daniel, you are right. There are several other improvements that can be done. For example, runtime configuration of policy using the resolve context in the dnsval.conf file (specify domains if they are trusted or not etc). This type of configuration is indeed better in a modparam statement than a core keyword, so I will move the calls to a dedicated module.

Cheers,
Marius 
________________________________________
From: Daniel-Constantin Mierla [miconda at gmail.com]
Sent: Wednesday, October 10, 2012 9:08 PM
To: Development mailing list of the sip-router project
Cc: Marius Zbihlei
Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries

Hello,

thanks for this addition. A few comments:

1) not really important -- I guess "validator/validator.h" is part of
the external library, but it might be better to include it with square
brackets, it is more common when including from standard paths, rather
than from local folders. Like:

#include <validator/validator.h>

2) from past experience, it is very unlikely people will start using it if
they have to recompile with different flags. On the other hand, the core
should not be dependent on such specific library (which seems it is not
that spread across distros at this time anyhow). Looking at the patch,
it is practically about returning a struct hostent pointer and checking
a status parameter.

My proposal is to:
- make a module that will have some wrappers around the dnssec
functions. These wrappers should not have the dnssec specific parameters,
returning the hostent and setting an integer (given as pointer) status
parameter, in case the core needs to know more about the dnssec result
- core can still have the USE_DNSSEC define just in case one wants to
disable it completely
- core will have a structure with pointers to the wrapper functions for
dnssec
- when loaded, the dnssec module will set the values of the function
pointers in the core
- core may get a new parameter use_dnnsec to enable/disable usage of
dnssec from config file (although this can be redundant, such decision
could be by loading/not loading dnssec module)

This does not look like a big effort, considering the patch, and I think
it will make dnssec easier to experiment with for a larger user base.
A similar mechanism is used more or less for tls and in other modules that
needed to act in the core, but had exotic dependencies or
functionalities (e.g., msrp module sets some callbacks in tcp receive code).

What do you think?

Cheers,
Daniel

On 10/10/12 4:56 PM, Marius Zbihlei wrote:
> Module: sip-router
> Branch: master
> Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
> URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea
>
> Author: Marius Zbihlei <marius.zbihlei at 1and1.ro>
> Committer: Marius Zbihlei <marius.zbihlei at 1and1.ro>
> Date:   Wed Oct 10 17:53:02 2012 +0300
>
> Core: added DNSSEC support for DNS queries
>
> This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org)
> The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
>
> [...]

--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu
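
The hook mechanism proposed in the message above, as an added example that is not part of the thread or of sip-router's code: the core keeps a table of function pointers, a module fills it in when loaded, and the wrapper returns a hostent plus an integer status. All identifiers here (core_dnssec, core_register_dnssec, core_resolvehost, mod_init, DNSSEC_ST_*) are hypothetical, the resolver is a constructed offline stand-in for libval, and rejecting unvalidated answers is an assumed policy.

```c
#include <netdb.h>       /* struct hostent */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>  /* AF_INET */
/* All names are hypothetical; this is not sip-router code. */
enum { DNSSEC_ST_NONE, DNSSEC_ST_TRUSTED, DNSSEC_ST_UNTRUSTED };
/* Core side: hook signature carries no DNSSEC-specific types. */
typedef struct hostent *(*dnssec_ghbn_f)(const char *name, int *status);
struct dnssec_hooks { dnssec_ghbn_f gethostbyname; };
static struct dnssec_hooks core_dnssec;   /* NULL until a module loads */
void core_register_dnssec(const struct dnssec_hooks *h) { core_dnssec = *h; }

/* Constructed stand-in for a resolver so the example runs offline. */
static struct hostent *sample_lookup(const char *name) {
    static unsigned char ip[4] = {192, 0, 2, 10};
    static char *addrs[] = {(char *)ip, NULL}, *aliases[] = {NULL};
    static struct hostent he;
    if (strcmp(name, "sip.example.org") && strcmp(name, "bogus.example.org"))
        return NULL;
    he.h_name = (char *)name; he.h_aliases = aliases;
    he.h_addrtype = AF_INET; he.h_length = 4; he.h_addr_list = addrs;
    return &he;
}

struct hostent *core_resolvehost(const char *name, int *status) {
    *status = DNSSEC_ST_NONE;
    if (core_dnssec.gethostbyname == NULL)
        return sample_lookup(name);           /* module not loaded: plain lookup */
    struct hostent *he = core_dnssec.gethostbyname(name, status);
    /* Assumed policy: with the module loaded, drop unvalidated answers. */
    return (he && *status == DNSSEC_ST_TRUSTED) ? he : NULL;
}

/* Module side: a real wrapper would call libval here and map its status. */
static struct hostent *mod_gethostbyname(const char *name, int *status) {
    struct hostent *he = sample_lookup(name);
    *status = (he && !strcmp(name, "sip.example.org")) ? DNSSEC_ST_TRUSTED : DNSSEC_ST_UNTRUSTED;
    return he;
}
int mod_init(void) {                          /* runs when the module is loaded */
    struct dnssec_hooks h = { mod_gethostbyname };
    core_register_dnssec(&h); return 0;
}
int main(void) {
    int st, before = core_resolvehost("bogus.example.org", &st) != NULL;
    mod_init();
    int after = core_resolvehost("bogus.example.org", &st) != NULL;
    printf("bogus.example.org resolved: before=%d after=%d\n", before, after);
    return 0;
}
```

With no module registered the core never touches DNSSEC code, so the dependency on the validator library stays out of the core binary.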