[sr-dev] git:master: Core: added DNSSEC support for DNS queries

Olle E. Johansson oej at edvina.net
Wed Oct 10 20:50:00 CEST 2012


10 okt 2012 kl. 20:08 skrev Daniel-Constantin Mierla <miconda at gmail.com>:

> Hello,
> 
> thanks for this addition. Few comments:
> 
> 1) not really important -- I guess is "validator/validator.h" part of the external library, but might be better to be included with square brackets, it is more common when including from standard paths, rather from local folders. Like:
> 
> #include <validator/validator.h>
> 
> 2) from past experiences, it very unlikely people will start using it if they have to recompile with different flags. On the other hand, the core should not be dependent on such specific library (which seems it is not that spread across distros at this time anyhow). Looking at the patch, it is practically about returning a struct hostent pointer and checking a status parameter.
> 
> My proposal is to:
> - make a module that will have some wrappers around the dnssec functions. This wrappers should not have the dnssec specific parameters, returning the hostent and setting an integer (given as pointer) status parameter, in case the core needs to know more about the dnssec result
> - core can still have the USE_DNSSEC define just in case one wants to disable it completely
> - core will have a structure with pointers to the wrapper functions for dnssec
> - when loaded, the dnssec module will set the values of the function pointers in the core
> - core may get a new parameter use_dnnsec to enable/disable usage of dnssec from config file (although this can be redundant, such decision could be by loadind/not loading dnssec module)
> 
> This does not look like big effort, considering the patch, and I think will make dnssec easier to experiment with for a larger user base. Similar mechanism is used more or less for tls and in other modules that needed to act in the core, but had exotic dependencies or functionalities (e.g., msrp module sets some callbacks in tcp receive code).
> 
> What do you think?

For me it seems like a good architecture proposal. 

We do need more DNSsec aware software in SIP and I believe it will mean a lot for SIP security soon.

/O
> 
> Cheers,
> Daniel
> 
> On 10/10/12 4:56 PM, Marius Zbihlei wrote:
>> Module: sip-router
>> Branch: master
>> Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
>> URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea
>> 
>> Author: Marius Zbihlei <marius.zbihlei at 1and1.ro>
>> Committer: Marius Zbihlei <marius.zbihlei at 1and1.ro>
>> Date:   Wed Oct 10 17:53:02 2012 +0300
>> 
>> Core: added DNSSEC support for DNS queries
>> 
>> This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org)
>> The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
>> 
>> [...]
> 
> -- 
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
> Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu
> 
> 
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev




More information about the sr-dev mailing list