[sr-dev] DNSsec stats
Olle E. Johansson
oej at edvina.net
Sun Apr 21 22:13:38 CEST 2013
21 apr 2013 kl. 21:35 skrev Marius Zbihlei <mariuszbi at gmail.com>:
> Hello,
>
> Maybe this bit of info will help in testing:
>
> Google open resolvers should (I used another Google resolver with works) work with DNSSEC, so setting nameserver 8.8.8.8 in your /etc/resolv.conf should provide access to a recursive dnssec resolver. Next, sending a SIP dummy request to the domain www.dnssec-failed.org (www is mandatory) should git this message ( level INFO on master branch)
>
> 0(70805) ERROR: dnssec [dnssec_func.c:145]: invalid domain www.dnssec-failed.org reason VAL_UNTRUSTED_ANSWER
>
> Keep note that I use val_istrusted, which is less strict the val_isvalidated ( afaik the later only returns true if the domain is validated via dnssec, for non-dnssec enabled domains it will fail), the decision should be configurable.
A more general question:
Would it be possible to generate error codes to the various forward/send/t_relay set of functions so that we know better the type of failure,
like TLS did not validate or DNSsec failed?
/O
>
> Cheers,
> Marius
>
>
> On Sun, Apr 21, 2013 at 8:23 PM, Olle E. Johansson <oej at edvina.net> wrote:
>
> 21 apr 2013 kl. 20:39 skrev Marius Zbihlei <mariuszbi at gmail.com>:
>
>> Hello,
>>
>> I have added today a feature for setting various libval flags. Based on your suggestions(thank you, by the way) and my backlog I will continue to work on the following
>>
>> 1. Strict or non-strict validation
>> 2. CFG framework for enabling/disabling features
>> 3. Exclusion list (clock-skew per domain) & other dnssec protocol specific policies
>> 4. Statistics
>> 5. DANE/DNSSEC (still have to document)
>
> I just sent e-mail to the DANE mailing list about SIP issues. I think we need to work in the IETF a bit here.
>
>> 6.Async DNS resolving support (maybe with support from t_suspend() API)
> Cool.
>
> Looking into some DNS stuff in Asterisk now. Maybe I can add libval there too.
>
> Cheers,
> /O
>>
>> The order might not be the correct one...ATM, I am mostly looking for suggestion and integrators/testers for feedback.
>>
>> Cheers,
>> Marius
>>
>>
>> On Sun, Apr 21, 2013 at 6:51 PM, Olle E. Johansson <oej at edvina.net> wrote:
>> Hi again!
>>
>> I would also like to propose that you add a counter for failures to validate DNSsec that will automatically be published
>> in rpc. I could then also add it to the SNMP module.
>>
>> Cheers,
>> /O
>> _______________________________________________
>> sr-dev mailing list
>> sr-dev at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
>>
>> _______________________________________________
>> sr-dev mailing list
>> sr-dev at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
>
>
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
>
>
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20130421/5f4ed090/attachment-0001.htm>
More information about the sr-dev
mailing list