[SR-Users] Debian, dnssec.so, and missing dnsval.conf

David Holl david+lumicallusers at ad5ey.net
Fri May 13 20:48:03 CEST 2016


In the interest of sharing and promoting DNSSEC, I was recently stumped 
on a problem where I noticed I could not call sip:test.echo at sip5060.net 
without disabling the dnssec.so module in my kamailio.cfg.  The last 
time I had tried the sip5060 echo test was several months ago, and in 
the intervening time, I had applied the numerous Debian package updates.  
Thus, I could not isolate the cause of the problem to one of the many 
package updates such as kamailio 4.4.x, libval, my own DNSSEC DNS 
server, etc.  My only initial clue was kamailio's syslog messages:

May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: tm [ut.h:296]: 
uri2dst2(): ERROR: uri2dst: failed to resolve "sip5060.net" 
:unresolvable A or AAAA request (-7) 

May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: tm 
[t_fwd.c:1712]: t_forward_nonack(): ERROR: t_forward_nonack: failure to 
add branches

May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: sl 
[sl_funcs.c:363]: sl_reply_error(): ERROR: sl_reply_error used: 
Unresolvable destination (478/SL)
 


To summarize the problem, I found that kamailio's dnssec.so was failing 
queries to domains that were not DNSSEC protected, such as sip5060.net.  
This behavior is a bug, since sip5060.net is, in this case, provably not 
participating in DNSSEC from the top-level "net." zone [1].



The fix was to provide a default configuration file to libval, which was 
somehow not included in Debian's libval15 package.  I created the 
following configuration from the default dnsval.conf in the source 
distribution:
https://dnssec-tools.org/download/dnsval-2.2.tar.gz
https://dnssec-tools.org/download/dnsval-2.2.tar.gz.asc
as well as their wiki:
https://www.dnssec-tools.org/wiki/index.php/Dnsval.conf

cat << 'EOF' > /etc/dnssec-tools/dnsval.conf
##################################
# Global Options 
##################################

global-options
    trust-oob-answers yes
    # I'm running a DNSSEC nameserver locally,
    # so 4 KiB queries to localhost should be OK:
    edns0-size 4096
    env-policy disable
    app-policy disable
    rec-fallback no
;

: trust-anchor
    .  DS  19036  8  2  49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
;

: zone-security-expectation
    . validate
;

: provably-insecure-status
    . trusted
;

: clock-skew
    . 0
;
EOF



In summary: I find it odd that a default dnsval.conf was not included 
with my system's normal installation of the "libval15:amd64" package, 
version 2.2-4.  After providing dnsval.conf, kamailio's dnssec.so was 
happy again.

Side notes:

*  To identify the directory for dnsval.conf, run
	libval-config --dnsval-config
On Debian, libval-config is in the libval-dev package, and this package 
includes a man page for dnsval.conf as well.

*  To test your libval and dnsval.conf, try
	dt-validate -s
On Debian, dt-validate is in the libval-bin package.


- David


[1] -- Authenticated denial of existence:
https://tools.ietf.org/html/rfc5155
https://tools.ietf.org/html/rfc7129
And for sip5060.net, there's an NSEC3 record in the top-level net. zone 
proving non-existence of sip5060.net DS records:
http://dnsviz.net/d/sip5060.net/dnssec/
Translation: sip5060.net has provably not enabled DNSSEC.
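To make the policy mechanics of the file above concrete, here is an added example (not from the post or from dnssec-tools) that parses dnsval.conf's section syntax and resolves which zone policy applies to a name by closest enclosing zone. It assumes the format as documented in the dnsval.conf man page (`#` comments, a `<label> <keyword>` header or bare `global-options`, whitespace-separated entries, `;` terminator); the `example. untrusted` entry is constructed to show a stricter child zone overriding the root policy.

```python
# Constructed sample config: the post's sections, plus one constructed entry.
SAMPLE_CONF = """\
global-options
    trust-oob-answers yes
;
: trust-anchor
    .  DS  19036  8  2
    49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
;
: provably-insecure-status
    . trusted
    example. untrusted       # constructed: child zone stricter than root
;
"""

def parse_dnsval_conf(text):
    """Return {(label, keyword): [tokens]}; label is None for global-options."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(line.split('#', 1)[0].split())  # drop comments
    sections, i = {}, 0
    while i < len(tokens):
        if tokens[i] == 'global-options':
            key, i = (None, 'global-options'), i + 1
        else:
            key, i = (tokens[i], tokens[i + 1]), i + 2
        try:
            end = tokens.index(';', i)
        except ValueError:
            raise ValueError('unterminated section %r' % (key,)) from None
        sections.setdefault(key, []).extend(tokens[i:end])
        i = end + 1  # continue after the ';'
    return sections

def zone_policy(sections, keyword, name, label=':'):
    """Closest-enclosing-zone lookup in a zone/value section such as
    provably-insecure-status; None when the section gives no verdict."""
    body = sections.get((label, keyword), [])
    pairs = dict(zip(body[0::2], body[1::2]))  # zone -> value
    labels = [l for l in name.split('.') if l]  # handles '.' and trailing dot
    for k in range(len(labels) + 1):  # the name, its parents, then root '.'
        zone = '.'.join(labels[k:]) + '.'
        if zone in pairs:
            return pairs[zone]
    return None
```

With the post's `. trusted` entry, `sip5060.net.` resolves to `trusted`; with no provably-insecure-status section at all, the lookup yields no verdict, which is the situation the missing dnsval.conf left kamailio's dnssec.so in.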