On 30/03/2014 21:51, Toke Høiland-Jørgensen wrote: > Dave Taht <[email protected]> writes: > >> There isn't. Arguably there should have been a flag added to >> getaddrinfo ages ago... > I was going to add one; however, it seems it's not entirely straight > forward to propagate it through the C library so the code that produces > DNS packets can actually act on it...
There is a val_getaddrinfo() available in libval which is based on http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-3.2 if we want to go down that route. From what I can tell, you'd start by creating your own validation context (http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-6) and use something like: /* Use default policy (label=NULL) and disable clock skew checks */ char *label = NULL; val_context_t *ctx; val_status_t dnssec_status; val_create_context(label, *ctx); /* Error handling here for non-zero return values or ctx=NULL */ val_context_setqflags(ctx, VAL_CTX_FLAG_SET, VAL_QUERY_IGNORE_SKEW); /* Perform lookup (ignoring error handling again) */ val_getaddrinfo(ctx, ..., *status); if (val_istrusted(status)) { /* DNSSEC signature check is good or not applicable: Continue as normal */ } /* Clear context */ val_free_context(ctx); The validation in that case is done entirely outside dnsmasq (with the CD bit set on the libval queries). We have libval available already but not installed, so that is not a problem. Implementing this in BusyBox and sysntpd may be a bit of an issue though. -- Robert Bradley
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Cerowrt-devel mailing list [email protected] https://lists.bufferbloat.net/listinfo/cerowrt-devel
