Re: DNSSEC-query with DO-bit through libc ?
Happy new year everyone,

On 16.09.2014 at 00:55, Stuart Henderson wrote:
> On 2014-09-15, Marco Prause marco-obsdm...@prause.eu wrote:
>> Looking at lib/libc/net/res_query.c
> Try libc/asr/res_query.c ..

Thanks again, Stuart, for this hint.

Just a short follow-up to this thread: I've read that there has been an update to asr_run(3) some time ago:

-will request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.
+will not request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.

For sure maybe nothing new to the majority of this and the tech list, but just a short reality check.

Regards,
Marco
Re: DNSSEC-query with DO-bit through libc ?
On 16.09.2014 at 00:55, Stuart Henderson wrote:
> On 2014-09-15, Marco Prause marco-obsdm...@prause.eu wrote:
>> Looking at lib/libc/net/res_query.c
> Try libc/asr/res_query.c ..

Thanks for the hint - I'll have a look at it, but sadly it doesn't help me understand what's going on.

Having a look at the postfix source I found a notice in /usr/ports/distfiles/postfix/postfix-2.11.0/src/dns/dns_lookup.c that says

    ...
    /* .IP RES_USE_DNSSEC
    /*      Request DNSSEC validation. This flag is silently ignored
    /*      when the system stub resolver API, resolver(3), does not
    /*      implement DNSSEC.
    ...

so far so good, but resolver(3) also looks good to me:

    ...
    RES_USE_EDNS0   Attach an OPT pseudo-RR for the EDNS0 extension, as
                    specified in RFC 2671. This informs DNS servers of a
                    client's receive buffer size, allowing them to take
                    advantage of a non-default receive buffer size, and
                    thus to send larger replies. DNS query packets with
                    the EDNS0 extension are not compatible with non-EDNS0
                    DNS servers.
    RES_USE_DNSSEC  Request that the resolver uses Domain Name System
                    Security Extensions (DNSSEC), as defined in RFCs 4033,
                    4034, and 4035.
    ...

In include/resolv.h I also find global definitions for both:

    ...
    #define RES_USE_EDNS0   0x4000  /* use EDNS0 */
    /* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
    #define RES_USE_DNSSEC  0x2000  /* use DNSSEC using OK bit in OPT */
    ...

but I can't see them being used anywhere in the query parts of getrrsetbyname.c, res_mkquery.c, res_query.c - they are mentioned only for the responses, but in my opinion the DO bit also has to be set in the query, to signal the usage of DNSSEC, and this is what I didn't see sniffing on the outgoing interface.

Regards,
Marco
DNSSEC-query with DO-bit through libc ?
Hi,

while playing around with DANE-enabled postfix, I've been running into some problems (maybe) concerning postfix's usage of libc / res_query.c

At the moment it seems to me that libc (or something around it) is cutting off the necessary DO bit in the DNS queries. While asking the local DNSSEC-aware unbound with dig or drill, I'm getting the correct answer and the AD flag set in the answer.

Running OpenBSD 5.5-release
postfix-2.11.0
unbound-1.4.21p0

/etc/resolv.conf says:
nameserver 127.0.0.1
options edns0

Looking at lib/libc/net/res_query.c, I can see the usage of RES_DNSSEC and RES_EDNS0, but I can't see anything specific concerning the DO bit. But to be honest, I'm far from being a C programmer :)

Has anyone already met some familiar issue and maybe has some workarounds? Or can anyone verify / falsify my libc theory?

Kind regards,
Marco
Re: [Bulk] DNSSEC-query with DO-bit through libc ?
On Mon, 15 Sep 2014 12:59:46 +0200 Marco Prause wrote:
> Has anyone already met some familiar issue and maybe has some workarounds?
> Or can anyone verify / falsify my libc theory?

I'd look into whether you still have an issue whilst using TCP for the requests?
Re: [Bulk] DNSSEC-query with DO-bit through libc ?
On 15.09.2014 at 15:58, Kevin Chadwick wrote:
> On Mon, 15 Sep 2014 12:59:46 +0200 Marco Prause wrote:
>> Has anyone already met some familiar issue and maybe has some workarounds?
>> Or can anyone verify / falsify my libc theory?
>
> I'd look into whether you still have an issue whilst using TCP for the requests?

Well, I gave

options edns0 tcp

in resolv.conf a short try, but with the same result in the maillog: non DNSSEC destination for e.g. ietf.org.

Concerning a DO bit I could only find a hint in the bind sources, e.g. /usr.sbin/bind/bin/named/query.c, but nothing equivalent in ./libc/net/res_query.c or ./lib/libc/net/res_mkquery.c

At the moment I have no idea how to reproduce the postfix query manually through the libc calls. While sniffing on the outside interface I can see that queries that go through the libc stub resolver don't have the DO bit set anymore.

Regards,
Marco
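A wire-level check for the point argued in this thread (whether a query carries an EDNS0 OPT pseudo-RR and whether its DO bit is set), written as an added example that is not from the thread and not libc/asr code; it parses raw DNS message bytes from a capture, and the sample packet below is constructed, not a real capture:

```c
#include <stddef.h>
#include <stdint.h>

/* Skip a DNS name (labels or a compression pointer) at off; return the offset past it, 0 on error. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) return off + 1;
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0;   /* pointer ends the name */
        off += 1 + l;
    }
    return 0;
}

/* EDNS0/DO state of a message: -1 malformed, 0 no OPT pseudo-RR, 1 OPT with DO clear, 2 OPT with DO set */
int dns_do_status(const uint8_t *m, size_t len) {
    if (len < 12) return -1;
    unsigned qd = m[4] << 8 | m[5], an = m[6] << 8 | m[7];
    unsigned ns = m[8] << 8 | m[9], ar = m[10] << 8 | m[11];
    unsigned i, rrs = an + ns + ar, have_opt = 0;
    size_t off = 12, n;
    for (i = 0; i < qd; i++) {              /* question: name, qtype, qclass */
        if ((off = skip_name(m, len, off)) == 0 || off + 4 > len) return -1;
        off += 4;
    }
    for (i = 0; i < rrs; i++) {             /* RR: name, type, class, ttl, rdlength, rdata */
        if ((n = skip_name(m, len, off)) == 0 || n + 10 > len) return -1;
        unsigned type = m[n] << 8 | m[n + 1], rdlen = m[n + 8] << 8 | m[n + 9];
        if (i >= an + ns && type == 41) {   /* OPT (RFC 2671) lives in the additional section */
            have_opt = 1;
            if (m[n + 6] & 0x80) return 2;  /* DO = top bit of the TTL field's flags (RFC 3225) */
        }
        off = n + 10 + rdlen;
        if (off > len) return -1;
    }
    return (int)have_opt;
}

/* Constructed sample, not a capture: A query for ietf.org with an OPT RR (udp 4096, DO set). */
static uint8_t q_do[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,1,           /* header: RD, qdcount 1, arcount 1 */
    4,'i','e','t','f', 3,'o','r','g', 0, 0,1, 0,1,      /* ietf.org A IN */
    0, 0,41, 0x10,0x00, 0,0,0x80,0, 0,0 };              /* OPT; byte 33 is the flags high byte */

/* Status of the sample with DO forced on or off; "off" is what the thread reports from the libc stub. */
int check_sample(int with_do) {
    q_do[33] = with_do ? 0x80 : 0x00;
    return dns_do_status(q_do, sizeof q_do);
}
```

Feed it the UDP payload of a query captured on the outgoing interface: a result of 0 or 1 means the stub resolver sent no DO, regardless of what resolv.conf or the RES_USE_* flags say.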
Re: DNSSEC-query with DO-bit through libc ?
On 2014-09-15, Marco Prause marco-obsdm...@prause.eu wrote:
> Looking at lib/libc/net/res_query.c

Try libc/asr/res_query.c ..