Re: DNSSEC-query with DO-bit through libc ?

2015-01-07 Thread Marco Prause
Happy new year everyone,

On 16.09.2014 at 00:55, Stuart Henderson wrote:
> On 2014-09-15, Marco Prause marco-obsdm...@prause.eu wrote:
>> Looking at  lib/libc/net/res_query.c
>
> Try libc/asr/res_query.c ..

Thanks again, Stuart, for this hint.
Just a short follow-up to this thread:

I've read that there has been an update to asr_run(3) some time ago:

-will request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.
+will not request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.
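Review bot: the negated sentence says what asr_run(3) no longer does, but not what a caller who needs DNSSEC data should do instead; since include/resolv.h (quoted further down in this thread) still defines RES_USE_DNSSEC with the comment "use DNSSEC using OK bit in OPT", the man page text should say whether that option, together with the RES_USE_EDNS0 option that carries the OPT RR the DO bit lives in, now sets the bit, or state plainly that the bit cannot be requested through this API. Suggest appending something like "unless the RES_USE_DNSSEC option is set" or "the DO bit is never set", whichever matches the code.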


For sure maybe nothing new to the majority on this and the tech list, but
just a short reality check.


Regards,
Marco



Re: DNSSEC-query with DO-bit through libc ?

2014-09-16 Thread Marco Prause
On 16.09.2014 at 00:55, Stuart Henderson wrote:
> On 2014-09-15, Marco Prause marco-obsdm...@prause.eu wrote:
>> Looking at  lib/libc/net/res_query.c
>
> Try libc/asr/res_query.c ..

Thanks for the hint - I had a look at it, but sadly it doesn't help me
understand what's going on.


Having a look at the postfix source I found a notice in

/usr/ports/distfiles/postfix/postfix-2.11.0/srcdns/dns_lookup.c

that says
...
/* .IP RES_USE_DNSSEC
/*  Request DNSSEC validation. This flag is silently ignored
/*  when the system stub resolver API, resolver(3), does not
/*  implement DNSSEC.
...


so far so good, but the resolver(3) man page also looks good to me:
...
RES_USE_EDNS0   Attach an OPT pseudo-RR for the EDNS0 extension, as
                specified in RFC 2671.  This informs DNS servers of a
                client's receive buffer size, allowing them to take
                advantage of a non-default receive buffer size, and thus
                to send larger replies.  DNS query packets with the EDNS0
                extension are not compatible with non-EDNS0 DNS servers.

RES_USE_DNSSEC  Request that the resolver uses Domain Name System
                Security Extensions (DNSSEC), as defined in RFCs 4033,
                4034, and 4035.
...



In include/resolv.h I also find global definitions for both:
...
#define RES_USE_EDNS0   0x4000  /* use EDNS0 */
/* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
#define RES_USE_DNSSEC  0x2000  /* use DNSSEC using OK bit in OPT */
...


but I can't see it being used anywhere in the query parts of
getrrsetbyname.c, res_mkquery.c, res_query.c - they are mentioned only
for the responses, but in my opinion the DO bit also has to be set in
the query, to signal the use of DNSSEC, and this is what I didn't see
when sniffing on the outgoing interface.


Regards,
Marco



DNSSEC-query with DO-bit through libc ?

2014-09-15 Thread Marco Prause
Hi,

while playing around with DANE-enabled postfix, I've been running into
some problems (maybe) concerning postfix's usage of libc / res_query.c

At the moment it seems to me that libc (or something around it) is cutting off
the necessary DO bit in the DNS queries.

When asking the local DNSSEC-aware unbound with dig or drill, I get the
correct answer with the AD flag set in the reply.


Running

OpenBSD 5.5-release
postfix-2.11.0
unbound-1.4.21p0

etc/resolv.conf says:
nameserver 127.0.0.1
options edns0


Looking at lib/libc/net/res_query.c, I can see the usage of RES_DNSSEC
and RES_EDNS0, but I can't see anything specific concerning the DO bit.
But to be honest, I'm far from being a C programmer :)


Has anyone already met a similar issue and maybe has some
workarounds? Or can anyone verify / falsify my libc theory?


Kind regards,
Marco



Re: [Bulk] DNSSEC-query with DO-bit through libc ?

2014-09-15 Thread Kevin Chadwick
On Mon, 15 Sep 2014 12:59:46 +0200
Marco Prause wrote:

> Has anyone already met a similar issue and maybe has some
> workarounds? Or can anyone verify / falsify my libc theory?

I'd look into whether you still have an issue whilst using TCP for the
requests?



Re: [Bulk] DNSSEC-query with DO-bit through libc ?

2014-09-15 Thread Marco Prause
On 15.09.2014 at 15:58, Kevin Chadwick wrote:
> On Mon, 15 Sep 2014 12:59:46 +0200
> Marco Prause wrote:
>
>> Has anyone already met a similar issue and maybe has some
>> workarounds? Or can anyone verify / falsify my libc theory?
>
> I'd look into whether you still have an issue whilst using TCP for the
> requests?

Well, I gave "options edns0 tcp" in resolv.conf a short try, but with
the same result in the maillog: non DNSSEC destination for e.g. ietf.org.

Concerning the DO bit I could only find a hint in the bind sources, e.g.
/usr.sbin/bind/bin/named/query.c, but nothing equivalent in
./libc/net/res_query.c or ./lib/libc/net/res_mkquery.c

At the moment I have no idea how to reproduce the postfix query manually
through the libc calls.

While sniffing on the outside interface I can see that queries that go
through the libc stub resolver don't have the DO bit set anymore.


Regards,
Marco
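The check Marco did by eye on a packet capture, both in this message and in his 2014-09-16 follow-up (the DO bit has to be present in the query's OPT RR, not only honoured in the reply), as an added example that is not code from the thread, from libc, from asr or from postfix. The Python below builds the three kinds of query the thread distinguishes (EDNS0 with DO set, as dig or drill send it; EDNS0 with DO clear, which is what "options edns0" alone yields; and no OPT RR at all) and parses any wire-format DNS message to report whether an OPT RR is present, whether DO is set in it, and, for a reply, whether the AD header flag is set. The ietf.org MX name is taken from the thread; the reply packet is constructed by hand, not captured from unbound. Feeding the raw UDP payload of a captured query to inspect() gives the same verdict without a sniffer.

```python
# Added example (not from the thread): build DNS queries with and without the
# EDNS0 "DNSSEC OK" (DO) bit and inspect wire-format messages for it.
import struct

QTYPE_MX = 15
QTYPE_OPT = 41          # EDNS0 OPT pseudo-RR, RFC 6891
HDR_QR = 0x8000         # header flag bit 15: this is a response
HDR_AD = 0x0020         # header flag bit 5: Authenticated Data
DO_FLAG = 0x8000        # bit 15 of the OPT RR's TTL field (low 16 bits = extended flags)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(qname, qtype, txid=0x1234, edns0=True, do=True, udp_size=4096):
    """Return a wire-format query; edns0=False omits the OPT RR, do=False clears DO."""
    arcount = 1 if edns0 else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)         # QCLASS=IN
    if edns0:
        # OPT RR: NAME=root, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL = EXTENDED-RCODE(8) | VERSION(8) | DO(1) | Z(15), RDLENGTH=0
        ttl = DO_FLAG if do else 0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, ttl, 0)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past the (possibly compressed) name at pkt[off]."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def inspect(pkt):
    """Parse a query or response and report header flags and EDNS0/DO state."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4       # skip QTYPE + QCLASS
    info = {"id": txid, "qr": bool(flags & HDR_QR), "ad": bool(flags & HDR_AD),
            "edns0": False, "do": False, "udp_size": None}
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            info["edns0"] = True
            info["udp_size"] = rclass       # CLASS field carries the UDP payload size
            info["do"] = bool(ttl & DO_FLAG)
    if off != len(pkt):
        raise ValueError("trailing bytes after last RR")
    return info


def constructed_response():
    """Hand-built (not captured) validating-resolver reply to an ietf.org MX query:
    QR, RD, RA and AD set, one MX answer using name compression, OPT RR with DO."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
    pkt += encode_name("ietf.org") + struct.pack("!HH", QTYPE_MX, 1)
    rdata = struct.pack("!H", 10) + b"\x04mail" + b"\xC0\x0C"   # mail.ietf.org via pointer
    pkt += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_MX, 1, 300, len(rdata)) + rdata
    pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, DO_FLAG, 0)
    return pkt


def describe(pkt):
    """One-line verdict answering 'did this stub set DO?'."""
    i = inspect(pkt)
    if not i["edns0"]:
        return "no OPT RR: plain DNS, no DNSSEC signalling possible"
    return "EDNS0 udp=%d DO=%d AD=%d" % (i["udp_size"], i["do"], i["ad"])


if __name__ == "__main__":
    for label, q in [("dig +dnssec style", build_query("ietf.org", QTYPE_MX)),
                     ("options edns0 only", build_query("ietf.org", QTYPE_MX, do=False)),
                     ("no EDNS0 at all", build_query("ietf.org", QTYPE_MX, edns0=False))]:
        print("%-20s %s" % (label, describe(q)))
    print("%-20s %s" % ("constructed reply", describe(constructed_response())))
```

The point the parser makes concrete: DO is not a header flag. It is the high bit of the 32-bit TTL field of the OPT pseudo-RR in the additional section (RFC 6891), so "options edns0" by itself produces an OPT RR with DO clear, and a query with no OPT RR cannot ask for DNSSEC records at all; a validating resolver will then answer without RRSIGs, which is exactly the "non DNSSEC destination" postfix logs. For a quick live comparison, dig +dnssec ietf.org mx @127.0.0.1 prints "; EDNS: version: 0, flags: do;" in its reply section, while dig +noedns sends no OPT RR.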



Re: DNSSEC-query with DO-bit through libc ?

2014-09-15 Thread Stuart Henderson
On 2014-09-15, Marco Prause marco-obsdm...@prause.eu wrote:
> Looking at  lib/libc/net/res_query.c

Try libc/asr/res_query.c ..