Hello all,

First of all, sorry for the broken build. I was 100% sure that it would not be 
enabled in master. I thought I had tested it. I will fix it first thing in the 
morning...


So, on Debian/Ubuntu, and now it seems in RHEL too, the devel headers and libraries 
are not installed. I had to download them from dnssec-tools.org. Other than 
that, just enabling the flag should allow for DNSSEC queries. The failure of 
the validate method is actually controlled by dnsval.conf. If a zone is not 
signed, then the validate method will silently ignore the error and permit 
validation. If set to untrusted, any name that is not explicitly signed will 
fail. At the moment I just print an informal message in the log.

When I tested the patch, it seemed that there aren't a lot of DNSSEC-aware 
servers, and even if there are, the TLDs are not signed... So for now 
USE_DNSSEC must be disabled.

Marius
________________________________________
From: [email protected] [[email protected]] 
On Behalf Of Peter Dunkley [[email protected]]
Sent: Wednesday, October 10, 2012 7:27 PM
To: Development mailing list of the sip-router project
Subject: Re: [sr-dev] git:master: Core: added DNSSEC support for DNS queries

I've had a bit more luck...

On Fedora the package dnssec-tools-libs-devel fixes the build problems, but for 
CentOS/RHEL the dnssec packages are not part of the standard distribution (they 
are in EPEL).  So as things stand the master build of Kamailio core (with 
default options) is broken for Enterprise Linux based OSes.

Regards,

Peter

On Wed, 2012-10-10 at 17:14 +0100, Peter Dunkley wrote:
Hi,

DNSSEC seems to be enabled by default in master now.

My builds (on Fedora and CentOS) are now failing with:
    /usr/bin/ld: cannot find -lval-threads
    /usr/bin/ld: cannot find -lsres
    collect2: error: ld returned 1 exit status
    make: *** [kamailio] Error 1

I am not sure which packages to install to fix this - I don't think they are 
actually in the default repos. Would it be possible to make the default 
behaviour not to build DNSSEC?

Thanks,

Peter

On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:

Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea

Author: Marius Zbihlei <[email protected]>
Committer: Marius Zbihlei <[email protected]>
Date:   Wed Oct 10 17:53:02 2012 +0300

Core: added DNSSEC support for DNS queries

This is available by setting the USE_DNSSEC compile flag. It requires 
libval-threads and libres (part of dnssec-tools, dnssec-tools.org). 
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and 
val_res_query (for SRV).

---

 Makefile.defs |    9 +++++++--
 resolve.c     |   18 ++++++++++++++++++
 resolve.h     |   22 ++++++++++++++++++++++
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
 #
 # makefile defs (CC, LD,a.s.o)
 #
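Review bot: dropping the `# $Id$` keyword line at the top of Makefile.defs is unrelated to the DNSSEC change; either keep the commit focused on USE_DNSSEC or mention the keyword cleanup in the commit message so the hunk is not mistaken for an accidental edit.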
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
                        LIBS+=-lpthread
                endif
        endif
-       # check for >= 2.5.44
+       ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+               LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+       endif
+        # check for >= 2.5.44
+
        ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
                ifeq ($(NO_EPOLL),)
                        C_DEFS+=-DHAVE_EPOLL
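Review bot: the condition `ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` is inverted. `findstring` returns the empty string when the needle is absent, so this block is entered exactly when `-DUSE_DNSSEC` is *not* in `C_DEFS`, and the default build links `-lval-threads -lcrypto -lsres`, which is the `cannot find -lval-threads` / `cannot find -lsres` failure Peter reports. Use `ifneq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))` so the libraries are only added when the flag is set. Two smaller points in the same hunk: `-lpthread` is already appended in the `ifeq` block just above, so it need not be repeated here, and the `$(info ...)` line sits at column 0 while the surrounding lines are tab-indented; also the rewritten `# check for >= 2.5.44` comment changes its indentation from a tab to spaces, which is noise in the diff.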
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
        int name_len;
        struct rdata* fullname_rd;

+#ifdef USE_DNSSEC
+       val_status_t val_status;
+#endif
+
        if (cfg_get(core, core_cfg, dns_search_list)==0) {
                search_list_used=0;
                name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
        }
        fullname_rd=0;

+#ifndef USE_DNSSEC
        size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+       size=val_res_query((val_context_t *) NULL,
+                      (char *) name,
+                      (int) C_IN,
+                     (int) type,
+                      (unsigned char *) buff.buff,
+                     (int) sizeof(buff),
+                      &val_status);
+       if(!val_istrusted(val_status)){
+               LOG(L_INFO, "INFO: got not trusted record when resolving 
%s\n",name);
+       }
+#endif
+
        if (unlikely(size<0)) {
                DBG("get_record: lookup(%s, %d) failed\n", name, type);
                goto not_found;
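Review bot: `val_istrusted(val_status)` is evaluated before the `size<0` check, so on a failed query the status of an answer that was never returned is inspected and may produce a misleading "not trusted" log line; move the check after `if (unlikely(size<0))`. More importantly, the untrusted case only logs at `L_INFO` and then falls through to parse and use the answer, so enabling USE_DNSSEC gives no protection beyond a log message. If that is intended for now (the author's reply says it is), say so in a comment; otherwise jump to `not_found` for untrusted answers, or gate that behaviour on a core config option, since the policy in dnsval.conf already distinguishes `validate` from `untrusted`.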
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
 #include "dns_wrappers.h"
 #endif

+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
 /* define RESOLVE_DBG for debugging info (very noisy) */
 #define RESOLVE_DBG
 /* define NAPTR_DBG for naptr related debugging info (very noisy) */
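Review bot: `validator/validator.h` is pulled in from resolve.h, a header included by much of the core, so every translation unit that includes resolve.h now needs the dnssec-tools headers on its include path when USE_DNSSEC is set, while the Makefile.defs hunk only adds `LIBS` and no include directory. Either add a matching include path (or a prefix variable) next to the `LIBS+=` line, or document that the headers must be installed in the default system include path.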
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
 #endif
 #endif
 #ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+       val_status_t val_status;
+#endif
        struct ip_addr* ip;
        str s;

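Review bot: `val_status_t val_status;` is declared inside the `#ifdef DNS_IP_HACK` region (it directly follows `#ifdef DNS_IP_HACK` and sits with `ip` and `s`), but the later hunks use `val_status` on the `/* ipv4 */` path, which the next hunk's context shows comes after an `#endif`. With USE_DNSSEC defined and DNS_IP_HACK undefined the variable is undeclared and _resolvehost will not compile. Move the declaration above the `#ifdef DNS_IP_HACK` line, next to `static struct hostent* he`.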
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
 #endif
 #endif
        /* ipv4 */
+#ifndef USE_DNSSEC
        he=gethostbyname(name);
+#else
+       he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+       if(!val_istrusted(val_status)){
+               LOG(L_INFO, "INFO: got not trusted record when resolving 
%s\n",name);
+       }
+#endif
+
 #ifdef USE_IPV6
        if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
 #ifndef DNS_IP_HACK
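Review bot: this is the second copy of the `if(!val_istrusted(val_status)){ LOG(L_INFO, ...) }` block from resolve.c, and the ipv6 hunk below adds a third; factor it into one small helper or macro so the trust policy (log only today, possibly reject later) lives in a single place. As in resolve.c, the lookup result `he` is still returned when the status is untrusted, so the check should at least be ordered after `he==0` handling if the intent is ever to reject untrusted answers.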
@@ -438,7 +453,14 @@ skip_ipv4:
 #endif
                /*try ipv6*/
        #ifdef HAVE_GETHOSTBYNAME2
+               #ifndef USE_DNSSEC
                he=gethostbyname2(name, AF_INET6);
+               #else
+               he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, 
&val_status);
+               if(!val_istrusted(val_status)){
+                       LOG(L_INFO, "INFO: got not trusted record when 
resolving %s\n",name);
+               }
+               #endif //!USE_DNSSEC
        #elif defined HAVE_GETIPNODEBYNAME
                /* on solaris 8 getipnodebyname has a memory leak,
                 * after some time calls to it will fail with err=3
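Review bot: `#endif //!USE_DNSSEC` uses a C++ style comment in a C header and mislabels the directive it closes: the `#endif` terminates the `#ifndef USE_DNSSEC` / `#else` pair, and the `#else` branch it ends is the USE_DNSSEC branch, so write `#endif /* USE_DNSSEC */` to match the rest of the file's comment style. The same duplicated untrusted-check block noted for the ipv4 path applies here as well.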


_______________________________________________
sr-dev mailing list
[email protected]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

--
Peter Dunkley
Technical Director
Crocodile RCS Ltd
