On 21 Apr 2013, at 21:35, Marius Zbihlei <[email protected]> wrote:

> Hello,
>
> Maybe this bit of info will help in testing:
>
> Google open resolvers should (I used another Google resolver which works) work
> with DNSSEC, so setting nameserver 8.8.8.8 in your /etc/resolv.conf should
> provide access to a recursive dnssec resolver. Next, sending a SIP dummy
> request to the domain www.dnssec-failed.org (www is mandatory) should get
> this message (level INFO on master branch)
>
> 0(70805) ERROR: dnssec [dnssec_func.c:145]: invalid domain
> www.dnssec-failed.org reason VAL_UNTRUSTED_ANSWER
>
> Keep note that I use val_istrusted, which is less strict than val_isvalidated
> (afaik the latter only returns true if the domain is validated via dnssec,
> for non-dnssec enabled domains it will fail), the decision should be
> configurable.
A more general question: Would it be possible to generate error codes to the various forward/send/t_relay set of functions so that we know better the type of failure, like TLS did not validate or DNSsec failed?

/O

>
> Cheers,
> Marius
>
>
> On Sun, Apr 21, 2013 at 8:23 PM, Olle E. Johansson <[email protected]> wrote:
>
> On 21 Apr 2013, at 20:39, Marius Zbihlei <[email protected]> wrote:
>
>> Hello,
>>
>> I have added today a feature for setting various libval flags. Based on your
>> suggestions (thank you, by the way) and my backlog I will continue to work on
>> the following
>>
>> 1. Strict or non-strict validation
>> 2. CFG framework for enabling/disabling features
>> 3. Exclusion list (clock-skew per domain) & other dnssec protocol specific
>> policies
>> 4. Statistics
>> 5. DANE/DNSSEC (still have to document)
>
> I just sent e-mail to the DANE mailing list about SIP issues. I think we need
> to work in the IETF a bit here.
>
>> 6. Async DNS resolving support (maybe with support from t_suspend() API)
> Cool.
>
> Looking into some DNS stuff in Asterisk now. Maybe I can add libval there too.
>
> Cheers,
> /O
>>
>> The order might not be the correct one... ATM, I am mostly looking for
>> suggestions and integrators/testers for feedback.
>>
>> Cheers,
>> Marius
>>
>>
>> On Sun, Apr 21, 2013 at 6:51 PM, Olle E. Johansson <[email protected]> wrote:
>> Hi again!
>>
>> I would also like to propose that you add a counter for failures to validate
>> DNSsec that will automatically be published
>> in rpc. I could then also add it to the SNMP module.
>>
>> Cheers,
>> /O
>> _______________________________________________
>> sr-dev mailing list
>> [email protected]
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
