[sr-dev] git:master: Core: added DNSSEC support for DNS queries

Klaus Darilion klaus.mailinglists at pernau.at
Thu Oct 25 15:51:17 CEST 2012



On 12.10.2012 08:46, Olle E. Johansson wrote:
>
> 11 okt 2012 kl. 16:54 skrev Marius Zbihlei <marius.zbihlei at 1and1.ro>:
>
>> On 10/11/2012 05:40 PM, Klaus Darilion wrote:
>>> Hi Marius!
>>>
>>> What's the benefit of having DNSSEC validation in Kamailio instead of
>>> having it in the respective recursive DNS server? I think most people
>>> which operate a SIP proxy do also have a resolving name server within
>>> their names. It may happen that bugfixes in DNSSEC libraries require to
>>> rebuild/restart your SIP proxy, instead of just updating the local recurser.
>> I imagined a situation in which you don't trust your resolver, even in the same LAN. Due to ARP poisoning, DNS requests (even your local resolver issues external requests) can be spoofed and incorrect data can be returned.
>>
>> I think using bind locally as a resolver indeed eliminates this issue, but with DNS caching in place I fail to see the reason for using a local DNS resolver, instead one can use a network resolver. Just a little more flexibility.
>
> With DANE, a new RFC, Kamailio will validate SSL certificates in a DNSSEC-secured DNS zone. Feels good
> to be able to have control over the validation and get detailed error codes. And not have to trust an
> external software for security validation.

FYI - ldns now supports DANE.

regards
Klaus




Hello Everyone,

I am pleased to announce that version 1.6.14 of ldns is now available.

This release has more bugfixes than usual because of the code
reviews from CZ.NIC and Paul Wouters. Thank you!

We have many improvements in the pyldns contribution from Karel Slany
which are now listed in its own Changelog file in contrib/python (and
below).

The most notable new feature is DANE support (RFC6698). New functions
for verifying and constructing TLSA resource records have been added.
The example tool, ldns-dane, has been added to demonstrate the new
functions and for the general usability of DANE operation.

I hope this release will be useful for you and that you will keep us
informed of your experiences.

Best regards,

Willem Toorop

link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.14.tar.gz
sha1: 2ef5fbf33b25d2f7b736c332ebccc0862dd12d02

Changelog:
==========
* DANE support (RFC6698), including ldns-dane example tool.
* Configurable default CA certificate repository for ldns-dane with
   --with-ca-file=CAFILE and --with-ca-path=CAPATH
* Configurable default trust anchor with --with-trust-anchor=FILE
   for drill, ldns-verify-zone and ldns-dane
* bugfix #474: Define socklen_t when undefined (like in Win32)
* bugfix #473: Dead code removal and resource leak fix in drill
* bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RRs too.
* Various bugfixes from code reviews from CZ.NIC and Paul Wouters
* ldns-notify TSIG option argument checking
* Let ldns_resolver_nameservers_randomize keep nameservers and RTTs
   in sync.
* Let ldns_pkt_push_rr now return false on (memory) errors.
* Make buffer_export comply to documentation and fix buffer2str
* Various improvements and fixes of pyldns from Karel Slany,
   now documented in their own Changelog.
* bugfix: Make ldns_resolver_pop_nameserver clear the array when
   there was only one.
* bugfix #459: Remove ldns_symbols and export symbols based on regex
* bugfix #458: Track all newly created signatures when signing.
* bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given.
* bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm.
* pyldns memory handling fixes and the python3/ldns-signzone.py
   examples script contribution from Karel Slany.
* bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed
   to be bigger (or equal) P in ldns_key_dsa2bin.
* bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new.
* bugfix #448: Copy nameserver value (instead of reference) of the
   answering nameserver to the answer packet in ldns_send_buffer, so
   the original value may be deep freed with the ldns_resolver struct.
* New -0 option for ldns-read-zone to replace inception, expiration
   and signature rdata fields with (null). Thanks Paul Wouters.
* New -p option for ldns-read-zone to prepend-pad SOA serial to take
   up ten characters.
* Return error if printing RR fails due to unknown/null RDATA.


pyldns Changelog:
=================
* Added rich comparison methods for ldns_dname, ldns_rdf, ldns_rr and
   ldns_rr_list classes.
* Added deprecation warnings into ldns_rr.new_frm_fp() and
   ldns_rr.new_frm_fp_l() and others.
* Fixed ldns_rr.set_rdf(), which may cause memory leaks, because it
   returns new objects (in the scope of Python). Also it leaked memory,
   when the call was not successful.
* Fixed ldns_get_rr_list_hosts_frm_file, marked as newobject.
* Fixed ldns_rr_list.cat() to return bool as mentioned in documentation.
* Fixed ldns_rr_list_cat_clone, marked as newobject.
* Fixed ldns_rr_list.new_frm_file(). Exception argument was invalid.
* Fixed ldns_rr_list.push_rr() to return bool as mentioned in
   documentation.
* Fixed ldns_rr_list.push_rr_list() to return bool as mentioned in
   documentation.
* Fixed ldns_rr_list.set_rr(), which caused memory corruption, double
   free problems and memory leaks. (The wrapper used original function
   instead of its push cloned variant which was missing.)
* Fixed ldns_rr_list.set_rr_count(), added python exception raise in
   order to avoid assertion failure.
* Fixed ldns_rr_list.subtype_by_rdf(), marked as newobject.
* Added ldns_rr.to_canonical(), ldns_rr.is_question(),
   ldns_rr.type_by_name(), ldns_rr.class_by_name(), ldns_rr_list.new(),
   ldns_rr.set_question().
* Modified ldns_rr_list.owner() and ldns_rr.owner(), now returns
   ldns_dname.
* Fixed assertion failures for several methods when receiving incorrect
   but syntactically valid arguments (i.e., ldns_rr.a_address(),
   ldns_rr.dnskey_algorithm(), ldns_rr.dnskey_flags(),
   ldns_rr.dnskey_key(), ldns_rr.dnskey_protocol(),
   ldns_rr.mx_exchange(), ldns_rr.mx_preference(), ldns_rr.ns_nsdname(),
   ldns_rr.owner(), ldns_rr.rdf(), ldns_rr.rrsig_algorithm(),
   ldns_rr.rrsig_expiration(), ldns_rr.rrsig_inception(),
   ldns_rr.rrsig_keytag(), ldns_rr.rrsig_labels(),
   ldns_rr.rrsig_origttl(),
   ldns_rr.rrsig_sig(), ldns_rr.rrsig_signame(),
   ldns_rr.rrsig_typecovered(), ldns_rr_list.owner(), ldns_rr_list.rr())
* Fixed ldns_rr.a_address(), which was asserting when called
   on non A or AAAA type rr. Now returns None when fails.
* Added scripts for testing the basic functionality of the ldns_rr,
   ldns_rr_descriptor and ldns_rr_list class code.
* Improved documentation of ldns_rr, ldns_rr_descriptor and
   ldns_rr_list.
* Fixed automatic conversion from Python string to ldns_rdf and
   ldns_dname. Caused memory corruption when using Python 3.
* The Python 3 wrapper code now raises TypeError instead of ValueError
   when receiving a non FILE * argument when it should be a FILE *.
* Fixed wrong handling of _ldns_rr_list_free() and
   _ldns_rr_list_deep_free() when compiling with LDNS_DEBUG directive.
* Fixed malfunctioning ldns.ldns_rdf_new_frm_fp_l().
* Fixed malfunctioning ldns_rdf.absolute() and ldns_dname.absolute().
* Marked several functions related to ldns_rdf and ldns_buffer as
   returning new objects.
* Methods operating on ldns_dnames and returning dname ldns_rdfs now
   return ldns_dname instances.
* Improved documentation of ldns_buffer, ldns_rdf and ldns_dname
   classes.
* Methods ldns_buffer.available() and ldns_buffer.available_at() now
   return bool types as described in the documentation.
* Added scripts for testing the basic functionality of the ldns_buffer,
   ldns_rdf, ldns_dname class code.
* Added deprecation warnings to ldns_rdf methods operating on dname
   rdfs. The user is encouraged to convert dname ldns_rdfs to
   ldns_dnames.
* Extended ldns_dname constructor to accept ldns_rdfs containing dnames.
_______________________________________________
ldns-users mailing list
ldns-users at open.nlnetlabs.nl
http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
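The TLSA matching that both the Kamailio discussion (validating a TLS certificate against a DNSSEC-signed zone) and the ldns 1.6.14 announcement (functions for constructing and verifying TLSA records) refer to, as an added Python example; this is not code from the thread, from Kamailio or from ldns. It implements the RFC 6698 certificate association check directly: a TLSA record selects either the whole certificate or its SubjectPublicKeyInfo (selector 0/1) and compares it in full or by SHA-256/SHA-512 digest (matching type 0/1/2). The certificate is a constructed, unsigned DER structure built only so the example runs offline; the owner name `_5061._tcp.sip.example.` is likewise made up. Only the leaf-match step is shown: for certificate usages 0 and 1 a conforming client must additionally perform PKIX validation, and DNSSEC validation of the TLSA RRset itself is assumed to have happened already.

```python
import hashlib
import hmac

# TLSA selectors and matching types (RFC 6698, sections 2.1.2 and 2.1.3)
SEL_CERT, SEL_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def der_tlv(tag, content):
    """Encode one DER TLV with definite length (used to construct sample data)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Decode the TLV starting at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert, _ = der_read(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)             # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, end = der_read(tbs, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version (absent in v1)
        pos = end
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("malformed certificate: SubjectPublicKeyInfo not found")
    return tbs[pos:end]


def parse_tlsa(rdata):
    """Parse TLSA presentation format: '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, *data = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data))


def _association_data(cert_der, selector, mtype):
    """Certificate association data for cert_der, or None for unknown parameters."""
    if selector == SEL_CERT:
        subject = cert_der
    elif selector == SEL_SPKI:
        subject = extract_spki(cert_der)
    else:
        return None
    if mtype == MATCH_FULL:
        return subject
    if mtype == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    return None


def tlsa_rdata_for(cert_der, usage, selector, mtype):
    """Construct the TLSA rdata an operator would publish for cert_der."""
    data = _association_data(cert_der, selector, mtype)
    if data is None:
        raise ValueError("unknown selector or matching type")
    return f"{usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(rdata, cert_der):
    """True if the presented certificate satisfies the TLSA record.

    Records with unknown selector or matching type are treated as unusable
    (False) rather than as a match; the comparison is constant-time.
    """
    _usage, selector, mtype, assoc = parse_tlsa(rdata)
    expected = _association_data(cert_der, selector, mtype)
    return expected is not None and hmac.compare_digest(expected, assoc)


def build_sample_cert(pubkey_bytes):
    """Constructed sample: an X.509 v3-shaped DER certificate (unsigned, demo only)."""
    rsa_sha256_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_tlv(0x30, rsa_sha256_oid + der_tlv(0x05, b""))
    name = der_tlv(0x30, b"")                                            # empty Name, fine for a sample
    validity = der_tlv(0x30, der_tlv(0x17, b"121025000000Z") + der_tlv(0x17, b"131025000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + pubkey_bytes))
    tbs = der_tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    signature = der_tlv(0x03, b"\x00" + bytes(16))                       # placeholder signature bits
    return der_tlv(0x30, tbs + sig_alg + signature)


if __name__ == "__main__":
    cert = build_sample_cert(b"\x01\x02\x03\x04")
    rr = tlsa_rdata_for(cert, 3, SEL_SPKI, MATCH_SHA256)   # DANE-EE, SPKI, SHA-256
    print("_5061._tcp.sip.example. IN TLSA", rr)
    print("presented cert matches:", tlsa_matches(rr, cert))
    print("other cert matches:", tlsa_matches(rr, build_sample_cert(b"\x05\x06")))
```

The "3 1 1" form used in the usage call is the one most deployments publish: usage 3 (DANE-EE) pins the server's own key, selector 1 keeps the record valid across certificate renewals that reuse the key, and matching type 1 keeps the record small. Note that `tlsa_matches` says nothing about whether the TLSA RRset was obtained over a validated (AD-flagged) DNSSEC answer; a spoofable resolver path, which is exactly the concern raised in the thread, makes any TLSA match worthless.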
