[sr-dev] DNSsec stats

Marius Zbihlei mariuszbi at gmail.com
Sun Apr 21 21:35:24 CEST 2013


Hello,

Maybe this bit of info will help in testing:

Google open resolvers should (I used another Google resolver which works)
work with DNSSEC, so setting nameserver 8.8.8.8 in your /etc/resolv.conf
should provide access to a recursive DNSSEC resolver. Next, sending a SIP
dummy request to the domain www.dnssec-failed.org (www is mandatory)
should get this message (level INFO on master branch):

0(70805) ERROR: dnssec [dnssec_func.c:145]: invalid domain
www.dnssec-failed.org reason VAL_UNTRUSTED_ANSWER

Keep note that I use val_istrusted, which is less strict than
val_isvalidated (afaik the latter only returns true if the domain is
validated via dnssec, for non-dnssec enabled domains it will fail); the
decision should be configurable.

Cheers,
Marius


On Sun, Apr 21, 2013 at 8:23 PM, Olle E. Johansson <oej at edvina.net> wrote:

>
> 21 apr 2013 kl. 20:39 skrev Marius Zbihlei <mariuszbi at gmail.com>:
>
> Hello,
>
> I have added today a feature for setting various libval flags. Based on
> your suggestions (thank you, by the way) and my backlog I will continue to
> work on the following:
>
> 1. Strict or non-strict validation
> 2. CFG framework for enabling/disabling features
> 3. Exclusion list (clock-skew per domain) & other dnssec protocol specific
> policies
> 4. Statistics
> 5. DANE/DNSSEC (still have to document)
>
>
> I just sent e-mail to the DANE mailing list about SIP issues. I think we
> need to work in the IETF a bit here.
>
> 6. Async DNS resolving support (maybe with support from t_suspend() API)
>
> Cool.
>
> Looking into some DNS stuff in Asterisk now. Maybe I can add libval there
> too.
>
> Cheers,
> /O
>
>
> The order might not be the correct one... ATM, I am mostly looking for
> suggestions and integrators/testers for feedback.
>
> Cheers,
> Marius
>
>
> On Sun, Apr 21, 2013 at 6:51 PM, Olle E. Johansson <oej at edvina.net> wrote:
>
>> Hi again!
>>
>> I would also like to propose that you add a counter for failures to
>> validate DNSsec that will automatically be published
>> in rpc. I could then also add it to the SNMP module.
>>
>> Cheers,
>> /O
>> _______________________________________________
>> sr-dev mailing list
>> sr-dev at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
>>
>
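Added example, not part of the original message and not the dnssec module's code: a simplified C model of the strict versus non-strict decision discussed above, combined with the failure counter proposed in the thread. The enum, the `model_*` predicates and the sample answers are hypothetical stand-ins that follow the message's description of val_istrusted and val_isvalidated; they are not libval's status codes or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified answer classes (assumption; NOT libval's val_status_t). */
typedef enum {
    ANS_VALIDATED, /* signed zone, chain of trust verified          */
    ANS_UNSIGNED,  /* zone has no DNSSEC, so nothing can be checked */
    ANS_BOGUS      /* signed zone, but verification failed          */
} answer_class;

typedef enum { POLICY_TRUSTED, POLICY_STRICT } dnssec_policy;

/* Hypothetical stand-ins for the two predicates as the mail describes them. */
static bool model_istrusted(answer_class a)   { return a != ANS_BOGUS; }
static bool model_isvalidated(answer_class a) { return a == ANS_VALIDATED; }

/* Counters that an RPC or SNMP export could publish. */
typedef struct {
    unsigned long lookups;
    unsigned long failures;
} dnssec_stats;

/* Apply the configured policy to one answer and update the counters. */
bool dnssec_accept(dnssec_policy p, answer_class a, dnssec_stats *st)
{
    bool ok = (p == POLICY_STRICT) ? model_isvalidated(a) : model_istrusted(a);
    st->lookups++;
    if (!ok)
        st->failures++;
    return ok;
}

/* Run four constructed sample answers and return the failure count. */
unsigned long run_samples(dnssec_policy p)
{
    static const answer_class samples[] = {
        ANS_VALIDATED, ANS_UNSIGNED, ANS_BOGUS, ANS_UNSIGNED
    };
    dnssec_stats st = {0, 0};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        dnssec_accept(p, samples[i], &st);
    return st.failures;
}

int main(void)
{
    printf("non-strict failures: %lu\n", run_samples(POLICY_TRUSTED));
    printf("strict failures:     %lu\n", run_samples(POLICY_STRICT));
    return 0;
}
```

Under the strict policy every unsigned domain counts as a failure, so the same counter means different things depending on the configured mode.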