<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/4.4.4">
</HEAD>
<BODY>
Hi,<BR>
<BR>
DNSSEC seems to be enabled by default in master now.<BR>
<BR>
My builds (on Fedora and CentOS) are now failing with:<BR>
/usr/bin/ld: cannot find -lval-threads<BR>
/usr/bin/ld: cannot find -lsres<BR>
collect2: error: ld returned 1 exit status<BR>
make: *** [kamailio] Error 1<BR>
<BR>
I am not sure which packages to install to fix this - I don't they are actually in the default repos. Would it be possible to make the default behaviour not to build DNSSEC?<BR>
<BR>
Thanks,<BR>
<BR>
Peter<BR>
<BR>
On Wed, 2012-10-10 at 16:56 +0200, Marius Zbihlei wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
Module: sip-router
Branch: master
Commit: 73103df8fcffa0f92dfc4699c52d5dd9474084ea
URL: <A HREF="http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea">http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=73103df8fcffa0f92dfc4699c52d5dd9474084ea</A>
Author: Marius Zbihlei <<A HREF="mailto:marius.zbihlei@1and1.ro">marius.zbihlei@1and1.ro</A>>
Committer: Marius Zbihlei <<A HREF="mailto:marius.zbihlei@1and1.ro">marius.zbihlei@1and1.ro</A>>
Date: Wed Oct 10 17:53:02 2012 +0300
Core: added DNSSEC support for DNS queries
This is available by setting the USE_DNSSEC compile flag. It requires libval-threads and libres (part of dnssec-tools dnssec-tools.org)
The custom resolvers were replaced by val_gethostbyname, val_gethostbyname and val_res_query (for SRV).
---
Makefile.defs | 9 +++++++--
resolve.c | 18 ++++++++++++++++++
resolve.h | 22 ++++++++++++++++++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/Makefile.defs b/Makefile.defs
index 1645c34..2b7f332 100644
--- a/Makefile.defs
+++ b/Makefile.defs
@@ -1,4 +1,4 @@
-# $Id$
+
#
# makefile defs (CC, LD,a.s.o)
#
@@ -1751,7 +1751,12 @@ ifeq ($(OS), linux)
                        LIBS+=-lpthread
                endif
        endif
-        # check for >= 2.5.44
+        ifeq (,$(findstring -DUSE_DNSSEC, $(C_DEFS)))
+                LIBS+=-lval-threads -lcrypto -lsres -lpthread
+$(info "using libval for DNSSEC validation")
+        endif
+ # check for >= 2.5.44
+
        ifeq ($(shell [ $(OSREL_N) -ge 2005044 ] && echo has_epoll), has_epoll)
                ifeq ($(NO_EPOLL),)
                        C_DEFS+=-DHAVE_EPOLL
diff --git a/resolve.c b/resolve.c
index 17772b7..36a2992 100644
--- a/resolve.c
+++ b/resolve.c
@@ -713,6 +713,10 @@ struct rdata* get_record(char* name, int type, int flags)
        int name_len;
        struct rdata* fullname_rd;
        
+#ifdef USE_DNSSEC
+        val_status_t val_status;
+#endif
+
        if (cfg_get(core, core_cfg, dns_search_list)==0) {
                search_list_used=0;
                name_len=0;
@@ -722,7 +726,21 @@ struct rdata* get_record(char* name, int type, int flags)
        }
        fullname_rd=0;
+#ifndef USE_DNSSEC
        size=res_search(name, C_IN, type, buff.buff, sizeof(buff));
+#else
+        size=val_res_query((val_context_t *) NULL,
+ (char *) name,
+ (int) C_IN,
+                 (int) type,
+ (unsigned char *) buff.buff,
+                 (int) sizeof(buff),
+ &val_status);        
+        if(!val_istrusted(val_status)){
+                LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+        }
+#endif
+
        if (unlikely(size<0)) {
                DBG("get_record: lookup(%s, %d) failed\n", name, type);
                goto not_found;
diff --git a/resolve.h b/resolve.h
index 8ce68e6..66fd3ff 100644
--- a/resolve.h
+++ b/resolve.h
@@ -58,6 +58,10 @@
#include "dns_wrappers.h"
#endif
+#ifdef USE_DNSSEC
+#include "validator/validator.h"
+#endif
+
/* define RESOLVE_DBG for debugging info (very noisy) */
#define RESOLVE_DBG
/* define NAPTR_DBG for naptr related debugging info (very noisy) */
@@ -400,6 +404,9 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
#ifdef DNS_IP_HACK
+#ifdef USE_DNSSEC
+        val_status_t val_status;
+#endif
        struct ip_addr* ip;
        str s;
@@ -430,7 +437,15 @@ static inline struct hostent* _resolvehost(char* name)
#endif
#endif
        /* ipv4 */
+#ifndef USE_DNSSEC
        he=gethostbyname(name);
+#else
+        he=val_gethostbyname( (val_context_t *) 0, name, &val_status);
+        if(!val_istrusted(val_status)){
+                LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+        }
+#endif
+
#ifdef USE_IPV6
        if(he==0 && cfg_get(core, core_cfg, dns_try_ipv6)){
#ifndef DNS_IP_HACK
@@ -438,7 +453,14 @@ skip_ipv4:
#endif
                /*try ipv6*/
        #ifdef HAVE_GETHOSTBYNAME2
+                #ifndef USE_DNSSEC
                he=gethostbyname2(name, AF_INET6);
+                #else
+                he=val_gethostbyname2((val_context_t*)0, name, AF_INET6, &val_status);
+                if(!val_istrusted(val_status)){
+                        LOG(L_INFO, "INFO: got not trusted record when resolving %s\n",name);
+                }
+                #endif //!USE_DNSSEC
        #elif defined HAVE_GETIPNODEBYNAME
                /* on solaris 8 getipnodebyname has a memory leak,
                 * after some time calls to it will fail with err=3
_______________________________________________
sr-dev mailing list
<A HREF="mailto:sr-dev@lists.sip-router.org">sr-dev@lists.sip-router.org</A>
<A HREF="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev</A>
</PRE>
</BLOCKQUOTE>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<PRE>
--
Peter Dunkley
Technical Director
Crocodile RCS Ltd
</PRE>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>