<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>21 apr 2013 kl. 21:35 skrev Marius Zbihlei <<a href="mailto:mariuszbi@gmail.com">mariuszbi@gmail.com</a>>:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">Hello, <div><br></div><div style="">Maybe this bit of info will help in testing:</div><div style=""><br></div><div style="">Google open resolvers should (I used another Google resolver with works) work with DNSSEC, so setting nameserver 8.8.8.8 in your /etc/resolv.conf should provide access to a recursive dnssec resolver. Next, sending a SIP dummy request to the domain <a href="http://www.dnssec-failed.org/">www.dnssec-failed.org</a> (www is mandatory) should git this message ( level INFO on master branch)</div>
<div style=""><br></div><div style=""><div>0(70805) ERROR: dnssec [dnssec_func.c:145]: invalid domain <a href="http://www.dnssec-failed.org/">www.dnssec-failed.org</a> reason VAL_UNTRUSTED_ANSWER</div><div><br></div><div style="">Keep note that I use val_istrusted, which is less strict the val_isvalidated ( afaik the later only returns true if the domain is validated via dnssec, for non-dnssec enabled domains it will fail), the decision should be configurable.</div></div></div></blockquote><div><br></div><div>A more general question:</div>Would it be possible to generate error codes to the various forward/send/t_relay set of functions so that we know better the type of failure,</div><div>like TLS did not validate or DNSsec failed?</div><div><br></div><div>/O<br><blockquote type="cite"><div dir="ltr"><div style="">
<div style=""><br></div><div style="">Cheers,</div><div style="">Marius</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Apr 21, 2013 at 8:23 PM, Olle E. Johansson <span dir="ltr"><<a href="mailto:oej@edvina.net" target="_blank">oej@edvina.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><div>21 apr 2013 kl. 20:39 skrev Marius Zbihlei <<a href="mailto:mariuszbi@gmail.com" target="_blank">mariuszbi@gmail.com</a>>:</div>
<div class="im"><br><blockquote type="cite"><div dir="ltr">Hello, <div><br></div><div>I have added today a feature for setting various libval flags. Based on your suggestions(thank you, by the way) and my backlog I will continue to work on the following</div>
<div>
<br></div><div>1. Strict or non-strict validation </div><div>2. CFG framework for enabling/disabling features </div><div>3. Exclusion list (clock-skew per domain) & other dnssec protocol specific policies </div>
<div>4. Statistics </div><div>5. DANE/DNSSEC (still have to document)</div></div></blockquote><div><br></div></div>I just sent e-mail to the DANE mailing list about SIP issues. I think we need to work in the IETF a bit here.</div>
<div><div class="im"><br><blockquote type="cite"><div dir="ltr">6.Async DNS resolving support (maybe with support from t_suspend() API)</div></blockquote></div>Cool.</div><div><br></div><div>Looking into some DNS stuff in Asterisk now. Maybe I can add libval there too.</div>
<div><br></div><div>Cheers,</div><div>/O</div><div class="im"><div><blockquote type="cite"><div dir="ltr"><div><br></div><div>The order might not be the correct one...ATM, I am mostly looking for suggestion and integrators/testers for feedback. </div>
<div><br></div><div>Cheers,</div><div>Marius</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Apr 21, 2013 at 6:51 PM, Olle E. Johansson <span dir="ltr"><<a href="mailto:oej@edvina.net" target="_blank">oej@edvina.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi again!<br>
<br>
I would also like to propose that you add a counter for failures to validate DNSsec that will automatically be published<br>
in rpc. I could then also add it to the SNMP module.<br>
<br>
Cheers,<br>
/O<br>
_______________________________________________<br>
sr-dev mailing list<br>
<a href="mailto:sr-dev@lists.sip-router.org" target="_blank">sr-dev@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev</a><br>
</blockquote></div><br></div>
_______________________________________________<br>sr-dev mailing list<br><a href="mailto:sr-dev@lists.sip-router.org" target="_blank">sr-dev@lists.sip-router.org</a><br><a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev</a><br>
</blockquote></div><br></div></div><br>_______________________________________________<br>
sr-dev mailing list<br>
<a href="mailto:sr-dev@lists.sip-router.org">sr-dev@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev</a><br>
<br></blockquote></div><br></div>
_______________________________________________<br>sr-dev mailing list<br><a href="mailto:sr-dev@lists.sip-router.org">sr-dev@lists.sip-router.org</a><br>http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev<br></blockquote></div><br></body></html>