<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello,</p>
<p>thanks for providing all the details getting the dnssec sorted
out with dnsval.conf. It is really useful.<br>
</p>
<p>If you have the time, would be good to add those details in the
readme file for dnssec -- you cna make a pull request for the file
modules/dnssec/doc/dnssec_admin.xml</p>
<p>The alternative would be to add to the wiki:</p>
<p> - <a class="moz-txt-link-freetext" href="https://www.kamailio.org/wiki/tutorials/dns/dnssec">https://www.kamailio.org/wiki/tutorials/dns/dnssec</a></p>
<p>Cheers,<br>
Daniel<br>
</p>
<br>
<div class="moz-cite-prefix">On 13/05/16 20:48, David Holl wrote:<br>
</div>
<blockquote cite="mid:20160513184803.GA88046@subspace.local"
type="cite">In the interest of sharing and promoting DNSSEC, I was
recently stumped on a problem where I noticed I could not call
<a class="moz-txt-link-freetext" href="sip:test.echo@sip5060.net">sip:test.echo@sip5060.net</a> without disabling the dnssec.so module
in my kamailio.cfg. The last time I had tried the sip5060 echo
test was several months ago, and in the intervening time, I had
applied the numerous debian package updates. Thus, I could not
isolate the cause of the problem to one of the many package
updates such as kamailio 4.4.x, libval, my own DNSSEC dns server,
etc... My initial only clue was kamailio's syslog messages:
<br>
<br>
May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: tm
[ut.h:296]: uri2dst2(): ERROR: uri2dst: failed to resolve
"sip5060.net" :unresolvable A or AAAA request (-7) <br>
May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: tm
[t_fwd.c:1712]: t_forward_nonack(): ERROR: t_forward_nonack:
failure to add branches
<br>
<br>
May 12 18:02:49 tensor /usr/sbin/kamailio[24128]: ERROR: sl
[sl_funcs.c:363]: sl_reply_error(): ERROR: sl_reply_error used:
Unresolvable destination (478/SL)
<br>
<br>
<br>
<br>
To summarize the problem, I found that kamailio's dnssec.so was
failing queries to domains that were not DNSSEC protected such as
sip5060.net. This behavior is a bug, since sip5060.net is in this
case, provably not participating in DNSSEC from the toplevel
"net." zone [1].
<br>
<br>
<br>
<br>
The fix was to provide a default configuration file to libval,
which was somehow not included in Debian's libval15 package. I
created the following configuration from the default dnsval.conf
in the source distribution:
<br>
<a class="moz-txt-link-freetext" href="https://dnssec-tools.org/download/dnsval-2.2.tar.gz">https://dnssec-tools.org/download/dnsval-2.2.tar.gz</a>
<br>
<a class="moz-txt-link-freetext" href="https://dnssec-tools.org/download/dnsval-2.2.tar.gz.asc">https://dnssec-tools.org/download/dnsval-2.2.tar.gz.asc</a>
<br>
as well as their wiki:
<br>
<a class="moz-txt-link-freetext" href="https://www.dnssec-tools.org/wiki/index.php/Dnsval.conf">https://www.dnssec-tools.org/wiki/index.php/Dnsval.conf</a>
<br>
<br>
cat << 'EOF' > /etc/dnssec-tools/dnsval.conf
<br>
##################################
<br>
# Global Options ##################################
<br>
<br>
global-options
<br>
trust-oob-answers yes
<br>
# I'm running a DNSSEC nameserver locally,
<br>
# so 4 KiB queries to localhost should be OK:
<br>
edns0-size 4096
<br>
env-policy disable
<br>
app-policy disable
<br>
rec-fallback no
<br>
;
<br>
<br>
: trust-anchor
<br>
. DS 19036 8 2
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
<br>
;
<br>
<br>
: zone-security-expectation
<br>
. validate
<br>
;
<br>
<br>
: provably-insecure-status
<br>
. trusted
<br>
;
<br>
<br>
: clock-skew
<br>
. 0
<br>
;
<br>
EOF
<br>
<br>
<br>
<br>
In summary: I find it odd that a default dnsval.conf was not
included with my system's normal installation of the
"libval15:amd64" package, version 2.2-4. After providing
dnsval.conf, kamailio's dnssec.so was happy again.
<br>
<br>
Side notes:
<br>
<br>
* To identify the directory for dnsval.conf, run
<br>
libval-config --dnsval-config
<br>
On Debian, libval-config is in the libval-dev pacakge, and this
package includes a man page for dnsval.conf as well.
<br>
<br>
* To test your libval and dnsval.conf, try
<br>
dt-validate -s
<br>
On Debian, dt-validate is in the libval-bin package.
<br>
<br>
<br>
- David
<br>
<br>
<br>
[1] -- Authenticated denial of existence:
<br>
<a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc5155">https://tools.ietf.org/html/rfc5155</a>
<br>
<a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc7129">https://tools.ietf.org/html/rfc7129</a>
<br>
And for sip5060.net, there's an NSEC3 record in the top level net.
zone proving non-existance of sip5060.net DS records:
<br>
<a class="moz-txt-link-freetext" href="http://dnsviz.net/d/sip5060.net/dnssec/">http://dnsviz.net/d/sip5060.net/dnssec/</a>
<br>
Translation: sip5060.net provably not enabled DNSEC.
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Kamailio World Conference, Berlin, May 18-20, 2016 - <a class="moz-txt-link-freetext" href="http://www.kamailioworld.com">http://www.kamailioworld.com</a></pre>
</body>
</html>