sipwise
/
kamailio
mirror of https://github.com/sipwise/kamailio.git
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '04ca58409b'
${ noResults }
kamailio/modules/dnssec/README

126 lines
3.8 KiB
Raw Blame History

Dnssec Module
Marius Zbihlei
Copyright © 2013
__________________________________________________________________
Table of Contents
1. Admin Guide
1. Overview
2. Dependencies
2.1. Kamailio Modules
2.2. External Libraries or Applications
3. Parameters
3.1. general_query_flags (integer)
List of Examples
1.1. Set enable_full_lr parameter
Chapter 1. Admin Guide
Table of Contents
1. Overview
2. Dependencies
2.1. Kamailio Modules
2.2. External Libraries or Applications
3. Parameters
3.1. general_query_flags (integer)
1. Overview
The module replaces the common system dns resolver functions from core
with the DNSSEC wrappers provided by libval. Practically, by loading
the module, Kamailio will make use of extensions to DNS which provide
origin authentication of DNS data, authenticated denial of existence,
and data integrity.
There is no module parameter that should be set nor fuction that has to
be executed by the configuration file. Existing SIP server deployments
can be updated to use DNSSEC by loading this module and setting
appropriate DNS server to the operating system.
Installing libval can be done from https://www.dnssec-tools.org.
More details about DNSSEC are available at:
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions.
2. Dependencies
2.1. Kamailio Modules
2.2. External Libraries or Applications
2.1. Kamailio Modules
The following modules must be loaded before this module:
* No dependencies on other Kamailio modules.
2.2. External Libraries or Applications
The following libraries or applications must be installed before
running Kamailio with this module loaded:
* libval - check https://www.dnssec-tools.org for installation
guidelines.
3. Parameters
3.1. general_query_flags (integer)
3.1. general_query_flags (integer)
Set this parameter to an integer value containing of an ORed result of
one or more of the following values (constant present only for
documentation process, as they are mostly mapped to libval
flags).Setting this parameter will cause the libval defaults to be
completely overwritten
QUERY_DONT_VALIDATE == 1<<0 causes the validator to disable validation
for this query.
QUERY_IGNORE_SKEW == 1<<1 causes the validator to disable checking
signature inception and expiration times on RRSIGs.
QUERY_AC_DETAIL == 1<<2 causes the validator to copy the authentication
chain details into the val_rc_answer member within the returned
val_result_chain structure.
QUERY_NO_DLV == 1<<3 causes the validator to disable DLV processing for
this query. This is only available if the libval(3) library has been
compiled with DLV support.
QUERY_NO_EDNS0_FALLBACK = 1<<4 In querying various name servers,
libsres will also attempt multiple EDNS0 sizes, ending with a query
that has EDNS0 disabled (i.e. no CD bit set). This option causes libval
to disable EDNS0 fallback for the query.
QUERY_RECURSE == 1<<5 forces libval to recursively answer the query by
iteratively querying various name servers in the delegation hierarchy,
instead of requesting this information from any caching name server
that may be configured in dnsval.conf
SKIP_RESOLVER == 1<<6 forces libval to only look at its cache while
trying to resolve a name.
SKIP_CACHE == 1<<7 forces libval to ignore cached data while trying to
resolve a name.
Default value is 0(no changes)
Example 1.1. Set enable_full_lr parameter
...
modparam("dnssec", "general_query_flags", 1) # QUERY_DONT_VALIDATE disable vali
dation
modparam("dnssec", "general_query_flags", 10) # QUERY_IGNORE_SKEW | QUERY_NO_DL
V
...
Reference in new issue View Git Blame Copy Permalink