From: Robert Bradley
Date: Mon, 31 Mar 2014 13:42:07 +0100
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!
Message-ID: <5339629F.9000809@gmail.com>
In-Reply-To: <87ioqv9zqr.fsf@alrua-x1.karlstad.toke.dk>
List-Id: Development issues regarding the cerowrt test router project

On 30/03/2014 21:51, Toke Høiland-Jørgensen wrote:
> Dave Taht writes:
>
>> There isn't. Arguably there should have been a flag added to
>> getaddrinfo ages ago...
> I was going to add one; however, it seems it's not entirely
> straightforward to propagate it through the C library so the code that
> produces DNS packets can actually act on it...

There is a val_getaddrinfo() available in libval which is based on
http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-3.2
if we want to go down that route. From what I can tell, you'd start by
creating your own validation context
(http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-6)
and use something like:

    /* Use default policy (label=NULL) and disable clock skew checks */
    char *label = NULL;
    val_context_t *ctx;
    val_status_t dnssec_status;

    val_create_context(label, &ctx);
    /* Error handling here for non-zero return values or ctx=NULL */
    val_context_setqflags(ctx, VAL_CTX_FLAG_SET, VAL_QUERY_IGNORE_SKEW);

    /* Perform lookup (ignoring error handling again) */
    val_getaddrinfo(ctx, ..., &dnssec_status);
    if (val_istrusted(dnssec_status)) {
        /* DNSSEC signature check is good or not applicable: Continue as normal */
    }

    /* Clear context */
    val_free_context(ctx);

The validation in that case is done entirely outside dnsmasq (with the
CD bit set on the libval queries). We have libval available already but
not installed, so that is not a problem. Implementing this in BusyBox
and sysntpd may be a bit of an issue though.

-- 
Robert Bradley
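As an added illustration (not code from Robert's message or from libval) of what the VAL_QUERY_IGNORE_SKEW flag above switches off: the RFC 4035 temporal check on an RRSIG, which compares the Inception and Expiration fields against the validator's clock using RFC 1982 serial arithmetic, and which is exactly what fails on a router whose clock is still at the epoch before NTP has run. The function names and timestamps are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 1982 serial-number "a <= b" on 32-bit values. RFC 4034 section
 * 3.1.5 requires this form for RRSIG Inception/Expiration comparisons,
 * so a window that straddles the 2106 wrap still compares correctly. */
static int serial_le(uint32_t a, uint32_t b)
{
    return a == b || (int32_t)(b - a) > 0;
}

/* RFC 4035 section 5.3.1: an RRSIG is usable only while
 * inception <= now <= expiration. ignore_skew models what libval's
 * VAL_QUERY_IGNORE_SKEW does: skip the clock comparison entirely.
 * Returns 1 when the signature passes the temporal check, else 0. */
int rrsig_time_valid(uint32_t inception, uint32_t expiration,
                     uint32_t now, int ignore_skew)
{
    if (ignore_skew)
        return 1;
    return serial_le(inception, now) && serial_le(now, expiration);
}

int main(void)
{
    /* Constructed RRSIG window: 2014-03-24 to 2014-04-07 00:00 UTC */
    const uint32_t inception  = 1395619200u;
    const uint32_t expiration = 1396828800u;
    const uint32_t epoch      = 0u;           /* clock before NTP has run */
    const uint32_t real_now   = 1396269727u;  /* 2014-03-31 12:42:07 UTC */

    /* Strict check with an unset clock: the signature looks "not yet
     * valid", so a DNSSEC-validated lookup of the NTP server fails. */
    printf("strict, clock at epoch: %d\n",
           rrsig_time_valid(inception, expiration, epoch, 0));
    /* Bootstrap mode: skew ignored, the lookup can proceed to fetch time. */
    printf("skew ignored:           %d\n",
           rrsig_time_valid(inception, expiration, epoch, 1));
    /* Once the clock is set, strict validation should be re-enabled. */
    printf("strict, clock set:      %d\n",
           rrsig_time_valid(inception, expiration, real_now, 0));
    return 0;
}
```

The skew-ignored mode is only safe for the bootstrap lookup itself; after the clock has been set, the strict check is what protects against replayed, expired signatures.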