[Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!

[Robert Bradley]

On 30/03/2014 21:51, Toke Høiland-Jørgensen wrote:
> Dave Taht <dave.taht at gmail.com> writes:
>
>> There isn't. Arguably there should have been a flag added to
>> getaddrinfo ages ago...
> I was going to add one; however, it seems it's not entirely straight
> forward to propagate it through the C library so the code that produces
> DNS packets can actually act on it...

There is a val_getaddrinfo() available in libval which is based on
http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-3.2
if we want to go down that route.  From what I can tell, you'd start by
creating your own validation context
(http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-6)
and use something like:

/* Use default policy (label=NULL) and disable clock skew checks */
char *label = NULL;
val_context_t *ctx;
val_status_t dnssec_status;
val_create_context(label, *ctx); /* Error handling here for non-zero
return values or ctx=NULL */
val_context_setqflags(ctx, VAL_CTX_FLAG_SET, VAL_QUERY_IGNORE_SKEW);

/* Perform lookup (ignoring error handling again) */
val_getaddrinfo(ctx, ..., *status);
if (val_istrusted(status))
{
/*
DNSSEC signature check is good or not applicable:
Continue as normal
*/
}

/* Clear context */
val_free_context(ctx);

The validation in that case is done entirely outside dnsmasq (with the
CD bit set on the libval queries).  We have libval available already but
not installed, so that is not a problem.  Implementing this in BusyBox
and sysntpd may be a bit of an issue though.

-- 
Robert Bradley


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140331/a5d46965/attachment.sig>