tutorials:dns:dnssec

Differences

This shows you the differences between two versions of the page.

tutorials:dns:dnssec [2013/04/21 14:51]
miconda [Kamailio with DNSEC]
tutorials:dns:dnssec [2013/04/25 12:49]
mariuszbihlei
Line 1: Line 1:
-====== Kamailio with DNSEC ======+====== Kamailio with DNSSEC ======
  
-The **dnssec** module was added during the development of v4.1.0 (expected to be released later in 2013). Therefore this tutorial presents how to add DNSSEC module in the default configuration file of Kamailio, following GIT installation guidelines.+The **dnssec** module in Kamailio was added during the development of v4.1.0 (expected to be released later in 2013). Therefore this tutorial presents how to add DNSSEC module in the default configuration file of Kamailio, following GIT installation guidelines.
  
 In short, this tutorial focuses on: In short, this tutorial focuses on:
Line 8: Line 8:
   * add DNSSEC support to configuration file   * add DNSSEC support to configuration file
  
-**Note:** Ubuntu 12.04 was chosen because dnssec tools devel library are provided for this distribution.+**Note:** the DNSSEC module is several days old at the time of writing initial version of this tutorial. For any assistance, email to **<sr-users [at] sip-router.org>** -- it is a public mailing list that requires subscription, see more details at: 
 + 
 +  * http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users 
 + 
 +**Note:** Ubuntu 12.04 was chosen because dnssec tools devel library are provided for this distribution, making the installation of the required dependencies much easier. There are packages for other Linux distribution (e.g., Fedora), most of the steps provided in this tutorial being valid (the rest have to updated for the specifics of the distribution, e.g., how to install packages, create system users or init.d scripts).
 ===== About DNSSEC ===== ===== About DNSSEC =====
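Review bot: The first added note says the module is "several days old at the time of writing" but gives no date or version, so a later reader cannot judge how stale that warning is; state the date or the development version instead. In the added Ubuntu note, "the rest have to updated" is missing "be", "dnssec tools devel library are provided" mixes singular and plural, and "other Linux distribution" should be plural. The mailing-list line also mixes an obfuscated address with a plain link to the subscription page; one of the two is enough.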
  
Line 29: Line 33:
 ==== DNSSEC Tools Devel Libraries Installation ==== ==== DNSSEC Tools Devel Libraries Installation ====
  
-You need these libraries to compile Kamailio's DNSSEC module. You can download the libraries from:+You need DNSSEC tools devel libraries to compile Kamailio's DNSSEC module. You can download the libraries from:
  
   * http://dnssec-tools.org/download/#gotoBinaries   * http://dnssec-tools.org/download/#gotoBinaries
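Review bot: The download line sends the reader to http://dnssec-tools.org/download/#gotoBinaries over plain HTTP, and the .deb files listed right after it are then installed by hand, so this paragraph should tell the reader to verify the downloaded packages (published checksums or signatures, where the project provides them) before installing. The rewording itself is fine, although "libraries" now appears three times in two sentences.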
Line 38: Line 42:
 dns-validator_2.0-1_i386.deb dns-validator_2.0-1_i386.deb
 libval-threads_2.0-1_i386.deb libval-threads_2.0-1_i386.deb
-libsres_2.0-1_i386.deb 
 libval-threads-dev_2.0-1_i386.deb libval-threads-dev_2.0-1_i386.deb
 +libsres_2.0-1_i386.deb
 libsres-dev_2.0-1_i386.deb libsres-dev_2.0-1_i386.deb
 </code> </code>
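Review bot: Moving libsres_2.0-1_i386.deb to sit directly before libsres-dev_2.0-1_i386.deb changes the list order, but nothing in the text says whether the order matters. If this is meant to be the installation order, say so above the list and check it, since libval-threads-dev still precedes libsres. All five filenames are i386 only; a sentence for readers on other architectures would help.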
Line 184: Line 188:
  
 <code> <code>
-/usr/local/src/kamailio-devel/kamailio/pkg/kamailio/deb/debian/kamailio.init+  /usr/local/src/kamailio-devel/kamailio/pkg/kamailio/deb/debian/kamailio.init
 </code> </code>
  
 +The default file for init.d script is provided at:
  
-Next is a script to install it and its default config: 
  
 <code> <code>
-  cp /usr/local/src/kamailio-devel/kamailio/pkg/kamailio/deb/debian/kamailio.init /etc/init.d/kamailio +  /usr/local/src/kamailio-devel/kamailio/pkg/kamailio/debian/kamailio.default
-  chmod 755 /etc/init.d/kamailio +
-  cp /usr/local/src/kamailio-devel/pkg/kamailio/debian/kamailio.default /etc/default/kamailio+
 </code> </code>
  
-Edit the file **/etc/init.d/kamailio** to update the $DAEMON value: +Run next command to deploy the init.d scripts:
-<code> +
-  DAEMON=/usr/local/sbin/kamailio +
-</code> +
- +
-Edit the file **/etc/default/kamailio** and set:+
  
 <code> <code>
-  RUN_KAMAILIO=yes+  make install-initd-debian
 </code> </code>
  
-You can edit the other options at your convenience.+It will create also user and group **kamailio**, plus runtime directory **/var/run/kamailio**.
  
-Next step is to create the directory for pid file, plus the system user and group to run kamailio: +Now Kamailio can be started or stopped with:
- +
-<code> +
-mkdir -p /var/run/kamailio +
- +
-adduser --quiet --system --group --disabled-password \ +
-        --shell /bin/false --gecos "Kamailio" \ +
-        --home /var/run/kamailio kamailio +
- +
-# set ownership to /var/run/kamailio +
-chown kamailio:kamailio /var/run/kamailio +
-</code> +
- +
-Now you can start/stop Kamailio using the following commands:+
  
 <code> <code>
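Review bot: The two paths given in this hunk disagree: the init script is under .../kamailio/pkg/kamailio/deb/debian/kamailio.init, while the default file is given as .../kamailio/pkg/kamailio/debian/kamailio.default, without the deb/ component. Please check both against the source tree and correct whichever is wrong. Since "make install-initd-debian" replaces all the manual steps, the text should also say from which directory to run it and that it needs root, and whether DAEMON=/usr/local/sbin/kamailio and RUN_KAMAILIO=yes still have to be set by hand. The removed adduser call created a system account with --shell /bin/false and --disabled-password; the new sentence only says the user and group are created, so state whether the make target keeps those restrictions and the ownership of /var/run/kamailio.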
Line 228: Line 212:
   /etc/init.d/kamailio stop   /etc/init.d/kamailio stop
 </code> </code>
 +
  
 ===== Update Kamailio Config File ===== ===== Update Kamailio Config File =====
Line 237: Line 222:
 </code> </code>
  
-Follow the instruction in the comments to enable usage of MySQL. Basically you have to add several lines at the top of config file, like:+Follow the instruction in the comments to enable usage of MySQL. Basically you have to add several lines at the top of config file (but after the first line), like:
  
 <code> <code>
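Review bot: The added "(but after the first line)" does not say what the first line is or why the new lines must come after it; name that line so the reader does not have to guess. While touching this sentence, "Follow the instruction" should be "instructions" and "top of config file" needs an article.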
Line 248: Line 233:
  
 ==== Add DNSSEC Module ==== ==== Add DNSSEC Module ====
 +
 +The README of DNSSEC module is available at:
 +
 +  * http://kamailio.org/docs/modules/devel/modules/dnssec.html
  
 You have to load dnssec module in kamailio.cfg: You have to load dnssec module in kamailio.cfg:
Line 265: Line 254:
 </code> </code>
  
 +===== DNS Server DNSSEC Enabled =====
 +
 +This tutorial does not include yet (left for future updates) how to setup a DNSSEC-enabled DNS server, there are many useful resources on the web. Among them:
 +
 +  * http://www.howtoforge.com/configuring-dnssec-on-bind9-9.7.3-on-debian-squeeze-ubuntu-11.10
 +  * http://wiki.wsartori.com/wiki/The_Perfect_BIND_DNS_Server_DNSSEC_enabled
 ===== Testing ===== ===== Testing =====
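Review bot: The new "DNS Server DNSSEC Enabled" section runs straight into "===== Testing =====" with no blank line after the second link, unlike the other headings on the page. The opening sentence is a comma splice ("... DNSSEC-enabled DNS server, there are many useful resources ...") and "setup" should be "set up". Both references are third-party how-tos for older BIND and Debian/Ubuntu releases, so it is worth saying which versions they cover.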
  
Line 270: Line 265:
  
 Then alice@domainA.com can call bob@domainB.com. Kamailio instance serving domainA.com will do DNS lookup do discover the IP address of domainB.com Then alice@domainA.com can call bob@domainB.com. Kamailio instance serving domainA.com will do DNS lookup do discover the IP address of domainB.com
 +
 +One easy way to test is to use a Open DNS resolver that provides Recursive DNSSEC capabilities. One of those is 8.8.8.8 ( Google Open DNS). 
 +As per the FAQ, DNSSEC support is enabled (https://developers.google.com/speed/public-dns/faq#dnssec)
 +
 +Edit /etc/resolv.conf and modify your nameserver definition to have 'nameserver 8.8.8.8'.
 +
 +Launch Kamailio with DNSSEC module enabled and try to send a SIP package to the domain www.dnssec-failed.org. DNS resolving for this domain should fail, as it is a test domain which provides an incorrect signature. Kamailio should report:
 +"0(70805) INFO: dnssec [dnssec_func.c:145]: invalid domain www.dnssec-failed.org reason VAL_UNTRUSTED_ANSWER"
 +
 +
 +
 +
 +
 +
 +
  
 ===== Remarks ===== ===== Remarks =====
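Review bot: The step "Edit /etc/resolv.conf and modify your nameserver definition" will not stick on the Ubuntu 12.04 system this tutorial targets, because resolvconf regenerates that file; say how to make the change persist for the test and remind the reader to revert it afterwards. "Open DNS resolver" and "Google Open DNS" read like the OpenDNS product, so "public recursive resolver" is clearer, and "SIP package" should be "SIP request". The expected log line belongs in a <code> block like the other output on the page rather than in quotes, and the run of empty lines added before "===== Remarks =====" should be dropped.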
tutorials/dns/dnssec.txt · Last modified: 2013/04/25 12:49 by mariuszbihlei