From bert.hubert at netherlabs.nl Fri Jul 3 20:38:59 2009 
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Fri, 3 Jul 2009 22:38:59 +0200
Subject: [ldns-users] drill question
Message-ID: <20090703203859.GA17733@outpost.ds9a.nl>

Hi everybody,

Please forgive this DNSSEC 'noob' :-) Also, many thanks for writing 'drill',
it is one of the only tools I've found to validate DNSSEC signatures from
the command line.

However, all is not well. Can you tell me what is wrong with the following:

$ drill -D dnssec.se dnskey @secondary.se | grep DNSKEY | grep "12066 (zsk" > dnskey.dnssec.se
$ drill -k ./dnskey.dnssec.se -D dnssec.se @secondary.se
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25670
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; dnssec.se. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
dnssec.se. 300 IN SOA ns.dnssec.se. jakob.kirei.se. 1246322701 3600 600 86400 300
dnssec.se. 300 IN RRSIG SOA 5 2 300 20090709234501 20090629234501 12066 dnssec.se. NlKm3FJehDDCOKtZUxlOCqMfCSa4wrknW6/BU0lE/wkAj29XqYp6qe7odJL6qEcFTYN5alqYLm2+nGVhBu7V29bNHq1/GshICNU/pBaDkk5OGBybE7pQphgU7sL7qnGU32P1fTj6pGlerQ84OGEfvpDcmHBL+cPtLtYGEt3TP4Y= ;{id = 12066}
dnssec.se. 300 IN NSEC _adsp._domainkey.dnssec.se. NS SOA TXT RRSIG NSEC DNSKEY TYPE99
dnssec.se. 300 IN RRSIG NSEC 5 2 300 20090709234501 20090629234501 12066 dnssec.se. OC3mkDJ/gjZVRCpbTBhv0Z+vLT47pXoKa39vRyXJ592EnaYTAcJbge74NN1hgXDE9CxrJuYfEes5wdzzLsCwGjnffVtGbcpCxZbElWFZhe1f0hrLbeKV14RLpUN0yIYIO6rcNvds8veovX/N6/OIXx3mHC2elcAwBSOkpUf7rn8= ;{id = 12066}

;; ADDITIONAL SECTION:

;; Query time: 53 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 81.93.140.75
;; WHEN: Fri Jul 3 22:36:03 2009
;; MSG SIZE rcvd: 491
; result = 11
BOGUS by id = 12066, owner = dnssec.se.

This is with 'drill' as contained in ldns-1.5.1. It does appear that
dnssec.se is signed correctly, and my own 'pdnsdig' tool verifies it
correctly too.

But I really want to be able to verify signatures using another tool!

Can you tell me what I am doing wrong?

Thanks!
-- 
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services

From paul at xelerance.com Fri Jul 3 21:24:47 2009
From: paul at xelerance.com (Paul Wouters)
Date: Fri, 3 Jul 2009 17:24:47 -0400 (EDT)
Subject: [ldns-users] drill question
In-Reply-To: <20090703203859.GA17733@outpost.ds9a.nl>
References: <20090703203859.GA17733@outpost.ds9a.nl>
Message-ID:

On Fri, 3 Jul 2009, bert hubert wrote:

> Please forgive this DNSSEC 'noob' :-) Also, many thanks for writing 'drill',
> it is one of the only tools I've found to validate DNSSEC signatures from
> the command line.

see also unbound-host

> However, all is not well. Can you tell me what is wrong with the following:
>
> $ drill -D dnssec.se dnskey @secondary.se | grep DNSKEY | grep "12066 (zsk" > dnskey.dnssec.se
> $ drill -k ./dnskey.dnssec.se -D dnssec.se @secondary.se

Are you sure you meant using the ZSK and not the KSK? Using this
configuration, the ZSK is not signed by anything drill was told to trust.
And the ZSK does not have the SEP bit set so I assume drill will not use
it as a trust anchor.

That said, even if I use their proper key, drill does not seem to work
for me either.

Paul

From jelte at NLnetLabs.nl Fri Jul 3 22:58:54 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Sat, 04 Jul 2009 00:58:54 +0200
Subject: [ldns-users] drill question
In-Reply-To: <20090703203859.GA17733@outpost.ds9a.nl>
References: <20090703203859.GA17733@outpost.ds9a.nl>
Message-ID: <4A4E8D2E.1010701@NLnetLabs.nl>

bert hubert wrote:
> Hi everybody,
>
> BOGUS by id = 12066, owner = dnssec.se.
>
> This is with 'drill' as contained in ldns-1.5.1. It does appear that
> dnssec.se is signed correctly, and my own 'pdnsdig' tool verifies it
> correctly too.
>
> But I really want to be able to verify signatures using another tool!
>
> Can you tell me what I am doing wrong?
>

You're doing nothing wrong, in fact, you have discovered not one, but two bugs
in the way drill verifies single packets :/

The chase mode, where drill tries to be a little bit smarter, and actually
queries for more information, should work though;

--------------
jelte at dragon:/tmp> drill -k dnskey.dnssec.se -S dnssec.se @secondary.se
;; Chasing: dnssec.se. A

DNSSEC Trust tree:
dnssec.se. (A)
|---Existence is denied by:
|---dnssec.se. (NSEC _adsp._domainkey.dnssec.se. NS SOA TXT RRSIG NSEC DNSKEY TYPE99 )
|---dnssec.se. (DNSKEY keytag: 12066)
|---dnssec.se. (DNSKEY keytag: 2467)
|---dnssec.se. (DNSKEY keytag: 54237)
Existence denied or verifiably insecure
;; Chase successful
--------------

Anyway, thanks for reporting it just before we were about to release 1.6.0, I
think I have fixed it in the svn trunk now. I want to do a little more testing
next week, and if everything seems ok, this will be fixed in 1.6.0, due for
release very shortly now.

--------------
jelte at dragon:/tmp> drill -k Kdnssec.se.+005+12066.key -D dnssec.se @secondary.se
; Existence denied for dnssec.se. A
--------------
jelte at dragon:/tmp> drill -k Kdnssec.se.+005+12066.key -D SOA dnssec.se @secondary.se
; dnssec.se. 300 IN SOA ns.dnssec.se. jakob.kirei.se. 1246322701 3600 600 86400 300
; VALIDATED by id = 12066, owner = dnssec.se.
--------------

Jelte

From paul at xelerance.com Sat Jul 4 02:38:03 2009
From: paul at xelerance.com (Paul Wouters)
Date: Fri, 3 Jul 2009 22:38:03 -0400 (EDT)
Subject: [ldns-users] zones with a DS record without corresponding NS records
Message-ID:

Hi,

I just ran into a little bug where I had a zone that contained a DS
record for a delegation, but mistakenly did not include any NS records
for that delegation.

ldns-read-zone sees no problem with this zone and nsd zonec compiler
compiled this zone without an error. I guess zonec does not perform any
checks, but ldns-readzone should probably throw an error.

Bind's named-checkzone passed the zone as valid, however bind's
dnssec-signzone refused to sign this zone.

I'm not sure what the proper behaviour should be in this case. Though
I would prefer that named-checkzone would not OK anything that
dnssec-signzone refuses to sign.

Paul

From bert.hubert at netherlabs.nl Sat Jul 4 21:47:18 2009
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Sat, 4 Jul 2009 23:47:18 +0200
Subject: [ldns-users] drill question
In-Reply-To: <4A4E8D2E.1010701@NLnetLabs.nl>
References: <20090703203859.GA17733@outpost.ds9a.nl> <4A4E8D2E.1010701@NLnetLabs.nl>
Message-ID: <3efd34cc0907041447v21d49bb9j4b39f0a8c7619503@mail.gmail.com>

On Sat, Jul 4, 2009 at 12:58 AM, Jelte Jansen wrote:
>> Can you tell me what I am doing wrong?
>>
>
> You're doing nothing wrong, in fact, you have discovered not one, but two bugs
> in the way drill verifies single packets :/

> Anyway, thanks for reporting it just before we were about to release 1.6.0, I
> think I have fixed it in the svn trunk now. I want to do a little more testing
> next week, and if everything seems ok, this will be fixed in 1.6.0, due for
> release very shortly now.

I can confirm this is fixed in svn, thanks! At least now I have a third
party tool to verify I'm emitting valid data :-)

(drill talking to PowerDNS experiment: )

$ ./drill -k example.com.key -D example.com @127.0.0.1 dnskey -p 5300
;; Number of trusted keys: 1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 16328
;; flags: qr aa rd ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; example.com. IN DNSKEY

;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 257 3 5 AwEAAYW43PuM/1B4v9S5NL2jrTgAm7znHNVGROkcBzcSOKdAiB7qqVE8YPEXQT7lMJr1rGAfYUiEF2l2R8Ee0uvu5S7Ud7zXVCH5Eo91hokRbdGzwQhPRkFpaTZC1/+F3PhMK4/KMOn60+cZ+X8px79sXW90NNtJM31DOEW2iy+uKOi+OXKwZZImyxXkjjvXlGEyTJOWLMdrwao6/VM6vKfu7TRNPYMsxHrRY6tJ0wFKRm7p8sd0N6lE3gIVWZL/bu/SWr6YjAF06dDWXyS2LpmNtU8LegBt1z6lTpuEHrThmK8fx6xtBASpehyyMPojoU+nsMgDYafz+SuFBzjYUqqcWUE= ;{id = 28954 (ksk), size = 2048b}
example.com. 3600 IN DNSKEY 256 3 5 AwEAAa+cj6FWhpLx1BtIGeEKiqqahttZyLdpnF3dauezSWf2X00SHVTDtIiKDeSW/3vLmDTXlg2mIIszXdA+ZKNQ4il7yqcBbhGHQSidO24fZQk9IDQMfbJs7aLKQhhWDvlYWSrYZRL2aBAhGuFHMOvMeWxWwQ5iw5IotuaTLVSgtdxL ;{id = 4551 (zsk), size = 1024b}
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20090716000000 20090702000000 4551 example.com. CZpAZOasOxuFi4t+6n+k16xafIsVlvovR7a3x1H3o/G7E+J2wDaSZ0vyLaNo3nzyTE7cgE/JmnwwjI6GMWfnt6c8L98ASQIsa3N6Xard42IxbqQt5CGjj7HQGvo8NyklWLAgmcylM1XZoWNM5jTBgEfdekCcDsCwsdB9zZUJpAA= ;{id = 4551}
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20090716000000 20090702000000 28954 example.com. gC6smfJFuyg/TfF2NJVLigGLdsVQJU/sTEPvtfBtrbXRBLbTZLlMvnP5oWHsoRx9+DtREg3WZ8GZ/uwW+wJP5Y1Jxn35uNPXfjHbM5/4i01/F8KIt9vEG7dD1+WcHgfEeZHvOGIQeeCMEUSA23hGx4khiBvx9lKb31RzS7dYaw+rYx3zuvnk62cDxvQrS8Bsd7TYOmXfRb/PF7Bc/2swPoyZ5r9g3CSLDzyfeBmJs8mmDzl3EHGzmT7XAkyxjEjVjIvzvmjF7TBX7TwprUj1Q6YEzlHQqBrdsoEJ6a/TzbEk7LeaIANTwbUO+7GAKiIFu8b05vaat+GPv4k0g+sBAA== ;{id = 28954}

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 38 msec
;; EDNS: version 0; flags: do ; udp: 2800
;; SERVER: 127.0.0.1
;; WHEN: Sat Jul 4 23:43:07 2009
;; MSG SIZE rcvd: 934
; example.com. 3600 IN DNSKEY 257 3 5 AwEAAYW43PuM/1B4v9S5NL2jrTgAm7znHNVGROkcBzcSOKdAiB7qqVE8YPEXQT7lMJr1rGAfYUiEF2l2R8Ee0uvu5S7Ud7zXVCH5Eo91hokRbdGzwQhPRkFpaTZC1/+F3PhMK4/KMOn60+cZ+X8px79sXW90NNtJM31DOEW2iy+uKOi+OXKwZZImyxXkjjvXlGEyTJOWLMdrwao6/VM6vKfu7TRNPYMsxHrRY6tJ0wFKRm7p8sd0N6lE3gIVWZL/bu/SWr6YjAF06dDWXyS2LpmNtU8LegBt1z6lTpuEHrThmK8fx6xtBASpehyyMPojoU+nsMgDYafz+SuFBzjYUqqcWUE= ;{id = 28954 (ksk), size = 2048b}
example.com. 3600 IN DNSKEY 256 3 5 AwEAAa+cj6FWhpLx1BtIGeEKiqqahttZyLdpnF3dauezSWf2X00SHVTDtIiKDeSW/3vLmDTXlg2mIIszXdA+ZKNQ4il7yqcBbhGHQSidO24fZQk9IDQMfbJs7aLKQhhWDvlYWSrYZRL2aBAhGuFHMOvMeWxWwQ5iw5IotuaTLVSgtdxL ;{id = 4551 (zsk), size = 1024b}
; VALIDATED by id = 4551, owner = example.com.

From matthijs at NLnetLabs.nl Mon Jul 6 09:37:52 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 06 Jul 2009 11:37:52 +0200
Subject: [ldns-users] [nsd-users] zones with a DS record without corresponding NS records
In-Reply-To:
References:
Message-ID: <4A51C5F0.30006@nlnetlabs.nl>

Paul Wouters wrote:
>
> Hi,
>
> I just ran into a little bug where I had a zone that contained a DS
> record for a delegation, but mistakenly did not include any NS records
> for that delegation.
>
> ldns-read-zone sees no problem with this zone and nsd zonec compiler
> compiled this zone without an error. I guess zonec does not perform any
> checks, but ldns-readzone should probably throw an error.

zonec is indeed not smart enough to detect this mismatch. It works on a
garbage in, garbage out basis. I think ldns-verify-zone should cover
this, not ldns-read-zone.

>
> Bind's named-checkzone passed the zone as valid, however bind's
> dnssec-signzone refused to sign this zone.
>
> I'm not sure what the proper behaviour should be in this case. Though
> I would prefer that named-checkzone would not OK anything that
> dnssec-signzone refuses to sign.

+1

>
> Paul

From paul at xelerance.com Mon Jul 6 15:48:20 2009
From: paul at xelerance.com (Paul Wouters)
Date: Mon, 6 Jul 2009 11:48:20 -0400 (EDT)
Subject: [ldns-users] [nsd-users] zones with a DS record without corresponding NS records
In-Reply-To: <4A51C5F0.30006@nlnetlabs.nl>
References: <4A51C5F0.30006@nlnetlabs.nl>
Message-ID:

On Mon, 6 Jul 2009, Matthijs Mekking wrote:

> zonec is indeed not smart enough to detect this mismatch. It works on a
> garbage in, garbage out basis. I think ldns-verify-zone should cover
> this, not ldns-read-zone.

Did you ever try to run ldns-verify-zone on a real production zone (eg TLD :)
It's so slow, it is useless for anything but small zones.

Paul

From jelte at NLnetLabs.nl Thu Jul 9 11:04:24 2009
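Added example (not from the thread, and not ldns, nsd or BIND code): a plain C check for the case reported in the thread above, an owner name that carries a DS RRset but no NS RRset. It assumes the zone has already been expanded to one fully qualified RR per line (owner, TTL, class, type, rdata); the zone contents and the function name find_ds_without_ns are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 256
enum { HAS_NS = 1, HAS_DS = 2 };

struct seen { char owner[NAME_LEN]; int types; };

/* Constructed sample zone: child2 carries a DS but no NS. */
static const char *const SAMPLE_ZONE[] = {
    "example. 3600 IN SOA ns1.example. admin.example. 1 3600 600 86400 300",
    "example. 3600 IN NS ns1.example.",
    "child1.example. 3600 IN NS ns.child1.example.",
    "Child1.Example. 3600 IN DS 12345 5 1 0123456789abcdef0123456789abcdef01234567",
    "child2.example. 3600 IN DS 23456 5 1 89abcdef0123456789abcdef0123456789abcdef",
    "www.example. 3600 IN A 192.0.2.1",
};
#define SAMPLE_COUNT (sizeof SAMPLE_ZONE / sizeof SAMPLE_ZONE[0])

/* DNS names and type mnemonics compare case-insensitively (ASCII). */
static int name_cmp(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d) return d;
    }
    return (unsigned char)*a - (unsigned char)*b;
}

static int by_owner(const void *a, const void *b)
{
    return name_cmp(((const struct seen *)a)->owner,
                    ((const struct seen *)b)->owner);
}

/* Writes up to max_out offending owner names to out and returns how many
 * were written, or (size_t)-1 if memory could not be allocated. */
size_t find_ds_without_ns(const char *const *lines, size_t n,
                          char out[][NAME_LEN], size_t max_out)
{
    struct seen *tab = calloc(n ? n : 1, sizeof *tab);
    size_t used = 0, found = 0;

    if (!tab) return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        char type[16];
        /* owner, TTL, class, type; lines of any other shape are skipped */
        if (sscanf(lines[i], "%255s %*u %*15s %15s", tab[used].owner, type) != 2)
            continue;
        tab[used].types = name_cmp(type, "NS") == 0 ? HAS_NS
                        : name_cmp(type, "DS") == 0 ? HAS_DS : 0;
        if (tab[used].types) used++;      /* only NS and DS matter here */
    }
    /* Sort so each owner's records are adjacent, then scan once. */
    qsort(tab, used, sizeof *tab, by_owner);
    for (size_t i = 0; i < used; ) {
        int types = 0;
        size_t j = i;
        while (j < used && name_cmp(tab[i].owner, tab[j].owner) == 0)
            types |= tab[j++].types;
        if ((types & HAS_DS) && !(types & HAS_NS) && found < max_out)
            strcpy(out[found++], tab[i].owner);
        i = j;
    }
    free(tab);
    return found;
}

int main(void)
{
    char bad[8][NAME_LEN];
    size_t n = find_ds_without_ns(SAMPLE_ZONE, SAMPLE_COUNT, bad, 8);

    if (n == (size_t)-1) return 2;
    for (size_t i = 0; i < n; i++)
        printf("DS without NS at %s\n", bad[i]);
    return n ? 1 : 0;
}
```

The check only keeps NS and DS records and costs one sort plus one scan, so it stays usable on zones where full signature verification is too slow.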
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Thu, 09 Jul 2009 13:04:24 +0200
Subject: [ldns-users] ldns-1.6.0 released
Message-ID: <4A55CEB8.1090301@NLnetLabs.nl>

Hi,

we are happy to announce the next release of ldns, version 1.6.0. A few
features have been added, and a few bugs have been fixed; full changelog
below this message.

Get it while it's hot:
http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.0.tar.gz
Sha1sum: e5fdbc5cd66f6afc4f816e9acd334bddc488e830

Enjoy!

Jelte

---------
Changelog
---------
1.6.0

Additions:
* Addition of an ldns-config script which gives cflags and libs
  values, for use in configure scripts for applications that
  use ldns. Can be disabled with ./configure --disable-ldns-config
* Added direct sha1, sha256, and sha512 support in ldns.
  With these functions, all NSEC3 functionality can still be
  used, even if ldns is built without OpenSSL. Thanks to
  OpenBSD, Steve Reid, and Aaron D. Gifford for the code.
* Added reading/writing support for the SPF Resource Record
* Base32 functions are now exported

Bugfixes:
* ldns_is_rrset did not go through the complete rrset, but
  only compared the first two records. Thanks to Olafur
  Gudmundsson for report and patch
* Fixed a small memory bug in ldns_rr_list_subtype_by_rdf(),
  thanks to Marius Rieder for finding and patching this.
* --without-ssl should now work. Make sure that examples/ and
  drill also get the --without-ssl flag on their configure, if
  this is used.
* Some malloc() return value checks have been added
* NSEC3 creation has been improved wrt to empty nonterminals,
  and opt-out.
* Fixed a bug in the parser when reading large NSEC3 salt
  values.
* Made the allowed length for domain names on wire
  and presentation format the same.

Example tools:
* ldns-key2ds can now also generate DS records for keys without
  the SEP flag
* ldns-signzone now equalizes the TTL of the DNSKEY RRset (to
  the first non-default DNSKEY TTL value it sees)

From paul at xelerance.com Sat Jul 11 04:20:55 2009
From: paul at xelerance.com (Paul Wouters)
Date: Sat, 11 Jul 2009 00:20:55 -0400 (EDT)
Subject: [ldns-users] ldns 1.6.0 fails to compile with --without-ssl
Message-ID:

Hi,

I tried to compile ldns without openssl (using --without-ssl), but it fails
with:

higher.c:18:25: error: openssl/ssl.h: No such file or directory
higher.c:19:25: error: openssl/sha.h: No such file or directory

There are a few more of these. The attached patch should fix those.

I also get the following warnings/errors;

drill.c:123: warning: unused variable 'type_str'
ldns-chaos.c:23: warning: 'remove_nameservers' defined but not used
ldns-dpa.c:324: warning: 'is_match_name' defined but not used
ldns-dpa.c:458: warning: 'calculate_counters_total' defined but not used
ldns-dpa.c:1381: warning: 'match_expression_compare_count_p' defined but not used
ldns-dpa.c:1489: warning: 'match_expression_compare_p' defined but not used
ldns-dpa.c:1605: warning: 'match_expression_equals' defined but not used

ldns-read-zone.o: In function `main':
/home/paul/BUILD/ldns-1.6.0/examples/ldns-read-zone.c:71: undefined reference to `ldns_version'
/home/paul/BUILD/ldns-1.6.0/examples/ldns-read-zone.c:96: undefined reference to `ldns_zone_new_frm_fp_l'
/home/paul/BUILD/ldns-1.6.0/examples/ldns-read-zone.c:147: undefined reference to `ldns_zone_rrs'
/home/paul/BUILD/ldns-1.6.0/examples/ldns-read-zone.c:147: undefined reference to `ldns_rr_list_print'
[.....]

I have not looked into those. I just enabled openssl again.

Paul

From paul at xelerance.com Sat Jul 11 04:54:50 2009
From: paul at xelerance.com (Paul Wouters)
Date: Sat, 11 Jul 2009 00:54:50 -0400 (EDT)
Subject: [ldns-users] ldns 1.6.0 fails to compile with --without-ssl
In-Reply-To:
References:
Message-ID:

On Sat, 11 Jul 2009, Paul Wouters wrote:

> higher.c:18:25: error: openssl/ssl.h: No such file or directory
> higher.c:19:25: error: openssl/sha.h: No such file or directory
>
> There are a few more of these. The attached patch should fix those.

Now attached for real.

> I also get the following warnings/errors;

Please ignore the rest of my bug reports. Operator error. ldns compiles
with without ssl using the attached patch.

Paul

-------------- next part --------------
diff -Naur ldns-1.6.0.org/examples/ldns-nsec3-hash.c ldns-1.6.0/examples/ldns-nsec3-hash.c --- ldns-1.6.0.org/examples/ldns-nsec3-hash.c 2009-07-11 00:09:45.000000000 -0400 +++ ldns-1.6.0/examples/ldns-nsec3-hash.c 2009-07-11 00:10:13.000000000 -0400 @@ -16,8 +16,10 @@ #include #include +#ifdef HAVE_SSL #include #include +#endif #define MAX_FILENAME_LEN 250 diff -Naur ldns-1.6.0.org/examples/ldns-revoke.c ldns-1.6.0/examples/ldns-revoke.c --- ldns-1.6.0.org/examples/ldns-revoke.c 2009-07-11 00:10:07.000000000 -0400 +++ ldns-1.6.0/examples/ldns-revoke.c 2009-07-11 00:10:13.000000000 -0400 @@ -8,7 +8,9 @@ #include "config.h" #include +#ifdef HAVE_SSL #include +#endif #include diff -Naur ldns-1.6.0.org/higher.c ldns-1.6.0/higher.c --- ldns-1.6.0.org/higher.c 2007-08-09 05:03:41.000000000 -0400 +++ ldns-1.6.0/higher.c 2009-07-11 00:11:55.000000000 -0400 @@ -15,8 +15,10 @@ #include +#ifdef HAVE_SSL #include #include +#endif

From henri at asseily.com Sat Jul 11 07:30:18 2009
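Review bot: in the higher.c and examples/ldns-nsec3-hash.c hunks the new #ifdef HAVE_SSL guard has no #include "config.h" in the visible context above it (the ldns-revoke.c hunk does show one), so please confirm config.h is pulled in before the guard in both files; if HAVE_SSL is not yet defined at that point, the OpenSSL headers are dropped in SSL-enabled builds as well. The guards also cover only the #include lines, so any code in these three files that uses OpenSSL declarations needs the same #ifdef, and a later message in this thread notes that examples/ldns-signzone still needs the guard.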
From: henri at asseily.com (Henri Asseily)
Date: Sat, 11 Jul 2009 09:30:18 +0200
Subject: [ldns-users] ldns 1.6.0 fails to compile with --without-ssl
In-Reply-To:
References:
Message-ID:

Thanks. This means I should be able to compile now ldns on the iPhone
directly from the distribution. This will be great! Up till now I had to
rip out the DNSSec stuff and anything that needed OpenSSL because the
ifdefs for SSL didn't really work that well.

---
Henri Asseily
henri.tel

On Jul 11, 2009, at 6:54 AM, Paul Wouters wrote:

> On Sat, 11 Jul 2009, Paul Wouters wrote:
>
>> higher.c:18:25: error: openssl/ssl.h: No such file or directory
>> higher.c:19:25: error: openssl/sha.h: No such file or directory
>>
>> There are a few more of these. The attached patch should fix those.
>
> Now attached for real.
>
>> I also get the following warnings/errors;
>
> Please ignore the rest of my bug reports. Operator error. ldns compiles
> with without ssl using the attached patch.
>
> Paul

From marius.rieder at durchmesser.ch Mon Jul 13 06:00:49 2009
From: marius.rieder at durchmesser.ch (Marius Rieder)
Date: Mon, 13 Jul 2009 08:00:49 +0200
Subject: [ldns-users] autoconf ssl problem in drill
Message-ID: <4A5ACD91.1050603@durchmesser.ch>

Hi ldns-users and devels

I have a problem compiling drill with a given open ssl path. ldns and
examples works, but drill won't.
Is it possible to copy over the ssl check from ldns to drill? The ssl
check from acx_nlnetlabs.m4 doesn't fit, as it does not allow without-ssl

Marius

-- 
 ~o__O  Marius Rieder  O__o~
 |vV|  http://www.durchmesser.ch/  |vV|
 /] |  | [\
---/|--|\--------[ Dance first. Think later. ]--------/|--|\---

From henri at asseily.com Mon Jul 13 17:28:08 2009
From: henri at asseily.com (Henri Asseily)
Date: Mon, 13 Jul 2009 19:28:08 +0200
Subject: [ldns-users] rrlist issue
Message-ID: <66C3353D-9BD2-492A-9656-BF797C506AAC@asseily.com>

In ldns 1.5.x I have an issue with an exception being caught if there's
no data in the rrlist and I try to count its rrs. My code needs to do:

@try {
    ldns_rr_list_rr_count(rrlist);
}
@catch (NSException * e) {
    // Exception is caught if there's no data in the rrlist,
    // i.e. if there are no records.
    // TODO: See in ldns rr.c source why ldns_rr_list_rr_count() fails and doesn't return 0
    // In the meantime, disable the error
}

Haven't had time yet to check 1.6, sorry.

H

From miek at miek.nl Mon Jul 13 17:52:41 2009
From: miek at miek.nl (Miek Gieben)
Date: Mon, 13 Jul 2009 19:52:41 +0200
Subject: [ldns-users] rrlist issue
In-Reply-To: <66C3353D-9BD2-492A-9656-BF797C506AAC@asseily.com>
References: <66C3353D-9BD2-492A-9656-BF797C506AAC@asseily.com>
Message-ID: <20090713175241.GA27384@miek.nl>

[ Quoting Henri Asseily in "[ldns-users] rrlist issue"... ]
> In ldns 1.5.x I have an issue with an exception being caught if there's
> no data in the rrlist and I try to count its rrs. My code needs to do:
>
> @try {
>     ldns_rr_list_rr_count(rrlist);
> }
> @catch (NSException * e) {
>     // Exception is caught if there's no data in the rrlist,
>     // i.e. if there are no records.
>     // TODO: See in ldns rr.c source why ldns_rr_list_rr_count() fails and doesn't return 0
>     // In the meantime, disable the error
> }
>
> Haven't had time yet to check 1.6, sorry.

If you use a valid ldns_rr_list* it (ldns_rr_list_rr_count) just returns
_rr_count. It could be that it is not initialized properly?

grtz,

-- 
--Miek

From jelte at NLnetLabs.nl Mon Jul 13 19:16:32 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Mon, 13 Jul 2009 21:16:32 +0200
Subject: [ldns-users] autoconf ssl problem in drill
In-Reply-To: <4A5ACD91.1050603@durchmesser.ch>
References: <4A5ACD91.1050603@durchmesser.ch>
Message-ID: <4A5B8810.5050001@NLnetLabs.nl>

Marius Rieder wrote:
> Hi ldns-users and devels
>
> I have a problem compiling drill with a given open ssl path. ldns and
> examples works, but drill won't.
> Is it possible to copy over the ssl check from ldns to drill? The ssl
> check from acx_nlnetlabs.m4 doesn't fit, as it does not allow without-ssl
>

I have updated the acx function to allow for --without, and both the examples
and drill now use that. I have also committed Paul's patch to trunk. I am now
contemplating whether these changes warrant an extra release, but in the
meantime, if you have a trunk checkout, please try to see whether these changes
actually fix all issues.

Thanks,

Jelte

From paul at xelerance.com Mon Jul 13 20:35:04 2009
From: paul at xelerance.com (Paul Wouters)
Date: Mon, 13 Jul 2009 16:35:04 -0400 (EDT)
Subject: [ldns-users] autoconf ssl problem in drill
In-Reply-To: <4A5B8810.5050001@NLnetLabs.nl>
References: <4A5ACD91.1050603@durchmesser.ch> <4A5B8810.5050001@NLnetLabs.nl>
Message-ID:

On Mon, 13 Jul 2009, Jelte Jansen wrote:

> I have updated the acx function to allow for --without, and both the examples
> and drill now use that. I have also committed Paul's patch to trunk. I am now

Note I had missed one in examples/ldns-signzone.

> contemplating whether these changes warrant an extra release, but in the
> meantime, if you have a trunk checkout, please try to see whether these changes
> actually fix all issues.

I'm right now pushing and building 1.6.0 for Fedora/EPEL with --without-ssl

Paul

From henri at asseily.com Tue Jul 14 05:13:27 2009
From: henri at asseily.com (Henri Asseily)
Date: Tue, 14 Jul 2009 07:13:27 +0200
Subject: [ldns-users] Compile of 1.6.0
Message-ID: <7E220C8A-6FCD-4D19-9FC8-939BB003E2B8@asseily.com>

Hello,

in my quest to make the compile as easy as possible for the iPhone
(meaning packaging it into a framework with a fat static library for arm
and i686, while using the official makefile system), I've come across a
couple of issues:

First, it seems we're missing #ifdef HAVE_SSL in higher.c. When compiling
with --without-ssl, I get:

higher.c:18:25: error: openssl/ssl.h: No such file or directory
higher.c:19:25: error: openssl/sha.h: No such file or directory

Second, the download version of 1.6.0's configure gives the following
warnings:

config.status: executing libtool commands
sed: ./ltmain.sh: No such file or directory
sed: ./ltmain.sh: No such file or directory
mv: rename libtoolT to libtool: No such file or directory
cp: libtoolT: No such file or directory
chmod: libtool: No such file or directory

However, if I do:

autoreconf --install --force

then add AC_PROG_LIBTOOL in configure.ac and finally run the configure
command, it works fine.

---
Henri Asseily
henri.tel

From jtk at cymru.com Tue Jul 21 15:12:35 2009
From: jtk at cymru.com (John Kristoff)
Date: Tue, 21 Jul 2009 10:12:35 -0500
Subject: [ldns-users] Accessing RR rdata
Message-ID: <20090721101235.7611b89f@t61p>

I've used the Perl Net::DNS library quite a bit, but am trying to
incorporate ldns into my projects where appropriate. Thanks for making
this available. I'm a poor C coder, but this certainly does make some
things easier.

I'm trying to still wrap my head around some parts of ldns (and brush
up on my poor C skills generally :-) and am finding at least one part a
bit confusing I was hoping to get clued in on.

In Net::DNS I would create a Net::DNS::Packet object and then could
roll through the $obj->answer (or authority/additional section RRs) in
a loop like this:

for my $rr (@section) {
    my $qname = lc( $rr->name || '.' );
    my $class = $rr->class;
    my $type = $rr->type;
    my $ttl = $rr->ttl;
    my $rdata = $rr->rdatastr;
    ... work goes here ...

With ldns, the qname, class, type and ttl I can grab in a similar
fashion by unrolling an RRset using ldns_rr_list_pop_rr, but am I
correct in thinking that to get the equivalent of the rdatastr in
Net::DNS I have to reconstruct it manually by rolling through an rdf
rdata array or is there an equivalent function that can accomplish
essentially what is shown with Net::DNS above?

Maybe I'm getting a little confused by the rdf/rdata terminology
sprinkled throughout the doxygen pages?

John

From miek at miek.nl Tue Jul 21 17:17:36 2009
From: miek at miek.nl (Miek Gieben)
Date: Tue, 21 Jul 2009 19:17:36 +0200
Subject: [ldns-users] Accessing RR rdata
In-Reply-To: <20090721101235.7611b89f@t61p>
References: <20090721101235.7611b89f@t61p>
Message-ID: <20090721171736.GA19060@miek.nl>

[ Quoting John Kristoff in "[ldns-users] Accessing RR rdata"... ]
> correct in thinking that to get the equivalent of the rdatastr in
> Net::DNS I have to reconstruct it manually by rolling through an rdf
> rdata array or

That's the general idea if I remember correctly.

> is there an equivalent function that can accomplish
> essentially what is shown with Net::DNS above?

No, you need to get the rr and then hop over the rdfs.

> Maybe I'm getting a little confused by the rdf/rdata terminology
> sprinkled throughout the doxygen pages?

Well, the rdata of an RR consists of rdfs.

grtz Miek

From wouter at NLnetLabs.nl Tue Jul 21 17:24:38 2009
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 21 Jul 2009 19:24:38 +0200
Subject: [ldns-users] Accessing RR rdata
In-Reply-To: <20090721171736.GA19060@miek.nl>
References: <20090721101235.7611b89f@t61p> <20090721171736.GA19060@miek.nl>
Message-ID: <4A65F9D6.9000809@nlnetlabs.nl>

Hi,

On 07/21/2009 07:17 PM, Miek Gieben wrote:
> That's the general idea if I remember correctly.
>
>> is there an equivalent function that can accomplish
>> essentially what is shown with Net::DNS above?
>
> No, you need to get the rr and then hop over the rdfs.
>

You can use ldns_rr_rdata2buffer_wire() to get the rdata string.

Best regards,
Wouter
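
Added example (not from the thread, and it makes no ldns calls): plain C that walks the four rdata fields of a wire-format DNSKEY record, rebuilds the presentation string from them, and derives the SEP bit and RFC 4034 key tag that drill prints as "{id = ... (zsk)}" and that the earlier ZSK/KSK reply in this archive refers to. The key bytes and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNSKEY_FLAG_ZONE 0x0100  /* flags value 256: zone key */
#define DNSKEY_FLAG_SEP  0x0001  /* 257 = ZONE | SEP, the usual KSK */

struct dnskey_fields {
    uint16_t flags;
    uint8_t protocol, algorithm;
    const uint8_t *pubkey;
    size_t pubkey_len;
    uint16_t keytag;
};

/* Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5). */
static uint16_t dnskey_keytag(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    ac += (ac >> 16) & 0xFFFF;
    return (uint16_t)(ac & 0xFFFF);
}

/* Split wire-format DNSKEY rdata into its four fields; 0 on success. */
int dnskey_split(const uint8_t *rdata, size_t len, struct dnskey_fields *f)
{
    if (len < 5 || len > 65535) return -1;  /* 4 fixed octets + key octets */
    f->flags = (uint16_t)((rdata[0] << 8) | rdata[1]);
    f->protocol = rdata[2];
    f->algorithm = rdata[3];
    f->pubkey = rdata + 4;
    f->pubkey_len = len - 4;
    f->keytag = dnskey_keytag(rdata, len);
    return 0;
}

/* Base64 with padding; 0 on success, -1 if out is too small. */
static int b64_encode(const uint8_t *in, size_t n, char *out, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t o = 0;
    if (cap < 4 * ((n + 2) / 3) + 1) return -1;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = tbl[v >> 18];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    return 0;
}

/* Presentation form: "flags protocol algorithm base64(key)". */
int dnskey_to_str(const struct dnskey_fields *f, char *buf, size_t cap)
{
    int n = snprintf(buf, cap, "%u %u %u ", (unsigned)f->flags,
                     (unsigned)f->protocol, (unsigned)f->algorithm);
    if (n < 0 || (size_t)n >= cap) return -1;
    return b64_encode(f->pubkey, f->pubkey_len, buf + n, cap - (size_t)n);
}

int main(void)
{
    /* Constructed rdata, not a real key: 257 3 5, then 7 octets of "key". */
    static const uint8_t ksk[] = { 0x01, 0x01, 3, 5,
                                   0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF };
    struct dnskey_fields f;
    char text[64];

    if (dnskey_split(ksk, sizeof ksk, &f) || dnskey_to_str(&f, text, sizeof text))
        return 1;
    printf("%s ;{id = %u (%s)}\n", text, (unsigned)f.keytag,
           (f.flags & DNSKEY_FLAG_SEP) ? "ksk" : "zsk");
    return 0;
}
```

The key tag is only a hint for matching an RRSIG to a DNSKEY; two different keys can share a tag, so a validator still has to check the signature itself.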