From john.barnitz at gmail.com Mon Apr 23 17:02:08 2012
From: john.barnitz at gmail.com (John Barnitz)
Date: Mon, 23 Apr 2012 13:02:08 -0400
Subject: [ldns-users] LDNS and opt-out NSEC3 validation
Message-ID:

I am using LDNS to query the net zone for a DS record of a domain, for example, sample.net. The net zone is opt-out, so I get back NSEC3 records and NOERROR. I am using ldns_dnssec_verify_denial_nsec3 to validate the response. I always get back LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED as a result code. Can anyone help me determine what is wrong, or is there a different function I should be using? Let me know if you need any more information.

Thanks,
John Barnitz

From Willem at NLnetLabs.nl Tue Apr 24 20:30:19 2012
From: Willem at NLnetLabs.nl (Willem Toorop)
Date: Tue, 24 Apr 2012 22:30:19 +0200
Subject: [ldns-users] LDNS and opt-out NSEC3 validation
In-Reply-To:
References:
Message-ID: <4F970D5B.8070402@NLnetLabs.nl>

Hi John,

I just had a look at it, and it looks like the second paragraph of section 8.6 of rfc5155 (dealing with Opt-Out NSEC3's for DS's) is not (yet) implemented! I will dive into it and let you know when it is implemented in trunk.
Thanks for finding this shortcoming.

Willem

On 23-04-12 19:02, John Barnitz wrote:
> I am using LDNS to query the net zone for a DS record of a domain,
> for example, sample.net. The net zone is opt-out, so I get back NSEC3
> records and NOERROR. I am using ldns_dnssec_verify_denial_nsec3 to
> validate the response. I always get back
> LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED as a result code. Can anyone
> help me determine what is wrong, or is there a different function I
> should be using? Let me know if you need any more information.
>
> Thanks,
> John Barnitz
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users

From Willem at NLnetLabs.nl Tue Apr 24 21:35:44 2012
From: Willem at NLnetLabs.nl (Willem Toorop)
Date: Tue, 24 Apr 2012 23:35:44 +0200
Subject: [ldns-users] LDNS and opt-out NSEC3 validation
In-Reply-To: <4F970D5B.8070402@NLnetLabs.nl>
References: <4F970D5B.8070402@NLnetLabs.nl>
Message-ID: <4F971CB0.8060506@NLnetLabs.nl>

Hi John,

The issue is now fixed (as of revision 3668) in trunk and will be in the next ldns release (1.6.13).

Thanks again,

-- Willem

On 24-04-12 22:30, Willem Toorop wrote:
> Hi John,
>
> I just had a look at it, and it looks like the second paragraph of
> section 8.6 of rfc5155 (dealing with Opt-Out NSEC3's for DS's) is not
> (yet) implemented! I will dive into it and let you know when it is
> implemented in trunk.
> Thanks for finding this shortcoming.
>
> Willem
>
>
>
> On 23-04-12 19:02, John Barnitz wrote:
>> I am using LDNS to query the net zone for a DS record of a domain,
>> for example, sample.net. The net zone is opt-out, so I get back NSEC3
>> records and NOERROR. I am using ldns_dnssec_verify_denial_nsec3 to
>> validate the response. I always get back
>> LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED as a result code. Can anyone
>> help me determine what is wrong, or is there a different function I
>> should be using? Let me know if you need any more information.
>>
>> Thanks,
>> John Barnitz

From john at jones.name Thu Apr 26 16:51:16 2012
From: john at jones.name (John Jones)
Date: Fri, 27 Apr 2012 02:51:16 +1000
Subject: [ldns-users] ldns on iPhone ?
Message-ID: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>

Hi

I am working with an iPhone and frankly the kludge to get even reverse DNS working correctly is pretty scary...

is there ldns setup/lib/framework for the iPhone ?

I simply want my simple app to be able to query SRV, MX, validate DNSSEC and be able to do reverse DNS both with the current local server and one I specify...
I have seen that some people used ldns but ripped out all the SSL functions (.tel people) has anyone got any setups/config they could share with me ?

I would really appreciate any help !

regards

John Jones

From henri at asseily.com Thu Apr 26 21:17:37 2012
From: henri at asseily.com (Henri Asseily)
Date: Fri, 27 Apr 2012 00:17:37 +0300
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
Message-ID:

I did create a shell script and frameworks skeleton package that builds a complete ldns framework (both simulator and device, both debug and release) for use in iOS.
As you said, I ripped out SSL because I didn't need it and iOS doesn't expose all the necessary OpenSSL functions (that's highly idiotic).
However, you can build a complete OpenSSL library for iOS, and then you can build the ldns framework with SSL enabled.
So to be clear, if you want to do DNSSEC, you'll need to compile a static OpenSSL library (or get a framework), include it in your app, and build the ldns framework with SSL.

--
Henri Asseily
henri.tel

On Apr 26, 2012, at 7:51 PM, John Jones wrote:

> Hi
>
> I am working with an iPhone and frankly the kludge to get even reverse DNS working correctly is pretty scary...
>
> is there ldns setup/lib/framework for the iPhone ?
>
> I simply want my simple app to be able to query SRV, MX, validate DNSSEC and be able to do reverse DNS both with the current local server and one I specify...
> I have seen that some people used ldns but ripped out all the SSL functions (.tel people) has anyone got any setups/config they could share with me ?
>
> I would really appreciate any help !
>
> regards
>
> John Jones

From john at jones.name Fri Apr 27 03:42:47 2012
From: john at jones.name (John Jones)
Date: Fri, 27 Apr 2012 13:42:47 +1000
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To:
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
Message-ID:

Hi Henri Asseily,

Thank you for your answer could you post your script ?
I would be very grateful !

regards

John Jones

On 27/04/2012, at 7:17 AM, Henri Asseily wrote:

> I did create a shell script and frameworks skeleton package that builds a complete ldns framework (both simulator and device, both debug and release) for use in iOS.
> As you said, I ripped out SSL because I didn't need it and iOS doesn't expose all the necessary OpenSSL functions (that's highly idiotic).
> However, you can build a complete OpenSSL library for iOS, and then you can build the ldns framework with SSL enabled.
>
> So to be clear, if you want to do DNSSEC, you'll need to compile a static OpenSSL library (or get a framework), include it in your app, and build the ldns framework with SSL.
>
> --
> Henri Asseily
> henri.tel
>
>
> On Apr 26, 2012, at 7:51 PM, John Jones wrote:
>
>> Hi
>>
>> I am working with an iPhone and frankly the kludge to get even reverse DNS working correctly is pretty scary...
>>
>> is there ldns setup/lib/framework for the iPhone ?
>>
>> I simply want my simple app to be able to query SRV, MX, validate DNSSEC and be able to do reverse DNS both with the current local server and one I specify...
>> I have seen that some people used ldns but ripped out all the SSL functions (.tel people) has anyone got any setups/config they could share with me ?
>>
>> I would really appreciate any help !
>>
>> regards
>>
>> John Jones
>

From marco.davids at sidn.nl Fri Apr 27 07:54:04 2012
From: marco.davids at sidn.nl (Marco Davids (SIDN))
Date: Fri, 27 Apr 2012 09:54:04 +0200
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To:
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
Message-ID: <4F9A509C.4080301@sidn.nl>

[sorry for any duplicates - I sent a reply with some pictures attached first, but that one was held back for moderation]

Hi,

We (SIDN Labs) experimented with this a while ago and managed to turn LDNS into a 'universal library' for iOS:

The blog about this, including some source-code, can be found here (but it is in Dutch, unfortunately):

http://www.sidnlabs.nl/laatste-berichten/nieuwsdetail/article/ldns-als-ios-universal-library/

We also managed to get LibUnbound working on an iPhone and were able to do validation. However, the blog-post of that endeavour is still in the making.

Regards,

--
Marco

On 04/26/12 23:17, Henri Asseily wrote:
> I did create a shell script and frameworks skeleton package that builds a complete ldns framework (both simulator and device, both debug and release) for use in iOS.
> As you said, I ripped out SSL because I didn't need it and iOS doesn't expose all the necessary OpenSSL functions (that's highly idiotic).
> However, you can build a complete OpenSSL library for iOS, and then you can build the ldns framework with SSL enabled.
>
> So to be clear, if you want to do DNSSEC, you'll need to compile a static OpenSSL library (or get a framework), include it in your app, and build the ldns framework with SSL.
>
> --
> Henri Asseily
> henri.tel
>
>
> On Apr 26, 2012, at 7:51 PM, John Jones wrote:
>
>> Hi
>>
>> I am working with an iPhone and frankly the kludge to get even reverse DNS working correctly is pretty scary...
>>
>> is there ldns setup/lib/framework for the iPhone ?
>>
>> I simply want my simple app to be able to query SRV, MX, validate DNSSEC and be able to do reverse DNS both with the current local server and one I specify...
>> I have seen that some people used ldns but ripped out all the SSL functions (.tel people) has anyone got any setups/config they could share with me ?
>>
>> I would really appreciate any help !
>>
>> regards
>>
>> John Jones

From matthijs at nlnetlabs.nl Fri Apr 27 07:53:37 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Fri, 27 Apr 2012 09:53:37 +0200
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
Message-ID: <4F9A5081.5000706@nlnetlabs.nl>

Hi,

I am aware of SIDN's effort to put ldns on the iPhone. They have a blog item:

http://www.sidnlabs.nl/laatste-berichten/nieuwsdetail/article/ldns-als-ios-universal-library/

Unfortunately, it is in Dutch, but it provides links to the scripts and examples, and maybe Google Translate can help out :).

Best regards,
Matthijs

On 04/26/2012 06:51 PM, John Jones wrote:
> Hi
>
> I am working with an iPhone and frankly the kludge to get even
> reverse DNS working correctly is pretty scary...
>
> is there ldns setup/lib/framework for the iPhone ?
>
> I simply want my simple app to be able to query SRV, MX, validate
> DNSSEC and be able to do reverse DNS both with the current local
> server and one I specify... I have seen that some people used ldns
> but ripped out all the SSL functions (.tel people) has anyone got
> any setups/config they could share with me ?
>
> I would really appreciate any help !
>
> regards
>
> John Jones

From henri at asseily.com Fri Apr 27 07:56:00 2012
From: henri at asseily.com (Henri Asseily)
Date: Fri, 27 Apr 2012 10:56:00 +0300
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To:
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
Message-ID: <8D1CC88A-D757-4AD7-991D-4D0E806BEC4E@asseily.com>

The files are on github: https://github.com/hasseily/Makefile-to-iOS-Framework

To use this with ldns:
- Copy the Canonical.Framework.tar and makeframework.sh files to the ldns directory
- Go to the directory containing the makefile and run makeframework.sh with the correct options.

For example, if you have ldns 1.6.12, want the framework to use the same version number, and are compiling for iOS out of the box (without SSL), you'd use:

./makeframework.sh -v 1.6.12 framework --disable-gost --disable-sha2 --without-ssl

If you want to use sha2, gost and ssl you'll have to ensure your project also has the relevant static libraries included, as the default iOS doesn't include them (or doesn't allow dynamic linking to them, as in the case of OpenSSL).

The resulting framework will be in your home directory under:
${HOME}/compiles/iPhoneFramework

Hope this helps.

--
Henri Asseily
henri.tel

On Apr 27, 2012, at 6:42 AM, John Jones wrote:

> Hi Henri Asseily,
>
> Thank you for your answer could you post your script ?
> I would be very grateful !
>
> regards
>
> John Jones
>
>
>
> On 27/04/2012, at 7:17 AM, Henri Asseily wrote:
>
>> I did create a shell script and frameworks skeleton package that builds a complete ldns framework (both simulator and device, both debug and release) for use in iOS.
>> As you said, I ripped out SSL because I didn't need it and iOS doesn't expose all the necessary OpenSSL functions (that's highly idiotic).
>> However, you can build a complete OpenSSL library for iOS, and then you can build the ldns framework with SSL enabled.
>>
>> So to be clear, if you want to do DNSSEC, you'll need to compile a static OpenSSL library (or get a framework), include it in your app, and build the ldns framework with SSL.
>>
>> --
>> Henri Asseily
>> henri.tel
>>
>>
>> On Apr 26, 2012, at 7:51 PM, John Jones wrote:
>>
>>> Hi
>>>
>>> I am working with an iPhone and frankly the kludge to get even reverse DNS working correctly is pretty scary...
>>>
>>> is there ldns setup/lib/framework for the iPhone ?
>>>
>>> I simply want my simple app to be able to query SRV, MX, validate DNSSEC and be able to do reverse DNS both with the current local server and one I specify...
>>> I have seen that some people used ldns but ripped out all the SSL functions (.tel people) has anyone got any setups/config they could share with me ?
>>>
>>> I would really appreciate any help !
>>>
>>> regards
>>>
>>> John Jones
>>
>

From john at jones.name Fri Apr 27 08:13:55 2012
From: john at jones.name (John Jones)
Date: Fri, 27 Apr 2012 18:13:55 +1000
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To: <4F9A509C.4080301@sidn.nl>
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name> <4F9A509C.4080301@sidn.nl>
Message-ID: <39698E56-20AC-48AE-8D7F-BB70D3E74C06@jones.name>

Hi

I would very much like to know how you got libunbound working/validation (I presume you mean DNSSEC) ?
did you have to modify only the build or all the crypto calls ?
even just briefly outline what you did ?

including OpenSSL in a build for ldns creates an application that is over 10Mb just for a working resolver...

I have spent the day looking at common crypto from apple that's driving me crazy please help...
regards

John Jones

On 27/04/2012, at 5:54 PM, Marco Davids (SIDN) wrote:

> [sorry for any duplicates - I sent a reply with some pictures attached
> first, but that one was held back for moderation]
>
> Hi,
>
> We (SIDN Labs) experimented with this a while ago and managed to turn
> LDNS into a 'universal library' for iOS:
>
> The blog about this, including some source-code, can be found here (but
> it is in Dutch, unfortunately):
>
> http://www.sidnlabs.nl/laatste-berichten/nieuwsdetail/article/ldns-als-ios-universal-library/
>
> We also managed to get LibUnbound working on an iPhone and were able to
> do validation. However, the blog-post of that endeavour is still in the
> making.
>
> Regards,
>
> --
> Marco
>
>
> On 04/26/12 23:17, Henri Asseily wrote:
>> I did create a shell script and frameworks skeleton package that builds a complete ldns framework (both simulator and device, both debug and release) for use in iOS.
>> As you said, I ripped out SSL because I didn't need it and iOS doesn't expose all the necessary OpenSSL functions (that's highly idiotic).
>> However, you can build a complete OpenSSL library for iOS, and then you can build the ldns framework with SSL enabled.
>>
>> So to be clear, if you want to do DNSSEC, you'll need to compile a static OpenSSL library (or get a framework), include it in your app, and build the ldns framework with SSL.
>>
>> --
>> Henri Asseily
>> henri.tel
>>
>>
>> On Apr 26, 2012, at 7:51 PM, John Jones wrote:
>>
>>> Hi
>>>
>>> I am working with an iPhone and frankly the kludge to get even reverse DNS working correctly is pretty scary...
>>>
>>> is there ldns setup/lib/framework for the iPhone ?
>>>
>>> I simply want my simple app to be able to query SRV, MX, validate DNSSEC and be able to do reverse DNS both with the current local server and one I specify...
>>> I have seen that some people used ldns but ripped out all the SSL functions (.tel people) has anyone got any setups/config they could share with me ?
>>>
>>> I would really appreciate any help !
>>>
>>> regards
>>>
>>> John Jones

From henri at asseily.com Fri Apr 27 08:21:31 2012
From: henri at asseily.com (Henri Asseily)
Date: Fri, 27 Apr 2012 11:21:31 +0300
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To: <39698E56-20AC-48AE-8D7F-BB70D3E74C06@jones.name>
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name> <4F9A509C.4080301@sidn.nl> <39698E56-20AC-48AE-8D7F-BB70D3E74C06@jones.name>
Message-ID: <2D0C4489-75A0-46FC-9AD4-4ACF711C746D@asseily.com>

I wonder if my framework script works out of the box with libunbound (given the correct prerequisites and compile options)...

Anyway, blame Apple for the idiocy of not exposing the OpenSSL shared libraries and having to go through a ridiculously complicated security framework.
Don't bother trying to find a way to use Apple's included common crypto functions, you'll go crazy and it won't help. There are just things in OpenSSL that you'll need and that Apple doesn't expose.

H

On Apr 27, 2012, at 11:13 AM, John Jones wrote:

> Hi
>
> I would very much like to know how you got libunbound working/validation (I presume you mean DNSSEC) ?
> did you have to modify only the build or all the crypto calls ?
> even just briefly outline what you did ?
>
> including OpenSSL in a build for ldns creates an application that is over 10Mb just for a working resolver...
>
> I have spent the day looking at common crypto from apple that's driving me crazy please help...
>
> regards
>
> John Jones
>
> On 27/04/2012, at 5:54 PM, Marco Davids (SIDN) wrote:
>
>> [sorry for any duplicates - I sent a reply with some pictures attached
>> first, but that one was held back for moderation]
>>
>> Hi,
>>
>> We (SIDN Labs) experimented with this a while ago and managed to turn
>> LDNS into a 'universal library' for iOS:
>>
>> The blog about this, including some source-code, can be found here (but
>> it is in Dutch, unfortunately):
>>
>> http://www.sidnlabs.nl/laatste-berichten/nieuwsdetail/article/ldns-als-ios-universal-library/
>>
>> We also managed to get LibUnbound working on an iPhone and were able to
>> do validation. However, the blog-post of that endeavour is still in the
>> making.
>>
>> Regards,
>>
>> --
>> Marco
>>
>>
>> On 04/26/12 23:17, Henri Asseily wrote:
>>> I did create a shell script and frameworks skeleton package that builds a complete ldns framework (both simulator and device, both debug and release) for use in iOS.
>>> As you said, I ripped out SSL because I didn't need it and iOS doesn't expose all the necessary OpenSSL functions (that's highly idiotic).
>>> However, you can build a complete OpenSSL library for iOS, and then you can build the ldns framework with SSL enabled.
>>>
>>> So to be clear, if you want to do DNSSEC, you'll need to compile a static OpenSSL library (or get a framework), include it in your app, and build the ldns framework with SSL.
>>>
>>> --
>>> Henri Asseily
>>> henri.tel
>>>
>>>
>>> On Apr 26, 2012, at 7:51 PM, John Jones wrote:
>>>
>>>> Hi
>>>>
>>>> I am working with an iPhone and frankly the kludge to get even reverse DNS working correctly is pretty scary...
>>>>
>>>> is there ldns setup/lib/framework for the iPhone ?
>>>>
>>>> I simply want my simple app to be able to query SRV, MX, validate DNSSEC and be able to do reverse DNS both with the current local server and one I specify...
>>>> I have seen that some people used ldns but ripped out all the SSL functions (.tel people) has anyone got any setups/config they could share with me ?
>>>>
>>>> I would really appreciate any help !
>>>>
>>>> regards
>>>>
>>>> John Jones
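
Added example, not part of the original messages and not ldns code: a stand-alone Python sketch of the check named in the first thread above (RFC 5155 section 8.6, both paragraphs) for a NOERROR/NODATA answer to a DS query in an opt-out zone. It assumes the NSEC3 RRSIGs were already verified and that all records share one zone and one set of parameters; the record dictionaries, result strings, salt and iteration count are constructed for illustration.

```python
import base64
import hashlib

OPT_OUT = 0x01                      # Opt-Out bit in the NSEC3 Flags field
SALT = bytes.fromhex("aabbccdd")    # constructed NSEC3 parameters
ITERATIONS = 12
# base32 -> base32hex alphabet; base32hex text sorts in the same order as the hash
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def b32hex(raw):
    return base64.b32encode(raw).translate(_B32HEX).decode().lower()

def nsec3_digest(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: SHA-1 over wire-format name || salt, then re-hashed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def covers(rec, h):
    """True if hash h lies strictly between owner and next, allowing wrap-around."""
    owner, nxt = rec["owner"], rec["next"]
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def verify_ds_nodata(qname, nsec3s):
    """Classify a NOERROR/NODATA answer to a DS query per RFC 5155 section 8.6."""
    by_owner = {r["owner"]: r for r in nsec3s}
    match = by_owner.get(b32hex(nsec3_digest(qname)))
    if match is not None:
        # Paragraph 1: an NSEC3 matching QNAME must not list DS or CNAME.
        return "bogus" if match["types"] & {"DS", "CNAME"} else "nodata-proven"
    # Paragraph 2: closest provable encloser proof, and the NSEC3 covering the
    # "next closer" name must have the Opt-Out bit set.
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        encloser = by_owner.get(b32hex(nsec3_digest(".".join(labels[i:]))))
        if encloser is None:
            continue
        types = encloser["types"]
        if "DNAME" in types or ("NS" in types and "SOA" not in types):
            return "bogus"          # section 8.3: encloser not from this zone
        next_closer = b32hex(nsec3_digest(".".join(labels[i - 1:])))
        cover = next((r for r in nsec3s if covers(r, next_closer)), None)
        if cover is not None and cover["flags"] & OPT_OUT:
            return "insecure-opt-out"
        return "bogus"
    return "bogus"

def sample_nsec3s(cover_flags):
    """Constructed NSEC3 set: DS query for sample.net, zone apex 'net'."""
    def near(name, delta):
        value = int.from_bytes(nsec3_digest(name), "big") + delta
        return b32hex(value.to_bytes(20, "big"))
    apex = {"owner": near("net", 0), "next": near("net", 1), "flags": OPT_OUT,
            "types": {"NS", "SOA", "RRSIG", "DNSKEY", "NSEC3PARAM"}}
    span = {"owner": near("sample.net", -1), "next": near("sample.net", 1),
            "flags": cover_flags, "types": {"NS", "DS", "RRSIG"}}
    return [apex, span]

if __name__ == "__main__":
    print(verify_ds_nodata("sample.net", sample_nsec3s(OPT_OUT)))
    print(verify_ds_nodata("sample.net", sample_nsec3s(0)))
```

A covering NSEC3 without the Opt-Out bit, or a response with no provable closest encloser, is classified as bogus rather than as an insecure delegation.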