From Marc.Groeneweg at sidn.nl Tue May 1 05:31:05 2012 
From: Marc.Groeneweg at sidn.nl (Marc Groeneweg)
Date: Tue, 1 May 2012 05:31:05 +0000
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To: <39698E56-20AC-48AE-8D7F-BB70D3E74C06@jones.name>
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
	<4F9A509C.4080301@sidn.nl>
	<39698E56-20AC-48AE-8D7F-BB70D3E74C06@jones.name>
Message-ID: <5BFD186DCB661E4D951017B0818285AE275E844E@kambx1.SIDN.local>

Hi John,

> I would very much like to know how you got libunbound
> working/validation (I presume you mean DNSSEC) ?

This will be posted very soon on SIDNlabs. And yes, we mean DNSSEC.

> did you have to modify only the build or all the crypto calls ?

I didn't have to do anything to create the library. So no modifications are necessary.

> even just briefly outline what you did ?

I downloaded the script for creating the OpenSSL library made by Felix Schutze:
http://www.x2on.de/2010/12/16/tutorial-script-for-building-openssl-for-ios-iphoneipad/
(He has made a new one. Everything broke because of the XCode update as a Mac App Store app.)

The technique involved here is creating static, Universal libraries you can add to your XCode project.
Not creating a Framework like Henri Asseily did. I thought this was smarter, but I am not sure.

For creating the libunbound, the same technique is needed, but you have to iterate because of the
dependencies Unbound has with ldns. Three build runs were needed to create libunbound (with ldns)
for the architectures needed for iOS devices (i386, armv6, armv7). Scripts can be found at SIDN labs
as soon as the article on libunbound gets published. (Though the script is broken because of the
XCode update. I must fix this, but I'm no hard-core programmer.)

> including OpenSSL in a build for ldns creates an application that is over 10Mb just for a working resolver...

I guess. I just focused on how to make it work, not how big it would get.

> I have spent the day looking at common crypto from apple that's driving me crazy please help...
As I did, before I tried anything with respect to ldns and libunbound. And moreover, since Apple forbids any dynamic/shared library other than their own, it's fun to look for alternatives.

Isn't it time DNSSEC support is included in the base libraries?

Regards,

Marc Groeneweg

From henri at asseily.com  Wed May  2 04:21:03 2012
From: henri at asseily.com (Henri Asseily)
Date: Wed, 2 May 2012 07:21:03 +0300
Subject: [ldns-users] ldns on iPhone ?
In-Reply-To: <5BFD186DCB661E4D951017B0818285AE275E844E@kambx1.SIDN.local>
References: <4212CB92-1EE4-45B0-819C-C357CAF868D0@jones.name>
	<4F9A509C.4080301@sidn.nl>
	<39698E56-20AC-48AE-8D7F-BB70D3E74C06@jones.name>
	<5BFD186DCB661E4D951017B0818285AE275E844E@kambx1.SIDN.local>
Message-ID: <860161F1-56C7-4EAB-9B58-C67B476DCD28@asseily.com>

>> even just briefly outline what you did ?
> I downloaded the script for creating the OpenSSL library made by Felix Schutze:
> http://www.x2on.de/2010/12/16/tutorial-script-for-building-openssl-for-ios-iphoneipad/
> (He has made a new one. Everything broke because of the XCode update as a Mac App Store app.)
>
> The technique involved here is creating static, Universal libraries you can add to your XCode project.
> Not creating a Framework like Henri Asseily did. I thought this was smarter, but I am not sure.

The difference between a shared lib and a framework is simply one of bundling. The framework is a directory structure comprising all the necessary libraries and their header files that can be simply dropped into a project in XCode in a single step.

Felix Schutze determined that there was not only an additional parameter to send to configure (BSD-generic32, which can be passed into my generic script on the command line), but also that the OpenSSL source code needs the modifications below for iOS (slightly different for each build of sim, armv6 or armv7):

sed -ie "s!^CFLAG=!CFLAG=-isysroot /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS${SDKVERSION}.sdk !" "Makefile"

# remove sig_atomic for iPhoneOS
sed -ie "s!static volatile sig_atomic_t intr_signal;!static volatile intr_signal;!" "crypto/ui/ui_openssl.c"

I can add that to my script and make a complete OpenSSL framework if you're interested.
>
> For creating the libunbound, the same technique is needed, but you have to iterate because of the
> dependencies Unbound has with ldns. Three build runs were needed to create libunbound (with ldns)
> for the architectures needed for iOS devices (i386, armv6, armv7). Scripts can be found at SIDN labs
> as soon as the article on libunbound gets published. (Though the script is broken because of the
> XCode update. I must fix this, but I'm no hard-core programmer.)

Let me know if you need help. We could pretty much package the whole thing (OpenSSL + libunbound + ldns) into one drop-in framework.

From Willem at NLnetLabs.nl  Mon May 21 13:59:18 2012
From: Willem at NLnetLabs.nl (Willem Toorop)
Date: Mon, 21 May 2012 15:59:18 +0200
Subject: [ldns-users] ldns 1.6.13 released
Message-ID: <4FBA4A36.8060600@NLnetLabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Version 1.6.13 of ldns is now available. This is mostly a bugfix release. Most notable new features are ECDSA support (RFC 6605) and command-line options for ldns-verify-zone for validating against given keys and for safety margins on signature inception and expiration times.

Best regards,

Willem Toorop

link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.13.tar.gz
sha1: 859f633d10b763f06b602e2113828cbbd964c7eb

Changelog:
* New -S option for ldns-verify-zone to chase signatures online.
* New -k option for ldns-verify-zone to validate using a trusted key.
* New inception and expiration margin options (-i and -e) to ldns-verify-zone.
* New ldns_dnssec_zone_new_frm_fp and ldns_dnssec_zone_new_frm_fp_l functions.
* New ldns_duration* functions (copied from OpenDNSSEC source)
* fix ldns-verify-zone to allow NSEC3 signatures to come before the NSEC3 RR in all cases. Thanks Wolfgang Nagele.
* Zero the correct flag (opt-out) when creating NSEC3PARAMS. Thanks Peter van Dijk.
* Canonicalize RRSIG's Signer's name too when validating, because bind and unbound do that too. Thanks Peter van Dijk.
* bugfix #433: Allocate rdf using ldns_rdf_new in ldns_dname_label
* bugfix #432: Use LDNS_MALLOC & LDNS_FREE instead of malloc & free
* bugfix #431: Added error message for LDNS_STATUS_INVALID_B32_EXT
* bugfix #427: Explicitly link ssl with the programs that use it.
* Fix reading \DDD: Error on values that are outside range (>255).
* bugfix #429: fix doxyparse.pl fails on NetBSD because specified path to perl.
* New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl.
* fix verifying denial of existence for DS's in NSEC3 Opt-Out zones.
  Thanks John Barnitz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPuko2AAoJEOX4+CEvd6SYDB4P/RTsSXt/x1vbkvOBhxwGO04w
8Um2agBTrAt4hdvgRa3KxYZlKEgk5EzKNCRLQbSPbCOZiIObt0dnU/k2zhSCMwmc
1BnYZdH+x9+XDW2nffw9mGqd4DICE5T7fIpR1hvhiEsJzJ4Ib8RTXp3RFWtyTNkp
Xb7Zj6P7aEbpXUqhnZfuAal679h9d6sJYyHd7ctajnPRQaHblYt0/cst3XoN1V4E
86vsb9earDnYBR2iRaISAlteRWo1F4CkUXjhsZgZbp0zANvoD04fJ3ZxXIOlXN3c
FC+4loK8AF+PFvcSNWoL5y8NM8ITNV0wZZlBdXwdi5D0k7Pu8Dd6tB7eGMMj8r0Q
VAaRA8gFQHX8L3CalP77fd+TmsTnVln3k/ZQ4Nj84DdeMZEI1s0gnx4Ha8pP2vRr
2G08U2EBhcqUFzPOfZZAt5GfBGPFP2VJsbcp4kd+nCRyrPVPoO4XhIB/5tafo2qY
5egF16qHmJFRixRWHhA3rmpqFfv3ai825ZLQBjy6sURnaW8phNI6e+925hYYt2te
dnV2KPuvOkQCFpbaNjcsAcSZYg45UQeJN8myG18B6lxv8WcoSTJV2Q5doMdKFXfC
Z5UzmsIR9f1GuIGdJS2iPLWKvSuohz17RFTLto1AOdxgzX1jKrHYnJEWirakuPhs
SP75ugwcviT9b5sVdfS1
=p4Ac
-----END PGP SIGNATURE-----

From Willem at NLnetLabs.nl  Tue May 22 08:53:21 2012
From: Willem at NLnetLabs.nl (Willem Toorop)
Date: Tue, 22 May 2012 10:53:21 +0200
Subject: [ldns-users] ldns-verify-zone
In-Reply-To:
References: <4FBA4A36.8060600@NLnetLabs.nl>
Message-ID: <4FBB5401.2090507@NLnetLabs.nl>

Hi Paul,

On 21-05-12 22:07, Paul Wouters wrote:
> On Mon, 21 May 2012, Willem Toorop wrote:
>
>> and command-line options for ldns-verify-zone for
>> validating against given keys
>
> The man page and this description do not make it very
> clear what this validation option is.
>
> Since a zone has the DNSKEYs in it to perform RRSIG verification,
> I assume this option means it can validate the DNSKEY RRset
> against other trust anchors (those specified with -k ?)

I copied the description from drill, which already had such an option with the same meaning. dig also has a similar description with its +trusted-key=#### option.

It means that everything signed with keys from the -k options, or with keys that in their verification path are ultimately signed with a key from those -k options, is considered valid. Provided that all other conditions determining the validity are good too, of course. If the -S option is also given, one could provide the root key, and that should ultimately validate. In that sense -k could be considered to be an option providing the trust anchor(s).

> Running ldns-verify-zone -a against a 1M zone was aborted after 8h:
>
> real 834m21.494s
> user 0m0.000s
> sys 0m0.001s
>
> Note it was using 100% of a single CPU until I killed it
> despite the user/sys time being zero.
>
> Since -a means to only check the apex, I'm quite confused what it
> was actually doing with the cpu.

ldns-verify-zone currently reads the whole zone into memory (as an array), and then puts it in a red/black-tree. This is far from efficient. Especially for sorted zones we expect quite some improvements with a sliding window technique (in which zones are processed while reading).
ldns efficiency is high on the priority list for the next release and it will certainly contain a much improved ldns-verify-zone in terms of speed and memory requirements.

Though... I can not explain your numbers. On my desktop PC ldns-read-zone takes

real 1m8.885s
user 1m15.821s
sys 0m1.244s

with a zone with 12M RRs. ldns-verify-zone takes for that zone:

real 3m19.718s
user 3m17.372s
sys 0m1.808s

For comparison, validns does it in:

real 0m14.144s
user 0m13.313s
sys 0m0.716s

So there is quite a bit to improve here :/

-- Willem

From msheldon at godaddy.com  Thu May 24 21:00:20 2012
From: msheldon at godaddy.com (Michael Sheldon)
Date: Thu, 24 May 2012 14:00:20 -0700
Subject: [ldns-users] Bug in tsig code?
Message-ID: <20120524140020.205a61dff9fc1684c258b274662bb912.d7626d61c9.wbe@email00.secureserver.net>

Valgrind is popping me on memory errors:

==8692== 16 bytes in 1 blocks are definitely lost in loss record 1 of 2
==8692==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
==8692==    by 0x301542F3A9: ldns_rdf_new_frm_data (rdata.c:207)
==8692==    by 0x301543A134: ldns_tsig_mac_new (tsig.c:181)
==8692==    by 0x301543A882: ldns_pkt_tsig_sign_next (tsig.c:428)
==8692==    by 0x301543A9A2: ldns_pkt_tsig_sign (tsig.c:357)

==8692== 26 bytes in 1 blocks are definitely lost in loss record 2 of 2
==8692==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
==8692==    by 0x301542F3A9: ldns_rdf_new_frm_data (rdata.c:207)
==8692==    by 0x301543A141: ldns_tsig_mac_new (tsig.c:182)
==8692==    by 0x301543A882: ldns_pkt_tsig_sign_next (tsig.c:428)
==8692==    by 0x301543A9A2: ldns_pkt_tsig_sign (tsig.c:357)

Looks to me that in tsig.c

00269 ldns_rdf_free(canonical_algorithm_rdf);
00270 ldns_rdf_free(canonical_key_name_rdf);

should be ldns_rdf_deep_free()

these were allocated at:

00181 canonical_key_name_rdf = ldns_rdf_clone(key_name_rdf);
00182 canonical_algorithm_rdf = ldns_rdf_clone(algorithm_rdf);

Michael Sheldon
Dev-DNS Services
GoDaddy.com

From msheldon at godaddy.com  Thu May 24 23:22:10 2012
From: msheldon at godaddy.com (Michael Sheldon)
Date: Thu, 24 May 2012 16:22:10 -0700
Subject: [ldns-users] Bug_in_tsig_code?
Message-ID: <20120524162210.205a61dff9fc1684c258b274662bb912.0056fa0a83.wbe@email00.secureserver.net>

Submitted as bug 449. I think this got introduced with the fix for bug 407.

Michael Sheldon
Dev-DNS Services
GoDaddy.com

> -------- Original Message --------
> Subject: [ldns-users] Bug_in_tsig_code?
> From: "Michael Sheldon"
> Date: Thu, May 24, 2012 2:00 pm
> To: ldns-users at NLnetLabs.nl
>
>
> Valgrind is popping me on memory errors:
>
> ==8692== 16 bytes in 1 blocks are definitely lost in loss record 1 of 2
> ==8692==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
> ==8692==    by 0x301542F3A9: ldns_rdf_new_frm_data (rdata.c:207)
> ==8692==    by 0x301543A134: ldns_tsig_mac_new (tsig.c:181)
> ==8692==    by 0x301543A882: ldns_pkt_tsig_sign_next (tsig.c:428)
> ==8692==    by 0x301543A9A2: ldns_pkt_tsig_sign (tsig.c:357)
>
> ==8692== 26 bytes in 1 blocks are definitely lost in loss record 2 of 2
> ==8692==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
> ==8692==    by 0x301542F3A9: ldns_rdf_new_frm_data (rdata.c:207)
> ==8692==    by 0x301543A141: ldns_tsig_mac_new (tsig.c:182)
> ==8692==    by 0x301543A882: ldns_pkt_tsig_sign_next (tsig.c:428)
> ==8692==    by 0x301543A9A2: ldns_pkt_tsig_sign (tsig.c:357)
>
> Looks to me that in tsig.c
>
> 00269 ldns_rdf_free(canonical_algorithm_rdf);
> 00270 ldns_rdf_free(canonical_key_name_rdf);
>
> should be ldns_rdf_deep_free()
>
> these were allocated at:
>
> 00181 canonical_key_name_rdf = ldns_rdf_clone(key_name_rdf);
> 00182 canonical_algorithm_rdf = ldns_rdf_clone(algorithm_rdf);
>
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
>
>
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users

From Willem at NLnetLabs.nl  Fri May 25 08:09:05 2012
From: Willem at NLnetLabs.nl (Willem Toorop)
Date: Fri, 25 May 2012 10:09:05 +0200
Subject: [ldns-users] Bug_in_tsig_code?
In-Reply-To: <20120524162210.205a61dff9fc1684c258b274662bb912.0056fa0a83.wbe@email00.secureserver.net>
References: <20120524162210.205a61dff9fc1684c258b274662bb912.0056fa0a83.wbe@email00.secureserver.net>
Message-ID: <4FBF3E21.1060900@NLnetLabs.nl>

Hi Michael,

On 25-05-12 01:22, Michael Sheldon wrote:
> Submitted as bug 449. I think this got introduced with the fix for bug
> 407.

It did indeed. Thanks for finding and resolving this issue.

Regards,

-- Willem

From paul at nohats.ca  Mon May 28 03:44:54 2012
From: paul at nohats.ca (Paul Wouters)
Date: Sun, 27 May 2012 23:44:54 -0400 (EDT)
Subject: [ldns-users] patch for feature, and a bug report :)
Message-ID:

Hi,

The attached patch adds the -0 option to ldns-read-zone:

This will change an RRSIG line from:

ns2.nohats.ca. 3600 IN RRSIG AAAA 8 3 3600 20120606031026 20120522162451 22195 nohats.ca. r9P+6mryYDK35ZtgGUiWsFaLbPq3d2tNs0hybSD
iP+f+hrYEchMZuDOTAIm/dypbva0Qw7bJze1yHiwUWTIGPptOx0tkT7kHVIB1wGQjjWoL/ptWDO9zu6lvPCjtbU1RebfcNMjdrN29fV2LGd65dDPjTvDrx2gW4zfzJbH1+CE=

into:

ns2.nohats.ca. 3600 IN RRSIG A 8 3 3600 (null) (null) 22195 nohats.ca. (null)

This way, you can do some zone comparison between two different signer systems that use the same keys, but would have different RRSIG output due to different inception/expiration times as a result of jitter or a slightly different signing time.

Now for the bug, when looking through the ldns-read-zone code, I noticed:

case LDNS_RR_TYPE_RRSIG:
        if ((fmt->flags & LDNS_COMMENT_KEY) &&
            (fmt->flags & LDNS_COMMENT_RRSIGS) &&
            ldns_rr_rdf(rr, 6) != NULL) {
                ...
        }
case LDNS_RR_TYPE_DS:
        if ((fmt->flags & LDNS_COMMENT_BUBBLEBABBLE)

However, I only see a way to set LDNS_COMMENT_BUBBLEBABBLE using "-b". I am not sure how one would set LDNS_COMMENT_KEY or LDNS_COMMENT_RRSIGS? In fact, grepping through the source, it seems that no one ever sets these, so the code is effectively never called.

Paul

-------------- next part --------------
diff -Naur ldns-1.6.13-orig/examples/ldns-read-zone.1 ldns-1.6.13/examples/ldns-read-zone.1 --- ldns-1.6.13-orig/examples/ldns-read-zone.1 2012-01-17 06:18:30.000000000 -0500 +++ ldns-1.6.13/examples/ldns-read-zone.1 2012-05-27 22:46:18.145827465 -0400 
@@ -22,6 +22,12 @@ printed. .TP +\fB-0\fR +Print a (null) for the RRSIG inception, expiry and key data. This option +can be used when comparing different signing systems that use the same +DNSKEYs for signing but would have a slightly different timings/jitter. + +.TP \fB-h\fR Show usage and exit diff -Naur ldns-1.6.13-orig/examples/ldns-read-zone.c ldns-1.6.13/examples/ldns-read-zone.c --- ldns-1.6.13-orig/examples/ldns-read-zone.c 2012-01-06 04:57:03.000000000 -0500 +++ ldns-1.6.13/examples/ldns-read-zone.c 2012-05-27 22:42:44.984403758 -0400 @@ -37,10 +37,12 @@ ldns_soa_serial_increment_func_t soa_serial_increment_func = NULL; int soa_serial_increment_func_data = 0; - while ((c = getopt(argc, argv, "bcdhnsvzS:")) != -1) { + while ((c = getopt(argc, argv, "0bcdhnsvzS:")) != -1) { switch(c) { case 'b': fmt = ldns_output_format_bubblebabble; + case '0': + fmt = ldns_output_format_zeroize; case 'c': canonicalize = true; break; @@ -55,6 +57,7 @@ printf("\tReads the zonefile and prints it.\n"); printf("\tThe RR count of the zone is printed to stderr.\n"); printf("\t-b include bubblebabble of DS's.\n"); + printf("\t-0 zeroize timestamps and signature in RRSIG records.\n"); printf("\t-c canonicalize all rrs in the zone.\n"); printf("\t-d only show DNSSEC data from the zone\n"); printf("\t-h show this text\n"); diff -Naur ldns-1.6.13-orig/host2str.c ldns-1.6.13/host2str.c --- ldns-1.6.13-orig/host2str.c 2012-05-16 03:43:08.000000000 -0400 +++ ldns-1.6.13/host2str.c 2012-05-27 22:42:44.985403770 -0400 
@@ -123,12 +123,19 @@ = &ldns_output_format_onlykeyids_record; const ldns_output_format *ldns_output_format_default = &ldns_output_format_onlykeyids_record; + const ldns_output_format ldns_output_format_bubblebabble_record = { LDNS_COMMENT_KEY | LDNS_COMMENT_BUBBLEBABBLE | LDNS_COMMENT_FLAGS, NULL }; const ldns_output_format *ldns_output_format_bubblebabble = &ldns_output_format_bubblebabble_record; +const ldns_output_format ldns_output_format_zeroize_record = { + LDNS_COMMENT_KEY | LDNS_RRSIGS_ZEROIZE | LDNS_COMMENT_FLAGS, NULL +}; +const ldns_output_format *ldns_output_format_zeroize + = &ldns_output_format_zeroize_record; + ldns_status ldns_pkt_opcode2buffer_str(ldns_buffer *output, ldns_pkt_opcode opcode) { @@ -1230,6 +1237,12 @@ for (i = 0; i < ldns_rr_rd_count(rr); i++) { /* ldns_rdf2buffer_str handles NULL input fine! */ + if ((LDNS_RRSIGS_ZEROIZE & fmt->flags) && (ldns_rr_get_type(rr) == LDNS_RR_TYPE_RRSIG)) { + /* zeroize start(5), end(6) and signature(9) */ + ldns_rr_rrsig_set_expiration(rr,0); + ldns_rr_rrsig_set_inception(rr,0); + ldns_rr_rrsig_set_sig(rr,0); + } status = ldns_rdf2buffer_str(output, ldns_rr_rdf(rr, i)); if(status != LDNS_STATUS_OK) return status; diff -Naur ldns-1.6.13-orig/ldns/host2str.h ldns-1.6.13/ldns/host2str.h --- ldns-1.6.13-orig/ldns/host2str.h 2011-09-22 06:36:55.000000000 -0400 +++ ldns-1.6.13/ldns/host2str.h 2012-05-27 22:42:44.988403806 -0400 @@ -64,6 +64,7 @@ #define LDNS_COMMENT_LAYOUT 0x0080 /** Also comment KEY_ID with RRSIGS **/ #define LDNS_COMMENT_RRSIGS 0x0100 +#define LDNS_RRSIGS_ZEROIZE 0x0200 /** * Output format specifier @@ -104,6 +105,7 @@ * bubblebabble representation of DS RR's. */ extern const ldns_output_format *ldns_output_format_bubblebabble; +extern const ldns_output_format *ldns_output_format_zeroize; /** * Converts an ldns packet opcode value to its mnemonic, and adds that
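Review bot: the ldns-read-zone.1 hunk documents -0 as printing (null) for the RRSIG "inception, expiry and key data", but the code and the -0 help line in ldns-read-zone.c ("zeroize timestamps and signature in RRSIG records") blank the signature; the key tag and signer's name stay, as the "(null) (null) 22195 nohats.ca. (null)" example in the message shows. Say "signature" instead of "key data" and change "would have a slightly different timings/jitter" to "would have slightly different timing/jitter".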
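Review bot: the new case '0' in the ldns-read-zone.c getopt switch is placed between case 'b' and case 'c', and case 'b' has no break, so -b now falls through into case '0' and leaves fmt = ldns_output_format_zeroize instead of the bubblebabble format. Either add a break after fmt = ldns_output_format_bubblebabble (and decide whether -0 should keep falling into canonicalize = true the way -b does; if so, the -0 help text should say it implies -c), or move case '0' after the 'c' block. Note also that fmt is a pointer to one fixed format record, so -b and -0 cannot be combined; if both are wanted, the flags need to be OR-ed into a mutable ldns_output_format rather than selecting one of the fixed records.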
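Review bot: the zeroize block in the host2str.c rr-to-string hunk sits inside the for loop over the rdata fields, so it runs once per rdf, and it modifies the ldns_rr being printed by replacing three rdfs with NULL. An output routine should not change the record (a caller that prints and then verifies or re-signs the same RR loses its timestamps and signature), and the rdfs that are replaced are dropped without being freed unless ldns_rr_rrsig_set_expiration/inception/sig release the previous value, which should be checked. Move the type/flag check out of the loop and, instead of calling the setters, skip ldns_rdf2buffer_str for the expiration, inception and signature fields and write the placeholder directly (or print from a clone that is freed afterwards).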
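Review bot: LDNS_RRSIGS_ZEROIZE in the first host2str.h hunk is added without the doc comment the neighbouring flags carry (compare "/** Also comment KEY_ID with RRSIGS **/" above LDNS_COMMENT_RRSIGS); add one stating which RRSIG fields are blanked, and note that it is an output-altering flag rather than a COMMENT flag although it lives in that list.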
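Review bot: the extern ldns_output_format_zeroize declaration in the second host2str.h hunk has no doxygen block, while ldns_output_format_bubblebabble directly above it is documented ("bubblebabble representation of DS RR's"); add a comment describing the format (RRSIG inception, expiration and signature printed as (null), key comments as in the default format) so the public header stays self-describing.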
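The comparison Paul describes (the same zone signed on two systems with the same keys, differing only in RRSIG timestamps and signature bytes) can be done today outside ldns. The script below is an added example, not part of Paul's message, of the patch, or of ldns: it applies the same normalisation -0 is meant to give, plus the owner-name lowercasing and sorting that -c and a sorted diff would add, and reports the records that differ between two signer outputs. It assumes one RR per line in presentation format (what ldns-read-zone prints, with the ";{id = ...}" key comment ldns appends), and the two zone texts are constructed for the example.

```python
"""Normalise two signer outputs the way ldns-read-zone -0 would and diff them.

Added example, not ldns code.  Assumes one RR per line in presentation format
(owner TTL class type rdata), as ldns-read-zone prints it.
"""

# RRSIG rdata field order (RFC 4034 section 3.2): type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer's name,
# signature.  Everything after the signer's name is the (possibly wrapped)
# base64 signature.
RRSIG_FIXED_FIELDS = 8
EXPIRATION, INCEPTION, SIGNER = 4, 5, 7
PLACEHOLDER = "(null)"          # what ldns prints for a NULL rdf
CLASSES = {"IN", "CH", "HS"}


def strip_comment(line):
    """Drop a trailing ';' comment such as the ';{id = 22195 (zsk), ...}'
    that ldns appends to DNSKEY records.  Assumes no ';' inside quoted
    TXT data."""
    return line.split(";", 1)[0].rstrip()


def zeroize_rrsig(line):
    """Blank expiration, inception and signature of an RRSIG line; return any
    other record unchanged."""
    tokens = line.split()
    for i in range(1, len(tokens)):
        # the type token follows the class (or the TTL when no class is printed)
        if tokens[i].upper() == "RRSIG" and (
            tokens[i - 1].upper() in CLASSES or tokens[i - 1].isdigit()
        ):
            break
    else:
        return line
    rdata = tokens[i + 1:]
    if len(rdata) < RRSIG_FIXED_FIELDS + 1:
        return line                 # truncated RRSIG: leave it for the diff to flag
    fixed = rdata[:RRSIG_FIXED_FIELDS]
    fixed[EXPIRATION] = fixed[INCEPTION] = PLACEHOLDER
    fixed[SIGNER] = fixed[SIGNER].lower()   # canonical form of the signer's name
    return " ".join(tokens[:i + 1] + fixed + [PLACEHOLDER])


def normalize_zone(text):
    """Comment-free, owner-lowercased, RRSIG-zeroized, sorted record lines."""
    out = []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        tokens = line.split()
        tokens[0] = tokens[0].lower()       # owner names compare case-insensitively
        out.append(zeroize_rrsig(" ".join(tokens)))
    return sorted(out)


def diff_signer_outputs(zone_a, zone_b):
    """Return (records only in A, records only in B) after normalisation."""
    a, b = set(normalize_zone(zone_a)), set(normalize_zone(zone_b))
    return sorted(a - b), sorted(b - a)


# Constructed sample outputs: same zone and keys, signed at different times
# (signatures are placeholder base64, not real RSA output).
ZONE_A = """\
nohats.ca.      3600    IN  SOA     ns0.nohats.ca. hostmaster.nohats.ca. 2012052701 3600 900 604800 3600
nohats.ca.      3600    IN  RRSIG   SOA 8 2 3600 20120606031026 20120522162451 22195 nohats.ca. c2lnbmVyLWEtc29h
nohats.ca.      3600    IN  DNSKEY  256 3 8 AwEAAcm4wWDkb6hoTDc= ;{id = 22195 (zsk), size = 1024b}
ns2.nohats.ca.  3600    IN  A       193.110.157.101
ns2.nohats.ca.  3600    IN  RRSIG   A 8 3 3600 20120606031026 20120522162451 22195 nohats.ca. c2lnbmVyLWEtYQ==
"""

ZONE_B = """\
NS2.nohats.ca.  3600    IN  RRSIG   A 8 3 3600 20120607120000 20120523090000 22195 nohats.ca. c2lnbmVyLWItYQ==
NS2.nohats.ca.  3600    IN  A       193.110.157.101
nohats.ca.      3600    IN  DNSKEY  256 3 8 AwEAAcm4wWDkb6hoTDc=
nohats.ca.      3600    IN  RRSIG   SOA 8 2 3600 20120607120000 20120523090000 22195 nohats.ca. c2lnbmVyLWItc29h
nohats.ca.      3600    IN  SOA     ns0.nohats.ca. hostmaster.nohats.ca. 2012052701 3600 900 604800 3600
"""

# Same as ZONE_B but the A RRSIG was made with a different key tag: a real
# difference that must survive normalisation.
ZONE_C = ZONE_B.replace("22195 nohats.ca. c2lnbmVyLWItYQ==", "22196 nohats.ca. c2lnbmVyLWItYQ==")

if __name__ == "__main__":
    for label, other in (("B", ZONE_B), ("C", ZONE_C)):
        only_a, only_other = diff_signer_outputs(ZONE_A, other)
        print("A vs %s: %d only in A, %d only in %s" % (label, len(only_a), len(only_other), label))
        for rec in only_a:
            print("-", rec)
        for rec in only_other:
            print("+", rec)
```

Run it against the output of ldns-read-zone from each signer; any record still reported after normalisation is a genuine difference (different key, different data, missing record) rather than signing jitter. Wrapped signatures are handled as long as they stay on one line, which is how ldns-read-zone emits them.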