From sca at andreasschulze.de Thu Oct 13 19:34:27 2016
From: sca at andreasschulze.de (A. Schulze)
Date: Thu, 13 Oct 2016 21:34:27 +0200
Subject: [ldns-users] ldns and openssl-1.1.x
Message-ID: <872b2226-9225-0217-fb9d-d2eb53411b62@andreasschulze.de>

Hello,

I try to compile ldns-1.6.17 with openssl-1.1.0b and I fail :-/
Here's what I found so far.

1. I need to use pkg-config because my versions of libssl/libcrypto are named libssl-foo/libcrypto-foo
2. HMAC_CTX_init() was replaced with HMAC_CTX_reset() in OpenSSL version 1.1.0 (see https://www.openssl.org/docs/manmaster/crypto/HMAC.html#HISTORY)

I created the attached patch to address these points in ./configure.
After that, compilation still fails:

./dane.c: In function 'ldns_dane_pkix_get_last_self_signed':
./dane.c:330:14: error: dereferencing pointer to incomplete type
  if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
              ^
./dane.c:331:14: error: dereferencing pointer to incomplete type
      vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
              ^

Any ideas?

Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl-1.1.x.patch
Type: text/x-diff
Size: 1783 bytes
Desc: not available
URL: 

From benno at NLnetLabs.nl Tue Oct 18 06:22:28 2016
From: benno at NLnetLabs.nl (Benno Overeinder)
Date: Tue, 18 Oct 2016 08:22:28 +0200
Subject: [ldns-users] Proposed new api to load build-time configured trust anchors
In-Reply-To: <85ec0dc9dd1b03b35dcf9029079d24f0@shambarger.net>
References: <85ec0dc9dd1b03b35dcf9029079d24f0@shambarger.net>
Message-ID: <53f60f01-18ea-a6dc-5d49-e9dbb66f259c@NLnetLabs.nl>

Hi Scott,

Thank you for your contribution. As you remarked, you didn't see any
feedback on your proposal. We should have informed you and the
ldns-users that for a number of developments we waited for openssl 1.1.0
(DANE TLSA support) and the getdns API 1.0 final release (a number of
ideas will also be implemented in ldns v2).

In the next month, we will start working on openssl 1.1.0 in ldns, open
tickets in bugzilla, and include or discuss patches submitted by
community members.

Best regards,

-- Benno

On 20/08/2016 19:15, Scott Shambarger wrote:
> I've been trying to get openssh to locally validate SSHFP records on OSX.
>
> The problem stems from the fact that OSX's configd rewrites
> /etc/resolv.conf each time the network changes (think connecting to a
> coffee shop's wifi). Openssh (configured with ldns) connections will
> then query the SSHFP record, but as the trust anchors are not referenced
> in resolv.conf, it is unable to perform DNSSEC validation.
>
> Openssh maintainers don't feel that trust-anchor loading is in their
> scope of responsibility, and feel the ldns interface should work "out of
> the box" (see Comment#1 at
> https://bugzilla.mindrot.org/show_bug.cgi?id=2119)
>
> I submitted a patch to add a new api to libldns to load keys from
> build-time defined locations (by default $sysconfdir/trusted-key.key and
> $sysconfdir/unbound/root.key), in
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=727 -- however,
> there hasn't been any feedback on the proposal for 8 months...
>
> I added a new api as drill (and possibly other users) may want to load
> their own trust anchors and not have any loaded by default; however
> users such as openssh do want validation to work without adding their
> own anchor files.
>
> The root of the problem is still OSX, as other platforms can just add
> the "anchor" key to /etc/resolv.conf (but edits are wiped repeatedly on
> OSX).
>
> I'd love to hear if anyone has a better solution though :)
>
> Thanks,
> Scott
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users

-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/

From benno at NLnetLabs.nl Tue Oct 18 07:06:44 2016
From: benno at NLnetLabs.nl (Benno Overeinder)
Date: Tue, 18 Oct 2016 09:06:44 +0200
Subject: [ldns-users] Python3 / ldns_wire2pkt
In-Reply-To: <874m621ek9.fsf@hepworth.siccegge.de>
References: <874m621ek9.fsf@hepworth.siccegge.de>
Message-ID: <77ac495d-57cc-4ca0-498f-604997435986@NLnetLabs.nl>

Hi Christoph,

We will pick up your patch soon.

Best,

-- Benno

On 30/08/2016 17:06, Christoph Egger wrote:
> Hi!
>
> For ldns.ldns_wire2pkt to work with Python3 one needs it to accept a
> python byte object instead of a string. After a lot of fiddling around
> the below patch seems to make it work. However iterating [2] over rrs()
> fails with [1] -- extracting the first one works fine.
>
> [0]
> --- ldns-1.6.17.orig/contrib/python/ldns.i
> +++ ldns-1.6.17/contrib/python/ldns.i
> @@ -132,12 +137,22 @@ uint32_t ldns_read_timeval_usec(struct t
>
> %apply uint32_t *OUTPUT { uint32_t *default_ttl};
>
> +#define SWIG_PYTHON_STRICT_BYTE_CHAR
> +
> // wire2pkt
> -%apply (char *STRING, int LENGTH) { (const char *str, int len) };
> +// %apply (char *STRING, int LENGTH) { (const char *str, int len) };
> +
> +%typemap(in) (const char* str,int len) (Py_ssize_t lenn) %{
> + if(PyBytes_AsStringAndSize($input,&$1,&lenn) == -1)
> + return NULL;
> + $2 = (int)lenn;
> +%}
> +
>
> [1]
> StopIteration
>
> During handling of the above exception, another exception occurred:
>
> SystemError: returned a result with an error set
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "./check_dnssec", line 107, in
>     sys.exit(main())
>   File "./check_dnssec", line 104, in main
>     check_synced(resolver, zone, args)
>   File "./check_dnssec", line 62, in check_synced
>     LDNS_SECTION_ANSWER).rrs())
> SystemError: returned a result with an error set
>
> [2]
> list(result.rr_list_by_type(RR_TYPE_SOA, LDNS_SECTION_ANSWER).rrs())
>

-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/

From benno at NLnetLabs.nl Tue Oct 18 07:07:59 2016
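Review bot: in the new `%typemap(in)` the call `PyBytes_AsStringAndSize($input,&$1,&lenn)` passes `&$1` where `$1` is the `const char *str` argument, but the function takes a `char **`; that is an incompatible pointer type (a warning with older gcc, rejected outright by newer compilers and by any C++ build of the wrapper), so read into a local `char *buf` and assign `$1 = buf;` afterwards. Two smaller points in the same hunk: `$2 = (int)lenn;` narrows a `Py_ssize_t` without a range check (DNS wire data is bounded, but the typemap now applies to every `(const char *str, int len)` pair in the interface, so a check against `INT_MAX` is cheap insurance), and the old `%apply` line should be deleted rather than left behind as `+// %apply ...`.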
From: benno at NLnetLabs.nl (Benno Overeinder)
Date: Tue, 18 Oct 2016 09:07:59 +0200
Subject: [ldns-users] Small ldns_resolver_send() header fix
In-Reply-To: 
References: 
Message-ID: 

Thanks, will review and include this in next ldns developments.

-- Benno

On 29/08/2016 12:30, Vladimir Levijev wrote:
> Hi,
>
> Sorry for possibly sending it to the wrong place. Noticed this small
> error in the description of ldns_resolver_send() function.
>
> Cheers,
>
> VL
>
>
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>

-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: OpenPGP digital signature
URL: 

From benno at NLnetLabs.nl Tue Oct 18 07:11:47 2016
From: benno at NLnetLabs.nl (Benno Overeinder)
Date: Tue, 18 Oct 2016 09:11:47 +0200
Subject: [ldns-users] [PATCH] Python binding for ldns_pkt2wire()
In-Reply-To: <1472470965110.56688@amazon.com>
References: <1472470965110.56688@amazon.com>
Message-ID: 

Thanks.

-- Benno

On 29/08/2016 13:42, Raftery, James wrote:
> Hi,
>
> The auto-generated binding for ldns_pkt2wire() doesn't work properly.
> Patch attached that fixes that, providing the same style of interface
> as ldns_wire2pkt()
>
>
> Thanks,
> james
>
>
>
>
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>

-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/

From sca at andreasschulze.de Fri Oct 21 21:06:29 2016
From: sca at andreasschulze.de (A. Schulze)
Date: Fri, 21 Oct 2016 23:06:29 +0200
Subject: [ldns-users] unbound / ldns + openssl-1.1.x
Message-ID: <5b2afb0e-6b6a-2a4f-812e-78d25db1b2d7@andreasschulze.de>

Hello,

I spent some time compiling unbound-1.5.9 and ldns-1.6.17 with openssl-1.1.0b.
The current results you find attached.

WARNING: unbound and ldns compile - unbound with warnings.
Treat the patches as if they will break major things - no guarantee!
Don't use them as they are. Please comment and review!

Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound-1.5.9-openssl-1.1.x.patch
Type: text/x-diff
Size: 6743 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldns-1.6.17-openssl-1.1.x.patch
Type: text/x-diff
Size: 33533 bytes
Desc: not available
URL: 