As part of DANE implementation, I have added a new function
to the dns.c library. I have made the following modifications but
am stuck because of my lack of knowledge about DNSSEC.
1. Modified dns.c and added dns_tlsarr() function
2. New source tlsarralloc.c, tlsarralloc.h which uses
gen_alloc, gen_allocdefs
3. New program dnstlsarr which uses the above dns_tlsarr()
function to query TLSA Resource Records
4. In the course of writing, discovered and fixed an extremely
minor memory leak in dns_mxip(). How did djb miss it?
5. I have also written the TLS routines to verify the DANE
records and implemented them in qmail-remote.
However, the patch below does not include them. I have
implemented this in indimail and am still working backwards
to have it in netqmail.
6. I have also written a daemon that caches the result
of the DANE verification. It listens on a UDP port. That
code is not in this patch, but can be seen in the indimail
git repository along with the qmail-remote modifications.
7. This is without DNSSEC. Can anyone point me in the right
direction on what I need to do in dns.c? Will this be very
difficult? Does anyone have example C code to show how
this is done?
I did achieve DNSSEC by using the libunbound and getdns libraries,
but I was not happy with the response times. Maybe I am missing
something.
e.g. usage of the dnstlsarr command:
$ ./dnstlsarr postino.cesnet.cz
terenasslca3ta.cesnet.cz ttl=1072 2 0 1
beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
terenasslca3ta.cesnet.cz ttl=1072 2 0 1
be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
$ ./dnstlsarr mail.ietf.org
_25._tcp.mail.ietf.org ttl=1800 3 1 1
0c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6
The patch which adds this feature to netqmail-1.06 can be downloaded
from
https://sourceforge.net/projects/indimail/files/netqmail-addons/tlsarr.patch.gz
How to apply the patch?
-------------------------------
$ gunzip -c tlsarr.patch.gz |patch -p0
patching file netqmail-1.06/dns.c
patching file netqmail-1.06/dns.h
patching file netqmail-1.06/dnstlsarr.c
patching file netqmail-1.06/fmt.h
patching file netqmail-1.06/fmt_hexbytes.c
patching file netqmail-1.06/hier.c
patching file netqmail-1.06/Makefile
patching file netqmail-1.06/TARGETS
patching file netqmail-1.06/tlsarralloc.c
patching file netqmail-1.06/tlsarralloc.h
--
Regards Manvendra - http://www.indimail.org
GPG Pub Key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC7CBC760014D250C
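Parsing TLSA RDATA and rendering it in the "usage selector matching-type hex" form that the dnstlsarr output above uses, as an added example that is not part of Manvendra's patch or of netqmail; the record bytes are constructed inline, and the digest-length check is the one a verifier wants before comparing a record against a certificate.

```c
#include <stdio.h>
#include <string.h>

/* TLSA RDATA layout (RFC 6698): usage(1) selector(1) matching type(1) cert. assoc. data.
 * Usage 2 = DANE-TA, 3 = DANE-EE; selector 0 = full cert, 1 = SubjectPublicKeyInfo;
 * matching type 0 = exact data, 1 = SHA-256 digest, 2 = SHA-512 digest. */
struct tlsa {
    unsigned char usage, selector, mtype;
    const unsigned char *data;
    size_t datalen;
};

/* Parse one TLSA RDATA. Returns 0 on success, -1 if the record is malformed
 * (too short, or a digest whose length does not match its matching type). */
int tlsa_parse(const unsigned char *rdata, size_t len, struct tlsa *out)
{
    if (len < 4) return -1;                 /* three fixed bytes plus some data */
    out->usage = rdata[0];
    out->selector = rdata[1];
    out->mtype = rdata[2];
    out->data = rdata + 3;
    out->datalen = len - 3;
    if (out->mtype == 1 && out->datalen != 32) return -1;   /* SHA-256 is 32 bytes */
    if (out->mtype == 2 && out->datalen != 64) return -1;   /* SHA-512 is 64 bytes */
    return 0;
}

/* Render as "usage selector mtype hex" in the style of the dnstlsarr output.
 * Returns the number of characters written, or -1 if buf is too small. */
int tlsa_format(const struct tlsa *t, char *buf, size_t buflen)
{
    size_t need = 12 + 2 * t->datalen + 1;  /* up to 3 digits x3, 3 spaces, hex, NUL */
    if (buflen < need) return -1;
    int n = snprintf(buf, buflen, "%u %u %u ", (unsigned)t->usage, (unsigned)t->selector, (unsigned)t->mtype);
    for (size_t i = 0; i < t->datalen; i++)
        n += snprintf(buf + n, buflen - n, "%02x", t->data[i]);
    return n;
}

int main(void)
{
    /* Constructed sample: usage 3, selector 1, SHA-256 "digest" made of bytes 0x00..0x1f. */
    unsigned char rdata[35] = {3, 1, 1};
    struct tlsa t;
    char buf[160];
    for (int i = 0; i < 32; i++) rdata[3 + i] = (unsigned char)i;
    if (tlsa_parse(rdata, sizeof rdata, &t) == 0 && tlsa_format(&t, buf, sizeof buf) > 0)
        printf("%s\n", buf);   /* prints "3 1 1 000102...1e1f" */
    return 0;
}
```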