
modules/dnssec: added support for libval query parameter flags

Documentation in the README
Marius Zbihlei 12 年之前
当前提交
b368252136
共有 5 个文件被更改,包括 212 次插入49 次删除
  1. 63 0
      modules/dnssec/README
  2. 68 43
      modules/dnssec/dnssec_func.c
  3. 14 1
      modules/dnssec/dnssec_func.h
  4. 13 5
      modules/dnssec/dnssec_mod.c
  5. 54 0
      modules/dnssec/doc/dnssec_admin.xml

+ 63 - 0
modules/dnssec/README

@@ -15,6 +15,14 @@ Marius Zbihlei
               2.1. Kamailio Modules
               2.2. External Libraries or Applications
 
+        3. Parameters
+
+              3.1. general_query_flags (integer)
+
+   List of Examples
+
+   1.1. Set enable_full_lr parameter
+
 Chapter 1. Admin Guide
 
    Table of Contents
@@ -25,6 +33,10 @@ Chapter 1. Admin Guide
         2.1. Kamailio Modules
         2.2. External Libraries or Applications
 
+   3. Parameters
+
+        3.1. general_query_flags (integer)
+
 1. Overview
 
    The module replaces the common system dns resolver functions from core
@@ -59,3 +71,54 @@ Chapter 1. Admin Guide
    running Kamailio with this module loaded:
      * libval - check https://www.dnssec-tools.org for installation
        guidelines.
+
+3. Parameters
+
+   3.1. general_query_flags (integer)
+
+3.1. general_query_flags (integer)
+
+   Set this parameter to an integer value containing of an ORed result of
+   one or more of the following values (constant present only for
+   documentation process, as they are mostly mapped to libval
+   flags).Setting this parameter will cause the libval defaults to be
+   completely overwritten
+
+   QUERY_DONT_VALIDATE == 1<<0 causes the validator to disable validation
+   for this query.
+
+   QUERY_IGNORE_SKEW == 1<<1 causes the validator to disable checking
+   signature inception and expiration times on RRSIGs.
+
+   QUERY_AC_DETAIL == 1<<2 causes the validator to copy the authentication
+   chain details into the val_rc_answer member within the returned
+   val_result_chain structure.
+
+   QUERY_NO_DLV == 1<<3 causes the validator to disable DLV processing for
+   this query. This is only available if the libval(3) library has been
+   compiled with DLV support.
+
+   QUERY_NO_EDNS0_FALLBACK = 1<<4 In querying various name servers,
+   libsres will also attempt multiple EDNS0 sizes, ending with a query
+   that has EDNS0 disabled (i.e. no CD bit set). This option causes libval
+   to disable EDNS0 fallback for the query.
+
+   QUERY_RECURSE == 1<<5 forces libval to recursively answer the query by
+   iteratively querying various name servers in the delegation hierarchy,
+   instead of requesting this information from any caching name server
+   that may be configured in dnsval.conf
+
+   SKIP_RESOLVER == 1<<6 forces libval to only look at its cache while
+   trying to resolve a name.
+
+   SKIP_CACHE == 1<<7 forces libval to ignore cached data while trying to
+   resolve a name.
+
+   Default value is 0(no changes)
+
+   Example 1.1. Set enable_full_lr parameter
+ ...
+ modparam("dnssec", "general_query_flags", 1) # QUERY_DONT_VALIDATE disable vali
+dation
+ modparam("dnssec", "general_query_flags", 10) # QUERY_IGNORE_SKEW | QUERY_NO_DLV
+ ...

+ 68 - 43
modules/dnssec/dnssec_func.c

@@ -26,69 +26,93 @@
  *  2013-03	initial implementation
  */
 
-#include "validator/validator-config.h"
+#include <validator/validator-config.h>
 #include <validator/validator.h>
 #include <validator/resolver.h>
 
 #include "../../dprint.h"
+#include "dnssec_func.h"
 
 static struct libval_context  *libval_ctx = NULL;
+static unsigned int context_flags = 0;
+
+
+unsigned int
+set_context_flags(unsigned int flags) {
+#define CHECK_AND_SET(flag) \
+	if ((flag & flags) != 0) {\
+			context_flags |= VAL_##flag;\
+			LOG(L_INFO, "setting param %s\n", #flag);\
+	}
+	unsigned int old_flags = context_flags;
+	context_flags = 0;
+
+	CHECK_AND_SET(QUERY_DONT_VALIDATE);
+	CHECK_AND_SET(QUERY_IGNORE_SKEW);
+	CHECK_AND_SET(QUERY_AC_DETAIL);
+	CHECK_AND_SET(QUERY_NO_DLV);  
+	CHECK_AND_SET(QUERY_NO_EDNS0_FALLBACK);
+	CHECK_AND_SET(QUERY_RECURSE);
+ 	CHECK_AND_SET(QUERY_SKIP_RESOLVER);
+ 	CHECK_AND_SET(QUERY_SKIP_CACHE);
+
+	return old_flags;
+}
 
 static inline int
 dnssec_init_context(void) {
-  if (libval_ctx == NULL) {
-      if (val_create_context(NULL, &libval_ctx) != VAL_NO_ERROR)
-	return -1;
-  }
-  return 0;
+  	if (libval_ctx == NULL) {
+    	if (val_create_context(NULL, &libval_ctx) != VAL_NO_ERROR)
+	  		return -1;
+		if (context_flags != 0) {
+	  		val_context_setqflags(libval_ctx, VAL_CTX_FLAG_SET, context_flags);
+		}	
+  	}
+  	return 0;
 }
 
-
-
 struct hostent *
 dnssec_gethostbyname(const char *name) {
-  val_status_t          val_status;
-  struct hostent *      res;
+  	val_status_t          val_status;
+  	struct hostent *      res;
 
-  if (dnssec_init_context())
-    return NULL;
+  	if (dnssec_init_context())
+    	return NULL;
 
-  LOG(L_ERR, " gethostbyname(%s) called: wrapper\n", name);
+  	LOG(L_INFO, " gethostbyname(%s) called: wrapper\n", name);
   
-  res = val_gethostbyname(libval_ctx, name, &val_status);
+  	res = val_gethostbyname(libval_ctx, name, &val_status);
 
-  if (val_istrusted(val_status) && !val_does_not_exist(val_status)) {
-   return res;
-  }
-
-  return (NULL); 
+  	if (val_istrusted(val_status) && !val_does_not_exist(val_status)) {
+   		return res;
+  	}
+  	return NULL; 
 }
 
 
 struct hostent *
 dnssec_gethostbyname2(const char *name, int family) {
-  val_status_t          val_status;
-  struct hostent *      res;
+  	val_status_t          val_status;
+  	struct hostent *      res;
 
-  if (dnssec_init_context())
-    return NULL;
+  	if (dnssec_init_context())
+    	return NULL;
 
-  LOG(L_ERR, " gethostbyname2(%s) called: wrapper\n", name);
+  	LOG(L_INFO, " gethostbyname2(%s) called: wrapper\n", name);
   
-  res = val_gethostbyname2(libval_ctx, name, family,  &val_status);
+  	res = val_gethostbyname2(libval_ctx, name, family,  &val_status);
 
-  if (val_istrusted(val_status) && !val_does_not_exist(val_status)) {
-      return res;
-  }
-  return NULL; 
+  	if (val_istrusted(val_status) && !val_does_not_exist(val_status)) {
+      	return res;
+  	}
+  	return NULL; 
 }
 
 int
 dnssec_res_init(void) {
+  	LOG(L_INFO, "res_init called: wrapper\n");
 
-  LOG(L_ERR, "res_init called: wrapper\n");
-
-  return dnssec_init_context();
+  	return dnssec_init_context();
 }
 
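Review bot: The return value of `val_context_setqflags()` in dnssec_init_context is discarded, so if libval rejects the flags the context keeps its defaults and every later lookup runs with no indication that `general_query_flags` was not applied; check it, e.g. `if (val_context_setqflags(libval_ctx, VAL_CTX_FLAG_SET, context_flags) != VAL_NO_ERROR) { LOG(L_ERR, "failed to set libval query flags\n"); return -1; }`. set_context_flags also silently drops any bit outside the eight it tests, so a misconfigured value such as 256 leaves the validator at its defaults with nothing logged — a `LOG(L_WARN, "unknown general_query_flags bits ignored\n")` when `(flags & ~0xffu) != 0` would catch that. Since QUERY_DONT_VALIDATE and QUERY_IGNORE_SKEW relax the very checks this module exists to perform, I would log those two at L_WARN rather than L_INFO so the weakening is visible in production logs. Note too that the context is created lazily on the first lookup and the flags are only applied inside that creation branch, so a call to set_context_flags after the first lookup changes `context_flags` but never reaches the existing context.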
 
@@ -96,21 +120,22 @@ dnssec_res_init(void) {
 int
 dnssec_res_search(const char *dname, int class_h, int type_h, 
 	  unsigned char *answer, int anslen) {
-  val_status_t          val_status;
-  int ret;
+  	val_status_t          val_status;
+  	int ret;
 
-  if (dnssec_init_context())
-    return -1;
+  	if (dnssec_init_context())
+    	return -1;
 
-  LOG(L_ERR, "res_query(%s,%d,%d) called: wrapper\n",
-	  dname, class_h, type_h);
+  	LOG(L_ERR, "res_query(%s,%d,%d) called: wrapper\n",
+	  	dname, class_h, type_h);
 
-  ret = val_res_search(libval_ctx, dname, class_h, type_h, answer, anslen,
+  	ret = val_res_search(libval_ctx, dname, class_h, type_h, answer, anslen,
 			&val_status);
 
-  if (val_istrusted(val_status) && !val_does_not_exist(val_status)) {
-    return ret;
-  }
+  	if (val_istrusted(val_status) && !val_does_not_exist(val_status)) {
+    	return ret;
+  	}
 
-  return -1;
+ 	return -1;
 }
+

+ 14 - 1
modules/dnssec/dnssec_func.h

@@ -31,10 +31,23 @@
 
 struct hostent;
 
+typedef enum {
+	QUERY_DONT_VALIDATE = 1<<0,
+	QUERY_IGNORE_SKEW = 1<<1,
+	QUERY_AC_DETAIL = 1<<2,
+	QUERY_NO_DLV = 1<<3,
+	QUERY_NO_EDNS0_FALLBACK = 1<<4,
+	QUERY_RECURSE = 1<<5,
+	QUERY_SKIP_RESOLVER = 1<<6,
+	QUERY_SKIP_CACHE = 1<<7
+} query_flags_t;
+
 int dnssec_res_init(void);
+unsigned int set_context_flags(unsigned int flags);
 struct hostent* dnssec_gethostbyname(const char *);
 struct hostent* dnssec_gethostbyname2(const char *, int);
 int dnssec_res_search(const char*, int, int, unsigned char*, int);
 
 
-#endif
+#endif // DNSSEC_FUNC_H
+
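Review bot: The enum members `QUERY_SKIP_RESOLVER` and `QUERY_SKIP_CACHE` do not match the names the README and dnssec_admin.xml in this same commit document (`SKIP_RESOLVER`, `SKIP_CACHE`), and nothing in the header says these are module-local bit positions rather than libval's own `VAL_QUERY_*` constants, so a reader may pass libval values straight into the modparam. Suggested comment above the typedef: `/* Bit positions accepted by the general_query_flags modparam. These are module-local values, not libval constants; set_context_flags() maps each one to the matching VAL_QUERY_* flag. Keep this list in sync with doc/dnssec_admin.xml. */`. The documentation should then use the `QUERY_`-prefixed names so the two agree.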

+ 13 - 5
modules/dnssec/dnssec_mod.c

@@ -49,6 +49,7 @@ static int dnssec_exit(void);
 
 
 /* parameters */
+static unsigned int flags=0;
 
 /* global variables */
 gen_lock_t*             timer_lock=0;
@@ -60,6 +61,7 @@ static cmd_export_t cmds[]={
 };
 
 static param_export_t params[]={
+	{"general_query_flags", INT_PARAM, &flags},
 	{0,0,0}
 };
 
@@ -85,9 +87,12 @@ struct module_exports exports= {
 };
 
 
-static void load_dns(void)
+static int load_dns(void)
 {
 	struct dns_func_t *f = pkg_malloc(sizeof(struct dns_func_t));
+	if( NULL == f ) {
+		return -1;
+	}
 	memset(f, 0, sizeof(struct dns_func_t));
 	f->sr_res_init = dnssec_res_init;
 	f->sr_gethostbyname = dnssec_gethostbyname;
@@ -95,6 +100,7 @@ static void load_dns(void)
 	f->sr_res_search = dnssec_res_search;
 
 	load_dnsfunc(f);
+	return 0;
 }
 
 static int dnssec_init(void)
@@ -107,9 +113,12 @@ static int dnssec_init(void)
 		return -1;
 	}
 */
-	load_dns();
-	{
-		LM_ERR("loaded dnssec wrappers\n");
+	
+	//set parameters
+	if(flags) set_context_flags(flags);
+
+	if(load_dns() != 0) {
+		LM_ERR("loaded dnssec wrappers failed\n");
 	}
 	/* load dnssec resolver wrappers */
 	return 0;
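Review bot: A failure of `load_dns()` is only logged and dnssec_init still returns 0, so the module reports success while the DNSSEC resolver wrappers were never installed and name resolution presumably continues on whatever resolver the core already has, with no validation at all; a module whose purpose is validation should fail closed here: `if(load_dns() != 0) { LM_ERR("loading dnssec wrappers failed\n"); return -1; }`. That line also fixes the message, since `loaded dnssec wrappers failed` reads as a typo. dnssec_init begins outside this hunk.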
@@ -119,7 +128,6 @@ static int dnssec_init(void)
 
 static int dnssec_exit(void)
 {
-
 	return 0;
 }
 

+ 54 - 0
modules/dnssec/doc/dnssec_admin.xml

@@ -70,6 +70,60 @@
 		</para>
 	</section>
 	</section>
+<section>
+     <title>Parameters</title>
+ 
+     <section>
+       <title><varname>general_query_flags</varname> (integer)</title>
+ 
+ 
+ 		<para> Set this parameter to an integer value containing of an ORed result of one or more of the following
+		values
+		(constant present only for documentation process, as they are mostly mapped to libval flags).Setting this
+		parameter will cause the libval defaults to be completely overwritten</para> 
+ 		<para>QUERY_DONT_VALIDATE == 1&lt;&lt;0
+		causes the validator to disable validation for this query.</para>
 
+		<para>QUERY_IGNORE_SKEW == 1&lt;&lt;1
+		causes the validator to disable checking signature inception and expiration times on RRSIGs.</para>
+
+		<para>QUERY_AC_DETAIL == 1&lt;&lt;2 
+		causes the validator to copy the authentication chain details into the val_rc_answer member within the returned val_result_chain structure.
+		</para>
+
+		<para>
+		QUERY_NO_DLV == 1&lt;&lt;3
+		causes the validator to disable DLV processing for this query. This is only available if the libval(3) library has been compiled with DLV support.
+		</para>
+		<para>
+		QUERY_NO_EDNS0_FALLBACK = 1&lt;&lt;4
+		In querying various name servers, libsres will also attempt multiple EDNS0 sizes, ending with a query that has EDNS0 disabled (i.e. no CD bit set). This option causes libval to disable EDNS0 fallback for the query.
+		</para>
+		<para>
+		QUERY_RECURSE == 1&lt;&lt;5
+		forces libval to recursively answer the query by iteratively querying various name servers in the delegation hierarchy, instead of requesting this information from any caching name server that may be configured in dnsval.conf
+		</para>
+		<para>
+		SKIP_RESOLVER == 1&lt;&lt;6
+		forces libval to only look at its cache while trying to resolve a name.
+		</para>
+		<para>
+		SKIP_CACHE == 1&lt;&lt;7
+		forces libval to ignore cached data while trying to resolve a name.
+		</para>
+       <para><emphasis> Default value is 0(no changes)</emphasis></para>
+ 
+       <example>
+         <title>Set <varname>enable_full_lr</varname> parameter</title>
+ 
+         <programlisting format="linespecific">
+ ...
+ modparam("dnssec", "general_query_flags", 1) # QUERY_DONT_VALIDATE disable validation  
+ modparam("dnssec", "general_query_flags", 10) # QUERY_IGNORE_SKEW | QUERY_NO_DLV
+ ...
+ </programlisting>
+       </example>
+     </section>
+	 </section>
 </chapter>