
Re: libcurl and DANE support

From: Suresh Krishnaswamy <suresh_at_tislabs.com>
Date: Fri, 8 Mar 2013 12:58:38 -0500

Hi,

On Mar 7, 2013, at 5:03 PM, Daniel Stenberg wrote:

>
> A. The configure.ac check should check for the required libs properly using
> correct autoconf mechanisms. What's the reason you need to specify
> -lsres and -lpthread when you're "only" using the val-threads lib? For
> static linking?
>

The dnsval component is actually split into a set of two libraries - libval and libsres.
libval in turn can be built with or without thread support. When built with thread support (we attach the -threads suffix to the library name in that case) we also need pthread support. The change to configure.ac was a quick way to get the HAVE_DNSVAL_DANE definition in place without diving too deep into the existing configure script structure. I agree that it would be better to have a more robust set of checks here.
 
> B. I would like a more generic placement of the DANE checks so that we can do
> it independently of what SSL backend we build libcurl to use.
>
> Is there anything speaking against it being functional when not using
> OpenSSL?
>

libval uses libcrypto internally for all its DNSSEC-related crypto checks, so currently the patch implicitly relies on OpenSSL for DANE support. Given the current dependency on OpenSSL I wasn't sure if there was a way to move the DANE checks in curl to a more generic location. That said, we are looking to add support for other crypto libraries in libval in the near future.
 
> C. I think we need options to control whether DANE should be checked at all,
> and possibly we should allow users to force DANE checks to be used (and
> fail if they fail).
>

Fully agree.

> D. val_getdaneinfo() seems like a blocking function call. Since it involves
> DNS and what not, that could potentially take a very long time. Is there
> any non-blocking alternative APIs or what can we do to avoid long blocks?
>
> Is there documentation somewhere for the lib?
>

The val_dane_submit() function provides the asynchronous lookup capability and there's sample code in the validator/apps directory of the dnsval package that illustrates its use. I've also put up a man page for the DANE-related functions at http://www.dnssec-tools.org/docs/tool-description/val_getdaneinfo.html

A general description of the asynchronous lookup API is at http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09, but I'll try and also create a manual page version for the async functions in a little bit.

> E. I can't download dnsval. I tried it from
> http://www.dnssec-tools.org/download/dnsval-2.0.tar.gz but I get a 403
> "Forbidden". (and I didn't find any debian package for it as a backup
> solution)
>

Sorry, permissions should be fixed now.

Thanks!
Suresh

> F. There's some minor code style violations.
>
> --
>
> / daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-03-08
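Points C and D above concern how a DANE check is driven (opportunistic vs. forced, and where the TLSA data comes from); the check itself is the TLSA-to-certificate matching of RFC 6698. The following is an added illustration of that matching step, not code from the patch, from libcurl or from dnsval; it assumes the caller already obtained DNSSEC-validated TLSA records (e.g. via val_getdaneinfo()/val_dane_submit()) and the peer's DER certificate and SubjectPublicKeyInfo, and it only handles the DANE-EE (usage 3) case, since the other usages additionally require PKIX chain building.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0-3: PKIX-TA, PKIX-EE, DANE-TA, DANE-EE (RFC 6698 s2.1.1)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data from the record

def _selected_bytes(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unusable selector {selector}")

def _association(blob: bytes, matching_type: int) -> bytes:
    if matching_type == 0:
        return blob
    if matching_type == 1:
        return hashlib.sha256(blob).digest()
    if matching_type == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unusable matching type {matching_type}")

def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record's association data matches the presented certificate.
    Records with unknown selector/matching type are unusable and never match."""
    try:
        selected = _selected_bytes(cert_der, spki_der, record.selector)
        return _association(selected, record.matching_type) == record.data
    except ValueError:
        return False

def dane_ee_check(records, cert_der: bytes, spki_der: bytes, require_dane: bool) -> bool:
    """Decide whether the connection may proceed on the DANE-EE records alone.
    require_dane=False is the opportunistic mode: no usable records means fall
    back to ordinary PKIX; require_dane=True fails closed in that case."""
    usable = [r for r in records if r.usage == 3]
    if not usable:
        return not require_dane
    return any(tlsa_matches(r, cert_der, spki_der) for r in usable)

# Constructed sample input (not a real certificate): a fake DER blob and a fake
# SPKI blob, plus one "3 1 1" record whose data was derived from that SPKI.
CERT_DER = b"\x30\x82\x01\x00" + b"\xaa" * 256
SPKI_DER = b"\x30\x59" + b"\xbb" * 89
GOOD_RECORD = TLSARecord(3, 1, 1, hashlib.sha256(SPKI_DER).digest())
BAD_RECORD = TLSARecord(3, 0, 2, hashlib.sha512(b"some other cert").digest())
```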