OverSIP with DNSSEC
DNSSEC gives DNS clients (resolvers) origin authentication of DNS data, so a validating resolver can tell whether a record really comes from the zone owner. Learn about DNSSEC in this fantastic presentation by Dan York:
Enabling DNSSEC in OverSIP is straightforward: OverSIP's built-in DNS resolver requires a recursive DNS server, so DNSSEC validation must be enabled in that recursive DNS server. That's all.
Enabling DNSSEC in Unbound
Unbound is a validating, recursive and caching DNS resolver. Recent versions of Unbound ship with DNSSEC validation enabled by default.
In Debian and Ubuntu it is just required to install the unbound-anchor package:
unbound-anchor in Debian (use backports in case of Debian 6 Squeeze)
unbound-anchor in Ubuntu
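The package install above leaves the actual validation settings to Unbound's defaults. The script below is an added example, not part of the OverSIP documentation or of Unbound: it writes a server fragment that enforces DNSSEC validation and shows, as comments, the weak settings that would silently defeat it (bogus answers still being returned to OverSIP). It assumes the Debian layout, where unbound-anchor maintains the trust anchor in /var/lib/unbound/root.key and Unbound includes /etc/unbound/unbound.conf.d/*.conf; override ROOT_KEY and the directory argument if your layout differs.

```shell
#!/bin/sh
# Added example (not part of the OverSIP documentation): write an Unbound
# server fragment that enforces DNSSEC validation and shows, as comments,
# the weak settings that would silently defeat it. Assumptions: Debian's
# unbound-anchor maintains the trust anchor in /var/lib/unbound/root.key,
# and Unbound includes /etc/unbound/unbound.conf.d/*.conf.
set -eu

ROOT_KEY="${ROOT_KEY:-/var/lib/unbound/root.key}"

# Print the hardened fragment to stdout.
dnssec_fragment() {
    cat <<EOF
server:
    # Without the validator module Unbound never checks an RRSIG.
    module-config: "validator iterator"
    # Root trust anchor, kept current (RFC 5011) by unbound-anchor.
    auto-trust-anchor-file: "$ROOT_KEY"
    # Weak alternative: "val-permissive-mode: yes" only logs bogus
    # answers and still returns them, so OverSIP would happily route
    # to badsign-A.test.dnssec-tools.org instead of failing.
    val-permissive-mode: no
    # Level 2 logs the failing name and the reason, which is what you
    # want when an OverSIP dns_error_tempfail needs explaining.
    val-log-level: 2
EOF
}

# write_dnssec_fragment <dir>: install the fragment as <dir>/dnssec.conf
# and print the resulting path.
write_dnssec_fragment() {
    mkdir -p "$1"
    dnssec_fragment > "$1/dnssec.conf"
    printf '%s\n' "$1/dnssec.conf"
}

# Run as "./unbound-dnssec.sh install" to write the live fragment and
# let unbound-checkconf validate the whole configuration.
if [ "${1:-}" = install ]; then
    f=$(write_dnssec_fragment /etc/unbound/unbound.conf.d)
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf
    fi
    echo "wrote $f; restart unbound to apply"
fi
```

After restarting Unbound, point OverSIP's resolver configuration at it; the val-log-level setting makes Unbound's own log name the record that failed validation whenever OverSIP reports a DNS error.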
Testing DNSSEC
The DNSSEC-Tools site provides a DNS zone with deliberately invalid DNS records, suitable for DNSSEC testing:
For example, once your DNS resolver has DNSSEC enabled (and OverSIP points to it), OverSIP will refuse to route a SIP request to the domain "badsign-A.test.dnssec-tools.org", since its RRSIG signature data was modified after signing and therefore fails validation. Let's see the logs generated by OverSIP:
oversip[7703]: INFO: <SipEvents> [user] INVITE from sip:alice@oversip.net to sip:bob@badsign-A.test.dnssec-tools.org
[...]
oversip[7703]: DEBUG: <RFC3263 48225.1> DNS A error resolving domain 'badsign-a.test.dnssec-tools.org': dns_error_tempfail
oversip[7703]: DEBUG: <Proxy proxy_out 48225.1> no resolution
oversip[7703]: DEBUG: <SIP Request 48225.1> replying 404 "No DNS Resolution"
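The dns_error_tempfail in the log above is what OverSIP sees when the resolver answers SERVFAIL, and SERVFAIL is also what a resolver returns when it simply cannot reach upstream servers, so the OverSIP log alone does not prove that DNSSEC did its job. The script below is an added example, not part of OverSIP or DNSSEC-Tools: it queries the resolver twice with dig (Debian package dnsutils), once normally and once with checking disabled (+cd), and classifies the name as validated, unsigned, bogus or a resolver failure; only a bogus name fails the first query and answers the second. The RESOLVER address and the embedded dig headers are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the OverSIP documentation): tell a DNSSEC
# validation failure apart from a plain resolver outage by comparing a
# normal query with a checking-disabled (+cd) query. Requires dig for
# the live probe; the sample headers below are constructed, not real.
set -eu

RESOLVER="${RESOLVER:-127.0.0.1}"   # assumption: Unbound on localhost

# Reduce a dig output on stdin to "STATUS FLAGS", e.g. "NOERROR qr rd ra ad".
dig_summary() {
    awk '
        /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); st = $0 }
        /^;; flags:/   { sub(/^;; flags: /, ""); sub(/;.*/, ""); fl = $0 }
        END { print st " " fl }'
}

# classify <normal-status> <normal-flags> <cd-status>
classify() {
    case "$1" in
        NOERROR)
            case " $2 " in
                *" ad "*) echo validated ;;  # signed and verified (AD bit)
                *)        echo unsigned ;;   # nothing for the resolver to verify
            esac ;;
        SERVFAIL)
            if [ "$3" = NOERROR ]; then
                echo bogus               # data exists but fails validation
            else
                echo resolver-failure    # upstream unreachable, not DNSSEC
            fi ;;
        *) echo "$1" | tr 'A-Z' 'a-z' ;;  # NXDOMAIN, REFUSED, ... pass through
    esac
}

# probe <name>: live classification of <name> against $RESOLVER.
probe() {
    normal=$(dig @"$RESOLVER" +dnssec "$1" A | dig_summary)
    cdout=$(dig @"$RESOLVER" +dnssec +cd "$1" A | dig_summary)
    classify "${normal%% *}" "${normal#* }" "${cdout%% *}"
}

# Constructed dig headers modelling the badsign-A case: SERVFAIL when
# validating, an answer when checking is disabled.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# demo: run the classifier over the constructed pair; prints "bogus".
demo() {
    n=$(printf '%s\n' "$SAMPLE_NORMAL" | dig_summary)
    c=$(printf '%s\n' "$SAMPLE_CD" | dig_summary)
    classify "${n%% *}" "${n#* }" "${c%% *}"
}

case "${1:-}" in
    "")   ;;                # no argument: only define the functions
    demo) demo ;;           # offline walk-through with the samples
    *)    probe "$1" ;;     # e.g. ./dnssec-probe.sh badsign-A.test.dnssec-tools.org
esac
```

A result of "bogus" for badsign-A.test.dnssec-tools.org together with "validated" for a correctly signed name confirms that the 404 "No DNS Resolution" in the OverSIP log came from DNSSEC validation; "resolver-failure" for both means Unbound itself is unhealthy and OverSIP would fail the same way for any domain.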