OverSIP with DNSSEC
DNSSEC provides DNS clients (resolvers) with origin authentication of DNS data. Learn about DNSSEC in this fantastic presentation by Dan York:
Enabling DNSSEC in OverSIP is straightforward: OverSIP's built-in DNS resolver requires a recursive DNS server, so DNSSEC must be enabled in that recursive DNS server. That's all.
Enabling DNSSEC in Unbound
Unbound is a validating, recursive and caching DNS resolver. Recent versions of Unbound ship with DNSSEC validation enabled by default.
In Debian and Ubuntu it is just required to install the
DNSSEC-Tools site provides a DNS zone with invalid/wrong DNS records suitable for DNSSEC testing:
For example, once your DNS resolver has DNSSEC enabled (and OverSIP points to it), OverSIP will refuse to route a SIP request to the domain "badsign-A.test.dnssec-tools.org", since that zone's RRSIG signature data was modified after signing and the resolver cannot validate it. Let's look at the logs generated by OverSIP:
oversip: INFO: <SipEvents> [user] INVITE from sip:email@example.com to sip:bob@badsign-A.test.dnssec-tools.org [...]
oversip: DEBUG: <RFC3263 48225.1> DNS A error resolving domain 'badsign-a.test.dnssec-tools.org': dns_error_tempfail
oversip: DEBUG: <Proxy proxy_out 48225.1> no resolution
oversip: DEBUG: <SIP Request 48225.1> replying 404 "No DNS Resolution"
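What the proxy actually sees in the case above is the recursive resolver's answer on the wire: a validating resolver that cannot verify the RRSIG returns SERVFAIL (consistent with the dns_error_tempfail in the log), whereas a validated answer comes back as NOERROR with the AD (Authenticated Data) flag set. The following is an added example, not code from OverSIP or Unbound; it builds a minimal A query with the EDNS0 DO bit (the client asking for DNSSEC records) and decodes the header of a response to tell the two outcomes apart. The two response packets are constructed here for illustration; the function and constant names are the example's own.

```python
"""Interpret a validating resolver's answer the way a DNSSEC-aware client would.

Added example, not OverSIP's or Unbound's own code. Only the standard library
is used so it runs offline against constructed packets.
"""
import struct

# RFC 1035 response codes relevant to validation outcomes.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

# DNS header flag bits (RFC 1035 / RFC 4035).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data (set only for validated answers)
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT RR TTL field


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Return a wire-format query (default type A) with RD set and an EDNS0 OPT RR carrying DO=1."""
    # qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT pseudo-RR)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question = qname_wire + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size 4096,
    # TTL = ext-rcode 0, version 0, flags (DO bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def interpret_response(packet: bytes) -> dict:
    """Decode the 12-byte DNS header and classify the answer for DNSSEC purposes."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    if not flags & FLAG_QR:
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    ad = bool(flags & FLAG_AD)
    result = {"id": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "ad": ad, "answers": ancount}
    if rcode == 2:
        # A validating resolver reports a bogus signature as SERVFAIL; the
        # client (here OverSIP) gets no usable records and must fail the request.
        result["verdict"] = "SERVFAIL: validation failure or resolver error"
    elif rcode == 0 and ad:
        result["verdict"] = "authenticated data"
    elif rcode == 0:
        result["verdict"] = "unvalidated data (zone unsigned or resolver not validating)"
    else:
        result["verdict"] = result["rcode"]
    return result


def response_header(txid: int, rcode: int, ad: bool, ancount: int) -> bytes:
    """Construct a response header for testing; a real answer would carry RRs after it."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode | (FLAG_AD if ad else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 1)


# Constructed sample responses (not captured traffic):
# what a validating resolver returns for the badly signed test zone ...
BADSIGN_RESPONSE = response_header(0x1234, 2, ad=False, ancount=0)
# ... and for a correctly signed zone whose A record validated.
VALIDATED_RESPONSE = response_header(0x1234, 0, ad=True, ancount=1)


if __name__ == "__main__":
    print(build_query("badsign-A.test.dnssec-tools.org").hex())
    print(interpret_response(BADSIGN_RESPONSE))
    print(interpret_response(VALIDATED_RESPONSE))
```

The point worth checking in production is the middle verdict: if your resolver answers NOERROR without AD for a zone you know is signed, validation is not happening (for example, the resolver is not validating or the trust anchor is missing), and OverSIP will happily route to whatever records it was handed.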