
Add support for encrypting IP addresses #gdpr #6242

Closed (19 commits)

Conversation

@ahupowerdns ahupowerdns (Contributor) commented Feb 2, 2018

Short description

With this change, PowerDNS core gains the ability to encrypt & decrypt IP addresses as described in https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
For IPv4 this uses ipcrypt, for IPv6 it uses a 128-bit AES ECB operation.
This PR also hooks up ipencrypt() and ipdecrypt() methods for dnsdist use, specifically to pseudonymise logging.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
  • checked that this code was merged to master
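The description above names the two primitives but shows no code. The following is an added example, written for this page and not taken from the PR or from PowerDNS/dnsdist: it implements the ipcrypt design for IPv4 (a 16-byte key split into four 4-byte round keys, alternated with a 4-byte add-rotate-xor permutation) and a single AES-128 block for IPv6, and dispatches on address family. Go is used because its standard library ships AES. `EncryptIP`/`DecryptIP` are this example's names, not the dnsdist `ipencrypt()`/`ipdecrypt()` bindings, and using one 16-byte key for both address families is an assumption of the example; the PR does not say how dnsdist takes its key.

```go
package main

import (
	"crypto/aes"
	"errors"
	"fmt"
	"net"
)

// rotl rotates an 8-bit value left by r bits (1 <= r <= 7).
func rotl(b byte, r uint) byte { return (b << r) | (b >> (8 - r)) }

// permuteFwd is ipcrypt's 4-byte ARX permutation: two add/rotate/xor lanes that get crossed; byte arithmetic wraps mod 256.
func permuteFwd(s [4]byte) [4]byte {
	b0, b1, b2, b3 := s[0], s[1], s[2], s[3]
	b0 += b1; b2 += b3
	b1 = rotl(b1, 2); b3 = rotl(b3, 5)
	b1 ^= b0; b3 ^= b2
	b0 = rotl(b0, 4)
	b0 += b3; b2 += b1
	b1 = rotl(b1, 3); b3 = rotl(b3, 7)
	b1 ^= b2; b3 ^= b0
	b2 = rotl(b2, 4)
	return [4]byte{b0, b1, b2, b3}
}

// permuteBwd undoes permuteFwd: same steps in reverse order, rotl by 8-r in place of rotl by r, subtraction in place of addition.
func permuteBwd(s [4]byte) [4]byte {
	b0, b1, b2, b3 := s[0], s[1], s[2], s[3]
	b2 = rotl(b2, 4)
	b1 ^= b2; b3 ^= b0
	b1 = rotl(b1, 5); b3 = rotl(b3, 1)
	b0 -= b3; b2 -= b1
	b0 = rotl(b0, 4)
	b1 ^= b0; b3 ^= b2
	b1 = rotl(b1, 6); b3 = rotl(b3, 3)
	b0 -= b1; b2 -= b3
	return [4]byte{b0, b1, b2, b3}
}

func xor4(s, k [4]byte) [4]byte { return [4]byte{s[0] ^ k[0], s[1] ^ k[1], s[2] ^ k[2], s[3] ^ k[3]} }

// subkeys splits the 16-byte key into ipcrypt's four 4-byte round keys.
func subkeys(key []byte) (k [4][4]byte) {
	for i := range k {
		copy(k[i][:], key[4*i:4*i+4])
	}
	return k
}

// ipcrypt: xor k0, permute, xor k1, permute, xor k2, permute, xor k3; decryption walks the same chain backwards.
func ipcrypt(key []byte, in [4]byte, decrypt bool) [4]byte {
	k := subkeys(key)
	if decrypt {
		s := permuteBwd(xor4(in, k[3]))
		s = permuteBwd(xor4(s, k[2]))
		s = permuteBwd(xor4(s, k[1]))
		return xor4(s, k[0])
	}
	s := permuteFwd(xor4(in, k[0]))
	s = permuteFwd(xor4(s, k[1]))
	s = permuteFwd(xor4(s, k[2]))
	return xor4(s, k[3])
}

// transformIP dispatches on address family: ipcrypt for IPv4, one raw AES-128 block for IPv6 (that single block is all "ECB" amounts to here).
func transformIP(key []byte, ip net.IP, decrypt bool) (net.IP, error) {
	if len(key) != 16 {
		return nil, errors.New("key must be exactly 16 bytes")
	}
	if v4 := ip.To4(); v4 != nil {
		var in [4]byte
		copy(in[:], v4)
		out := ipcrypt(key, in, decrypt)
		return net.IP(out[:]), nil
	}
	v6 := ip.To16()
	if v6 == nil {
		return nil, errors.New("not an IP address")
	}
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	out := make(net.IP, 16)
	if decrypt {
		block.Decrypt(out, v6)
	} else {
		block.Encrypt(out, v6)
	}
	return out, nil
}

// EncryptIP/DecryptIP are this example's names, not dnsdist's ipencrypt()/ipdecrypt(); one key for both families is this example's assumption.
func EncryptIP(key []byte, ip net.IP) (net.IP, error) { return transformIP(key, ip, false) }
func DecryptIP(key []byte, ip net.IP) (net.IP, error) { return transformIP(key, ip, true) }

func main() {
	ct, _ := EncryptIP([]byte("some 16-byte key"), net.ParseIP("127.0.0.1")) // demo key only
	fmt.Println(ct) // 114.62.227.59
}
```

Under the key `some 16-byte key`, `127.0.0.1` maps to `114.62.227.59` and decrypts back; an IPv6 address goes through one AES block and round-trips the same way. Both transforms are deterministic permutations, which is what makes the pseudonyms usable for per-client counting in logs, but it also means equal addresses always produce equal pseudonyms, so frequency analysis on the output is still possible, and whoever holds the key can reverse every entry. Treat the key as a secret with the same care as the raw logs.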
ahupowerdns added 2 commits Feb 2, 2018
With this change, PowerDNS core gains the ability to encrypt & decrypt IP addresses as described in https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
For IPv4 this uses ipcrypt, for IPv6 it uses a 128-bit AES ECB operation.
This PR also hooks up ipencrypt() and ipdecrypt() methods for dnsdist use, specifically to pseudonymise logging.
@rgacogne rgacogne (Member) left a comment

LGTM, just one nit regarding dnsdist's linkage.

@@ -152,14 +152,13 @@ if HAVE_RE2
dnsdist_LDADD += $(RE2_LIBS)
endif

if HAVE_DNS_OVER_TLS
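Review bot: The hunk header `@@ -152,14 +152,13 @@` shows one line removed in this region, but the rendered lines carry no `+`/`-` markers, so the removed line itself is not visible; as the reviewer comment below describes, the net effect is that dnsdist gets linked against libgnutls and `$(LIBSSL_LIBS)` whenever they are present, not only inside `if HAVE_DNS_OVER_TLS`. Keep the TLS libraries under the `if HAVE_DNS_OVER_TLS` conditional and add only what the AES primitive needs, e.g. a separate `dnsdist_LDADD += $(LIBCRYPTO_LIBS)` guarded by the libcrypto check rather than by the DNS-over-TLS one.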
@rgacogne rgacogne Feb 12, 2018

This would cause dnsdist to be linked against libgnutls and $(LIBSSL_LIBS) when they are available, regardless of whether DNS over TLS support is enabled. If I'm not mistaken you only need to link against $(LIBCRYPTO_LIBS) for this to work?

@ahupowerdns ahupowerdns (Author) Feb 16, 2018

Yes, that is correct, but I did not find a way to make that happen correctly.

@@ -52,10 +52,11 @@ PDNS_CHECK_LUA_HPP
DNSDIST_ENABLE_DNS_OVER_TLS
DNSDIST_CHECK_GNUTLS
DNSDIST_CHECK_LIBSSL
PDNS_CHECK_LIBCRYPTO
AS_IF([test "x$enable_dns_over_tls" != "xno"], [
AS_IF([test "$HAVE_LIBSSL" = "1"], [
# we need libcrypto if libssl is enabled
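Review bot: The comment `# we need libcrypto if libssl is enabled` inside the `AS_IF([test "x$enable_dns_over_tls" != "xno"]` block no longer matches the surrounding logic once `PDNS_CHECK_LIBCRYPTO` is called unconditionally just above it (the header `@@ -52,10 +52,11 @@` shows one added line in this region). Drop the comment, and check whether the libcrypto handling that follows it inside the block still needs to run at all, since a second libcrypto check there would be redundant with the unconditional one.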
@rgacogne rgacogne Feb 12, 2018

This comment is now useless

@rgacogne rgacogne (Member) commented Apr 4, 2019

Superseded by #7481.

@rgacogne rgacogne closed this Apr 4, 2019