From ogud at ogud.com Thu Dec 1 16:17:17 2011
From: ogud at ogud.com (Olafur Gudmundsson)
Date: Thu, 01 Dec 2011 11:17:17 -0500
Subject: [Dnssec-trigger] Is Dnssec-trigger a resolver or a stub-resolver ?
Message-ID: <4ED7A88D.2070407@ogud.com>

I have run into another issue, my work DHCP server hands out three DNS
resolver addresses, the first two are local resolvers the last one is an
ISP provided DNS resolver, all are DNSSEC validating resolvers.
(I'm told this is common just in case the local resolvers have all
crashed or lost power).

A standard recursive resolver will randomize which upstream resolvers it
talks to. Most stub-resolvers on the other hand will ask resolvers in the
order provided. Thus in my work case the ISP resolver should only be asked
after both local resolvers have failed to answer.

DNSSEC-Trigger seems to send queries to the 3 resolvers by random, this is
causing a minor interoperability issue due to split-DNS usage inside the
firewall i.e. about 1/3 of the time I get RCODE=3 for local names that do
not exist on the outside.

I'm not sure which behavior DNSSEC-Trigger should follow but having it
behave more like stub-resolver might have fewer interoperability issues of
this kind. Conversely I can see DNSSEC-Trigger favor resolvers that support
DNSSEC transport and the ISP one might be the only one.....

Olafur

From bortzmeyer at nic.fr Mon Dec 5 13:59:28 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Mon, 5 Dec 2011 14:59:28 +0100
Subject: [Dnssec-trigger] Is Dnssec-trigger a resolver or a stub-resolver ?
In-Reply-To: <4ED7A88D.2070407@ogud.com>
References: <4ED7A88D.2070407@ogud.com>
Message-ID: <20111205135928.GA2354@nic.fr>

On Thu, Dec 01, 2011 at 11:17:17AM -0500,
Olafur Gudmundsson wrote a message of 30 lines which said:

> A standard recursive resolver will randomize which upstream
> resolvers it talks to. Most stub-resolvers on the other hand will
> ask resolvers in the order provided.

As you know, it is not standard (it is common, yes, but you cannot
rely on it).

> DNSSEC-Trigger seems to send queries to the 3 resolvers by random,
> this is causing a minor interoperability issue due to split-DNS
> usage

I would say that, if the DHCP server returns three resolvers and they
do not have the same data (split-view), then, you had a problem even
before dnssec-trigger.

> I'm not sure which behavior DNSSEC-Trigger should follow

I'm happy with the current behavior. For me, dnssec-trigger is a full
resolver and randomizes among its forwarders.

From wouter at NLnetLabs.nl Tue Dec 13 10:51:03 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 13 Dec 2011 11:51:03 +0100
Subject: [Dnssec-trigger] dnssec-trigger 0.8 release
Message-ID: <4EE72E17.1000205@nlnetlabs.nl>

Hi,

Dnssec trigger 0.8 is released, at
http://www.nlnetlabs.nl/projects/dnssec-trigger/

Source tarball hash is
sha1 fd4eeb7dae3d39d5a9abac86d5c66f792e139bbf
sha256 8fed4f699619e7e2c230560a5fa24ffb9659f87dcf6e17cdc64028a8bed75723

Please note that Dnssec Trigger is an experimental project.
The SSL functionality requires unbound 1.4.14. With older unbound it
will skip the SSL fallback step, it is backwards compatible.

This 0.8 release fixes a number of important bugs. One which caused OSX
to malfunction (apple-R at boot and reinstall OS), another that caused
completely wrong diagnosis (counting error in probe results), and a
couple that caused a lot of SERVFAIL to happen (race in setting unbound,
probing while not connected).

The additional functionality is that it can fallback to SSL-wrapped DNS
service. This is plain DNS (tcp-style) but over SSL, on port 443.
Unbound 1.4.14 supports that, and there is an open resolver at nlnetlabs
for this experimental project. TCP443 probe removed in favor of SSL443
probe (TCP80 probe still exists). This works past some
deep-packet-inspecting firewalls that only allow ssl-wrapped contents to
pass.

The open resolver at nlnetlabs is provided at best effort but no
guarantees of any kind. It likely cannot scale to high demand. It
provides UDP, TCP and SSL DNS service.

Have fun with this! If you want: share experience with success,
failure, or strangeness. For geeks, it would be nice to know 'how often'
you need to resort to SSL-wrapped service, and if at that time you have
'a nice internet experience' (the DPI-firewalled SSL-roundtrip time can
be 1 second or more, that would likely be perceived as cumbersome).

There is a detailed changelog on the website.

Best regards,
Wouter

From jpmens.dns at gmail.com Tue Dec 13 11:43:03 2011
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Tue, 13 Dec 2011 12:43:03 +0100
Subject: [Dnssec-trigger] dnssec-trigger 0.8 release
In-Reply-To: <4EE72E17.1000205@nlnetlabs.nl>
References: <4EE72E17.1000205@nlnetlabs.nl>
Message-ID: <20111213114303.GA83235@jmbp.jpmens.org>

Hello Wouter,

> Dnssec trigger 0.8 is released, at

just want to say the installer works fine on OS/X Snow-Leopard (10.6.8).

Thanks for a very fine bit of work!

-JP

From alan at clegg.com Wed Dec 14 06:46:30 2011
From: alan at clegg.com (Alan Clegg)
Date: Wed, 14 Dec 2011 08:46:30 +0200
Subject: [Dnssec-trigger] dnssec-triggerd.exe uses 100% of one core...
Message-ID: <4EE84646.6030200@clegg.com>

Good morning, all!

I have the 0.8 package installed on a Windows 7 Pro system and am seeing
that the dnssec-triggerd.exe (*32) is constantly using 25% of the CPU
time (100 % of one core) on my laptop.

I can't find any logging but would be more than happy to help find the
problem, as I think this is a REALLY cool solution to the last-mile
(especially for windows!)

AlanC
--
alan at clegg.com | aclegg at infoblox.com
1.919.355.8851

From wouter at NLnetLabs.nl Wed Dec 14 11:07:10 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Wed, 14 Dec 2011 12:07:10 +0100
Subject: [Dnssec-trigger] dnssec-triggerd.exe uses 100% of one core...
In-Reply-To: <4EE84646.6030200@clegg.com>
References: <4EE84646.6030200@clegg.com>
Message-ID: <4EE8835E.4010904@nlnetlabs.nl>

Hi Alan,

On 12/14/2011 07:46 AM, Alan Clegg wrote:
> Good morning, all!
>
> I have the 0.8 package installed on a Windows 7 Pro system and am seeing
> that the dnssec-triggerd.exe (*32) is constantly using 25% of the CPU
> time (100 % of one core) on my laptop.
>
> I can't find any logging but would be more than happy to help find the
> problem, as I think this is a REALLY cool solution to the last-mile
> (especially for windows!)

In C:\programfiles\dnssectrigger\ there is dnssec-trigger.conf where you
can enable a logfile and increase verbosity.
(normally the logs go to the windows system application log, but that is
a little inaccessible, especially in high volume logs):

logfile: "C:\dnssec-trigger.log"
verbosity: 4

Then you get more detail about what is going on inside the
dnssec-triggerd.exe

Best regards,
Wouter

From alan at clegg.com Thu Dec 15 19:15:18 2011
From: alan at clegg.com (Alan Clegg)
Date: Thu, 15 Dec 2011 21:15:18 +0200
Subject: [Dnssec-trigger] Logging from 100% core usage..
Message-ID: <4EEA4746.3080303@clegg.com>

Here's a snippet from the logging (sorry to start a new thread, but
didn't get on the list until Wouter's response had been sent)..

Changes to dnssec-trigger.conf:

verbosity: 4
logfile: "C:\temp\dnssectrigger.log"

And the resulting log:

[1323975452] dnssec-triggerd[2216] info: set reg 127.0.0.1
[1323975452] dnssec-triggerd[2216] debug: enum 0 {1F3ADCC9-C346-4A9F-86A0-04993E49717F}
[1323975452] dnssec-triggerd[2216] debug: enum 1 {34A64FBF-6370-4302-8980-E0EE1B937695}
[1323975452] dnssec-triggerd[2216] debug: enum 2 {3C242E08-175A-4790-907A-E6E6BC56658E}
[1323975452] dnssec-triggerd[2216] debug: enum 3 {47BE73A4-34C5-4B9A-A4CC-8CED2B6AD4FF}
[1323975452] dnssec-triggerd[2216] debug: enum 4 {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
[1323975452] dnssec-triggerd[2216] debug: enum 5 {4F48AE87-E269-4336-A724-B28E995371EC}
[1323975452] dnssec-triggerd[2216] debug: enum 6 {544A47DC-FB43-466E-8526-D1085809F4A1}
[1323975452] dnssec-triggerd[2216] debug: enum 7 {62C4FAD2-F759-43D6-8A31-F1399EA45E8E}
[1323975452] dnssec-triggerd[2216] debug: enum 8 {7C0FBBE5-FE04-415E-9AAD-5E351C8866FE}
[1323975452] dnssec-triggerd[2216] debug: enum 9 {846ee342-7039-11de-9d20-806e6f6e6963}
[1323975452] dnssec-triggerd[2216] debug: enum 10 {8E06314D-6C3F-4493-9BCB-8FC821FB3482}
[1323975452] dnssec-triggerd[2216] debug: enum 11 {963D5E96-B82C-4F63-B4BF-1C11A3B3563D}
[1323975452] dnssec-triggerd[2216] debug: enum 12 {DB5A125C-EEB3-4491-8471-3F4C5782B9FD}
[1323975452] dnssec-triggerd[2216] debug: event_add 00abd394 added=0 fd=-1 tv=3600000 EV_TIMEOUT
[1323975452] dnssec-triggerd[2216] debug: winservice - init complete
[1323975452] dnssec-triggerd[2216] debug: netlist sweep
[1323975452] dnssec-triggerd[2216] debug: service name hotell.tallink.ee
[1323975452] dnssec-triggerd[2216] debug: comment (null)
[1323975452] dnssec-triggerd[2216] debug: context (null)
[1323975452] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
[1323975452] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1

followed by just shy of 7 million lines before I killed it:

[1323975664] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
[1323975664] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1
[1323975664] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
[1323975664] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1

With logging on it happily fills the disk as well as the CPU. :)

AlanC

From wouter at NLnetLabs.nl Fri Dec 16 08:34:48 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 16 Dec 2011 09:34:48 +0100
Subject: [Dnssec-trigger] Logging from 100% core usage..
In-Reply-To: <4EEA4746.3080303@clegg.com>
References: <4EEA4746.3080303@clegg.com>
Message-ID: <4EEB02A8.5010704@nlnetlabs.nl>

Hi Alan,

Thanks this tells me which for loop is causing the endless loop.

Now, to the debugger! :-)

Best regards,
Wouter

On 12/15/2011 08:15 PM, Alan Clegg wrote:
> Here's a snippet from the logging (sorry to start a new thread,
> but didn't get on the list until Wouter's response had been
> sent)..
>
> Changes to dnssec-trigger.conf:
>
> verbosity: 4
> logfile: "C:\temp\dnssectrigger.log"
>
> And the resulting log:
>
> [1323975452] dnssec-triggerd[2216] info: set reg 127.0.0.1
> [1323975452] dnssec-triggerd[2216] debug: enum 0 {1F3ADCC9-C346-4A9F-86A0-04993E49717F}
> [1323975452] dnssec-triggerd[2216] debug: enum 1 {34A64FBF-6370-4302-8980-E0EE1B937695}
> [1323975452] dnssec-triggerd[2216] debug: enum 2 {3C242E08-175A-4790-907A-E6E6BC56658E}
> [1323975452] dnssec-triggerd[2216] debug: enum 3 {47BE73A4-34C5-4B9A-A4CC-8CED2B6AD4FF}
> [1323975452] dnssec-triggerd[2216] debug: enum 4 {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
> [1323975452] dnssec-triggerd[2216] debug: enum 5 {4F48AE87-E269-4336-A724-B28E995371EC}
> [1323975452] dnssec-triggerd[2216] debug: enum 6 {544A47DC-FB43-466E-8526-D1085809F4A1}
> [1323975452] dnssec-triggerd[2216] debug: enum 7 {62C4FAD2-F759-43D6-8A31-F1399EA45E8E}
> [1323975452] dnssec-triggerd[2216] debug: enum 8 {7C0FBBE5-FE04-415E-9AAD-5E351C8866FE}
> [1323975452] dnssec-triggerd[2216] debug: enum 9 {846ee342-7039-11de-9d20-806e6f6e6963}
> [1323975452] dnssec-triggerd[2216] debug: enum 10 {8E06314D-6C3F-4493-9BCB-8FC821FB3482}
> [1323975452] dnssec-triggerd[2216] debug: enum 11 {963D5E96-B82C-4F63-B4BF-1C11A3B3563D}
> [1323975452] dnssec-triggerd[2216] debug: enum 12 {DB5A125C-EEB3-4491-8471-3F4C5782B9FD}
> [1323975452] dnssec-triggerd[2216] debug: event_add 00abd394 added=0 fd=-1 tv=3600000 EV_TIMEOUT
> [1323975452] dnssec-triggerd[2216] debug: winservice - init complete
> [1323975452] dnssec-triggerd[2216] debug: netlist sweep
> [1323975452] dnssec-triggerd[2216] debug: service name hotell.tallink.ee
> [1323975452] dnssec-triggerd[2216] debug: comment (null)
> [1323975452] dnssec-triggerd[2216] debug: context (null)
> [1323975452] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
> [1323975452] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1
>
> followed by just shy of 7 million lines before I killed it:
>
> [1323975664] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
> [1323975664] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1
> [1323975664] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
> [1323975664] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1
>
> With logging on it happily fills the disk as well as the CPU. :)
>
> AlanC

From wouter at NLnetLabs.nl Fri Dec 16 09:49:29 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 16 Dec 2011 10:49:29 +0100
Subject: [Dnssec-trigger] Logging from 100% core usage..
In-Reply-To: <4EEB02A8.5010704@nlnetlabs.nl>
References: <4EEA4746.3080303@clegg.com> <4EEB02A8.5010704@nlnetlabs.nl>
Message-ID: <4EEB1429.7090407@nlnetlabs.nl>

Hi Alan,

I cannot reproduce the issue, but I have written a fix for the endless
loop in that routine, would you be willing to test this:

http://www.nlnetlabs.nl/~wouter/dnssec_trigger_setup_0.9_20111216.exe
(snapshot of development).

Best regards,
Wouter

On 12/16/2011 09:34 AM, W.C.A. Wijngaards wrote:
> Hi Alan,
>
> Thanks this tells me which for loop is causing the endless loop.
>
> Now, to the debugger! :-)
>
> Best regards, Wouter
>
> On 12/15/2011 08:15 PM, Alan Clegg wrote:
>> Here's a snippet from the logging (sorry to start a new thread,
>> but didn't get on the list until Wouter's response had been
>> sent)..
>
>> Changes to dnssec-trigger.conf:
>
>> verbosity: 4
>> logfile: "C:\temp\dnssectrigger.log"
>
>> And the resulting log:
>
>> [1323975452] dnssec-triggerd[2216] info: set reg 127.0.0.1
>> [1323975452] dnssec-triggerd[2216] debug: enum 0 {1F3ADCC9-C346-4A9F-86A0-04993E49717F}
>> [1323975452] dnssec-triggerd[2216] debug: enum 1 {34A64FBF-6370-4302-8980-E0EE1B937695}
>> [1323975452] dnssec-triggerd[2216] debug: enum 2 {3C242E08-175A-4790-907A-E6E6BC56658E}
>> [1323975452] dnssec-triggerd[2216] debug: enum 3 {47BE73A4-34C5-4B9A-A4CC-8CED2B6AD4FF}
>> [1323975452] dnssec-triggerd[2216] debug: enum 4 {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
>> [1323975452] dnssec-triggerd[2216] debug: enum 5 {4F48AE87-E269-4336-A724-B28E995371EC}
>> [1323975452] dnssec-triggerd[2216] debug: enum 6 {544A47DC-FB43-466E-8526-D1085809F4A1}
>> [1323975452] dnssec-triggerd[2216] debug: enum 7 {62C4FAD2-F759-43D6-8A31-F1399EA45E8E}
>> [1323975452] dnssec-triggerd[2216] debug: enum 8 {7C0FBBE5-FE04-415E-9AAD-5E351C8866FE}
>> [1323975452] dnssec-triggerd[2216] debug: enum 9 {846ee342-7039-11de-9d20-806e6f6e6963}
>> [1323975452] dnssec-triggerd[2216] debug: enum 10 {8E06314D-6C3F-4493-9BCB-8FC821FB3482}
>> [1323975452] dnssec-triggerd[2216] debug: enum 11 {963D5E96-B82C-4F63-B4BF-1C11A3B3563D}
>> [1323975452] dnssec-triggerd[2216] debug: enum 12 {DB5A125C-EEB3-4491-8471-3F4C5782B9FD}
>> [1323975452] dnssec-triggerd[2216] debug: event_add 00abd394 added=0 fd=-1 tv=3600000 EV_TIMEOUT
>> [1323975452] dnssec-triggerd[2216] debug: winservice - init complete
>> [1323975452] dnssec-triggerd[2216] debug: netlist sweep
>> [1323975452] dnssec-triggerd[2216] debug: service name hotell.tallink.ee
>> [1323975452] dnssec-triggerd[2216] debug: comment (null)
>> [1323975452] dnssec-triggerd[2216] debug: context (null)
>> [1323975452] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
>> [1323975452] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1
>
>> followed by just shy of 7 million lines before I killed it:
>
>> [1323975664] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
>> [1323975664] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1
>> [1323975664] dnssec-triggerd[2216] debug: adapter {4F06EC62-86AB-4C52-9E0C-6C25E6C898CE}
>> [1323975664] dnssec-triggerd[2216] debug: dhcpnameserver 194.204.0.1
>
>> With logging on it happily fills the disk as well as the CPU.
>> :)
>
>> AlanC

From alan at clegg.com Fri Dec 16 13:22:35 2011
From: alan at clegg.com (Alan Clegg)
Date: Fri, 16 Dec 2011 15:22:35 +0200
Subject: [Dnssec-trigger] Logging from 100% core usage..
In-Reply-To: <4EEB1429.7090407@nlnetlabs.nl>
References: <4EEA4746.3080303@clegg.com> <4EEB02A8.5010704@nlnetlabs.nl> <4EEB1429.7090407@nlnetlabs.nl>
Message-ID: <4EEB461B.9000801@clegg.com>

On 12/16/2011 11:49 AM, W.C.A. Wijngaards wrote:

> I cannot reproduce the issue, but I have written a fix for the endless
> loop in that routine, would you be willing to test this:
>
> http://www.nlnetlabs.nl/~wouter/dnssec_trigger_setup_0.9_20111216.exe
> (snapshot of development).

I am now able to run with no problem, and now get:

results from probe at 2011-12-16 15:20:19

authority 193.0.14.129: OK
no cache: no DNS servers have been supplied via DHCP

DNSSEC results fetched direct from authorities

as probe results.

Tool tests now show that DNSSEC is enabled locally.

:)

AlanC
--
alan at clegg.com | aclegg at infoblox.com
1.919.355.8851

From wouter at NLnetLabs.nl Mon Dec 19 13:25:40 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Mon, 19 Dec 2011 14:25:40 +0100
Subject: [Dnssec-trigger] dnssec-trigger 0.9 release
Message-ID: <4EEF3B54.5080308@nlnetlabs.nl>

Hi,

Dnssec trigger 0.9 is released, get source and binaries here
http://www.nlnetlabs.nl/projects/dnssec-trigger/

source tarball hash is
sha1 4cf68e88d712db2cdccbed93e7059e977578246f
sha256 2bdd5e8d0e190dcdc0309e4c229bea8324f48b3e44732f7fbfe998d9c25eb6ed

The reason for this release is unbound update to 1.4.14 in the binary
packages. There are minor fixes as well.

Details
* unbound in binary packages is upgraded to 1.4.14.
* Set hook throttleinterval to 1 second, this reduces the osx
  wakeup and bootup wrong probes because the hook was throttled
  for 10 seconds.
* stoppanels waits for the connection of the panel to close,
  this may remove re-install race conditions.
* detailprints in windows installer and uninstaller.
* attempt to fix endless loop on windows (reported by Alan Clegg).
* windows installer waits for services to come to a full stop.

Best regards and a Merry Christmas,
Wouter

From nlnetlabs at belanger.fr Sat Dec 24 16:49:27 2011
From: nlnetlabs at belanger.fr (Xavier Belanger)
Date: Sat, 24 Dec 2011 11:49:27 -0500
Subject: [Dnssec-trigger] DHCP client hook script for dnssec-trigger
Message-ID: <20111224114927.d742899c.nlnetlabs@belanger.fr>

Hi,

If some people are interested, I have written a hook script for dhcpcd,
to be used with dnssec-trigger. There are also basic instructions
and scripts for GNU/Linux Slackware 13.37 for dnssec-trigger and
Unbound.

[ http://www.ellendhel.net/fichiers/dnssec-slackware.zip ]

This is probably not perfect, any suggestion is welcome.

Sincerely.
--
Xavier Belanger

From stephan.lagerholm at secure64.com Wed Dec 28 15:58:28 2011
From: stephan.lagerholm at secure64.com (Stephan Lagerholm)
Date: Wed, 28 Dec 2011 08:58:28 -0700
Subject: [Dnssec-trigger] DNSSEC trigger and v6 DNS servers
In-Reply-To: <20111224114927.d742899c.nlnetlabs@belanger.fr>
References: <20111224114927.d742899c.nlnetlabs@belanger.fr>
Message-ID:

Hi,

I can still access www.trasigdnssec.se (a deliberately DNSSEC broken
domain) with DNSSEC trigger 0.9 installed and running on my windows 7
laptop when using v6 capable applications such as firefox.

-----------------------------------------------
The probe results are:

results from probe at 2011-12-28 09:26:37

cache 64.92.220.220: OK
cache 208.67.222.222: error no RRSIGs in reply

DNSSEC results fetched from (DHCP) cache(s)
---------------------------------------------

What appears to happen is the firefox/IE is sending queries to the IPv6
DNS server 2001:5c0:1000:11::2 that I got provisioned via DHCPv6.

Shouldn't dnssec-trigger rewrite both the 'resolv.conf' for IPv4 and
IPv6 and start a local unbound on both ::1 and 127.0.0.1?

/S

From bortzmeyer at nic.fr Thu Dec 29 07:30:38 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Thu, 29 Dec 2011 08:30:38 +0100
Subject: [Dnssec-trigger] A new kind of brokenness in Internet access
Message-ID: <20111229073038.GA16420@laperouse.bortzmeyer.org>

% dnssec-trigger-control status
at 2011-12-29 08:25:23
authority 192.228.79.201: OK
cache 192.168.1.1: error cannot disassemble reply: answer section incomplete
state: auth secure

And, indeed, the answer is mangled:

% dig +dnssec @192.168.1.1 DNSKEY .
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.7.3 <<>> +dnssec @192.168.1.1 DNSKEY .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24575
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: Messages has 62 extra bytes at end

;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 31438 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 31438 IN DNSKEY 256 3 8 AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2 Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98g KLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7B LxbJ7HwF

;; Query time: 37 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Dec 29 08:26:14 2011
;; MSG SIZE rcvd: 512

dnssec-trigger 0.8 deals correctly with it.

(Belgacom broadband access in a home in Brussels.)
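
The condition in the message above (a header promising more records than the bytes on the wire contain, with the TC flag clear) can be checked with a small wire-format walker. This is an added example, not code from dnssec-trigger or from the original post: the reply is constructed with zero-filled key and signature data, and cutting it at 512 bytes is an assumption about how such a reply can arise, not a finding about the router in the post.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past the name at off, or None if it overruns."""
    while off < len(msg):
        length = msg[off]
        if length == 0:                    # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends it
            return off + 2 if off + 2 <= len(msg) else None
        if length & 0xC0:                  # reserved label types
            return None
        off += 1 + length
    return None

def read_record(msg, off):
    """Return the offset after the RR at off, or None if it does not fit."""
    off = skip_name(msg, off)
    if off is None or off + 10 > len(msg):  # TYPE, CLASS, TTL, RDLENGTH
        return None
    rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
    end = off + 10 + rdlength
    return end if end <= len(msg) else None

def check_reply(msg):
    """Compare the header's record counts with what the bytes can hold."""
    report = {"tc": False, "promised": [0, 0, 0], "parsed": [0, 0, 0],
              "error": None, "leftover": len(msg)}
    if len(msg) < 12:
        report["error"] = "header incomplete"
        return report
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    report["tc"] = bool(flags & 0x0200)     # truncation flag
    report["promised"] = [an, ns, ar]
    off = 12
    for _ in range(qd):
        end = skip_name(msg, off)
        if end is None or end + 4 > len(msg):   # QTYPE + QCLASS
            report["error"] = "question section incomplete"
            break
        off = end + 4
    for i, section in enumerate(("answer", "authority", "additional")):
        if report["error"]:
            break
        for _ in range(report["promised"][i]):
            end = read_record(msg, off)
            if end is None:
                report["error"] = section + " section incomplete"
                break
            off = end
            report["parsed"][i] += 1
    report["leftover"] = len(msg) - off     # bytes after the last whole record
    return report

def rr(rtype, rdata, rclass=1, ttl=31438):
    """Build one RR owned by the root name (a single zero byte)."""
    return b"\x00" + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def constructed_reply():
    """Constructed answer to '. IN DNSKEY' with DO set; key data is zero filler."""
    header = struct.pack("!6H", 24575, 0x8180, 1, 3, 0, 1)  # qr rd ra, counts 1/3/0/1
    question = b"\x00" + struct.pack("!HH", 48, 1)          # . IN DNSKEY
    ksk = rr(48, struct.pack("!HBB", 257, 3, 8) + bytes(260))
    zsk = rr(48, struct.pack("!HBB", 256, 3, 8) + bytes(132))
    rrsig = rr(46, bytes(18) + b"\x00" + bytes(256))        # signer name is the root
    opt = rr(41, b"", rclass=4096, ttl=0x8000)              # EDNS0 OPT with DO bit
    return header + question + ksk + zsk + rrsig + opt

if __name__ == "__main__":
    full = constructed_reply()
    for label, msg in (("intact", full), ("cut at 512", full[:512])):
        print(label, len(msg), check_reply(msg))
```

A validator that sees the second case has no RRSIG to verify the DNSKEY set with, and because TC is clear a client has no signal to retry over TCP.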