[Dnssec-trigger] dnssec-trigger 0.8 release
wouter at NLnetLabs.nl
Tue Dec 13 10:51:03 UTC 2011
Dnssec trigger 0.8 is released, at

Source tarball hash is

Please note that Dnssec Trigger is an experimental project.

The SSL functionality requires unbound 1.4.14. With older unbound it
will skip the SSL fallback step, it is backwards compatible.

This 0.8 release fixes a number of important bugs. One which caused
OSX to malfunction (apple-R at boot and reinstall OS), another that
caused completely wrong diagnosis (counting error in probe results),
and a couple that caused a lot of SERVFAIL to happen (race in setting
unbound, probing while not connected).

The additional functionality is that it can fall back to SSL-wrapped
DNS service. This is plain DNS (tcp-style) but over SSL, on port 443.
Unbound 1.4.14 supports that, and there is an open resolver at
nlnetlabs for this experimental project. TCP443 probe removed in
favor of SSL443 probe (TCP80 probe still exists). This works past
some deep-packet-inspecting firewalls that only allow ssl-wrapped
contents to pass.

The open resolver at nlnetlabs is provided at best effort but no
guarantees of any kind. It likely cannot scale to high demand. It
provides UDP, TCP and SSL DNS service.

Have fun with this! If you want: share experience with success,
failure, or strangeness. For geeks, it would be nice to know 'how
often' you need to resort to SSL-wrapped service, and if at that time
you have 'a nice internet experience' (the DPI-firewalled
SSL-roundtrip time can be 1 second or more, that would likely be
perceived as cumbersome).

There is a detailed changelog on the website.
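The "plain DNS (tcp-style) but over SSL, on port 443" transport from the announcement, shown as an added Python example that is not part of the original message or of dnssec-trigger's code. All function names are hypothetical, the resolver host is supplied by the caller, and certificate verification against the system CA store is an assumption of this example.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, qid=0x1234):
    """DNS query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, type 41, class = 4096 byte payload, TTL field = DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def frame(msg):
    """TCP-style DNS framing: two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def read_framed(recv):
    """Read one framed message from recv(n), tolerating short reads."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", read_exact(2))
    return read_exact(length)

def summarize(msg):
    """Pull out what a probe cares about: id, RCODE (2 = SERVFAIL), AD bit."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020)}

def query_over_tls(host, name, port=443, timeout=5.0):
    """Send one framed query inside TLS; the DNS bytes match the TCP case."""
    ctx = ssl.create_default_context()  # assumption: verify via system CAs
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(build_query(name)))
            return summarize(read_framed(tls.recv))
```

Timing `query_over_tls` per lookup gives the round-trip figure the message asks about.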