[Dnssec-trigger] dnssec-trigger 0.8 release

W.C.A. Wijngaards wouter at NLnetLabs.nl
Tue Dec 13 10:51:03 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Dnssec trigger 0.8 is released, at
http://www.nlnetlabs.nl/projects/dnssec-trigger/

Source tarball hash is
sha1 fd4eeb7dae3d39d5a9abac86d5c66f792e139bbf
sha256 8fed4f699619e7e2c230560a5fa24ffb9659f87dcf6e17cdc64028a8bed75723

Please note that Dnssec Trigger is an experimental project.

The SSL functionality requires unbound 1.4.14.  With older unbound it
will skip the SSL fallback step, it is backwards compatible.

This 0.8 release fixes a number of important bugs.  One which caused
OSX to malfunction (apple-R at boot and reinstall OS), another that
caused completely wrong diagnosis (counting error in probe results),
and a couple that caused a lot of SERVFAIL to happen (race in setting
unbound, probing while not connected).

The additional functionality is that it can fallback to SSL-wrapped
DNS service.  This is plain DNS (tcp-style) but over SSL, on port 443.
 Unbound 1.4.14 supports that, and there is an open resolver at
nlnetlabs for this experimental project.  TCP443 probe removed in
favor of SSL443 probe (TCP80 probe still exists).  This works past
some deep-packet-inspecting firewalls that only allow ssl-wrapped
contents to pass.

The open resolver at nlnetlabs is provided at best effort but no
guarantees of any kind.  It likely cannot scale to high demand.  It
provides UDP, TCP and SSL DNS service.

Have fun with this!  If you want: share experience with success,
failure, or strangeness.  For geeks, it would be nice to know 'how
often' you need to resort to SSL-wrapped service, and it at that time
you have 'a nice internet experience' (the DPI-firewalled
SSL-roundtrip time can be 1 second or more, that would likely be
perceived as cumbersome).

There is a detailed changelog on the website.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJO5y4SAAoJEJ9vHC1+BF+NsFgP/RGKwUtetBCQaX3Nnp3fJAzJ
WWiy8bPI/YdASwNREUZGtEza/eRDHapft5Cp0prpjAmwSsSLmljVr/pCfQxOZ6Lm
7WE1n/+EOyVAolVZ+owFuN6khJjx27sMwdPn66px4X9MlNSfSpvuTBPi++V1bRQp
yORMf63kSP+01yU5UuPphyp/iIjr/x7sd8rFKKIMJdAlpHQzBfKkYsxEBonOo0Om
lbOHVnhCjbyWYVUrxQNCMHy9AX/QlWpAS1SsizIOecHWnH/U2hljtXnyuT++6Rza
ta4HwKRinTTvV3Muno07majM+35OFXv6lp4vL3a2+SbuqKjE0+FodyhAC8hvmSYo
zovAjwKvjav0874+yjbwmIXRmgkmlTj4YzC5MMQJcdZ0O1d/59NsnPdcgQqt2amT
CXCya82W9Ii1FJwLKbYmGip4tGBIkyNFBc7A6JOs6cIz1/440tv19goyRaOLxKL9
oLQOSSzmmOO5jdWWNUyMk8A2/43N2ABz20QrHtR7WtnP0jEsXMxme25vg6lGcst+
GOjVMNxodyXvC278Igmsm/PhzndN3CzROv6Jc0eTxUeNRpZNCLB4NtIcXdrl1NQ8
hy8F4FSYgVAMFjDn/U9bDr/mNBhNkVwvqnnFQnwTdT2F8jTwtCQ2G1+sSHw1ZnlF
GQ4je6EueW4Bg7dIu6VZ
=DJMC
-----END PGP SIGNATURE-----



More information about the dnssec-trigger mailing list