From paul at xelerance.com Fri Nov 4 17:29:07 2011
From: paul at xelerance.com (Paul Wouters)
Date: Fri, 4 Nov 2011 13:29:07 -0400 (EDT)
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
Message-ID:

I just tried the 0.7 DMG on my OSX Lion laptop and the installer tells me
the installation failed. Is there a log anywhere, where I can see what went
wrong?

did anyone else test this on Lion?

Paul

From carsten at strotmann.de Fri Nov 4 18:14:55 2011
From: carsten at strotmann.de (Carsten Strotmann (private))
Date: Fri, 04 Nov 2011 19:14:55 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To:
References:
Message-ID: <4EB42B9F.2070600@strotmann.de>

On 11/4/11 6:29 PM, Paul Wouters wrote:
>
> I just tried the 0.7 DMG on my OSX Lion laptop and the installer
> tells me the installation failed. Is there a log anywhere, where I
> can see what went wrong?
>

Hallo Paul,

in the Installer (do not close the Installer on Error) choose from the
menu "Window -> Install Log" and then "Show all Logs". There is a "Save"
button to save the logs to a file.

> did anyone else test this on Lion?

I did, it also fails on me, Wouter is informed, but I need to deliver more
details which I couldn't do so far :( (I've got a flu, my systems are down
to the bare minimum)

Best regards

Carsten

From jpmens.dns at gmail.com Sat Nov 5 00:59:42 2011
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Sat, 5 Nov 2011 01:59:42 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To:
References:
Message-ID: <20111105005942.GA71583@jmbp.jpmens.org>

I finally got around to trying the installation of dnssec-trigger 0.7 on
Snow Leopard (10.6.8), and installation fails for me too, at least
according to the installer. These are my findings:

Unbound and dnssec-trigger are launched:

    71455 ?? Ss 0:00.05 /usr/sbin/unbound -d
    71458 ?? Ss 0:00.02 /usr/sbin/dnssec-triggerd -d

    Nov 5 01:43:37 jmbp Firewall[542]: unbound is listening from ::1:53 proto=6
    Nov 5 01:43:37 jmbp Firewall[542]: unbound is listening from 127.0.0.1:53 proto=6
    Nov 5 01:43:37 jmbp Firewall[542]: unbound is listening from ::1:8953 proto=6
    Nov 5 01:43:37 jmbp Firewall[542]: unbound is listening from 127.0.0.1:8953 proto=6
    Nov 5 01:43:37 jmbp Firewall[542]: dnssec-triggerd is listening from 127.0.0.1:8955 proto=6

Files are visible in both /etc/dnssec-trigger/ and /etc/unbound/.

No GUI icon visible on status bar.

I've attached the installer log.

While I'm at it, I'll test uninstall:

1. Processes unbound and dnssec-triggerd have stopped.
2. /etc/dnssec-trigger/ and content remains on system; assume correct.
3. /etc/unbound/ and content remains on system; assume correct.
4. /usr/sbin/unbound* have been removed.
5. /usr/sbin/dnssec-trigg* has been removed.

A subsequent re-install produces the same errors as during the first
attempt. However, the utilities work, e.g. unbound validates, and:

    $ sudo dnssec-trigger-control status
    at 2011-11-05 01:55:56
    cache 192.168.1.4: OK
    cache 192.168.1.20: OK
    state: cache secure

Best regards,

-JP

From jpmens.dns at gmail.com Sat Nov 5 01:28:45 2011
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Sat, 5 Nov 2011 02:28:45 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To: <20111105005942.GA71583@jmbp.jpmens.org>
References: <20111105005942.GA71583@jmbp.jpmens.org>
Message-ID: <20111105012845.GA72949@jmbp.jpmens.org>

> I've attached the installer log.

I would have if I weren't so tired. Here it is.
-JP
-------------- next part --------------
Nov 5 01:40:01 jmbp Installer[71103]: @(#)PROGRAM:Installer PROJECT:Installer-430.1
Nov 5 01:40:01 jmbp Installer[71103]: Hardware: MacBookPro5,1 @ 2.53 GHz (x 2), 8192 MB RAM
Nov 5 01:40:01 jmbp Installer[71103]: Running OS Build: Mac OS X 10.6.8 (10K549)
Nov 5 01:40:02 jmbp Installer[71103]: NLnet Labs DnssecTrigger 0.7 for MacOS X 10.7 Installation Log
Nov 5 01:40:02 jmbp Installer[71103]: Opened from: /Volumes/DnssecTrigger/dnssectrigger-0.7-i386.mpkg
Nov 5 01:41:34 jmbp Installer[71103]: ================================================================================
Nov 5 01:41:34 jmbp Installer[71103]: User picked Standard Install
Nov 5 01:41:34 jmbp Installer[71103]: Choices selected for installation:
Nov 5 01:41:34 jmbp Installer[71103]: Install: "NLnet Labs DnssecTrigger 0.7 for MacOS X 10.7"
Nov 5 01:41:34 jmbp Installer[71103]: Install: "Package_Root"
Nov 5 01:41:34 jmbp Installer[71103]: ================================================================================
Nov 5 01:41:34 jmbp Installer[71103]: Configuring volume "Macintosh HD"
Nov 5 01:41:34 jmbp Installer[71103]: Free space on "Macintosh HD": 1.79 GB (1789087744 bytes).
Nov 5 01:41:34 jmbp Installer[71103]: Create temporary directory "/var/folders/jA/jA4IbxFXGJ0KSmsooRhDAU+++TI/-Tmp-//Install.711038pasrT"
Nov 5 01:41:34 jmbp Installer[71103]: IFPKInstallElement (1 packages)
Nov 5 01:41:34 jmbp installd[71212]: PackageKit: ----- Begin install -----
Nov 5 01:41:39 jmbp installd[71212]: PackageKit: Install Failed: PKG: post-flight scripts for "nl.nlnetlabsdnssectrigger07ForMacosX10.7.Package_Root.pkg"\nError Domain=PKInstallErrorDomain Code=112 UserInfo=0x10044b6d0 "An error occurred while running scripts from the package ?packageroot.pkg?." {\n NSFilePath = "./postflight";\n NSLocalizedDescription = "An error occurred while running scripts from the package \U201cpackageroot.pkg\U201d.";\n NSURL = "./Contents/Packages/packageroot.pkg -- file://localhost/Volumes/DnssecTrigger/dnssectrigger-0.7-i386.mpkg/";\n PKInstallPackageIdentifier = "nl.nlnetlabsdnssectrigger07ForMacosX10.7.Package_Root.pkg";\n}
Nov 5 01:41:40 jmbp Installer[71103]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
Nov 5 01:41:40 jmbp Installer[71103]: IFDInstallController 3309B0 state = 7
Nov 5 01:41:40 jmbp Installer[71103]: Displaying 'Install Failed' UI.
Nov 5 01:41:40 jmbp Installer[71103]: 'Install Failed' UI displayed message:'The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.'.

From jpmens.dns at gmail.com Sat Nov 5 00:22:13 2011
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Sat, 5 Nov 2011 01:22:13 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To: <4EB42B9F.2070600@strotmann.de>
References: <4EB42B9F.2070600@strotmann.de>
Message-ID: <20111105002213.GA70968@jmbp.jpmens.org>

> (I've got a flu, my systems are down to the bare minimum)

So lack of DNSSEC got you a virus? Get well soon! :-)

-JP

From jaap at NLnetLabs.nl Sat Nov 5 13:13:26 2011
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Sat, 05 Nov 2011 14:13:26 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To:
References:
Message-ID: <201111051313.pA5DDQPb028915@bartok.nlnetlabs.nl>

    I just tried the 0.7 DMG on my OSX Lion laptop and the installer tells
    me the installation failed. Is there a log anywhere, where I can see
    what went wrong?

It is a known problem in the installer. It did install properly anyway.

    did anyone else test this on Lion?

Multiple people did (ignoring the error).
jaap

From jpmens.dns at gmail.com Sat Nov 5 15:11:02 2011
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Sat, 5 Nov 2011 16:11:02 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To: <201111051313.pA5DDQPb028915@bartok.nlnetlabs.nl>
References: <201111051313.pA5DDQPb028915@bartok.nlnetlabs.nl>
Message-ID: <20111105151102.GA80406@jmbp.jpmens.org>

Jaap,

> It is a known problem in the installer. It did install properly anyway.
> Multiple people did (ignoring the error).

My findings (on Snow Leopard) are that the daemons are correctly installed
and primed, but the GUI component (RiggerStatusItem.app?), isn't launched.

What is the correct method of launching this, apart from running
`sudo RiggerStatusItem.app'? (I'd prefer not to reboot. :-)

-JP

From jpmens.dns at gmail.com Sat Nov 5 15:22:17 2011
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Sat, 5 Nov 2011 16:22:17 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To: <20111105151102.GA80406@jmbp.jpmens.org>
References: <201111051313.pA5DDQPb028915@bartok.nlnetlabs.nl> <20111105151102.GA80406@jmbp.jpmens.org>
Message-ID: <20111105152217.GB80406@jmbp.jpmens.org>

> What is the correct method of launching this, apart from running
> `sudo RiggerStatusItem.app'? (I'd prefer not to reboot. :-)

For the record, I found it where I should have looked to start with.

    sudo launchctl load -w \
        /Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist

Apologies for the noise.

-JP

From jaap at NLnetLabs.nl Sat Nov 5 21:39:31 2011
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Sat, 05 Nov 2011 22:39:31 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To: <20111105151102.GA80406@jmbp.jpmens.org>
References: <201111051313.pA5DDQPb028915@bartok.nlnetlabs.nl> <20111105151102.GA80406@jmbp.jpmens.org>
Message-ID: <201111052139.pA5LdVqJ093246@bartok.nlnetlabs.nl>

    > It is a known problem in the installer. It did install properly anyway.
    > Multiple people did (ignoring the error).

    My findings (on Snow Leopard) are that the daemons are correctly
    installed and primed, but the GUI component (RiggerStatusItem.app?),
    isn't launched.

Yup, that is the problem.

    What is the correct method of launching this, apart from running
    `sudo RiggerStatusItem.app'? (I'd prefer not to reboot. :-)

Apart from the reboot (what most people did) you can Logout/Login.
That will have the effect that
/Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist will
put the RiggerStatusItem under launchctld. I think you can do that
by hand with "launchtld -w load
Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist" or
something like that).

jaap

From wouter at NLnetLabs.nl Mon Nov 7 15:27:31 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Mon, 07 Nov 2011 16:27:31 +0100
Subject: [Dnssec-trigger] OSX Lion issue with installer dmg?
In-Reply-To: <201111052139.pA5LdVqJ093246@bartok.nlnetlabs.nl>
References: <201111051313.pA5DDQPb028915@bartok.nlnetlabs.nl> <20111105151102.GA80406@jmbp.jpmens.org> <201111052139.pA5LdVqJ093246@bartok.nlnetlabs.nl>
Message-ID: <4EB7F8E3.10300@nlnetlabs.nl>

Hi Jaap, Jan-Piet, Carsten, Paul,

On 11/05/2011 10:39 PM, Jaap Akkerhuis wrote:
>
>     > It is a known problem in the installer. It did install properly anyway.
>     > Multiple people did (ignoring the error).
>
>     My findings (on Snow Leopard) are that the daemons are correctly
>     installed and primed, but the GUI component (RiggerStatusItem.app?),
>     isn't launched.

Yes, thank you for your input. The 'sudo' was the clue. You see, the
launchd contexts are messed up. The userspace and Mach bootstrap namespace
hierarchy gets messed up badly during the install. Furthermore, launchctl
has side-effects where load today enables load at boot-time tomorrow, but
this side-effect only happens when executed in 'some weird other context'
and as user (not as root).

Now, after trying many times (and a broken machine after a failed OS
update that broke networking), I think I have a working version. The OS
version is important. Sudo -u user, is different from as-root, and that is
also different from sudo -u user and a particular Mach bootstrap namespace
hierarchy.

> Yup, that is the problem.
>
>     What is the correct method of launching this, apart from running
>     `sudo RiggerStatusItem.app'? (I'd prefer not to reboot. :-)
>
> Apart from the reboot (what most people did) you can Logout/Login.
> That will have the effect that
> /Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist will
> put the RiggerStatusItem under launchctld. I think you can do that
> by hand with "launchtld -w load
> Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist" or
> something like that).

Yes, I thought so too, but the commandline is different from the
script-environment because it has a different Mach-context ... I still do
not know what a mach bootstrap namespace hierarchy is, but it seems to
work when I test it.

Best regards,
   Wouter

From wouter at NLnetLabs.nl Tue Nov 8 14:54:34 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 08 Nov 2011 15:54:34 +0100
Subject: [Dnssec-trigger] dnssec trigger snapshot 0.8 SSL test
Message-ID: <4EB942AA.4040906@nlnetlabs.nl>

Hi,

There is a snapshot of 0.8 available. Dnssec trigger is experimental and
not ready for production use. The aim is to figure out how to do it for
production use (and normal people).

The snapshot here has the mac install bug (erroneous error) fixed.

The snapshot contains the SSL fallback. For this you need unbound from svn
trunk (the osx and windows binaries include this unbound version), that
supports SSL queries. It can then maybe use this functionality. However,
it is currently unknown if this works - it works in lab conditions,
however the issue seems that the code fails in a real (hostile
deep-packet-thingy) network in a hotel (or other spot). Where another test
(plain https over ssl) seems to work.

If you want to install this, please try out in such networks. If the
ssl443 fallback really works. And if ssl443 fails, if then https also
fails (i.e. try some https site, such as nlnetlabs.nl (signed with
CAcert)). The idea is to gain confidence that the ssl fallback really
provides tangible benefit.

The server is also changed, to a new server at NLnet Labs that can do SSL.
Upon a final release the old server would be decommissioned.
The server is provided as-is, and there are no service and uptime
guarantees.

http://www.nlnetlabs.nl/~wouter/dnssectrigger-0.8_20111108.dmg
http://www.nlnetlabs.nl/~wouter/dnssec_trigger_setup_0.8_20111108.exe
http://www.nlnetlabs.nl/~wouter/dnssec-trigger-0.8_20111108.tar.gz
sha1 5e55e1b1d685bdda75bd2ce4e4d617fa7b8cd995
sha256 954f58ed071f7e5366f68c152eae06307c573ca95ef2962b524119a0ccf2810e

Best regards,
   Wouter

From ogud at ogud.com Tue Nov 8 14:59:08 2011
From: ogud at ogud.com (Olafur Gudmundsson)
Date: Tue, 08 Nov 2011 09:59:08 -0500
Subject: [Dnssec-trigger] False negative test result
Message-ID: <4EB943BC.3030306@ogud.com>

First impression: Cool I love the idea and the program.

I installed the program yesterday and after work turned the computer on
at home. DNS Trigger reported no DNSSEC possible, the reason was that my
machine at that time had not got any addresses but still remembered the
addresses and DNS servers from the work network.

Once the machine was up and running on the network I retested and things
were cool.

Two suggestions:
a) On the report that pops up please include a button to retest it
   will reduce the number of complaints in the long run.
b) I'm not sure why DNS Trigger thought the machine was on a
   network, but I'm sure all the resolvers timed out thus the program
   should retest after a few seconds before throwing up a message to the
   user.

Specifics: (probably not that important)
OS: Windows-7 Premier
Network: 802.11g
DNSTrigger: 0.7

Olafur

From wouter at NLnetLabs.nl Tue Nov 8 16:18:43 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 08 Nov 2011 17:18:43 +0100
Subject: [Dnssec-trigger] False negative test result
In-Reply-To: <4EB943BC.3030306@ogud.com>
References: <4EB943BC.3030306@ogud.com>
Message-ID: <4EB95663.30204@nlnetlabs.nl>

Hi Olafur,

On 11/08/2011 03:59 PM, Olafur Gudmundsson wrote:
>
> First impression: Cool I love the idea and the program.

:-)

> I installed the program yesterday and after work turned the computer on
> at home. DNS Trigger reported no DNSSEC possible, the reason was that my
> machine at that time had not got any addresses but still remembered the
> addresses and DNS servers from the work network.

I see, from the Registry.

> Once the machine was up and running on the network I retested and things
> were cool.

The slow bootup, during this time it tested the servers it remembered but
there was no network. There is a similar problem on OSX when it boots up
slowly, and gives insecure warning spuriously.

> Two suggestions:
> a) On the report that pops up please include a button to retest it
> will reduce the number of complaints in the long run.

No, more GUI complexity is bad, there is already a menu item.

> b) I'm not sure why DNS Trigger thought the machine was on a
> network, but I'm sure all the resolvers timed out thus the program
> should retest after a few seconds before throwing up a message to the user.

Yes, I think a fix here is to detect (something that needs careful code)
that none of the servers could really be reached and there is no network,
and that the 'disconnected' state is the correct response. Because the
cache does not ping, insecure is not that nice, and if the other options
also do not ping, that seems to be a good user experience to simply
activate the disconnected state, and that may solve this issue without
GUI-complexity.

> Specifics: (probably not that important)
> OS: Windows-7 Premier
> Network: 802.11g
> DNSTrigger: 0.7

Best regards,
   Wouter

From paul at xelerance.com Tue Nov 15 05:52:31 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 15 Nov 2011 00:52:31 -0500 (EST)
Subject: [Dnssec-trigger] Feature creep :) was Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too. (fwd)
Message-ID:

Should unbound and dnssec-trigger be extended to look at this?

As Paul Vixie said before "Clear path DNS is not engineering - it is
information warfare"

Paul

---------- Forwarded message ----------
Date: Fri, 2 Sep 2011 03:32:09
From: Paul Vixie
To: dnssec-deployment at dnssec-deployment.org
Subject: Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too.

> From: Mark Andrews
> Date: Fri, 02 Sep 2011 10:13:48 +1000
>
> Just the other day I was sitting in a hotel with "transparent"
> intercepting DNS cache. This was not an issue for DNSSEC validation
> because it was DNSSEC aware and returned the records which allowed
> me to validate the responses. The only thing I need to tweak was
> to set RD=1 on all queries or else the "transparent" intercepting
> DNS cache wouldn't recurse for me.

is this RD=1 fallback something we should enshrine in BIND and/or an RFC?

From jpmens.dns at gmail.com Tue Nov 15 14:30:02 2011
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Tue, 15 Nov 2011 15:30:02 +0100
Subject: [Dnssec-trigger] dnssec trigger snapshot 0.8 SSL test
In-Reply-To: <4EB942AA.4040906@nlnetlabs.nl>
References: <4EB942AA.4040906@nlnetlabs.nl>
Message-ID: <20111115143002.GA16302@jmbp.jpmens.org>

Hello Wouter,

> There is a snapshot of 0.8 available.

I've just checked into a hotel and have installed this snapshot, with
the following results:

    $ dig +short rs.dns-oarc.net txt
    rst.x476.rs.dns-oarc.net.
    rst.x485.x476.rs.dns-oarc.net.
    rst.x490.x485.x476.rs.dns-oarc.net.
    "62.253.172.149 DNS reply size limit is at least 490"
    "62.253.172.149 lacks EDNS, defaults to 512"
    "Tested at 2011-11-15 14:19:23 UTC"

    $ sudo /usr/sbin/dnssec-trigger-control status
    at 2011-11-15 15:26:15
    authority 192.58.128.30: error no RRSIGs in reply
    cache 194.168.4.123: error no RRSIGs in reply
    cache 194.168.8.123: error no RRSIGs in reply
    state: nodnssec insecure

    $ cat /etc/resolv.conf
    domain GUEST
    search intern
    nameserver 194.168.8.123
    nameserver 194.168.4.123

No DNSSEC for my Mac :-(

I'll be here until early Thursday, and I'm willing to test, so just tell
me what I should do ;-)

Regards,

-JP

From matthijs at NLnetLabs.nl Tue Nov 15 15:29:24 2011
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Tue, 15 Nov 2011 16:29:24 +0100
Subject: [Dnssec-trigger] dnssec trigger snapshot 0.8 SSL test
In-Reply-To: <20111115143002.GA16302@jmbp.jpmens.org>
References: <4EB942AA.4040906@nlnetlabs.nl> <20111115143002.GA16302@jmbp.jpmens.org>
Message-ID: <4EC28554.2020900@nlnetlabs.nl>

Hi Jan-Piet,

Unfortunately, Wouter is taking days off, so it is unsure if he will read
this before you will check out again.

I would recommend to let dnssec-triggerd run with verbosity level 4 or 5
(highest setting) and send the logfile to me + Wouter. Both can be
configured in the configuration file.

Best regards,
  Matthijs

On 11/15/2011 03:30 PM, Jan-Piet Mens wrote:
> Hello Wouter,
>
>> There is a snapshot of 0.8 available.
>
> I've just checked into a hotel and have installed this snapshot, with
> the following results:
>
> $ dig +short rs.dns-oarc.net txt
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oarc.net.
> rst.x490.x485.x476.rs.dns-oarc.net.
> "62.253.172.149 DNS reply size limit is at least 490"
> "62.253.172.149 lacks EDNS, defaults to 512"
> "Tested at 2011-11-15 14:19:23 UTC"
>
> $ sudo /usr/sbin/dnssec-trigger-control status
> at 2011-11-15 15:26:15
> authority 192.58.128.30: error no RRSIGs in reply
> cache 194.168.4.123: error no RRSIGs in reply
> cache 194.168.8.123: error no RRSIGs in reply
> state: nodnssec insecure
>
> $ cat /etc/resolv.conf
> domain GUEST
> search intern
> nameserver 194.168.8.123
> nameserver 194.168.4.123
>
> No DNSSEC for my Mac :-(
>
> I'll be here until early Thursday, and I'm willing to test, so just tell
> me what I should do ;-)
>
> Regards,
>
> -JP
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger

From wouter at NLnetLabs.nl Mon Nov 28 14:42:18 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Mon, 28 Nov 2011 15:42:18 +0100
Subject: [Dnssec-trigger] Feature creep :) was Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too. (fwd)
In-Reply-To:
References:
Message-ID: <4ED39DCA.6080001@nlnetlabs.nl>

Hi Paul,

Such caches set the RA flag on the reply. Unbound has a fallback already
builtin where it sees the RA flag and retries with +RD. It also dislikes
the result immensely, and will only try it at last resort. Sometimes
people deploy a recursor instead of authoritative slave and this happens
on the normal internet.

Dnssec-trigger in the last version notices the transparent proxy and
stops lookups (entirely!) via the transparent proxy. It does not attempt a
+RD retry via the transparent proxy, which is complicated I think, because
I am not sure how to make it work once detected: would forward-zone: "."
and a root-server forward-addr work, i.e.
pretend the root server is a cache and let the transparent proxy cache via
that address?

Best regards,
   Wouter

On 11/15/2011 06:52 AM, Paul Wouters wrote:
>
> Should unbound and dnssec-trigger be extended to look at this?
>
> As Paul Vixie said before "Clear path DNS is not engineering - it is
> information warfare"
>
> Paul
>
> ---------- Forwarded message ----------
> Date: Fri, 2 Sep 2011 03:32:09
> From: Paul Vixie
> To: dnssec-deployment at dnssec-deployment.org
> Subject: Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too.
>
>> From: Mark Andrews
>> Date: Fri, 02 Sep 2011 10:13:48 +1000
>>
>> Just the other day I was sitting in a hotel with "transparent"
>> intercepting DNS cache. This was not an issue for DNSSEC validation
>> because it was DNSSEC aware and returned the records which allowed
>> me to validate the responses. The only thing I need to tweak was
>> to set RD=1 on all queries or else the "transparent" intercepting
>> DNS cache wouldn't recurse for me.
>
> is this RD=1 fallback something we should enshrine in BIND and/or an RFC?
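
Added example, not part of the thread and not code from dnssec-trigger or
unbound: a Python illustration of the two reply checks discussed above, the
"no RRSIGs in reply" result from the hotel status output and the RA flag on
a reply to an RD=0 authority probe as a hint that a recursor or transparent
proxy answered. The function names, the "intercepted" label and the sample
packets are constructed for illustration; only the string "error no RRSIGs
in reply" is taken from the status output quoted in the thread.

```python
import struct

# Constants from RFC 1035 (header flags), RFC 4034 (RRSIG), RFC 6891 (OPT, DO bit)
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
EDNS_DO = 0x8000                  # "DNSSEC OK" flag inside the OPT TTL field
A_RDATA = bytes([192, 0, 2, 1])   # constructed: documentation address
SIG_RDATA = b"\x00" * 24          # constructed placeholder, not a real signature


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, rd=False, qid=0x1234):
    """Query with an EDNS0 OPT record setting DO=1, i.e. asking for signatures."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD if rd else 0, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a name that may end in a compression pointer."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def parse_reply(msg):
    """Return (flags, answer RR types); raise ValueError on a malformed reply."""
    if len(msg) < 12:
        raise ValueError("short header")
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a reply")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("truncated RDATA")
        types.append(rtype)
    return flags, types


def classify_probe(reply, kind, sent_rd):
    """kind is "authority" or "cache", the two probe kinds in the status output."""
    try:
        flags, types = parse_reply(reply)
    except ValueError as exc:
        return "error malformed reply (%s)" % exc
    if kind == "authority" and not sent_rd and flags & FLAG_RA:
        # Heuristic from the thread: RA=1 on an RD=0 query to an authority
        # suggests a recursor or transparent proxy answered in its place.
        return "intercepted: RA set on authority reply"
    if TYPE_RRSIG not in types:
        return "error no RRSIGs in reply"      # presence check only, no validation
    return "OK"


def build_reply(query, flags, answers):
    """Constructed sample reply: echo the question, append (type, rdata) answers."""
    question = query[12:len(query) - 11]       # drop header and the 11-byte OPT RR
    header = query[:2] + struct.pack("!HHHHH", FLAG_QR | flags, 1, len(answers), 0, 0)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                    for t, rd in answers)
    return header + question + body


def demo():
    q0, q1 = build_query("example."), build_query("example.", rd=True)
    signed = [(TYPE_A, A_RDATA), (TYPE_RRSIG, SIG_RDATA)]
    return [
        # authoritative server that returns signatures
        classify_probe(build_reply(q0, FLAG_AA, signed), "authority", False),
        # cache that answers but drops the signatures (the hotel case)
        classify_probe(build_reply(q1, FLAG_RD | FLAG_RA, [(TYPE_A, A_RDATA)]), "cache", True),
        # transparent proxy replying to an RD=0 authority probe
        classify_probe(build_reply(q0, FLAG_RA, []), "authority", False),
        # same proxy after an RD=1 retry, DNSSEC-aware so signatures come back
        classify_probe(build_reply(q1, FLAG_RD | FLAG_RA, signed), "authority", True),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```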