[Dnssec-trigger] False negative test result

W.C.A. Wijngaards wouter at NLnetLabs.nl
Tue Nov 8 16:18:43 UTC 2011


Hi Olafur,

On 11/08/2011 03:59 PM, Olafur Gudmundsson wrote:
> 
> First impression: Cool I love the idea and the program.

:-)

> I installed the program yesterday and after work turned the computer on
> at home. DNS Trigger reported no DNSSEC possible, the reason was that my
> machine at that time had not got any addresses but still remembered the
> addresses and DNS servers from the work network.

I see, from the Registry.

> Once the machine was up and running on the network I retested and things
> were cool.

The slow bootup, during this time it tested the servers it remembered
but there was no network.  There is a similar problem on OSX when it
boots up slowly, and gives insecure warning spuriously.

> Two suggestions:
>     a) On the report that pops up please include a button to retest it
> will reduce the number of complaints in the long run.

No, more GUI complexity is bad, there is already a menu item.

>     b) I'm not sure why DNS Trigger thought the machine was on a
> network, but I'm sure all the resolvers timed out thus the program
> should retest after a few seconds before throwing up a message to the user.

Yes, I think a fix here is to detect (something that needs careful code)
that none of the servers could really be reached and there is no
network, and that the 'disconnected' state is the correct response.
Because the cache does not ping, insecure is not that nice, and if the
other options also do not ping, that seems to be a good user experience
to simply activate the disconnected state, and that may solve this issue
without GUI-complexity.

> Specifics: (probably not that important)
>     OS: Windows-7 Premier
>     Network: 802.11g
>     DNSTrigger: 0.7

Best regards,
   Wouter
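
An added illustration of the fix discussed in the message above (not part of the original e-mail and not dnssec-trigger's own code): classify one round of probes so that "every server timed out" maps to the disconnected state instead of an insecure warning. The type, state and probe names are hypothetical, and the sample probe results are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for illustration; not dnssec-trigger's own types. */
enum outcome { PROBE_TIMEOUT, PROBE_NO_DNSSEC, PROBE_DNSSEC_OK };
enum state { STATE_SECURE, STATE_INSECURE, STATE_DISCONNECTED };

struct probe {
    const char *target;   /* a remembered cache, or one of the other options */
    enum outcome result;
};

/* Decide what to report after one round of probes.
 * A timeout means nothing answered at all, which says nothing about
 * DNSSEC support; only an actual reply that lacks DNSSEC is evidence
 * of an insecure network. */
enum state decide(const struct probe *p, size_t n)
{
    size_t answered = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].result == PROBE_DNSSEC_OK)
            return STATE_SECURE;
        if (p[i].result != PROBE_TIMEOUT)
            answered++;
    }
    /* No servers known, or every probe timed out: there is no network yet. */
    return answered ? STATE_INSECURE : STATE_DISCONNECTED;
}

int main(void)
{
    /* Constructed sample: slow boot, stale resolver addresses, no link. */
    struct probe boot[] = {
        { "remembered cache 1", PROBE_TIMEOUT },
        { "remembered cache 2", PROBE_TIMEOUT },
        { "other option",       PROBE_TIMEOUT },
    };
    static const char *names[] = { "secure", "insecure", "disconnected" };
    printf("%s\n", names[decide(boot, 3)]);
    return 0;
}
```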


