[Dnssec-trigger] False negative test result
wouter at NLnetLabs.nl
Tue Nov 8 16:18:43 UTC 2011
On 11/08/2011 03:59 PM, Olafur Gudmundsson wrote:
> First impression: Cool, I love the idea and the program.
> I installed the program yesterday and after work turned the computer on
> at home. DNS Trigger reported no DNSSEC possible, the reason was that my
> machine at that time had not got any addresses but still remembered the
> addresses and DNS servers from the work network.

I see, from the Registry.

> Once the machine was up and running on the network I retested and things
> were cool.

The slow bootup, during this time it tested the servers it remembered
but there was no network. There is a similar problem on OSX when it
boots up slowly, and gives an insecure warning spuriously.

> Two suggestions:
> a) On the report that pops up please include a button to retest; it
> will reduce the number of complaints in the long run.

No, more GUI complexity is bad, there is already a menu item.

> b) I'm not sure why DNS Trigger thought the machine was on a
> network, but I'm sure all the resolvers timed out thus the program
> should retest after a few seconds before throwing up a message to the user.

Yes, I think a fix here is to detect (something that needs careful code)
that none of the servers could really be reached and there is no
network, and that the 'disconnected' state is the correct response.
Because the cache does not ping, insecure is not that nice, and if the
other options also do not ping, that seems to be a good user experience
to simply activate the disconnected state, and that may solve this issue.

> Specifics: (probably not that important)
> OS: Windows-7 Premier
> Network: 802.11g
> DNSTrigger: 0.7
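The decision discussed in the message above, as an added sketch that is not dnssec-trigger code and not written by either poster: treat "every probe timed out" as disconnected rather than insecure, and retest after a few seconds before settling. All names (`Probe`, `classify`, `probe_until_settled`), the retry count and delay, and the sample addresses are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    TIMEOUT = "timeout"        # no reply at all from the server
    NO_DNSSEC = "no_dnssec"    # server replied, but without usable DNSSEC data
    DNSSEC_OK = "dnssec_ok"    # server replied with usable DNSSEC data

class State(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    DISCONNECTED = "disconnected"

@dataclass(frozen=True)
class Probe:
    target: str       # hypothetical label: "cache" or "other" fallback option
    server: str
    outcome: Outcome

def classify(probes):
    """Map one round of probe results to a state."""
    if any(p.outcome is Outcome.DNSSEC_OK for p in probes):
        return State.SECURE
    # Nothing answered at all (or nothing was probed): there is no evidence
    # of a DNSSEC-hostile network, only of no network.
    if all(p.outcome is Outcome.TIMEOUT for p in probes):
        return State.DISCONNECTED
    # At least one server answered, and none of the answers carried DNSSEC.
    return State.INSECURE

def probe_until_settled(run_probes, retries=2, delay=3.0, sleep=time.sleep):
    """Retest while everything times out, e.g. during a slow boot."""
    state = classify(run_probes())
    while state is State.DISCONNECTED and retries > 0:
        sleep(delay)
        retries -= 1
        state = classify(run_probes())
    return state

def demo():
    # Constructed sample: remembered servers from another network time out
    # first, then the local cache answers once the interface is up.
    stale = [Probe("cache", "192.0.2.53", Outcome.TIMEOUT),
             Probe("other", "192.0.2.54", Outcome.TIMEOUT)]
    up = [Probe("cache", "198.51.100.1", Outcome.DNSSEC_OK)]
    rounds = iter([stale, up])
    sleeps = []
    state = probe_until_settled(lambda: next(rounds), sleep=sleeps.append)
    return state, sleeps
```

Only a round in which some server answered without DNSSEC data yields the insecure state, so a machine that is still booting ends up disconnected instead of raising the warning.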