From bortzmeyer at nic.fr Fri Oct 7 07:16:22 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 7 Oct 2011 09:16:22 +0200
Subject: [Dnssec-trigger] A new type of painful hotspot: split-view for the captive portal
Message-ID: <20111007071622.GA10517@laperouse.bortzmeyer.org>

I just encountered a sort of hotspot I didn't know. The DNS resolvers
are broken, it allows direct access to the authoritative name servers
but there is a captive portal and its name is not in the public DNS,
but only in the view of the local resolvers.

dnssec-trigger 0.5 is happy with it:

at 2011-10-07 09:08:46
authority 193.0.14.129: OK
cache 10.150.6.1: error no RRSIGs in reply
cache 10.150.2.1: error no RRSIGs in reply
state: auth secure

So it uses it:

# Generated by dnssec-trigger 0.5
domain nic.fr
search nic.fr
nameserver 127.0.0.1

And, indeed, I can talk to authoritative name servers:

; <<>> DiG 9.7.3 <<>> @193.0.14.129 DNSKEY .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57997
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 172800 IN DNSKEY 256 3 8 AwEAAcy4Eo1P5B3ut9Vm9ZP92JnCFSALJqdhO5fOq1UsseYaiMFqgDH6 Y40iqDw6JmpkmhiJLW6HGj//JLQXAJ+k4EcQ9tlDJqumEe7OJMU6KpcK s6qI4lugy8j/v6DxDlZdAPASbKmoGx1oceRKzr/UdwyB1G5aIEtwK7/D QFrn3zRj
. 172800 IN DNSKEY 256 3 8 AwEAAdNW7YIhcTdqXrzgZjJJ35VjAFT1ArvnhAzXDm7AuGxSQqmGBRmj JvBv0xS4gahB9mj6ekF0dVKoeZgLmNAjo8hj2JI7K281YTo2R5k3mKSc 4hOCP55hR22r5hIsPJoT19pv/VdZQfyTzZ96frQ16qRa9+/GSjzjtFfQ v16FwE7R
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

;; Query time: 42 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Fri Oct 7 09:10:08 2011
;; MSG SIZE rcvd: 597

But when I try to surf, I get messages saying that bsc-lsh3.essec.fr
does not exist. It seems to be the captive portal and is not in the
public DNS:

; <<>> DiG 9.7.3 <<>> A bsc-lsh3.essec.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28170
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bsc-lsh3.essec.fr. IN A

;; AUTHORITY SECTION:
essec.fr. 3201 IN SOA rubis.essec.fr. postmaster.essec.fr. 2008102551 10800 3600 1728000 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 7 09:11:33 2011
;; MSG SIZE rcvd: 99

But it is on the name servers they provide:

; <<>> DiG 9.7.3 <<>> @10.150.6.1 A bsc-lsh3.essec.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2500
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bsc-lsh3.essec.fr. IN A

;; ANSWER SECTION:
bsc-lsh3.essec.fr. 28800 IN A 194.254.137.123

;; Query time: 37 msec
;; SERVER: 10.150.6.1#53(10.150.6.1)
;; WHEN: Fri Oct 7 09:11:26 2011
;; MSG SIZE rcvd: 62

From wouter at NLnetLabs.nl Mon Oct 10 12:23:31 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Mon, 10 Oct 2011 14:23:31 +0200
Subject: [Dnssec-trigger] A new type of painful hotspot: split-view for the captive portal
In-Reply-To: <20111007071622.GA10517@laperouse.bortzmeyer.org>
References: <20111007071622.GA10517@laperouse.bortzmeyer.org>
Message-ID: <4E92E3C3.6010407@nlnetlabs.nl>

Hi Stephane,

In 0.5 I made the HotSpot SignOn menu item, that triggers insecure mode
so you can sign on to the broken signon page of this hotspot.

You can also setup this from the commandline:
$ dnssec-trigger-control hotspot_signon
.. do the signon via web browser ..
$ dnssec-trigger-control reprobe
.. state should be back to DNSSEC secure again ..

This option is evil, in that it allows you to turn off DNSSEC. And thus
users downgrade themselves. But it works with these hotspots in
practice. And may work for some nasty split-view local printer setups
and so on...

Best regards,
Wouter

On 10/07/2011 09:16 AM, Stephane Bortzmeyer wrote:
> I just encountered a sort of hotspot I didn't know. The DNS resolvers
> are broken, it allows direct access to the authoritative name servers
> but there is a captive portal and its name is not in the public DNS,
> but only in the view of the local resolvers.
>
> dnssec-trigger 0.5 is happy with it:
>
> at 2011-10-07 09:08:46
> authority 193.0.14.129: OK
> cache 10.150.6.1: error no RRSIGs in reply
> cache 10.150.2.1: error no RRSIGs in reply
> state: auth secure
>
> So it uses it:
>
> # Generated by dnssec-trigger 0.5
> domain nic.fr
> search nic.fr
> nameserver 127.0.0.1
>
> And, indeed, I can talk to authoritative name servers:
>
> ; <<>> DiG 9.7.3 <<>> @193.0.14.129 DNSKEY .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57997
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;. IN DNSKEY
>
> ;; ANSWER SECTION:
> . 172800 IN DNSKEY 256 3 8 AwEAAcy4Eo1P5B3ut9Vm9ZP92JnCFSALJqdhO5fOq1UsseYaiMFqgDH6 Y40iqDw6JmpkmhiJLW6HGj//JLQXAJ+k4EcQ9tlDJqumEe7OJMU6KpcK s6qI4lugy8j/v6DxDlZdAPASbKmoGx1oceRKzr/UdwyB1G5aIEtwK7/D QFrn3zRj
> . 172800 IN DNSKEY 256 3 8 AwEAAdNW7YIhcTdqXrzgZjJJ35VjAFT1ArvnhAzXDm7AuGxSQqmGBRmj JvBv0xS4gahB9mj6ekF0dVKoeZgLmNAjo8hj2JI7K281YTo2R5k3mKSc 4hOCP55hR22r5hIsPJoT19pv/VdZQfyTzZ96frQ16qRa9+/GSjzjtFfQ v16FwE7R
> . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
>
> ;; Query time: 42 msec
> ;; SERVER: 193.0.14.129#53(193.0.14.129)
> ;; WHEN: Fri Oct 7 09:10:08 2011
> ;; MSG SIZE rcvd: 597
>
> But when I try to surf, I get messages saying that bsc-lsh3.essec.fr
> does not exist. It seems to be the captive portal and is not in the
> public DNS:
>
> ; <<>> DiG 9.7.3 <<>> A bsc-lsh3.essec.fr
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28170
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;bsc-lsh3.essec.fr. IN A
>
> ;; AUTHORITY SECTION:
> essec.fr. 3201 IN SOA rubis.essec.fr. postmaster.essec.fr. 2008102551 10800 3600 1728000 3600
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Oct 7 09:11:33 2011
> ;; MSG SIZE rcvd: 99
>
> But it is on the name servers they provide:
>
> ; <<>> DiG 9.7.3 <<>> @10.150.6.1 A bsc-lsh3.essec.fr
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2500
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;bsc-lsh3.essec.fr. IN A
>
> ;; ANSWER SECTION:
> bsc-lsh3.essec.fr. 28800 IN A 194.254.137.123
>
> ;; Query time: 37 msec
> ;; SERVER: 10.150.6.1#53(10.150.6.1)
> ;; WHEN: Fri Oct 7 09:11:26 2011
> ;; MSG SIZE rcvd: 62
>
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger

From paul at xelerance.com Tue Oct 11 16:12:13 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 11 Oct 2011 12:12:13 -0400 (EDT)
Subject:
[Dnssec-trigger] A new type of painful hotspot: split-view for the captive portal
In-Reply-To: <4E92E3C3.6010407@nlnetlabs.nl>
References: <20111007071622.GA10517@laperouse.bortzmeyer.org> <4E92E3C3.6010407@nlnetlabs.nl>
Message-ID:

On Mon, 10 Oct 2011, W.C.A. Wijngaards wrote:

> In 0.5 I made the HotSpot SignOn menu item, that triggers insecure mode
> so you can sign on to the broken signon page of this hotspot.
>
> You can also setup this from the commandline:
> $ dnssec-trigger-control hotspot_signon
> .. do the signon via web browser ..
> $ dnssec-trigger-control reprobe
> .. state should be back to DNSSEC secure again ..

does it drop the cache at this point to clear any potential spoofed records
when dnssec was off?

Paul

From wouter at NLnetLabs.nl Wed Oct 12 06:52:16 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Wed, 12 Oct 2011 08:52:16 +0200
Subject: [Dnssec-trigger] A new type of painful hotspot: split-view for the captive portal
In-Reply-To:
References: <20111007071622.GA10517@laperouse.bortzmeyer.org> <4E92E3C3.6010407@nlnetlabs.nl>
Message-ID: <4E953920.1040804@nlnetlabs.nl>

On 10/11/2011 06:12 PM, Paul Wouters wrote:
> On Mon, 10 Oct 2011, W.C.A. Wijngaards wrote:
>
>> In 0.5 I made the HotSpot SignOn menu item, that triggers insecure mode
>> so you can sign on to the broken signon page of this hotspot.
>>
>> You can also setup this from the commandline:
>> $ dnssec-trigger-control hotspot_signon
>> .. do the signon via web browser ..
>> $ dnssec-trigger-control reprobe
>> .. state should be back to DNSSEC secure again ..
>
> does it drop the cache at this point to clear any potential spoofed records
> when dnssec was off?

Yes. It attempts to flush the OS system DNS cache too.
(blabla /-flushdns on OSX and Windows).
Best regards,
Wouter

From omotheclowno25 at gmail.com Wed Oct 12 13:55:30 2011
From: omotheclowno25 at gmail.com (Daniel Ashford)
Date: Thu, 13 Oct 2011 00:55:30 +1100
Subject: [Dnssec-trigger] dnssec-trigger Digest, Vol 2, Issue 3
In-Reply-To:
References:
Message-ID:

what do you mean by hotspot? And what is a split-view for the captive
portal?

--
omotheclowno25 at yahoo.com.au

From wouter at NLnetLabs.nl Thu Oct 13 12:01:36 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Thu, 13 Oct 2011 14:01:36 +0200
Subject: [Dnssec-trigger] dnssec-trigger Digest, Vol 2, Issue 3
In-Reply-To:
References:
Message-ID: <4E96D320.6070804@nlnetlabs.nl>

Hi Daniel,

This may not be precise, but vague:

hotspot: public wifi access point, such as you find in airports,
hotels or coffee sellers.
split-view: dns is not the dns that the rest of the internet sees, but
has different or additional contents.
captive portal: the thing that means you cannot access the internet
right away.

Best regards,
Wouter

On 10/12/2011 03:55 PM, Daniel Ashford wrote:
> what do you mean by hotspot? And what is a split-view for the captive
> portal?

From bortzmeyer at nic.fr Wed Oct 19 13:30:29 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Wed, 19 Oct 2011 15:30:29 +0200
Subject: [Dnssec-trigger] dnssec-trigger-control ignores unknown commands
Message-ID: <20111019133029.GA12435@laperouse.bortzmeyer.org>

By making a typo, I discovered that dnssec-trigger-control 0.5 silently
ignores unknown commands, which is a bad thing, because a typo may go
undetected.
% dnssec-trigger-control zzzz
%

From nlnetlabs at belanger.fr Wed Oct 19 18:54:34 2011
From: nlnetlabs at belanger.fr (Xavier Belanger)
Date: Wed, 19 Oct 2011 14:54:34 -0400
Subject: [Dnssec-trigger] Echo bug in makefile
Message-ID: <20111019145434.49372cac.nlnetlabs@belanger.fr>

Hi,

When I call "make install" the last message is printed twice:

echo "It is probably good to run dnssec-trigger-control-setup (...)
It is probably good to run dnssec-trigger-control-setup (...)

It seems due to a missing @ sign before the echo command (and there
are some others) in the Makefile.

Bye.
--
Xavier Belanger

From nlnetlabs at belanger.fr Wed Oct 19 18:31:05 2011
From: nlnetlabs at belanger.fr (Xavier Belanger)
Date: Wed, 19 Oct 2011 14:31:05 -0400
Subject: [Dnssec-trigger] dnssec-trigger-control ignores unknown commands
In-Reply-To: <20111019133029.GA12435@laperouse.bortzmeyer.org>
References: <20111019133029.GA12435@laperouse.bortzmeyer.org>
Message-ID: <20111019143105.baa27ec3.nlnetlabs@belanger.fr>

Hi,

> By making a typo, I discovered that dnssec-trigger-control 0.5 silently
> ignores unknown commands, which is a bad thing, because a typo may go
> undetected.
>
> % dnssec-trigger-control zzzz
> %

And it returns a 'wrong' exit status:

# dnssec-trigger-control zzz
# echo $?
0
#

Bye.
--
Xavier Belanger

From wouter at NLnetLabs.nl Fri Oct 21 07:34:38 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Oct 2011 09:34:38 +0200
Subject: [Dnssec-trigger] dnssec-trigger-control ignores unknown commands
In-Reply-To: <20111019143105.baa27ec3.nlnetlabs@belanger.fr>
References: <20111019133029.GA12435@laperouse.bortzmeyer.org> <20111019143105.baa27ec3.nlnetlabs@belanger.fr>
Message-ID: <4EA1208E.5010103@nlnetlabs.nl>

Hi Stephane, Xavier,

On 10/19/2011 08:31 PM, Xavier Belanger wrote:
> Hi,
>
>> By making a typo, I discovered that dnssec-trigger-control 0.5 silently
>> ignores unknown commands, which is a bad thing, because a typo may go
>> undetected.
>>
>> % dnssec-trigger-control zzzz
>> %
>
> And it returns a 'wrong' exit status:
>
> # dnssec-trigger-control zzz
> # echo $?
> 0
> #

Fixed in the upcoming (soon) 0.6 release, and also the @echo.

Best regards,
Wouter

From wouter at NLnetLabs.nl Fri Oct 21 08:34:03 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Oct 2011 10:34:03 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
Message-ID: <4EA12E7B.9090500@nlnetlabs.nl>

Hi,

Dnssec Trigger 0.6 is released, get it at our new webpage:
nlnetlabs.nl/projects/dnssec-trigger

svn is available: http://www.nlnetlabs.nl/svn/dnssec-trigger
you can browse it with a browser or svn co it.

http://nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.6.tar.gz
sha1 21ab4134c2a8c5585f1158e59e856666a2c3f838
sha256 abd39400a4550802e212550c22c00b4d2e8c5d368b7120c4ae36bdf92a7ac120

GUI: XFCE and Ubuntu-Unity support. Windows worked for me in a test.
(GTK and OSX still work of course).
Detect: transparent proxy trouble and insecure fail after tcp443 test.
Security: Race condition gone, really secure (during bootup). Possibly
an issue on Linux without ext234fs (chattr immutable is used).

Changelog
* detect transparent proxies and avoid them.
* Fix insecure mode after dnstcp443 has been probed.
* Fix race condition between system and dnssec-trigger where briefly
  the DHCP insecure response was dominant. On OSX and Windows a system
  preference (like from the control panel) is created. On Linux chattr
  immutable, on BSD chflag immutable. On exit, it enters 127.0.0.1 even
  if in insecure mode, so that a later reboot will be secure. The
  override is removed on uninstall.
* windows package work, tested Vista.
* the dnssec-trigger-panel (gtk2 without libappindicator) works on the
  XFCE desktop.
* libappindicator support, for Ubuntu Unity desktop GUI. Just install
  libappindicator-dev and build and a Unity GUI tray icon is produced.
* can build outside of sourcedir.
* Manpage fixes
* Add @ to echo in Makefile.
* print error on control unknown command, and exit status 1.
Best regards,
Wouter

From bortzmeyer at nic.fr Fri Oct 21 09:05:32 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 21 Oct 2011 11:05:32 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA12E7B.9090500@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl>
Message-ID: <20111021090532.GA21861@nic.fr>

On Fri, Oct 21, 2011 at 10:34:03AM +0200,
W.C.A. Wijngaards wrote
a message of 68 lines which said:

> Dnssec Trigger 0.6 is released,

When you already have a dnssec-trigger in place, make install still
tells you:

It is probably good to run dnssec-trigger-control-setup to generate keys now, and possibly run dnssec-trigger-control-setup -i to edit unbound.conf if it does not have a trust anchor and remote-control

which is useless.

From wouter at NLnetLabs.nl Fri Oct 21 09:12:06 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Oct 2011 11:12:06 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <20111021090532.GA21861@nic.fr>
References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021090532.GA21861@nic.fr>
Message-ID: <4EA13766.8070705@nlnetlabs.nl>

Hi Stephane,

On 10/21/2011 11:05 AM, Stephane Bortzmeyer wrote:
> When you already have a dnssec-trigger in place, make install still
> tells you:
>
> It is probably good to run dnssec-trigger-control-setup to generate keys now, and possibly run dnssec-trigger-control-setup -i to edit unbound.conf if it does not have a trust anchor and remote-control
>
> which is useless.

Fixed in svn trunk. Thanks for the report.

Does the GUI work for you (may need restart to catch the gui startup
item, or dnssec-trigger-panel from commandline if startup item does
not work)?

Or do you use Gnome-Shell, not Unity?

Best regards,
Wouter

From bortzmeyer at nic.fr Fri Oct 21 09:22:39 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 21 Oct 2011 11:22:39 +0200
Subject:
[Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA13766.8070705@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021090532.GA21861@nic.fr> <4EA13766.8070705@nlnetlabs.nl>
Message-ID: <20111021092239.GA27934@nic.fr>

On Fri, Oct 21, 2011 at 11:12:06AM +0200,
W.C.A. Wijngaards wrote
a message of 40 lines which said:

> Does the GUI work for you (may need restart to catch the gui startup
> item , or dnssec-trigger-panel from commandline if startup item does
> not work) ?

No. Nothing appears in the taskbar at the top (even after
logout+login). And dnssec-trigger-panel from the shell displays
absolutely nothing (it just runs).

Ubuntu "Oneiric Ocelot", just upgraded (now that it is officially
released and stable).

> Or do you use Gnome-Shell, not Unity?

I believe (I'm not joking, I'm really not an UI guy) that it is
Unity. At least my screen looks like the screenshots at
, with the
little icons on the left.

From wouter at NLnetLabs.nl Fri Oct 21 09:31:03 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Oct 2011 11:31:03 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <20111021092239.GA27934@nic.fr>
References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021090532.GA21861@nic.fr> <4EA13766.8070705@nlnetlabs.nl> <20111021092239.GA27934@nic.fr>
Message-ID: <4EA13BD7.2000902@nlnetlabs.nl>

Hi Stephane,

On 10/21/2011 11:22 AM, Stephane Bortzmeyer wrote:
> On Fri, Oct 21, 2011 at 11:12:06AM +0200,
> W.C.A. Wijngaards wrote
> a message of 40 lines which said:
>
>> Does the GUI work for you (may need restart to catch the gui startup
>> item , or dnssec-trigger-panel from commandline if startup item does
>> not work) ?
>
> No. Nothing appears in the taskbar at the top (even after
> logout+login). And dnssec-trigger-panel from the shell displays
> absolutely nothing (it just runs).

It should show a tray icon in the tray bar.
> Ubuntu "Oneiric Ocelot", just upgraded (now that it is officially
> released and stable).
>
>> Or do you use Gnome-Shell, not Unity?
>
> I believe (I'm not joking, I'm really not an UI guy) that it is
> Unity. At least my screen looks like the screenshots at
> , with the
> little icons on the left.

Ok, Unity!

Can you install libappindicator-dev ?
Then make clean (or delete sourcedir and reextract sourcedir)
Then re-run configure and make and make-install

I saw Unity GUI working, but you need to have libappindicator-dev
installed for it to work (and autodetect).

Best regards,
Wouter

From matthijs at NLnetLabs.nl Fri Oct 21 09:31:48 2011
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Fri, 21 Oct 2011 11:31:48 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <20111021092239.GA27934@nic.fr>
References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021090532.GA21861@nic.fr> <4EA13766.8070705@nlnetlabs.nl> <20111021092239.GA27934@nic.fr>
Message-ID: <4EA13C04.5000807@nlnetlabs.nl>

On 10/21/2011 11:22 AM, Stephane Bortzmeyer wrote:
> On Fri, Oct 21, 2011 at 11:12:06AM +0200,
> W.C.A. Wijngaards wrote
> a message of 40 lines which said:
>
>> Does the GUI work for you (may need restart to catch the gui startup
>> item , or dnssec-trigger-panel from commandline if startup item does
>> not work) ?
>
> No. Nothing appears in the taskbar at the top (even after
> logout+login). And dnssec-trigger-panel from the shell displays
> absolutely nothing (it just runs).
>
> Ubuntu "Oneiric Ocelot", just upgraded (now that it is officially
> released and stable).

Well, we can argue about stable... ;)

>> Or do you use Gnome-Shell, not Unity?
>
> I believe (I'm not joking, I'm really not an UI guy) that it is
> Unity. At least my screen looks like the screenshots at
> , with the
> little icons on the left.

That is indeed Unity.

Best regards,
Matthijs

> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger

From bortzmeyer at nic.fr Fri Oct 21 09:48:49 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 21 Oct 2011 11:48:49 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA13BD7.2000902@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021090532.GA21861@nic.fr> <4EA13766.8070705@nlnetlabs.nl> <20111021092239.GA27934@nic.fr> <4EA13BD7.2000902@nlnetlabs.nl>
Message-ID: <20111021094849.GA11590@nic.fr>

On Fri, Oct 21, 2011 at 11:31:03AM +0200,
W.C.A. Wijngaards wrote
a message of 59 lines which said:

> Can you install libappindicator-dev ? Then make clean (or delete
> sourcedir and reextract sourcedir) Then re-run configure and make
> and make-install

It works, I have the nice anchor in the bar, thanks.

From patrick at vande-walle.eu Fri Oct 21 09:51:30 2011
From: patrick at vande-walle.eu (Patrick Vande Walle)
Date: Fri, 21 Oct 2011 11:51:30 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA13BD7.2000902@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021090532.GA21861@nic.fr> <4EA13766.8070705@nlnetlabs.nl> <20111021092239.GA27934@nic.fr> <4EA13BD7.2000902@nlnetlabs.nl>
Message-ID: <4EA140A2.90000@vande-walle.eu>

On 21/10/11 11:31, W.C.A. Wijngaards wrote:
> Hi Stephane,
>
> On 10/21/2011 11:22 AM, Stephane Bortzmeyer wrote:
> > On Fri, Oct 21, 2011 at 11:12:06AM +0200,
> > W.C.A. Wijngaards wrote
> > a message of 40 lines which said:
>
> >> Does the GUI work for you (may need restart to catch the gui startup
> >> item , or dnssec-trigger-panel from commandline if startup item does
> >> not work) ?
>
> > No. Nothing appears in the taskbar at the top (even after
> > logout+login). And dnssec-trigger-panel from the shell displays
> > absolutely nothing (it just runs).
>
>
> Ok, Unity!
>
> Can you install libappindicator-dev ?
> Then make clean (or delete sourcedir and reextract sourcedir)
> Then re-run configure and make and make-install
>
> I saw Unity GUI working, but you need to have libappindicator-dev
> installed for it to work (and autodetect).

I was having the same issue as Stéphane, with the same Ubuntu release.
Indeed, installing libappindicator-dev and running "configure/make/make
install" allowed the applet to appear in the top menu bar.
While I am at it: thanks for this very useful app :-)

Patrick Vande Walle

From paul at xelerance.com Fri Oct 21 14:22:59 2011
From: paul at xelerance.com (Paul Wouters)
Date: Fri, 21 Oct 2011 10:22:59 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA12E7B.9090500@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl>
Message-ID:

On Fri, 21 Oct 2011, W.C.A. Wijngaards wrote:

> Dnssec Trigger 0.6 is released, get it at our new webpage:
> Changelog
> * detect transparent proxies and avoid them.
> * Fix insecure mode after dnstcp443 has been probed.
> * Fix race condition between system and dnssec-trigger where briefly
> the DHCP insecure response was dominant. On OSX and Windows a system
> preference (like from the control panel) is created. On Linux chattr
> immutable, on BSD chflag immutable. On exit, it enters 127.0.0.1 even if
> in insecure mode, so that a later reboot will be secure. The override is
> removed on uninstall.
> * windows package work, tested Vista.
> * the dnssec-trigger-panel (gtk2 without libappindicator) works on
> the XFCE desktop.
> * libappindicator support, for Ubuntu Unity desktop GUI. Just
> install libappindicator-dev and build and a Unity GUI tray icon is produced.
> * can build outside of sourcedir.
> * Manpage fixes
> * Add @ to echo in Makefile.
> * print error on control unknown command, and exit status 1.

Can we get an option to specify the port 80/443 fallback server? :)

Or perhaps we can start a project where create a web of these things for
people?
(with list distribution in DNS just to give us another challenge :)

Paul

From wouter at NLnetLabs.nl Fri Oct 21 14:27:54 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Oct 2011 16:27:54 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To:
References: <4EA12E7B.9090500@nlnetlabs.nl>
Message-ID: <4EA1816A.8020900@nlnetlabs.nl>

Hi Paul,

On 10/21/2011 04:22 PM, Paul Wouters wrote:
> On Fri, 21 Oct 2011, W.C.A. Wijngaards wrote:
>
>> Dnssec Trigger 0.6 is released, get it at our new webpage:
>
>> Changelog
>> * detect transparent proxies and avoid them.
>> * Fix insecure mode after dnstcp443 has been probed.
>> * Fix race condition between system and dnssec-trigger where briefly
>> the DHCP insecure response was dominant. On OSX and Windows a system
>> preference (like from the control panel) is created. On Linux chattr
>> immutable, on BSD chflag immutable. On exit, it enters 127.0.0.1 even if
>> in insecure mode, so that a later reboot will be secure. The override is
>> removed on uninstall.
>> * windows package work, tested Vista.
>> * the dnssec-trigger-panel (gtk2 without libappindicator) works on
>> the XFCE desktop.
>> * libappindicator support, for Ubuntu Unity desktop GUI. Just
>> install libappindicator-dev and build and a Unity GUI tray icon is
>> produced.
>> * can build outside of sourcedir.
>> * Manpage fixes
>> * Add @ to echo in Makefile.
>> * print error on control unknown command, and exit status 1.
>
> Can we get an option to specify the port 80/443 fallback server? :)

It exists:
tcp80:
tcp443:
in dnssec-trigger.conf adds more entries. Just add more of these lines
to enable more servers. The nlnetlabs server is there as a start (you
can remove the lines with .42 in them to disable if you do not want to
send queries to nlnetlabs).

> Or perhaps we can start a project where create a web of these things for
> people?
> (with list distribution in DNS just to give us another challenge :)

Yes more servers can be useful if the project grows in deployment.
Right now the server has a very low rate - only a few people test.
Best regards,
Wouter

From regnauld at nsrc.org Fri Oct 21 14:13:49 2011
From: regnauld at nsrc.org (Phil Regnauld)
Date: Fri, 21 Oct 2011 14:13:49 +0000
Subject: [Dnssec-trigger] Bug reports ?
Message-ID: <20111021141349.GB6562@macbook.bluepipe.net>

I have a strange issue I'm trying to debug with dnssec-trigger + unbound 1.4.13
on OS X Lion, and a broken network with TCP/53 only. Should I use this list
to discuss this issue, or submit the problem somewhere else ?

Thanks,
Phil

From regnauld at nsrc.org Fri Oct 21 14:34:14 2011
From: regnauld at nsrc.org (Phil Regnauld)
Date: Fri, 21 Oct 2011 14:34:14 +0000
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA1816A.8020900@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl> <4EA1816A.8020900@nlnetlabs.nl>
Message-ID: <20111021143414.GC6562@macbook.bluepipe.net>

W.C.A. Wijngaards (wouter) writes:
> > Can we get an option to specify the port 80/443 fallback server? :)
>
> It exists:
> tcp80:
> tcp443:
> in dnssec-trigger.conf adds more entries. Just add more of these lines
> to enable more servers. The nlnetlabs server is there as a start (you
> can remove the lines with .42 in them to disable if you do not want to
> send queries to nlnetlabs).

How to deal with a network that will allow tcp/53, but actually
filter DNS on TCP 80/443 ?

Would it be an idea to have a more generic mechanism for specifying
the port ? It doesn't like tcp53: :)

Phil

From paul at xelerance.com Fri Oct 21 14:34:22 2011
From: paul at xelerance.com (Paul Wouters)
Date: Fri, 21 Oct 2011 10:34:22 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA1816A.8020900@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl> <4EA1816A.8020900@nlnetlabs.nl>
Message-ID:

On Fri, 21 Oct 2011, W.C.A. Wijngaards wrote:

> It exists:
> tcp80:
> tcp443:
> in dnssec-trigger.conf adds more entries. Just add more of these lines
> to enable more servers. The nlnetlabs server is there as a start (you
> can remove the lines with .42 in them to disable if you do not want to
> send queries to nlnetlabs).

I stand corrected. Guess it works so well I haven't looked in the config
file for ages :)

Paul

From wouter at NLnetLabs.nl Fri Oct 21 14:36:00 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Oct 2011 16:36:00 +0200
Subject: [Dnssec-trigger] Bug reports ?
In-Reply-To: <20111021141349.GB6562@macbook.bluepipe.net>
References: <20111021141349.GB6562@macbook.bluepipe.net>
Message-ID: <4EA18350.1000402@nlnetlabs.nl>

Hi Phil,

On 10/21/2011 04:13 PM, Phil Regnauld wrote:
> I have a strange issue I'm trying to debug with dnssec-trigger + unbound 1.4.13
> on OS X Lion, and a broken network with TCP/53 only. Should I use this list
> to discuss this issue, or submit the problem somewhere else ?

Yes use this list.

TCP/53 only, it must try to use the tcp-80 and tcp-443 fallback servers?
Does that work? (you may be first to actually use it).
Best regards,
Wouter

From wouter at NLnetLabs.nl Fri Oct 21 14:38:50 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Oct 2011 16:38:50 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To:
References: <4EA12E7B.9090500@nlnetlabs.nl> <4EA1816A.8020900@nlnetlabs.nl>
Message-ID: <4EA183FA.60105@nlnetlabs.nl>

Hi Paul,

On 10/21/2011 04:34 PM, Paul Wouters wrote:
> On Fri, 21 Oct 2011, W.C.A. Wijngaards wrote:
>
>> It exists:
>> tcp80:
>> tcp443:
>> in dnssec-trigger.conf adds more entries. Just add more of these lines
>> to enable more servers. The nlnetlabs server is there as a start (you
>> can remove the lines with .42 in them to disable if you do not want to
>> send queries to nlnetlabs).
>
> I stand corrected. Guess it works so well I haven't looked in the config
> file for ages :)

Yes it got snuck in there a while ago. Did not mention it in changelog
that big, and reading the config file for random changes does seem a bit
wasteful. :-)

It'll probe a random server to test.
Then submit all of them to unbound, 1.4.14 will do a server-selection
based on ping (and rtt-banding).

It picks one random tcp80-ip4, one random tcp80-ip6, one random tcp443-ip4
and one random tcp443-ip6 to probe.

It would be good if servers have good uptime, though, probably, not bad
for short outages (since other portnumber is likely to work and so on).

Best regards,
Wouter

From regnauld at nsrc.org Fri Oct 21 14:39:49 2011
From: regnauld at nsrc.org (Phil Regnauld)
Date: Fri, 21 Oct 2011 14:39:49 +0000
Subject: [Dnssec-trigger] Bug reports ?
In-Reply-To: <4EA18350.1000402@nlnetlabs.nl>
References: <20111021141349.GB6562@macbook.bluepipe.net> <4EA18350.1000402@nlnetlabs.nl>
Message-ID: <20111021143949.GD6562@macbook.bluepipe.net>

W.C.A. Wijngaards (wouter) writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Phil,
>
> On 10/21/2011 04:13 PM, Phil Regnauld wrote:
> > I have a strange issue I'm trying to debug with dnssec-trigger + unbound 1.4.13
> > on OS X Lion, and a broken network with TCP/53 only. Should I use this list
> > to discuss this issue, or submit the problem somewhere else ?
>
> Yes use this list.
>
> TCP/53 only, it must try to use the tcp-80 and tcp-443 fallback servers?
> Does that work? (you may be first to actually use it).

Nope, didn't work. I'm seeing a strange combination of problems which
led me to work around just to get DNS resolution working:

- tcp-upstream: yes in unbound.conf
- disable auto-trust-anchor (and validation)
- turn off dnssec-trigger (that was 0.5, but I've just upgraded to 0.6
  following your announcement)

I'll try again with 0.6 a bit later, and will make sure it's not an
issue with unbound first, then get back to the list.

Phil

From wouter at NLnetLabs.nl Fri Oct 21 14:51:04 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Oct 2011 16:51:04 +0200
Subject: [Dnssec-trigger] Bug reports ?
In-Reply-To: <20111021143949.GD6562@macbook.bluepipe.net>
References: <20111021141349.GB6562@macbook.bluepipe.net> <4EA18350.1000402@nlnetlabs.nl> <20111021143949.GD6562@macbook.bluepipe.net>
Message-ID: <4EA186D8.2030709@nlnetlabs.nl>

Hi Phil,

On 10/21/2011 04:39 PM, Phil Regnauld wrote:
> W.C.A. Wijngaards (wouter) writes:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi Phil,
>>
>> On 10/21/2011 04:13 PM, Phil Regnauld wrote:
>>> I have a strange issue I'm trying to debug with dnssec-trigger + unbound 1.4.13
>>> on OS X Lion, and a broken network with TCP/53 only. Should I use this list
>>> to discuss this issue, or submit the problem somewhere else ?
>>
>> Yes use this list.
>>
>> TCP/53 only, it must try to use the tcp-80 and tcp-443 fallback servers?
>> Does that work? (you may be first to actually use it).
>
> Nope, didn't work. I'm seeing a strange combination of problems which
> led me to work around just to get DNS resolution working:
>
> - tcp-upstream: yes in unbound.conf
> - disable auto-trust-anchor (and validation)
> - turn off dnssec-trigger (that was 0.5, but I've just upgraded to 0.6
> following your announcement)

Ok, unbound's tcp-upstream works then :-)

> I'll try again with 0.6 a bit later, and will make sure it's not an
> issue with unbound first, then get back to the list.

Alright, thanks for that, remove the tcp-upstream yes from the conf when
you try again (and add the trustanchor again), otherwise dnssec-trigger
fails.

You can always try 'Hotspot signon' which puts you in insecure mode: the
servers from DHCP are used, and unbound is bypassed. Maybe that is
useful during debugging to get DHCP-connectivity again.

Best regards,
Wouter

From wouter at NLnetLabs.nl Fri Oct 21 15:09:23 2011
From: wouter at NLnetLabs.nl (W.C.A.
Wijngaards)
Date: Fri, 21 Oct 2011 17:09:23 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <20111021143414.GC6562@macbook.bluepipe.net>
References: <4EA12E7B.9090500@nlnetlabs.nl> <4EA1816A.8020900@nlnetlabs.nl> <20111021143414.GC6562@macbook.bluepipe.net>
Message-ID: <4EA18B23.4000802@nlnetlabs.nl>

Hi Phil,

On 10/21/2011 04:34 PM, Phil Regnauld wrote:
> W.C.A. Wijngaards (wouter) writes:
>>> Can we get an option to specify the port 80/443 fallback server? :)
>>
>> It exists:
>> tcp80:
>> tcp443:
>> in dnssec-trigger.conf adds more entries. Just add more of these lines
>> to enable more servers. The nlnetlabs server is there as a start (you
>> can remove the lines with .42 in them to disable if you do not want to
>> send queries to nlnetlabs).
>
> How to deal with a network that will allow tcp/53, but actually
> filter DNS on TCP 80/443 ?
>
> Would it be an idea to have a more generic mechanism for specifying
> the port ? It doesn't like tcp53: :)

Can you try a number of probe digs?

dig @192.5.5.241 (f-root server over UDP).
dig @192.5.5.241 +vc (f-root over TCP)
dig @213.154.224.42 +vc -p 80 (port80 over TCP)
dig @213.154.224.42 +vc -p 443 (port443 over TCP)
dig @213.154.224.42 +vc (port53 over TCP)

Can you do https://www.nlnetlabs.nl? We have a cert from CAcert, if you
can get that, then presumably DANE could work over port443.

And which ones work (if they all do, it's a transparent proxy somehow,
try +dnssec and so on).
It would be interesting to see what sort of proxy this is :-)

Best regards,
Wouter

From regnauld at nsrc.org Fri Oct 21 17:00:31 2011
From: regnauld at nsrc.org (Phil Regnauld)
Date: Fri, 21 Oct 2011 17:00:31 +0000
Subject: [Dnssec-trigger] Bug reports ?
In-Reply-To: <4EA186D8.2030709@nlnetlabs.nl>
References: <20111021141349.GB6562@macbook.bluepipe.net> <4EA18350.1000402@nlnetlabs.nl> <20111021143949.GD6562@macbook.bluepipe.net> <4EA186D8.2030709@nlnetlabs.nl>
Message-ID: <20111021170031.GF38226@macbook.bluepipe.net>

W.C.A. Wijngaards (wouter) writes:
>
> Alright, thanks for that, remove the tcp-upstream yes from the conf when
> you try again (and add the trustanchor again), otherwise dnssec-trigger
> fails.

Why wouldn't tcp-upstream: yes and dnssec-trigger not work
together ? Or is it because dnssec-trigger only probes with UDP ?

> You can always try 'Hotspot signon' which puts you in insecure mode: the
> servers from DHCP are used, and unbound is bypassed. Maybe that is
> useful during debugging to get DHCP-connectivity again.

Right, will test that as well.
Phil

From nlnetlabs at belanger.fr Fri Oct 21 20:43:12 2011
From: nlnetlabs at belanger.fr (Xavier Belanger)
Date: Fri, 21 Oct 2011 16:43:12 -0400
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA12E7B.9090500@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl>
Message-ID: <20111021164312.623419a0.nlnetlabs@belanger.fr>

Hi,

> Dnssec Trigger 0.6 is released, get it at our new webpage:
> nlnetlabs.nl/projects/dnssec-trigger

Compile, run and work on Slackware 13.37 32 bit (as the 0.5 version
before).

It's not fully automatic because I have chosen to use WiCd [1]
to manage network connections, but there are no problems.

I will spend some time to test it with various public WiFi networks...

And thanks for this software!

Bye.

[1]: http://wicd.sourceforge.net/
--
Xavier Belanger

From nlnetlabs at belanger.fr Fri Oct 21 20:56:39 2011
From: nlnetlabs at belanger.fr (Xavier Belanger)
Date: Fri, 21 Oct 2011 16:56:39 -0400
Subject: [Dnssec-trigger] Bug with 'version' option for dnssec-trigger-panel
Message-ID: <20111021165639.129e884d.nlnetlabs@belanger.fr>

Hi,

Just to check my latest installation I have tried the option 'version'
for dnssec-trigger-panel and the result is a strange bug :-)

$ dnssec-trigger-panel --version
dnssec-trigger-panel: invalid option -- '-'
dnssec-trigger-panel: invalid option -- 'v'
dnssec-trigger-panel: invalid option -- 'e'
dnssec-trigger-panel: invalid option -- 'r'
dnssec-trigger-panel: invalid option -- 's'
dnssec-trigger-panel: invalid option -- 'i'
dnssec-trigger-panel: invalid option -- 'o'
dnssec-trigger-panel: invalid option -- 'n'
could not load the UI (-d to run from build dir)
$

Bye.
--
Xavier Belanger

From wouter at NLnetLabs.nl Sat Oct 22 09:40:24 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Sat, 22 Oct 2011 11:40:24 +0200
Subject: [Dnssec-trigger] Bug reports ?
In-Reply-To: <20111021170031.GF38226@macbook.bluepipe.net>
References: <20111021141349.GB6562@macbook.bluepipe.net> <4EA18350.1000402@nlnetlabs.nl> <20111021143949.GD6562@macbook.bluepipe.net> <4EA186D8.2030709@nlnetlabs.nl> <20111021170031.GF38226@macbook.bluepipe.net>
Message-ID: <4EA28F88.5030201@nlnetlabs.nl>

Hi Phil,

On 10/21/2011 07:00 PM, Phil Regnauld wrote:
> W.C.A. Wijngaards (wouter) writes:
>>
>> Alright, thanks for that, remove the tcp-upstream yes from the conf when
>> you try again (and add the trustanchor again), otherwise dnssec-trigger
>> fails.
>
> Why wouldn't tcp-upstream: yes and dnssec-trigger not work
> together ? Or is it because dnssec-trigger only probes with UDP ?

dnssec-trigger wants tcp-upstream to be the default (no) in
unbound.conf. It enables it dynamically when necessary.

>> You can always try 'Hotspot signon' which puts you in insecure mode: the
>> servers from DHCP are used, and unbound is bypassed. Maybe that is
>> useful during debugging to get DHCP-connectivity again.
>
> Right, will test that as well.
Have fun probing proxies :-)

Best regards,
Wouter

From wouter at NLnetLabs.nl Sat Oct 22 09:52:13 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Sat, 22 Oct 2011 11:52:13 +0200
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <20111021164312.623419a0.nlnetlabs@belanger.fr>
References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021164312.623419a0.nlnetlabs@belanger.fr>
Message-ID: <4EA2924D.5040408@nlnetlabs.nl>

Hi Xavier,

On 10/21/2011 10:43 PM, Xavier Belanger wrote:
> Hi,
>
>> Dnssec Trigger 0.6 is released, get it at our new webpage:
>> nlnetlabs.nl/projects/dnssec-trigger

Fixed the -version stuff (it errors and prints version) in svn.

> Compile, run and work on Slackware 13.37 32 bit (as the 0.5 version
> before).
>
> It's not fully automatic because I have chosen to use WiCd [1]
> to manage network connections, but there are no problems.

I could not find on their webpage: if there is some way to 'trigger' on
DHCP events, and you can have a shellscript called, then you can
automate it.
How to register such a shellscript? For networkmanager
it's put in /etc/NetworkManager/dispatcher.d but for wicd it may be
different.

Once you find out how to call a shellscript trigger after a DHCP event,
have that script call
$ dnssec-trigger-control submit $ips
(ip addresses separated by spaces, from the DNS option in the DHCP) from
your script (or you can use the networkmanager script as a base, it also
throttles the events to only deliver changes).

> I will spend some time to test it with various public WiFi networks...
>
> And thanks for this software!
>
> Bye.
>
> [1]: http://wicd.sourceforge.net/

Best regards,
Wouter

From nlnetlabs at belanger.fr Wed Oct 26 13:48:22 2011
From: nlnetlabs at belanger.fr (Xavier Belanger)
Date: Wed, 26 Oct 2011 09:48:22 -0400
Subject: [Dnssec-trigger] dnssec-trigger release 0.6
In-Reply-To: <4EA2924D.5040408@nlnetlabs.nl>
References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021164312.623419a0.nlnetlabs@belanger.fr> <4EA2924D.5040408@nlnetlabs.nl>
Message-ID: <20111026094822.ec5dd2dc.nlnetlabs@belanger.fr>

Hi,

> Fixed the -version stuff (it errors and prints version) in svn.

Thank you.

> > It's not fully automatic because I have chosen to use WiCd [1]
> > to manage network connections, but there are no problems.
>
> I could not find on their webpage: if there is some way to 'trigger' on
> DHCP events, and you can have a shellscript called, then you can
> automate it. How to register such a shellscript? For networkmanager
> it's put in /etc/NetworkManager/dispatcher.d but for wicd it may be
> different.

There is a possibility to call scripts in WiCd for each network
with pre- and post-connection scripts and pre- and post-disconnection.

> Once you find out how to call a shellscript trigger after a DHCP event,
> have that script call
> $ dnssec-trigger-control submit $ips
> (ip addresses separated by spaces, from the DNS option in the DHCP) from
> your script (or you can use the networkmanager script as a base, it also
> throttles the events to only deliver changes).

I have tried to use dnssec-trigger-control as post-connection script
but it doesn't work, I need to find why...

Some other issue with DHCP client: since the resolv.conf file is
immutable, there is a minor problem when dhcpcd tries to write into it
("Permission denied / Operation not permitted").

So, for the Slackware network configuration script I have modified a
value in the /etc/rc.d/rc.inet1.conf:

DHCP_KEEPRESOLV[0]="yes"

As 0 is for the interface number.

I have also added a directive in /etc/dhcpcd.conf to deactivate
the hook that tries to change the resolv.conf file:

nohook resolv.conf

It's probably not necessary to make the first change since the second
one is done, but just in case...

Bye.
-- Xavier Belanger From bortzmeyer at nic.fr Thu Oct 27 07:34:09 2011 From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Thu, 27 Oct 2011 09:34:09 +0200 Subject: [Dnssec-trigger] A new kind of broken hotspot: RRSIG are OK but NSEC3 are deleted Message-ID: <20111027073409.GA18123@laperouse.bortzmeyer.org> % dnssec-trigger-control status at 2011-10-27 09:26:01 cache 192.168.254.2: OK state: cache secure But 192.168.254.2 is not OK. It strips NSEC3 records. % dig A aws.amazon.com ; <<>> DiG 9.7.3 <<>> A aws.amazon.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30784 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;aws.amazon.com. IN A ;; Query time: 39 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Oct 27 09:29:22 2011 ;; MSG SIZE rcvd: 43 % dig DS amazon.com ; <<>> DiG 9.7.3 <<>> DS amazon.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53969 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;amazon.com. IN DS ;; Query time: 12 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Oct 27 09:29:30 2011 ;; MSG SIZE rcvd: 39 % dig +dnssec +cd DS amazon.com ; <<>> DiG 9.7.3 <<>> +dnssec +cd DS amazon.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44775 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;amazon.com. IN DS ;; AUTHORITY SECTION: com. 588 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1319700242 1800 900 604800 86400 com. 588 IN RRSIG SOA 8 1 900 20111103072402 20111027071402 3272 com. 
gQcKr3NkiDE1da4Oc14iSkWRsoKUju5MHABsbMfSgX7SLw2sMlgApRin tn3AKui/1oiD+ts4Qln8emkEgmvGDsvmgU1y5VptMYoQC0mdPxp4WZcI F4ZefwKSR0YY4oqWAP2yjl+WAc2VCf6YgqwhkkVhbIbcQW4w1ffYdSc0 weI= ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Oct 27 09:29:51 2011 ;; MSG SIZE rcvd: 275 % dig @192.168.254.2 +dnssec DS amazon.com ; <<>> DiG 9.7.3 <<>> @192.168.254.2 +dnssec DS amazon.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63577 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;amazon.com. IN DS ;; AUTHORITY SECTION: com. 351 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1319700242 1800 900 604800 86400 com. 351 IN RRSIG SOA 8 1 900 20111103072402 20111027071402 3272 com. gQcKr3NkiDE1da4Oc14iSkWRsoKUju5MHABsbMfSgX7SLw2sMlgApRin tn3AKui/1oiD+ts4Qln8emkEgmvGDsvmgU1y5VptMYoQC0mdPxp4WZcI F4ZefwKSR0YY4oqWAP2yjl+WAc2VCf6YgqwhkkVhbIbcQW4w1ffYdSc0 weI= ;; Query time: 1 msec ;; SERVER: 192.168.254.2#53(192.168.254.2) ;; WHEN: Thu Oct 27 09:33:48 2011 ;; MSG SIZE rcvd: 275 May be dnssec-trigger should test NSEC/NSEC3 on non-existent records as well? Signed names are OK since there is no NSEC to send back. % dig +dnssec A www.afnic.fr ; <<>> DiG 9.7.3 <<>> +dnssec A www.afnic.fr ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38813 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 7, ADDITIONAL: 5 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.afnic.fr. IN A ;; ANSWER SECTION: www.afnic.fr. 22242 IN CNAME www.nic.fr. www.afnic.fr. 22242 IN RRSIG CNAME 8 3 172800 20111030030835 20111022211659 25699 afnic.fr. ggA/yvdMgFeKmU/+/GIosL17dqQJswwbClqhD8rcr7fx/MHLEIr7o7y7 +RTzVbHbgsfsHeriQtEQ1QGBBENrw3Bm6aPHNrnmg5MUfExKWLqPvp8q Serqojcxgkr8ls1RZPHZYx+CwSEdiQJTvg2sEuiNimnjSRbJthpWe3mu r+Y= www.nic.fr. 
22242 IN CNAME rigolo.nic.fr. www.nic.fr. 22242 IN RRSIG CNAME 8 3 172800 20111030000136 20111022233143 25699 nic.fr. jEsHiECJAQF213wy1JptG/2ZMdIHG7lrHtlSOAWt3ypnwpa+zBCD04+o hJFU80R8t1qHc0wxpCnO2wBPfzWS9S5/1a37LuNPk0XbrFNgkL0sCkSQ RpreN/BOmQ1Zx7AyEjiCZ6Wl4hK50onI4g/MXbhyG/HJ37VY3mtBW0m3 UFQ= rigolo.nic.fr. 22242 IN A 192.134.4.20 rigolo.nic.fr. 22242 IN RRSIG A 8 3 172800 20111030200341 20111024053415 25699 nic.fr. CWG2ydXS9c8Zi48fk5aTAx/XuWaqFVoMNkA274ZeadHXq0ikVcopA//2 u30lJXExlfVcycKBIydNGorr/KeEE9Qo2S9tRCytl1lprjHniPg4ZvgG f8hihRs9ullsQETIT2l84wJuyNfCkFin2EAf+FI3qMoWlvizRlngwzEp oIg= ;; AUTHORITY SECTION: nic.fr. 27687 IN NS ns6.ext.nic.fr. nic.fr. 27687 IN NS ns2.nic.fr. nic.fr. 27687 IN NS ns4.ext.nic.fr. nic.fr. 27687 IN NS ns1.nic.fr. nic.fr. 27687 IN NS ns3.nic.fr. nic.fr. 27687 IN NS ns1.ext.nic.fr. nic.fr. 27687 IN RRSIG NS 8 2 172800 20111030031909 20111023053213 25699 nic.fr. 0Vl3lJxUk4agQO6FUZfi6k8TlEBlWBpsekpMsS8WgpkRl3c8Heeo2Hyq wubrDMiKaNx7nIDZtlF2FY5ohfN/keBi35Tgppf15FKi8hV92IC2S8nP sVouXntpcdnR0wgQurqTBu0jV7LzlIYku6zOJKSnK0fyu/Mf5aIdL2Jz fR8= ;; ADDITIONAL SECTION: ns2.nic.fr. 114087 IN A 192.93.0.4 ns2.nic.fr. 114087 IN AAAA 2001:660:3005:1::1:2 ns2.nic.fr. 114087 IN RRSIG A 8 3 172800 20111031150630 20111024033405 25699 nic.fr. G3yPTjKs8UFLrEY5I1Z2ervENOjV22XN2mMvKxTNxMZDNMo9pg3PwfQz WVMo2+/OHDHIdN5eaPJ9cPihAxvEX70ce6Zt4C6AYJsTUwgcAqIajJCZ 12W7HTB1cj7yv+HMgypwfz9C4TX7Bjx41068LI22fENca2AmPxQCGUTT W/0= ns2.nic.fr. 114087 IN RRSIG AAAA 8 3 172800 20111030031945 20111023073223 25699 nic.fr. 
LaqvLJaQzrig7bRy06R5KDr2c6/ydm/QM+UqnXXNuLOpYyIRKHI0jh71 3RT34QF5jkB187wc1py+DmgK/um0UJfjc+MFTx+T33DGg1GcB2M9bMbd f+hd8j7XJoFMOJZ5qiPg21U1LkCfgvVJSla7H5cmuO+678OU3Q82LdrX XeA= ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Oct 27 09:31:36 2011 ;; MSG SIZE rcvd: 1254 % dig +dnssec TXT www.afnic.fr ; <<>> DiG 9.7.3 <<>> +dnssec TXT www.afnic.fr ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37316 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.afnic.fr. IN TXT ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Oct 27 09:32:19 2011 ;; MSG SIZE rcvd: 41 From wouter at NLnetLabs.nl Thu Oct 27 07:35:22 2011 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Thu, 27 Oct 2011 09:35:22 +0200 Subject: [Dnssec-trigger] dnssec-trigger release 0.6 In-Reply-To: <20111026094822.ec5dd2dc.nlnetlabs@belanger.fr> References: <4EA12E7B.9090500@nlnetlabs.nl> <20111021164312.623419a0.nlnetlabs@belanger.fr> <4EA2924D.5040408@nlnetlabs.nl> <20111026094822.ec5dd2dc.nlnetlabs@belanger.fr> Message-ID: <4EA909BA.4070208@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Xavier, On 10/26/2011 03:48 PM, Xavier Belanger wrote: > Hi, > >> Fixed the -version stuff (it errors and prints version) in svn. > > Thanks you. > >>> It's not fully automatic because I have choose to use WiCd [1] >>> to manage network connexions, but there is no problems. >> >> I could not find on their webpage: if there is some way to 'trigger' on >> DHCP events, and you can have a shellscript called, then you can >> automate it. How to register such a shellscript? For networkmanager >> its put in /etc/NetworkManager/dispatcher.d but for wicd it may be >> different. > > There is a possibility to call scripts in WiCd for each network with > pre- and post-connection scripts and pre- and post-disconnection. 
> >> Once you find out how to call a shellscript trigger after a DHCP event, >> have that script call >> $ dnssec-trigger-control submit $ips >> (ip addresses separated by spaces, from the DNS option in the DHCP) from >> your script (or you can use the networkmanager script as a base, it also >> throttles the events to only deliver changes). > > I have tried to use dnssec-trigger-control as post-connection script > but it doesn't work, I need to find why... > > Some other issue with DHCP client: since the resolv.conf file is > immutable, there is a minor problem when dhcpcd try to write > into ("Permission denied / Operation not permitted"). > > So, for the Slackware network configuration script I have modify a > value in the /etc/rc.d/rc.inet1.conf: > > DHCP_KEEPRESOLV[0]="yes" > > As 0 is for the interface number. > > I have also add a directive in /etc/dhcpcd.conf to desactivate > the hook who try to change the resolv.conf file: > > nohook resolv.conf > > It's probably not necessary to make the first change since > the second one is done, but just in case... Ah it is dhcpd that manages resolv.conf with wicd? Perhaps stop wasting time with the wicd network hooks, but create a dhcpclient hook that calls dnssec-trigger-control (to replace the resolv.conf hook). I am not sure if this is possible, but that could make things work. (And also work for people that use plain dhclient on FreeBSD). 
Best regards, Wouter From omotheclowno25 at gmail.com Thu Oct 27 11:00:12 2011 From: omotheclowno25 at gmail.com (Daniel Ashford) Date: Thu, 27 Oct 2011 22:00:12 +1100 Subject: [Dnssec-trigger] does everything have to be so technical? Message-ID: I completed a Diploma of IT (PC & Network Support) a few years ago, so i consider myself a technical person, but this mailing list blows me way! Can u translate some of the jargon, for those of us who dont use linux, and arent natural born programmers?? i htought DNSSEC TRIGGER was for all sorts, not just die hard programming types.? From wouter at NLnetLabs.nl Thu Oct 27 11:43:04 2011 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Thu, 27 Oct 2011 13:43:04 +0200 Subject: [Dnssec-trigger] does everything have to be so technical?
In-Reply-To: References: Message-ID: <4EA943C8.3050902@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Daniel, On 10/27/2011 01:00 PM, Daniel Ashford wrote: > I completed a Diploma of IT (PC & Network Support) a few years ago, so i > consider myself a technical person, but this mailing list blows me way! > > Can u translate some of the jargon, for those of us who dont use linux, > and arent natural born programmers?? It is because of DNS. Some users are discussing DNS internals and if you do not know that base internet protocol well (even if you know Linux and programming) then it can be hard to follow. The users are discussing this because the program must be tested :-) > i htought DNSSEC TRIGGER was for all sorts, not just die hard > programming types.? Yes, that is the idea. But I created it recently, we are at 0.6, and some field-testing of this new toy is required. So, it is very nice to get informed reports. I would appreciate if you would use dnssec-trigger. Understand we are in an experimental phase. If you encounter oddness, please give a report (and technical details, logs, and system information is just the thing). Or if it just works, then that report also helps know how good it works. What jargon would you like explained? The user-interface would be the first to want to explain. (But understand some of the 'probe errors' in the probe results will contain DNS protocol things). 
Best regards, Wouter From wouter at NLnetLabs.nl Thu Oct 27 17:18:51 2011 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Thu, 27 Oct 2011 19:18:51 +0200 Subject: [Dnssec-trigger] A new kind of broken hotspot: RRSIG are OK but NSEC3 are deleted In-Reply-To: <20111027073409.GA18123@laperouse.bortzmeyer.org> References: <20111027073409.GA18123@laperouse.bortzmeyer.org> Message-ID: <4EA9927B.6010207@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Stephane, On 10/27/2011 09:34 AM, Stephane Bortzmeyer wrote: > > % dnssec-trigger-control status at 2011-10-27 09:26:01 cache > 192.168.254.2: OK state: cache secure > > But 192.168.254.2 is not OK. It strips NSEC3 records. Thanks for the report. Adjusted svn trunk of dnssec-trigger: for caches it probes "tld. TYPE_NULL" and checks that the answer contains an NSEC3 in the authority section.
If you are still at the hotspot, it should now work (well, probe that it does *not* work) :-) Best regards, Wouter From paul at xelerance.com Thu Oct 27 17:53:01 2011 From: paul at xelerance.com (Paul Wouters) Date: Thu, 27 Oct 2011 13:53:01 -0400 (EDT) Subject: [Dnssec-trigger] A new kind of broken hotspot: RRSIG are OK but NSEC3 are deleted In-Reply-To: <20111027073409.GA18123@laperouse.bortzmeyer.org> References: <20111027073409.GA18123@laperouse.bortzmeyer.org> Message-ID: On Thu, 27 Oct 2011, Stephane Bortzmeyer wrote: > May be dnssec-trigger should test NSEC/NSEC3 on non-existent records > as well? > > Signed names are OK since there is no NSEC to send back. unless they are synthesized from a wildcard.......
Paul From bortzmeyer at nic.fr Fri Oct 28 08:42:25 2011 From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Fri, 28 Oct 2011 10:42:25 +0200 Subject: [Dnssec-trigger] A new kind of broken hotspot: RRSIG are OK but NSEC3 are deleted In-Reply-To: <4EA9927B.6010207@nlnetlabs.nl> References: <20111027073409.GA18123@laperouse.bortzmeyer.org> <4EA9927B.6010207@nlnetlabs.nl> Message-ID: <20111028084225.GA20525@nic.fr> On Thu, Oct 27, 2011 at 07:18:51PM +0200, W.C.A. Wijngaards wrote a message of 43 lines which said: > If you are still at the hotspot, Unfortunately no, I'll try to drive to this place again. From wouter at NLnetLabs.nl Fri Oct 28 09:14:39 2011 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Fri, 28 Oct 2011 11:14:39 +0200 Subject: [Dnssec-trigger] dnssec trigger 0.7 release Message-ID: <4EAA727F.20006@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, dnssec trigger 0.7, source at http://nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.7.tar.gz sha1 bb246a0e0aabffedf64112f033b82d4862b5ae64 sha256 b153068d834d3b5b26d2d378efb9dac5c60e598db1659f7bd58bfeb496851ecb Download http://nlnetlabs.nl/projects/dnssec-trigger/ There is a MacOS X installer dmg image (thanks Carsten). Extra NSEC3-probe to caches. Details: * fix that setup hint is not printed on a reinstall. * stop executables before re-install of dnssec-trigger. * tested to work on winXP (thanks Jan-Piet Mens). * fix printout of 1970 date, instead that no probe was performed. * fix unknown options for dnssec-trigger-panel, prints version too. * dmg installer for MacOS X, donated by Carsten Strotmann. * for caches, also test if NSEC3 is present for QTYPE=NULL nodata. 
Best regards, Wouter From paul at xelerance.com Fri Oct 28 17:02:16 2011 From: paul at xelerance.com (Paul Wouters) Date: Fri, 28 Oct 2011 13:02:16 -0400 (EDT) Subject: [Dnssec-trigger] dnssec trigger 0.7 release In-Reply-To: <4EAA727F.20006@nlnetlabs.nl> References: <4EAA727F.20006@nlnetlabs.nl> Message-ID: On Fri, 28 Oct 2011, W.C.A. Wijngaards wrote: > dnssec trigger 0.7, source at > http://nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.7.tar.gz You can find an updated spec file at: http://ftp.xelerance.com/dnssec-trigger/dnssec-trigger.spec rpms are also there.
It mostly fixes the file types, desktop file handling and renames the application "DNSSEC Trigger" instead of "DNSSEC Trigger Panel" (which I think looks ugly in the pull down menu - nothing calls itself panel) Paul From regnauld at nsrc.org Fri Oct 28 17:43:57 2011 From: regnauld at nsrc.org (Phil Regnauld) Date: Fri, 28 Oct 2011 17:43:57 +0000 Subject: [Dnssec-trigger] dnssec trigger 0.7 release In-Reply-To: <4EAA727F.20006@nlnetlabs.nl> References: <4EAA727F.20006@nlnetlabs.nl> Message-ID: <20111028174357.GJ28021@macbook.bluepipe.net> W.C.A. Wijngaards (wouter) writes: > http://nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.7.tar.gz Building fails on Lion 10.7.2, it worked on 10.7.1. Failure: The following build commands failed: ProcessPCH /var/folders/wl/4nz7y3j165dgvw__ls7bmwlm0000z9/C/com.apple.Xcode.1001/SharedPrecompiledHeaders/RiggerStatusItem_Prefix-fubklqoljgcpdpdsuaqwebdqwlof/RiggerStatusItem_Prefix.pch.gch RiggerStatusItem_Prefix.pch normal x86_64 objective-c com.apple.compilers.llvmgcc42 ProcessPCH /var/folders/wl/4nz7y3j165dgvw__ls7bmwlm0000z9/C/com.apple.Xcode.1001/SharedPrecompiledHeaders/RiggerStatusItem_Prefix-dwfjojpfkqyhphcocbbclwhkzvlb/RiggerStatusItem_Prefix.pch.gch RiggerStatusItem_Prefix.pch normal i386 objective-c com.apple.compilers.llvmgcc42 ProcessPCH /var/folders/wl/4nz7y3j165dgvw__ls7bmwlm0000z9/C/com.apple.Xcode.1001/SharedPrecompiledHeaders/RiggerStatusItem_Prefix-dowsmicfsoqucpewznvaslibaeln/RiggerStatusItem_Prefix.pch.gch RiggerStatusItem_Prefix.pch normal x86_64 c com.apple.compilers.llvmgcc42 (3 failures) make: *** [osx/osx-riggerapp] Error 65 > Download http://nlnetlabs.nl/projects/dnssec-trigger/ > > There is a MacOS X installer dmg image (thanks Carsten). The installation failed - I had done make uninstall on the 0.6 before. Couldn't find any helpful message in the Installer log. 
Phil From bortzmeyer at nic.fr Fri Oct 28 18:32:02 2011 From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Fri, 28 Oct 2011 20:32:02 +0200 Subject: [Dnssec-trigger] A new kind of broken hotspot: RRSIG are OK but NSEC3 are deleted In-Reply-To: <4EA9927B.6010207@nlnetlabs.nl> References: <20111027073409.GA18123@laperouse.bortzmeyer.org> <4EA9927B.6010207@nlnetlabs.nl> Message-ID: <20111028183202.GA3064@laperouse.bortzmeyer.org> On Thu, Oct 27, 2011 at 07:18:51PM +0200, W.C.A. Wijngaards wrote a message of 43 lines which said: > If you are still at the hotspot, it should now work (well, probe that it > does *not* work) :-) No need to go so far, at the RIPE meeting in Vienna, the hotel has a broken resolver :-) This is with 0.7, which seems to detect it and falls back to the authority: % dnssec-trigger-control status at 2011-10-28 20:15:40 authority 202.12.27.33: OK cache 10.0.0.1: error no NSEC3 in nodata reply state: auth secure From bortzmeyer at nic.fr Sat Oct 29 14:32:32 2011 From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Sat, 29 Oct 2011 16:32:32 +0200 Subject: [Dnssec-trigger] Another problem: switching from forwarders to authority does not clean Unbound Message-ID: <20111029143232.GA15320@laperouse.bortzmeyer.org> I observed the following phenomenon at the RIPE meeting (SSID ripemtg, dnssec-trigger 0.7). 1) Resolvers are OK. dnssec-trigger tells Unbound to use them. Everything works. 2) Suddenly (unknown reasons), resolvers no longer transmit RRSIGs. Unbound SERVFAILs. 3) Reprobing does not help. dnssec-trigger correctly switches to authority name servers (and displays "no RRSIG in reply" for the resolvers). But Unbound still SERVFAILs. 4) Restarting Unbound solves the problem. So, apparently, something is not cleaned from the time when Unbound, using forwarders, was not receiving the expected RRSIGs. I assume dnssec-trigger does not expect the resolvers to change behavior but reprobing should "reset" Unbound more completely.
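The cache probe discussed in this thread (query "tld. NULL" with the DO bit set, then inspect the authority section of the nodata reply) can be sketched as below. This is an added example, not dnssec-trigger's code and not part of any message: the function names, the constructed sample replies with placeholder rdata, and the folding of the RRSIG and NSEC3 checks into one function are assumptions, while the two status strings mirror the `dnssec-trigger-control status` output quoted in the thread.

```python
import struct

TYPE_SOA, TYPE_NULL, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC3 = 6, 10, 41, 46, 50

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr():
    # EDNS0 OPT pseudo-RR: root owner, class = UDP size, TTL flags carry DO (0x8000).
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)

def build_probe(tld, qid=0x1234):
    """Build the '<tld>. NULL' query with RD set and the DNSSEC OK bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(tld) + struct.pack("!HH", TYPE_NULL, 1) + opt_rr()

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("bad label type")
        off += 1 + length

def section_types(msg):
    """Return (rcode, [answer types, authority types, additional types])."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated record")
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("truncated rdata")
            types.append(rtype)
        sections.append(types)
    return flags & 0x000F, sections

def classify_cache(reply):
    """Judge a resolver from its reply to the probe (simplified, see lead-in)."""
    rcode, (_answer, authority, _additional) = section_types(reply)
    if rcode != 0:
        return "error rcode %d" % rcode          # wording constructed for this example
    if TYPE_RRSIG not in authority:
        return "error no RRSIGs in reply"
    if TYPE_NSEC3 not in authority:
        return "error no NSEC3 in nodata reply"
    return "OK"

# Constructed sample replies; rdata is placeholder bytes because only the
# record types matter to the check.
COM = b"\xc0\x0c"                               # pointer to "com" in the question
HASHED = b"\x0fconstructedhash" + COM           # stands in for an NSEC3 owner name

def rr(owner, rtype, rdata=b"\x00\x00\x00\x00"):
    return owner + struct.pack("!HHIH", rtype, 1, 900, len(rdata)) + rdata

def make_reply(authority_rrs, rcode=0):
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 0, len(authority_rrs), 1)
    question = encode_name("com") + struct.pack("!HH", TYPE_NULL, 1)
    return header + question + b"".join(authority_rrs) + opt_rr()

HEALTHY = make_reply([rr(COM, TYPE_SOA), rr(COM, TYPE_RRSIG),
                      rr(HASHED, TYPE_NSEC3), rr(HASHED, TYPE_RRSIG)])
STRIPPED_NSEC3 = make_reply([rr(COM, TYPE_SOA), rr(COM, TYPE_RRSIG)])
STRIPPED_ALL = make_reply([rr(COM, TYPE_SOA)])

if __name__ == "__main__":
    for label, reply in (("healthy", HEALTHY), ("NSEC3 stripped", STRIPPED_NSEC3),
                         ("signatures stripped", STRIPPED_ALL)):
        print("%-20s %s" % (label, classify_cache(reply)))
```

`STRIPPED_NSEC3` has the same shape as the reply from 192.168.254.2 shown earlier in the thread: a signed SOA in the authority section and nothing that proves the nodata answer.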
From regnauld at nsrc.org Sat Oct 29 16:57:26 2011 From: regnauld at nsrc.org (Phil Regnauld) Date: Sat, 29 Oct 2011 16:57:26 +0000 Subject: [Dnssec-trigger] Another problem: switching from forwarders to authority does not clean Unbound In-Reply-To: <20111029143232.GA15320@laperouse.bortzmeyer.org> References: <20111029143232.GA15320@laperouse.bortzmeyer.org> Message-ID: <20111029165726.GL39083@macbook.bluepipe.net> Stephane Bortzmeyer (bortzmeyer) writes: > > So, apparently, something is not cleaned from the time were Unbound, > using forwarders, were not receiving expected RRSIGs. I assume > dnssec-trigger does not expect the resolvers to change behavior but > reprobing should "reset" Unbound more completely. You'd have to keep track of the names for which you've just probed and issue a unbound-control flush - short of doing unbound-control flush_zone . (ugh, big hammer). From wouter at NLnetLabs.nl Mon Oct 31 08:26:14 2011 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Mon, 31 Oct 2011 09:26:14 +0100 Subject: [Dnssec-trigger] dnssec trigger 0.7 release In-Reply-To: <20111028174357.GJ28021@macbook.bluepipe.net> References: <4EAA727F.20006@nlnetlabs.nl> <20111028174357.GJ28021@macbook.bluepipe.net> Message-ID: <4EAE5BA6.1050606@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Phil, On 10/28/2011 07:43 PM, Phil Regnauld wrote: > W.C.A. Wijngaards (wouter) writes: >> http://nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.7.tar.gz > > Building fails on Lion 10.7.2, it worked on 10.7.1. 
> > Failure: > > The following build commands failed: > ProcessPCH /var/folders/wl/4nz7y3j165dgvw__ls7bmwlm0000z9/C/com.apple.Xcode.1001/SharedPrecompiledHeaders/RiggerStatusItem_Prefix-fubklqoljgcpdpdsuaqwebdqwlof/RiggerStatusItem_Prefix.pch.gch RiggerStatusItem_Prefix.pch normal x86_64 objective-c com.apple.compilers.llvmgcc42 > ProcessPCH /var/folders/wl/4nz7y3j165dgvw__ls7bmwlm0000z9/C/com.apple.Xcode.1001/SharedPrecompiledHeaders/RiggerStatusItem_Prefix-dwfjojpfkqyhphcocbbclwhkzvlb/RiggerStatusItem_Prefix.pch.gch RiggerStatusItem_Prefix.pch normal i386 objective-c com.apple.compilers.llvmgcc42 > ProcessPCH /var/folders/wl/4nz7y3j165dgvw__ls7bmwlm0000z9/C/com.apple.Xcode.1001/SharedPrecompiledHeaders/RiggerStatusItem_Prefix-dowsmicfsoqucpewznvaslibaeln/RiggerStatusItem_Prefix.pch.gch RiggerStatusItem_Prefix.pch normal x86_64 c com.apple.compilers.llvmgcc42 > (3 failures) > make: *** [osx/osx-riggerapp] Error 65 Can you scroll back up, and get the errors there? This is the summary. >> Download http://nlnetlabs.nl/projects/dnssec-trigger/ >> >> There is a MacOS X installer dmg image (thanks Carsten). > > The installation failed - I had done make uninstall on the 0.6 before. > > Couldn't find any helpful message in the Installer log. Run the uninstall script that comes with the DMG (just to be sure). Then reboot. (this clears launchd from strange entries). Then install again. I think you may have a conflict in launchd where paths change from /usr/local (from source) to /usr (in DMG). If it still fails I can create an installer dmg for you that stores debug logs. 
Best regards, Wouter