[Dnssec-trigger] dnssec-trigger release 0.6

W.C.A. Wijngaards wouter at NLnetLabs.nl
Fri Oct 21 15:09:23 UTC 2011


Hi Phil,

On 10/21/2011 04:34 PM, Phil Regnauld wrote:
> W.C.A. Wijngaards (wouter) writes:
>>> Can we get an option to specify the port 80/443 fallback server? :)
>>
>> It exists:
>> tcp80: <IP>
>> tcp443: <IP>
>> in dnssec-trigger.conf adds more entries.  Just add more of these lines
>> to enable more servers.  The nlnetlabs server is there as a start (you
>> can remove the lines with .42 in them to disable if you do not want to
>> send queries to nlnetlabs).
> 
> 	How to deal with a network that will allow tcp/53, but actually
> 	filter DNS on TCP 80/443 ?
> 
> 	Would it be an idea to have a more generic mechanism for specifying
> 	the port ? It doesn't like tcp53: :)

Can you try a number of probe digs?

dig @192.5.5.241   (f-root server over UDP).
dig @192.5.5.241 +vc   (f-root over TCP)

dig @213.154.224.42 +vc -p 80   (port80 over TCP)
dig @213.154.224.42 +vc -p 443  (port443 over TCP)
dig @213.154.224.42 +vc         (port53 over TCP)

Can you do https://www.nlnetlabs.nl?  We have a cert from CAcert, if you
can get that, then presumably DANE could work over port443.

And which ones work (if they all do, it's a transparent proxy somehow,
try +dnssec and so on).

It would be interesting to see what sort of proxy this is :-)

Best regards,
   Wouter
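
The probe digs listed in the message, collected into one script that records for each path whether an answer came back and whether RRSIG records survived. This is an added example, not part of the original message or of dnssec-trigger; the function names, status labels, the `DIG` override, and the `+dnssec +time=3 +tries=1` options applied to every probe are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original message: the probe digs as one matrix.
# Function names, status labels and the DIG override are assumptions.
DIG="${DIG:-dig}"            # override to test without network access
ROOT=192.5.5.241             # f-root, address from the message
FALLBACK=213.154.224.42      # port 80/443 server, address from the message

# probe LABEL DIG-ARGS...
# Sends ". NS" (what a bare "dig @server" asks) with +dnssec, one attempt,
# and prints "LABEL ok+rrsig", "LABEL ok-nosig" or "LABEL fail".
probe() {
    label=$1; shift
    out=$("$DIG" "$@" . NS +dnssec +time=3 +tries=1 2>/dev/null) || out=""
    if printf '%s\n' "$out" | grep -q 'status: NOERROR'; then
        if printf '%s\n' "$out" | grep -q '[[:space:]]RRSIG[[:space:]]'; then
            echo "$label ok+rrsig"      # answered and signatures came back
        else
            echo "$label ok-nosig"      # answered, but no RRSIG records
        fi
    else
        echo "$label fail"              # timeout, reset, or an error rcode
    fi
}

# The five probes from the message, in the same order.
probe_matrix() {
    probe udp53-root      "@$ROOT"
    probe tcp53-root      "@$ROOT" +vc
    probe tcp80-fallback  "@$FALLBACK" +vc -p 80
    probe tcp443-fallback "@$FALLBACK" +vc -p 443
    probe tcp53-fallback  "@$FALLBACK" +vc
}

# summarize: reads probe lines on stdin, prints "answered=A/N nosig=S".
summarize() {
    awk '{ n++; if ($2 != "fail") a++; if ($2 == "ok-nosig") s++ }
         END { printf "answered=%d/%d nosig=%d\n", a, n, s }'
}

# Run with: sh probe.sh run
if [ "${1:-}" = run ]; then
    results=$(probe_matrix)
    printf '%s\n' "$results"
    printf '%s\n' "$results" | summarize
fi
```

A path that reports `ok-nosig` while the UDP probe to the root reports `ok+rrsig` is the case where something on that path answers DNS but drops the DNSSEC records.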