From bortzmeyer at nic.fr Mon Sep 19 15:35:32 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Mon, 19 Sep 2011 17:35:32 +0200
Subject: [Dnssec-trigger] Compilation fails on Ubuntu (--with-gui)
Message-ID: <20110919153532.GA30868@nic.fr>

Ubuntu "oneiric ocelot", currently beta1. dnssec-trigger 0.3. configure --with-gui fails:

rm -f dnssec-trigger-control-setup
sed -e 's?0SHELL0?/bin/bash?' -e 's?0keydir0?/usr/local/etc?' -e 's?0configfile0?/usr/local/etc/dnssec-trigger.conf?' < dnssec-trigger-control-setup.sh.in > dnssec-trigger-control-setup
chmod +x dnssec-trigger-control-setup
make: *** No rule to make target `yes-hook', needed by `all'. Stop.

If I use --with-gui=auto:

make: *** No rule to make target `auto-hook', needed by `all'. Stop.

Without --with-gui, it compiles.

dnssec-trigger-panel shows nothing in the tray (or elsewhere).

After that, it seems to do nothing. If I renew the DHCP lease (or if I 'sudo dnssec-trigger-control submit 192.134.4.162'; 192.134.4.162 is the local resolver, a BIND fully DNSSEC), unbound.conf is not modified.

From wouter at NLnetLabs.nl Tue Sep 20 07:19:17 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 20 Sep 2011 09:19:17 +0200
Subject: [Dnssec-trigger] Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <20110919153532.GA30868@nic.fr>
References: <20110919153532.GA30868@nic.fr>
Message-ID: <4E783E75.2080003@nlnetlabs.nl>

Hi Stephane,

On 09/19/2011 05:35 PM, Stephane Bortzmeyer wrote:
> Ubuntu "oneiric ocelot", currently beta1. dnssec-trigger
> 0.3. configure --with-gui fails:
>
> rm -f dnssec-trigger-control-setup
> sed -e 's?0SHELL0?/bin/bash?' -e 's?0keydir0?/usr/local/etc?' -e 's?0configfile0?/usr/local/etc/dnssec-trigger.conf?' < dnssec-trigger-control-setup.sh.in > dnssec-trigger-control-setup
> chmod +x dnssec-trigger-control-setup
> make: *** No rule to make target `yes-hook', needed by `all'. Stop.
>
> If I use --with-gui=auto:
>
> make: *** No rule to make target `auto-hook', needed by `all'. Stop.

Yes that is a bug in the configure script, I fixed it in the development version. (it set the hooks instead of the gui).

> Without --with-gui, it compiles.
>
> dnssec-trigger-panel shows nothing in the tray (or elsewhere).

This is probably because of Unity. I am working on better multiple-GUI support. For Unity that means libappindicator. For XFCE its plugin framework. For native windows its NotifyIcon API. And GNOME3 shell has no status icons at all. Cocoa has a status-menu icon. It seems to be different for every platform...

> After that, it seems to do nothing. If I renew the DHCP lease (or if I
> 'sudo dnssec-trigger-control submit 192.134.4.162' is the local
> resolver, a BIND fully DNSSEC), unbound.conf is not modified.

It probably works but you do not see the status icon in the tray (because Unity does not allow that).
You can get results on the commandline with:

$ dnssec-trigger-control status

(no need for sudo)

The popup dialog probably also still works, test it with:

$ dnssec-trigger-control unsafe

Best regards,
Wouter

From bortzmeyer at nic.fr Tue Sep 20 08:06:54 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 20 Sep 2011 10:06:54 +0200
Subject: [Dnssec-trigger] Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <4E783E75.2080003@nlnetlabs.nl>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl>
Message-ID: <20110920080654.GA27672@nic.fr>

On Tue, Sep 20, 2011 at 09:19:17AM +0200, W.C.A. Wijngaards wrote a message of 68 lines which said:

> > dnssec-trigger-panel shows nothing in the tray (or elsewhere).
>
> This is probably because of Unity. I am working on better multiple-GUI
> support. For Unity that means libappindicator. For XFCE its plugin
> framework. For native windows its NotifyIcon API. And GNOME3 shell has
> no status icons at all. Cocoa has a status-menu icon. It seems to be
> different for every platform...

I don't even know what I use (and I suspect that many Unix users are in the same case, completely lost by the lack of stability of GUI interfaces). I installed an Ubuntu beta (because the laptop does not work with stable versions) and I got something which, I believe, is Gnome Shell.

> $ dnssec-trigger-control status

So it works:

% dnssec-trigger-control status
at 2011-09-20 10:01:09
cache 192.134.4.163: error no RRSIGs in reply
cache 192.134.4.162: OK
state: cache secure

[The error on 192.134.4.163 is indeed a problem on our side, confirmed with dig.]

And tcpdump shows that 192.134.4.162 is used, even if unbound.conf is not modified. [Any way to dump the live configuration of Unbound, by the way?]

10:04:14.508842 IP 10.1.86.54.51381 > 192.134.4.162.53: 54670+% [1au] DS? 208.in-addr.arpa. (45)

> The popup dialog probably also still works, test it with:
> $ dnssec-trigger-control unsafe

Works OK.

I'm going to test on more hotspots now.

From bortzmeyer at nic.fr Tue Sep 20 08:25:05 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 20 Sep 2011 10:25:05 +0200
Subject: [Dnssec-trigger] Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <20110920080654.GA27672@nic.fr>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl> <20110920080654.GA27672@nic.fr>
Message-ID: <20110920082505.GA1929@nic.fr>

On Tue, Sep 20, 2011 at 10:06:54AM +0200, Stephane Bortzmeyer wrote a message of 47 lines which said:

> I'm going to test on more hotspots now.

I just discovered it works with RFC 6106. Great!

at 2011-09-20 10:18:02
cache 2a01:e00::1: OK
cache 2a01:e00::2: error no EDNS
cache 212.27.40.240: error no EDNS
cache 212.27.40.241: error no EDNS
state: cache secure

[The fact that the various name servers have different configurations is one of the pleasures of using Free Telecom, the company which pushes half of the IPv6 traffic in the world.]

From wouter at NLnetLabs.nl Tue Sep 20 08:36:37 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 20 Sep 2011 10:36:37 +0200
Subject: [Dnssec-trigger] Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <20110920080654.GA27672@nic.fr>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl> <20110920080654.GA27672@nic.fr>
Message-ID: <4E785095.6020103@nlnetlabs.nl>

Hi Stephane,

On 09/20/2011 10:06 AM, Stephane Bortzmeyer wrote:
> On Tue, Sep 20, 2011 at 09:19:17AM +0200,
> W.C.A. Wijngaards wrote
> a message of 68 lines which said:
>
>>> dnssec-trigger-panel shows nothing in the tray (or elsewhere).
>>
>> This is probably because of Unity. I am working on better multiple-GUI
>> support. For Unity that means libappindicator. For XFCE its plugin
>> framework. For native windows its NotifyIcon API. And GNOME3 shell has
>> no status icons at all. Cocoa has a status-menu icon. It seems to be
>> different for every platform...
>
> I don't even know what I use (and I suspect that many Unix users are
> in the same case, completely lost by the lack of stability of GUI
> interfaces). I installed an Ubuntu beta (because the laptop does not
> work with stable versions) and I got something which, I believe, is
> Gnome Shell.

Yes

>> $ dnssec-trigger-control status
>
> So it works:

:-)

> % dnssec-trigger-control status
> at 2011-09-20 10:01:09
> cache 192.134.4.163: error no RRSIGs in reply
> cache 192.134.4.162: OK
> state: cache secure
>
> [The error on 192.134.4.163 is indeed a problem on our side, confirmed
> with dig.]
>
> And tcpdump shows that 192.134.4.162 is used, even if unbound.conf is
> not modified. [Any way to dump the live configuration of Unbound, by
> the way?]

Yes you can print the live configuration of unbound:

$ unbound-control forward

> 10:04:14.508842 IP 10.1.86.54.51381 > 192.134.4.162.53: 54670+% [1au] DS? 208.in-addr.arpa. (45)
>
>> The popup dialog probably also still works, test it with:
>> $ dnssec-trigger-control unsafe
>
> Works OK.
Good, so the basic GTK for the windows works on Ubuntu Unity GUI.

> I'm going to test on more hotspots now.

If they turn out insecure can you try:
* reprobe after signon (you do not have the menu item; try dnssec-trigger-control submit
* can you https to nlnetlabs.nl (selfsigned)? (can DANE work?)
* can you dig dnssec over tcp80 or tcp443?
  dig @213.154.224.42 -p 80 +vc +dnssec . DNSKEY
  dig @213.154.224.42 -p 443 +vc +dnssec . DNSKEY
  dig @213.154.224.42 -p 80 +vc +dnssec se. DS
  dig @213.154.224.42 -p 443 +vc +dnssec se. DS

Best regards,
Wouter

From bortzmeyer at nic.fr Tue Sep 20 11:54:49 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 20 Sep 2011 13:54:49 +0200
Subject: [Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <4E785095.6020103@nlnetlabs.nl>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl> <20110920080654.GA27672@nic.fr> <4E785095.6020103@nlnetlabs.nl>
Message-ID: <20110920115449.GA10191@nic.fr>

On Tue, Sep 20, 2011 at 10:36:37AM +0200, W.C.A. Wijngaards wrote a message of 89 lines which said:

> If they turn out insecure can you try:
> * reprobe after signon (you do not have the menu item; try
> dnssec-trigger-control submit
> * can you https to nlnetlabs.nl (selfsigned)? (can DANE work?)
> * can you dig dnssec over tcp80 or tcp443?
> dig @213.154.224.42 -p 80 +vc +dnssec . DNSKEY
> dig @213.154.224.42 -p 443 +vc +dnssec . DNSKEY
> dig @213.154.224.42 -p 80 +vc +dnssec se. DS
> dig @213.154.224.42 -p 443 +vc +dnssec se. DS

Did not yet find a hotspot with broken resolvers *and* an access for me. What I saw:

1) What is the meaning of "dark" in "state: dark secure"?

2) When the popup is displayed, explaining there is no DNSSEC possible and asking to choose between Disconnect and Insecure, I get:

at 2011-09-20 11:45:43
authority 192.58.128.30: error timeout
cache 109.0.66.10: error no EDNS
cache 109.0.66.20: error no EDNS
state: dark secure

How can I have "secure" when all three name servers are broken?

3) I found a broken access (Orange Business Everywhere, with a 3G key). The PPP negotiation works, I get an IP address and name servers but no packet goes through. The problem is that dnssec-trigger reports:

at 2011-09-20 11:51:44
cache 192.168.10.110: OK
cache 10.221.35.149: error timeout
state: cache secure

How can it say that 192.168.10.110 is OK when it does not even reply to dig, ping or traceroute?

From wouter at NLnetLabs.nl Tue Sep 20 12:36:59 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 20 Sep 2011 14:36:59 +0200
Subject: [Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <20110920115449.GA10191@nic.fr>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl> <20110920080654.GA27672@nic.fr> <4E785095.6020103@nlnetlabs.nl> <20110920115449.GA10191@nic.fr>
Message-ID: <4E7888EB.9070908@nlnetlabs.nl>

Hi Stephane,

On 09/20/2011 01:54 PM, Stephane Bortzmeyer wrote:
> On Tue, Sep 20, 2011 at 10:36:37AM +0200,
> W.C.A. Wijngaards wrote
> a message of 89 lines which said:
>
>> If they turn out insecure can you try:
>> * reprobe after signon (you do not have the menu item; try
>> dnssec-trigger-control submit
>> * can you https to nlnetlabs.nl (selfsigned)? (can DANE work?)
>> * can you dig dnssec over tcp80 or tcp443?
>> dig @213.154.224.42 -p 80 +vc +dnssec . DNSKEY
>> dig @213.154.224.42 -p 443 +vc +dnssec . DNSKEY
>> dig @213.154.224.42 -p 80 +vc +dnssec se. DS
>> dig @213.154.224.42 -p 443 +vc +dnssec se. DS
>
> Did not yet find a hotspot with broken resolvers *and* an access for
> me. What I saw:
>
> 1) What is the meaning of "dark" in "state: dark secure"?

that you are disconnected. Perhaps I should change that text, in the GUI it is replaced with a user-friendly text.

> 2) When the popup is displayed, explaining there is no DNSSEC possible
> and asking to choose between Disconnect and Insecure, I get:
> at 2011-09-20 11:45:43
> authority 192.58.128.30: error timeout
> cache 109.0.66.10: error no EDNS
> cache 109.0.66.20: error no EDNS
> state: dark secure
> How can I have "secure" when all three name servers are broken?

But you are disconnected, and thus secure. It has told unbound to forward to 127.0.0.127 (nowhere and unbound has that in its donotquerylist, so it will not ask).

> 3) I found a broken access (Orange Business Everywhere, with a 3G
> key).
> The PPP negotiation works, I get an IP address and name servers
> but no packet goes through. The problem is that dnssec-trigger
> reports:
> at 2011-09-20 11:51:44
> cache 192.168.10.110: OK
> cache 10.221.35.149: error timeout
> state: cache secure
> How can it say that 192.168.10.110 is OK when it does not even reply to
> dig, ping or traceroute?

This is odd, because it seems it replies to the dnssec-trigger. So it should reply to

dig @192.168.10.110 +dnssec +cdflag . DNSKEY

If you submit it again, you can capture the tcpdump (queries and replies). (is there some bug?)

Best regards,
Wouter

From bortzmeyer at nic.fr Tue Sep 20 13:38:53 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 20 Sep 2011 15:38:53 +0200
Subject: [Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <4E7888EB.9070908@nlnetlabs.nl>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl> <20110920080654.GA27672@nic.fr> <4E785095.6020103@nlnetlabs.nl> <20110920115449.GA10191@nic.fr> <4E7888EB.9070908@nlnetlabs.nl>
Message-ID: <20110920133853.GA30797@nic.fr>

On Tue, Sep 20, 2011 at 02:36:59PM +0200, W.C.A. Wijngaards wrote a message of 79 lines which said:

> But you are disconnected, and thus secure.

It gives me ideas on how to secure my system (unplug it).

From paul at xelerance.com Tue Sep 20 13:39:01 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 20 Sep 2011 09:39:01 -0400 (EDT)
Subject: [Dnssec-trigger] Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <4E785095.6020103@nlnetlabs.nl>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl> <20110920080654.GA27672@nic.fr> <4E785095.6020103@nlnetlabs.nl>
Message-ID:

On Tue, 20 Sep 2011, W.C.A. Wijngaards wrote:

> Yes you can print the live configuration of unbound:
> $ unbound-control forward

Any reason why not to put that as a comment in resolv.conf, together with a timestamp? For testing now, I keep doing "ls -l /etc/resolv.conf" and "unbound-control forward".

Paul

From paul at xelerance.com Tue Sep 20 13:34:45 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 20 Sep 2011 09:34:45 -0400 (EDT)
Subject: [Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <4E7888EB.9070908@nlnetlabs.nl>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl> <20110920080654.GA27672@nic.fr> <4E785095.6020103@nlnetlabs.nl> <20110920115449.GA10191@nic.fr> <4E7888EB.9070908@nlnetlabs.nl>
Message-ID:

On Tue, 20 Sep 2011, W.C.A. Wijngaards wrote:

>> state: dark secure
>> How can I have "secure" when all three name servers are broken?
>
> But you are disconnected, and thus secure.

Perhaps call it "isolated"?

>> How can it say that 192.168.10.110 is OK when it does not even reply to
>> dig, ping or traceroute?
>
> This is odd, because it seems it replies to the dnssec-trigger. So it
> should reply to dig @192.168.10.110 +dnssec +cdflag . DNSKEY

I think I've seen similar issues but I'll do more hotspot checking today.
Paul

From wouter at NLnetLabs.nl Tue Sep 20 14:39:11 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 20 Sep 2011 16:39:11 +0200
Subject: [Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)
In-Reply-To: <20110920133853.GA30797@nic.fr>
References: <20110919153532.GA30868@nic.fr> <4E783E75.2080003@nlnetlabs.nl> <20110920080654.GA27672@nic.fr> <4E785095.6020103@nlnetlabs.nl> <20110920115449.GA10191@nic.fr> <4E7888EB.9070908@nlnetlabs.nl> <20110920133853.GA30797@nic.fr>
Message-ID: <4E78A58F.8080206@nlnetlabs.nl>

Hi Stephane, Paul,

On 09/20/2011 03:38 PM, Stephane Bortzmeyer wrote:
> On Tue, Sep 20, 2011 at 02:36:59PM +0200,
> W.C.A. Wijngaards wrote
> a message of 79 lines which said:
>
>> But you are disconnected, and thus secure.
>
> It gives me ideas on how to secure my system (unplug it).

I have called it 'nodnssec', that is what it means: there are no dnssec capable machines. If also secure, that means no communication. If insecure, then you are using the insecure IPs.

Best regards,
Wouter

From wouter at NLnetLabs.nl Tue Sep 20 14:50:17 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 20 Sep 2011 16:50:17 +0200
Subject: [Dnssec-trigger] native windows gui
Message-ID: <4E78A829.8070809@nlnetlabs.nl>

Hi,

For Carsten, a native windows gui,
http://www.nlnetlabs.nl/~wouter/dnssec_trigger_setup_0.4_20110920.exe

The executable dropped to about 90kb (+64k in icons), install size went from 17Mb to about 4Mb, with only a couple DLLs now (SSL and LDNS).

It is functionally identical to the gtk version, except it starts very quickly on login, which is pleasant.
Best regards,
Wouter

From paul at xelerance.com Tue Sep 20 15:26:29 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 20 Sep 2011 11:26:29 -0400 (EDT)
Subject: [Dnssec-trigger] Looking for dnssec-triggerd alpha testers! (fwd)
Message-ID:

FYI

---------- Forwarded message ----------
Date: Tue, 20 Sep 2011 10:19:15 -0500
From: Dan Williams
Cc: networkmanager-list at gnome.org, W.C.A. Wijngaards
To: Development discussions related to Fedora
Subject: Re: Looking for dnssec-triggerd alpha testers!

On Sat, 2011-09-17 at 14:00 -0400, Paul Wouters wrote:
> Hi developers of NM and Fedora,
>
> We are trying to get DNSSEC validation on the end nodes. One way of doing
> that is to run a caching resolver on every host, but that strains the
> DNS infrastructure because all DNS caches would be circumvented. Since
> DNSSEC data is signed, you can obtain it via "insecure channels" and then
> validate it. So we want to try and use the DHCP obtained DNS caches as much
> as possible.
>
> However, there are many networks out there that mess with DNS, and sometimes
> we have to accept fake DNS to get past hotspot/login pages. Sometimes the
> DNS proxies are broken for DNSSEC and we would prefer to run the queries
> ourselves to the authoritative nameservers without using the broken caching
> middle layer.
>
> This is where "dnssec-trigger" comes in. Users run a local validating
> resolver with DNSSEC support (unbound) that can be dynamically reconfigured
> to use different forwarders. dnssec-triggerd checks the DNS path by sending
> a query to a root name server (via the caching resolver or directly) and
> determines if the DHCP obtained DNS servers can be used, or if unbound should
> attempt it directly. Or in the worst case, if DNS should be disabled completely
> because it is proven untrusted.
>
> dnssec-trigger consists of NetworkManager hooks, a daemon that rewrites
> resolv.conf and signals unbound, and a gnome applet to show the user the
> DNSSEC status and to warn the user if the network is (too?) unsafe to use.

We can do a much better job of NM integration here. We've already got a DNS local-caching plugin for dnsmasq, but that doesn't do IPv6 as well. We can easily create one for unbound. I tried to do one for bind, but bind's config format is arcane enough that I gave up trying to get it to do what I needed (local caching nameserver). NM handles rewriting resolv.conf too, so that would no longer be required here.

Also, I saw mention of "DHCP obtained DNS caches" at the top of the mail; can somebody provide a pointer to how that works? It's something we should also expose via NM. NM already lets clients access all the DHCP-provided options via the D-Bus interface, but if this requires the DHCP client to request specific options from the server, that's something NM would want to know as well.

> We'd love to hear from Fedora people how well this integrates and works in
> various hotspot scenarios.
> We'd love to hear from NM developers to see if
> the hooking has all been done in proper ways.

Yeah, a DNS plugin would be the best way to go here. I've already implemented a local caching DNS plugin for dnsmasq, including reverse resolution for IPv4 addresses so that stuff like VPN IP lookups work correctly when they are in-use. I can provide pointers on how to set up a new DNS plugin, but the existing ones are here:

http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/dns-manager

Each plugin is a subclass of NMDnsPlugin and it should be pretty self-explanatory. NM calls the plugin's update() method with a list of the IPv4 and IPv6 configs of all active interfaces in priority order. The plugin then takes these and creates whatever configuration it needs for its DNS program (dnsmasq, bind, unbound, etc) and then spawns that program. You could also simply rewrite the program's config file and send SIGHUP or something too if it supports that.

Dan

> You can find source and package pre-releases at:
>
> ftp://ftp.xelerance.com/dnssec-trigger/
>
> Install dnssec-trigger, which should drag in the unbound DNS server. Enable
> the unbound and dnssec-triggerd services to start. the panel can be manually
> started with "dnssec-trigger-panel".
>
> Cheers,
>
> Paul

_______________________________________________
networkmanager-list mailing list
networkmanager-list at gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list

From carsten at strotmann.de Tue Sep 20 17:37:09 2011
From: carsten at strotmann.de (Carsten Strotmann (private))
Date: Tue, 20 Sep 2011 19:37:09 +0200
Subject: [Dnssec-trigger] dnssec-trigger at Hotel hotspot in Vienna
Message-ID: <4E78CF45.3020700@strotmann.de>

Hi,

I had an issue today at a hotspot in a hotel in Vienna (using MacOS X).

The hotel has a captive portal WLAN. DNSSEC was working using the WLAN DNS (from DHCP), so DNSSEC-Trigger configured the use of the Unbound DNS on localhost. However the captive portal login page was only available when using the DHCP supplied DNS Servers (non-delegated private DNS name for the portal page). So the only way to do anything else than DNS (I know, who needs that :) ) did not work in this setup.

Not sure how this can be solved, maybe by having DNSSEC-trigger test a well known webpage on port 80 to detect a captive portal.

MacOS X 10.7 now also has an automatic captive portal detection (ported from iOS). Not sure if there are APIs available to use the function.

--
Carsten

From paul at xelerance.com Tue Sep 20 18:11:03 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 20 Sep 2011 14:11:03 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec trigger 0.3 experimental
In-Reply-To: <4E783B8B.9020404@nlnetlabs.nl>
References: <4E71D33E.3010407@nlnetlabs.nl> <4E733C15.7070304@nlnetlabs.nl> <4E76EE29.6070906@menandmice.com> <4E7747EE.6020109@nlnetlabs.nl> <4E783B8B.9020404@nlnetlabs.nl>
Message-ID:

On Tue, 20 Sep 2011, W.C.A. Wijngaards wrote:

> Well, does https work with some website? (like nlnetlabs, selfsigned)?

Depends on the state/timing when you break my dns :)

After portal login, all 80/443 works fine.

Turns out the test I tend to do works:

dig +dnssec dnskey xelerance.com @193.110.157.136

But what I had not noticed:

;; WARNING: Messages has 169 extra bytes at end

So something very fishy happening.....

> - after sign-in you can Reprobe (tray menu) perhaps it works then.

The difference before auth and after login to the portal is that queries to auth nameservers do work.
Does dnssec-trigger do any exponential backoff attempt at probing when the user put it in "insecure mode"?

> - perhaps dnssec-over-tcp80 and tcp443 works, can you try these digs?
> dig @213.154.224.42 -p 80 +vc +dnssec . DNSKEY

Timeout before login. There is a 302 redirect on port 80 to port 443, see below. Works after login

> dig @213.154.224.42 -p 443 +vc +dnssec . DNSKEY

Before login:

;; communications error to 213.154.224.42#443: end of file

This is the secure login page capturing ANY port 443 for login. Works after login

> dig @213.154.224.42 -p 80 +vc +dnssec se. DS

Timeout before login. Works after login

> dig @213.154.224.42 -p 443 +vc +dnssec se. DS

Same error as above on port 443 before login, works after login.

Note that before login, port 80 traffic does reconnect me to port 443. Not sure why dig does not report an error for that at all.

[paul at thinkpad ~]$ telnet 1.2.3.4 80
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
lkfdfkhdf
HTTP/1.1 400 Page not found
Server: GoAhead-Webs
Date: Tue, 20 Sep 2011 17:39:15 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

Document Error: Page not found
Access Error: Page not found
Bad request type

Connection closed by foreign host.
[paul at thinkpad ~]$ telnet 1.2.3.4 80
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
GET / /
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Tue, 20 Sep 2011 17:39:24 GMT
Pragma: no-cache
Cache-control: no-cache
Content-Type: text/html
Location: https://secure.boldstreet.com/SecondCup/Intercept.aspx?UI=00-03-52-EB-8C-E0&MA=00-21-5C-54-4F-E5&UIP=206.108.148.92&CIP=192.168.101.39&SSID=hotspot_Rogers&OS=http://www.google.ca/sd
[...]

After relogin, I did a reprobe. Tray icon still shows "!"

results from probe at 2011-09-20 13:32:38
authority 199.7.83.42: error cannot disassemble reply: additional section incomplete
cache 192.168.101.1: error timeout
DNS queries are sent to INSECURE servers.
Please, be careful out there.

resolv.conf matches that:

[paul at thinkpad ~]$ cat /etc/resolv.conf
# Generated by dnssec-trigger 0.3
nameserver 192.168.101.1

[root at thinkpad paul]# unbound-control forward
127.0.0.127

and unbound blackholed (not sure why, as no one is asking it anything, why not leave it in "auth mode"?

I then put unbound in regular auth mode:

[root at thinkpad paul]# unbound-control flush all
ok
[root at thinkpad paul]# unbound-control forward off
ok

which seems to work:

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-9.P4.fc14 <<>> +dnssec dnskey com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17249
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

that worked, but the se DS set indeed is still broken:

[root at thinkpad paul]# dig +dnssec se. DS @localhost

; <<>> DiG 9.8.0-P4-RedHat-9.8.0-9.P4.fc14 <<>> +dnssec se. DS @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

and a dig for www.xelerance.com also failed

then I noticed this is unbound 1.4.11. Repeated the test and got the same results for 1.4.13rc1 with EDNS patch.
Note also that once you put yourself in "insecure" mode, you can never put yourself via the GUI back in "disconnected cache only mode" until you switch networks.....

I also see these:
(:30388): Gdk-CRITICAL **: IA__gdk_window_get_root_coords: assertion `GDK_IS_WINDOW (window)' failed

Paul

From paul at xelerance.com Tue Sep 20 18:12:54 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 20 Sep 2011 14:12:54 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger at Hotel hotspot in Vienna
In-Reply-To: <4E78CF45.3020700@strotmann.de>
References: <4E78CF45.3020700@strotmann.de>
Message-ID:

On Tue, 20 Sep 2011, Carsten Strotmann (private) wrote:

> The hotel has a captive portal WLAN. DNSSEC was working using the
> WLAN DNS (from DHCP), so DNSSEC-Trigger configured the use of the
> Unbound DNS on localhost. However the captive portal login page was
> only available when using the DHCP supplied DNS Servers (non-delegated
> private DNS name for the portal page). So the only way to do anything
> else than DNS (I know, who needs that :) ) did not work in this setup.
>
> Not sure how this can be solved, maybe by having DNSSEC-trigger to

A quick fix might be to hit "1.2.3.4" in your browser. A lot of captive portals then grab the stream into the captive portal.

I thought DNS redirect portals were dying out in favour of ip port 80/443 grabbing portals, but I guess there might be a lot of cruft out there.

Paul

From carsten at strotmann.de Tue Sep 20 17:31:35 2011
From: carsten at strotmann.de (Carsten Strotmann (private))
Date: Tue, 20 Sep 2011 19:31:35 +0200
Subject: [Dnssec-trigger] native windows gui
In-Reply-To: <4E78A829.8070809@nlnetlabs.nl>
References: <4E78A829.8070809@nlnetlabs.nl>
Message-ID: <4E78CDF7.6010607@strotmann.de>

Hi Wouter,

that was quick :) I will test asap.

-- Carsten

On 9/20/11 4:50 PM, W.C.A. Wijngaards wrote:
> Hi,
>
> For Carsten, a native windows gui,
> http://www.nlnetlabs.nl/~wouter/dnssec_trigger_setup_0.4_20110920.exe
>
> The executable dropped to about 90kb (+64k in icons), install size
> went from 17Mb to about 4Mb, with only a couple DLLs now (SSL and
> LDNS).
>
> It is functionally identical to the gtk version, except it starts
> very quickly on login, which is pleasant.
>
> Best regards, Wouter
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger

From paul at xelerance.com Tue Sep 20 18:35:20 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 20 Sep 2011 14:35:20 -0400 (EDT)
Subject: [Dnssec-trigger] more bugs :P
Message-ID:

When I got home, my laptop did not unsuspend, so I had to reboot it. After it was back, it came up before network manager had the connection on the wifi (init script for dnssec-triggerd starts after nm, but apparently nm was slow) and so it seemed to remain in "network disconnected" mode.

bug #1: It should more often probe when in network disconnected mode, or better pick up NM changes.

Then the results of my manual probe said:

results from probe at 2011-09-20 14:29:44
authority 192.112.36.4: OK DNSSEC results fetched direct from authorities

I was confused why it didn't say anything about the cache.

bug #2: always display a line about the local cache even if just to say "status unknown".

Meanwhile, I had no working DNS.
Running unbound-control forward, I found out that unbound wasn't autostarted on boot on my laptop :)

bug #3: Do not rewrite resolv.conf when unbound is not running, OR present a popup saying "I broke your dns please start unbound" OR start unbound for me :)

Paul

From paul at xelerance.com Tue Sep 20 18:41:23 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 20 Sep 2011 14:41:23 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger at Hotel hotspot in Vienna
In-Reply-To: <4E78CF45.3020700@strotmann.de>
References: <4E78CF45.3020700@strotmann.de>
Message-ID:

On Tue, 20 Sep 2011, Carsten Strotmann (private) wrote:

> Not sure how this can be solved, maybe by having DNSSEC-trigger to
> test a well known webpage of port 80 to detect a captive portal. MacOS
> X 10.7 now also has an automatic captive portal detection (ported from
> iOS). Not sure if there are APIs available to use the function.

I think it is :)

http://www.apple.com/library/test/success.html

The real question is should dnssec-trigger get involved here or not. Ideally, the OS or browser is going to do the portal detection.

dnssec-trigger could decide to reprobe every 5 seconds if it sees this "portal" indicator? eg remain more aggressive while on a suspected landing page that hopefully soon will open up auth DNS.

Paul

From carsten at strotmann.de Tue Sep 20 19:56:27 2011
From: carsten at strotmann.de (Carsten Strotmann (private))
Date: Tue, 20 Sep 2011 21:56:27 +0200
Subject: [Dnssec-trigger] dnssec-trigger at Hotel hotspot in Vienna
In-Reply-To:
References: <4E78CF45.3020700@strotmann.de>
Message-ID: <4E78EFEB.8060707@strotmann.de>

On 9/20/11 8:41 PM, Paul Wouters wrote:
> On Tue, 20 Sep 2011, Carsten Strotmann (private) wrote:
>
>> Not sure how this can be solved, maybe by having DNSSEC-trigger
>> to test a well known webpage of port 80 to detect a captive
>> portal. MacOS X 10.7 now also has an automatic captive portal
>> detection (ported from iOS).
>> Not sure if there are APIs available
>> to use the function.
>
> I think it is :)
>
> http://www.apple.com/library/test/success.html
>
> The real question is should dnssec-trigger get involved here or
> not. Ideally, the OS or browser is going to do the portal
> detection.
>
> dnssec-trigger could decide to reprobe every 5 seconds if it sees
> this "portal" indicator? eg remain more aggressive while on a
> suspected landing page that hopefully soon will open up auth DNS.
>
> Paul

dnssec-trigger thinks it succeeds, effectively disabling MacOS X portal detection, so if dnssec-trigger is executed before the portal detection, the system fails. Sometimes dnssec-trigger is running after the portal-detection, then it works.

-- Carsten

From bortzmeyer at nic.fr Tue Sep 20 19:29:21 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 20 Sep 2011 21:29:21 +0200
Subject: [Dnssec-trigger] dnssec-trigger at Hotel hotspot in Vienna
In-Reply-To:
References: <4E78CF45.3020700@strotmann.de>
Message-ID: <20110920192921.GA19675@sources.org>

On Tue, Sep 20, 2011 at 02:12:54PM -0400, Paul Wouters wrote a message of 22 lines which said:

> A quick fix might be to hit "1.2.3.4" in your browser. A lot of
> captive portals then grab the stream into the captive portal.

If the portal redirects to http://login.provider.local/, as Carsten described, it won't help.
From paul at xelerance.com Tue Sep 20 20:17:23 2011
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 20 Sep 2011 16:17:23 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger at Hotel hotspot in Vienna
In-Reply-To: <4E78EFEB.8060707@strotmann.de>
References: <4E78CF45.3020700@strotmann.de> <4E78EFEB.8060707@strotmann.de>
Message-ID:

>> http://www.apple.com/library/test/success.html
>>
>> The real question is should dnssec-trigger get involved here or
>> not. Ideally, the OS or browser is going to do the portal
>> detection.
>>
>> dnssec-trigger could decide to reprobe every 5 seconds if it sees
>> this "portal" indicator? eg remain more aggressive while on a
>> suspected landing page that hopefully soon will open up auth DNS.

> dnssec-trigger thinks it succeeds, effectively disabling MacOS X
> portal detection, so if dnssec-trigger is executed before the portal
> detection, the system fails. Sometimes dnssec-trigger is running after
> the portal-detection, then it works.

So if dnssec-trigger also GET's http://www.apple.com/library/test/success.html, it could leave unbound in 127.0.0.127 state while waiting on the portal page to become available. Once it does, do the DNS probe?

Paul

From bortzmeyer at nic.fr Tue Sep 20 20:24:18 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 20 Sep 2011 22:24:18 +0200
Subject: [Dnssec-trigger] [OT] IPv6 is not only used for ping and traceroute
Message-ID: <20110920202418.GA27491@nic.fr>

Received: from mx2.nic.fr (mx2.nic.fr [IPv6:2001:660:3003:2::4:11])
    by open.nlnetlabs.nl (8.14.4/8.14.4) with ESMTP id p8K8P6VJ081911;
    Tue, 20 Sep 2011 10:25:06 +0200 (CEST)
    (envelope-from bortzmeyer at nic.fr)

:-)

From wouter at NLnetLabs.nl Wed Sep 21 06:25:33 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Wed, 21 Sep 2011 08:25:33 +0200
Subject: [Dnssec-trigger] dnssec trigger 0.3 experimental
In-Reply-To:
References: <4E71D33E.3010407@nlnetlabs.nl> <4E733C15.7070304@nlnetlabs.nl> <4E76EE29.6070906@menandmice.com> <4E7747EE.6020109@nlnetlabs.nl> <4E783B8B.9020404@nlnetlabs.nl>
Message-ID: <4E79835D.6000702@nlnetlabs.nl>

Hi Paul,

On 09/20/2011 08:11 PM, Paul Wouters wrote:
> On Tue, 20 Sep 2011, W.C.A. Wijngaards wrote:
>
>> Well, does https work with some website? (like nlnetlabs, selfsigned)?
>
> Depends on the state/timing when you break my dns :)
> After portal login, all 80/443 works fine.
>
> Turns out the test I tend to do works:
>
> dig +dnssec dnskey xelerance.com @193.110.157.136

Oh, so even UDP may work.

> But what I had not noticed:
>
> ;; WARNING: Messages has 169 extra bytes at end
>
> So something very fishy happening.....

Interesting.

>> - after sign-in you can Reprobe (tray menu) perhaps it works then.
>
> The difference before auth and after login to the portal is that queries
> to auth nameservers do work. Does dnssec-trigger do any exponential backoff
> attempt at probing when the user put it in "insecure mode"?

Not yet, it is a feature on my TODO. So, retry after 10 seconds and exponential backoff after that, in Insecure mode.

>> - perhaps dnssec-over-tcp80 and tcp443 works, can you try these digs?
>
>> dig @213.154.224.42 -p 80 +vc +dnssec . DNSKEY
>
> Timeout before login. There is a 302 redirect on port 80 to port 443, see
> below. Works after login
>
>> dig @213.154.224.42 -p 443 +vc +dnssec . DNSKEY
>
> Before login: ;; communications error to 213.154.224.42#443: end of file
> This is the secure login page capturing ANY port 443 for login
> Works after login
>
>> dig @213.154.224.42 -p 80 +vc +dnssec se. DS
>
> Time out before login.
> Works after login
>
>> dig @213.154.224.42 -p 443 +vc +dnssec se. DS
>
> same error as above on port 443 before login
> works after login
>
> Note that before login, port 80 traffic does reconnect me to port 443
> Not sure why dig does not report an error for that at all.

This is very nice, but I get the idea that perhaps normal UDP to authority servers may work after signon on this portal.

> [paul@thinkpad ~]$ telnet 1.2.3.4 80
> Trying 1.2.3.4...
> Connected to 1.2.3.4.
> Escape character is '^]'.
> lkfdfkhdf
> HTTP/1.1 400 Page not found
> Server: GoAhead-Webs
> Date: Tue, 20 Sep 2011 17:39:15 GMT
> Pragma: no-cache
> Cache-Control: no-cache
> Content-Type: text/html
>
> Document Error: Page not found
>
> Access Error: Page not found
>
> Bad request type
>
> Connection closed by foreign host.
>
> [paul@thinkpad ~]$ telnet 1.2.3.4 80
> Trying 1.2.3.4...
> Connected to 1.2.3.4.
> Escape character is '^]'.
> GET / /
>
> HTTP/1.0 302 Redirect
> Server: GoAhead-Webs
> Date: Tue, 20 Sep 2011 17:39:24 GMT
> Pragma: no-cache
> Cache-control: no-cache
> Content-Type: text/html
> Location:
> https://secure.boldstreet.com/SecondCup/Intercept.aspx?UI=00-03-52-EB-8C-E0&MA=00-21-5C-54-4F-E5&UIP=206.108.148.92&CIP=192.168.101.39&SSID=hotspot_Rogers&OS=http://www.google.ca/sd
>
> [...]
>
> After relogin, I did a reprobe. Tray icon still shows "!"
>
> results from probe at 2011-09-20 13:32:38
>
> authority 199.7.83.42: error cannot disassemble reply: additional
> section incomplete
> cache 192.168.101.1: error timeout
>
> DNS queries are sent to INSECURE servers.
> Please, be careful out there.

Okay, so it cannot use UDP, but TCP may work in the port80/443 fallback. So it seems that feature could be worthwhile to implement.

> resolv.conf matches that:
>
> [paul@thinkpad ~]$ cat /etc/resolv.conf
> # Generated by dnssec-trigger 0.3
> nameserver 192.168.101.1
>
> [root@thinkpad paul]# unbound-control forward
> 127.0.0.127
>
> and unbound blackholed (not sure why, as no one is asking it anything,
> why not leave it in "auth mode"?

Yes, because the user is using the insecure servers, but unbound could have some 'leftover' queries in its task list. If it tries to connect outside, it gets timeouts and this messes up the time detection of DNS hosts. Thus setting 127.0.0.127 stops unbound from sending queries, because its entries are leftover and useless anyway, and it cannot succeed either. At worst, it may timeout lots of times, on a root server perhaps, and put that server on the 'do not query it again it is offline' list.
> I then put unbound in regular auth mode:
>
> [root@thinkpad paul]# unbound-control flush all
> ok
> [root@thinkpad paul]# unbound-control forward off
> ok
>
> which seems to work:
>
> ; <<>> DiG 9.8.0-P4-RedHat-9.8.0-9.P4.fc14 <<>> +dnssec dnskey com
> @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17249
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> that worked, but the se DS set indeed is still borken:

You are querying the cache in unbound, but unbound cannot query to the network. tcp80 and tcp443 features are not implemented on dnssec-trigger. With 1.4.13, you could do:

unbound-control forward 213.154.224.42@443
unbound-control set_option tcp-upstream: yes

That makes unbound do TCP to port 443 (with open resolver NLnet Labs). And that is what dnssec-trigger can try to do. But it would be nice to know if that is useful. Your coffee network looks like it may be: UDP DNS looks like it is borked, even after signon (right?!) and TCP-intheclear-DNS-port443 works?

> [root@thinkpad paul]# dig +dnssec se. DS @localhost
>
> ; <<>> DiG 9.8.0-P4-RedHat-9.8.0-9.P4.fc14 <<>> +dnssec se. DS @localhost
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> and a dig for www.xelerance.com also failed
>
> then I noticed this is unbound 1.4.11. Repeated the test and got
> the same results for 1.4.13rc1 with EDNS patch.
>
> Note also that once you put yourself in "insecure" mode, you can never put
> yourself via the GUI back in "disconnected cache only mode" until you
> switch
> networks.....

Yes, you can reprobe. If it then detects that it is secure, it switches to secure without a dialog (icon stops !). There is simply no need for a dialog here as the user need not click on 'Yes I am secure' or something. But perhaps this needs to change, if you have to go to the 'portal page' via the portal-page DNS somehow.
So temporarily go insecure, and then go secure again (With dialog: Are you done with signon?)...

> I also see these:
> (:30388): Gdk-CRITICAL **: IA__gdk_window_get_root_coords:
> assertion `GDK_IS_WINDOW (window)' failed

This is a bug in GTK to do with trayicons. When you mouseover them. I think we can ignore it, although a fix in GTK could be good of course.

Best regards, Wouter

From wouter at NLnetLabs.nl Wed Sep 21 07:06:52 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Wed, 21 Sep 2011 09:06:52 +0200
Subject: [Dnssec-trigger] more bugs :P
In-Reply-To:
References:
Message-ID: <4E798D0C.1060206@nlnetlabs.nl>

Hi Paul,

On 09/20/2011 08:35 PM, Paul Wouters wrote:
>
> When I got home, my laptop did not unsuspend, so I had to reboot it.

Ok, so a Linux, Networkmanager trigger hooks.

> After it was back, it came up before network manager had the connection
> on the wifi (init script for dnssec-triggerd starts after nm, but apparently
> nm was slow) and so it seemed to remain in "network disconnected" mode.
But your rc.d init script has the line where it starts the networkmanager/dispatcher.d/01-dnssec-trigger.sh script, right? Or did you update the rpm but not your laptop?

> bug #1: It should more often probe when in network disconnected mode, or
> better pick up NM changes.

Yes, exponential backoff probes when disconnected are probably useful. But it should also pickup the NM changes well.

> Then the results of my manual probe said:
>
> results from probe at 2011-09-20 14:29:44
> authority 192.112.36.4: OK DNSSEC results fetched direct from authorities
>
> I was confused why it didn't say anything about the cache.

Because there is no NM change, and it has 0 DNS servers from NM.

> bug #2: always display a line about the local cache even if just to say
> "status unknown".

Yes, it means 'There are no DNS servers from DHCP'

> Meanwhile, I had no working DNS. Running unbound-control forward, I
> found out that unbound wasn't autostarted on boot on my laptop :)
>
> bug #3: Do not rewrite resolv.conf when unbound is not running, OR
> present a popup saying "I broke your dns please start unbound" OR
> start unbound for me :)

That should be the system's work to bootup unbound, or the unbound-rpm's work to set that up? I guess we could sortof check: it does tell you if unbound-control fails, that goes into the syslog I think. I think it already logs to syslog if unbound-control fails.

You also forwarded Dan's NM mail to here, not sure where to reply now, to dnssec-trigger, the networkmanager-list or devel at fedora list?

I just want the NM plugin to call: /usr/bin/dnssec-trigger-control submit ; the dnssec-triggerd has hooks where it wants to overwrite the resolv.conf - not sure how to feed that data into NM (there may be a delay for probes too) ?
Best regards, Wouter

From wouter at NLnetLabs.nl Wed Sep 21 08:19:01 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Wed, 21 Sep 2011 10:19:01 +0200
Subject: [Dnssec-trigger] dnssec-trigger at Hotel hotspot in Vienna
In-Reply-To: <4E78EFEB.8060707@strotmann.de>
References: <4E78CF45.3020700@strotmann.de> <4E78EFEB.8060707@strotmann.de>
Message-ID: <4E799DF5.2050200@nlnetlabs.nl>

Hi,

On 09/20/2011 09:56 PM, Carsten Strotmann (private) wrote:
> On 9/20/11 8:41 PM, Paul Wouters wrote:
>> On Tue, 20 Sep 2011, Carsten Strotmann (private) wrote:

Apple portal detection? Seems like dnssec-trigger needs a way to use the portal for signon; even if 'authority DNS is available' so it can do DNSSEC; but you need the insecure DNS to get the portal pages.

The user can click on a menu item : "Insecure Portal Sign-on" that goes into insecure mode (even if otherwise we can escape the insecure cache).

Or, there can be some sort of portal-probe mechanism. It says that this is a portal, and dnssec-trigger sees that the cache cannot be used. What now?
We need to warn the user somehow, thus a popup dialog. With the end-result the insecure portal sign-on status. The insecure portal-sign-on state cannot end with timered exponential backoff, because dnssec already works, and it's hard to detect that sign-on succeeded. Unless we have a portal-probe mechanism that can tell the sign-on was successful.

So, the user interface(s) need to be changed for this. I want less popups, no difficult choices and also popups can be triggered by hostiles (hostile hotspots).

So, the menu item is the easiest perhaps? But may be confusing for the ordinary user, since there is no indication that they should click on the dnssec-trigger menu when their webpages fail to load.

If some sort of portal-detection, it needs http/80 attempts, to a wellknown server (that someone runs). Privacy issues (can track your attempts), and a new dialog to show, and new state: portal-signon-insecure. We can retry the portal-detection perhaps with exponential backoff to see when http/80 opens up?

Best regards, Wouter

>>> Not sure how this can be solved, maybe by having DNSSEC-trigger
>>> to test a well known webpage of port 80 to detect a captive
>>> portal. MacOS X 10.7 now also has an automatic captive portal
>>> detection (ported from iOS). Not sure if there are APIs available
>>> to use the function.
>
>> I think it is :)
>
>> http://www.apple.com/library/test/success.html
>
>> The real question is should dnssec-trigger get involved here or
>> not. Ideally, the OS or browser is going to do the portal
>> detection.
>
>> dnssec-trigger could decide to reprobe every 5 seconds if it sees
>> this "portal" indicator? eg remain more aggressive while on a
>> suspected landing page that hopefully soon will open up auth DNS.
>
>> Paul
>
> dnssec-trigger thinks it succeeds, effectively disabling MacOS X
> portal detection, so if dnssec-trigger is executed before the portal
> detection, the system fails.
> Sometimes dnssec-trigger is running after
> the portal-detection, then it works.
>
> -- Carsten

From wouter at NLnetLabs.nl Wed Sep 21 09:10:53 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Wed, 21 Sep 2011 11:10:53 +0200
Subject: [Dnssec-trigger] more bugs :P
In-Reply-To: <4E798D0C.1060206@nlnetlabs.nl>
References: <4E798D0C.1060206@nlnetlabs.nl>
Message-ID: <4E79AA1D.7080906@nlnetlabs.nl>

On 09/21/2011 09:06 AM, W.C.A. Wijngaards wrote:
>> bug #2: always display a line about the local cache even if just to say
>> "status unknown".

Fixed in trunk. Also displays about probe in progress. (you can get some partial results if probes of some IPs have already concluded).
Best regards, Wouter

From wouter at NLnetLabs.nl Fri Sep 23 08:28:57 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Fri, 23 Sep 2011 10:28:57 +0200
Subject: [Dnssec-trigger] dnssec trigger 0.4 release
Message-ID: <4E7C4349.2090303@nlnetlabs.nl>

Hi,

The experimental version has been updated!

http://www.nlnetlabs.nl/~wouter/dnssec-trigger-0.4.tar.gz
sha1 067363cf0cb9266f063d6f6162307f6dc60ae579
sha256 9c28e8205970f666a73d951350d6447f56b0cb85fb30ee63dde3e3f60a8c378f

http://www.nlnetlabs.nl/~wouter/dnssec_trigger_setup_0.4.exe

* TCP80 and TCP443 fallback needs unbound 1.4.13 (logs error if older unbound, and no tcp fallback is attempted). Or unbound trunk.

* For hotspots (no GUI for this (yet)):
  dnssec-trigger-control hotspot_signon
  forced insecure mode you can sign on and when you are done
  dnssec-trigger-control reprobe
  (or use the menu item).

* if disconnected or insecure, exponential backoff retry probe.

* if tcp-fallback a one-time retry after 20 seconds (in case the network needs to get up slowly).
The config file can have other tcp80, tcp443 DNS servers. DNSSEC capable open resolver, that does plain DNS over TCP443 (port: 443 in config). Right now a (very small) server running unbound at NLnet Labs is in the example.conf.

Detailed changelog:
- dnssec-trigger-control reprobe command from the commandline.
- dnssec-trigger-control hotspot_signon, forces insecure mode for a sign-on. The reprobe command can be used to stop forced_insecure.
- added probe tcp80 and tcp443 as last resort.
- retry for insecure and disconnect cases with exponential backoff, start 10 seconds, max 24h.
- tcp retry after 20 seconds, in case more opens up or it was slow.
- ignore UDP without QR flag: some DNS caches send echoes of the query back initially. If we ignore them we catch a (100 msec later) correct answer later. (or timeout if no answer comes).
- if probe is in progress it prints that in status.
- if no DNS servers via DHCP it prints that in status.
- antialiased fonts in windows native gui.
- fix configure --with-gui, it did not change the gui but hooks.
- refactor GUI panel SSL feed to be more portable.
- fix stop command.
- status 'dark' is now called 'nodnssec'.
- fix so that if it cannot bind socket the server fails to start.
- fix so that on OSX no zombie process remains.
- kill -HUP performs a reload on UNIX. It only reloads the strings and that config, it keeps the running probe results and open sockets to panels and certificates.
- added fedora spec and init script.
- fix OSX get of DHCP options to use ipconfig API instead of faulty awk parse.
Best regards, Wouter

From bortzmeyer at nic.fr Fri Sep 23 19:34:45 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 23 Sep 2011 21:34:45 +0200
Subject: [Dnssec-trigger] dnssec trigger 0.4 release
In-Reply-To: <4E7C4349.2090303@nlnetlabs.nl>
References: <4E7C4349.2090303@nlnetlabs.nl>
Message-ID: <20110923193445.GA21546@laperouse.bortzmeyer.org>

On Fri, Sep 23, 2011 at 10:28:57AM +0200, W.C.A. Wijngaards wrote a message of 78 lines which said:

> http://www.nlnetlabs.nl/~wouter/dnssec-trigger-0.4.tar.gz

It no longer works on my Ubuntu Oneiric Ocelot (Beta, updated today). dnssec-trigger-control status reports properly:

% dnssec-trigger-control status
at 2011-09-23 21:31:30
cache 212.27.40.240: OK
cache 212.27.40.241: error no EDNS
state: cache secure

But resolv.conf is the one from NetworkManager, it does not point towards the local Unbound:

# Generated by NetworkManager
nameserver 212.27.40.241
nameserver 212.27.40.240
nameserver 2a01:e00::2
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2a01:e00::1

As a result, I no longer get my AD bit (since Free Telecom's name servers do not validate).

From wouter at NLnetLabs.nl Sat Sep 24 08:47:37 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Sat, 24 Sep 2011 10:47:37 +0200
Subject: [Dnssec-trigger] dnssec trigger 0.4 release
In-Reply-To: <20110923193445.GA21546@laperouse.bortzmeyer.org>
References: <4E7C4349.2090303@nlnetlabs.nl> <20110923193445.GA21546@laperouse.bortzmeyer.org>
Message-ID: <4E7D9929.1060503@nlnetlabs.nl>

Hi Stephane,

make uninstall makes resolv.conf writeable again, perhaps this is where NetworkManager snuck in the write?

Best regards, Wouter

On 09/23/2011 09:34 PM, Stephane Bortzmeyer wrote:
> On Fri, Sep 23, 2011 at 10:28:57AM +0200,
> W.C.A. Wijngaards wrote
> a message of 78 lines which said:
>
>> http://www.nlnetlabs.nl/~wouter/dnssec-trigger-0.4.tar.gz
>
> It no longer works on my Ubuntu Oneiric Ocelot (Beta, updated today).
> dnssec-trigger-control status reports properly:
>
> % dnssec-trigger-control status
> at 2011-09-23 21:31:30
> cache 212.27.40.240: OK
> cache 212.27.40.241: error no EDNS
> state: cache secure
>
> But resolv.conf is the one from NetworkManager, it does not point
> towards the local Unbound:
>
> # Generated by NetworkManager
> nameserver 212.27.40.241
> nameserver 212.27.40.240
> nameserver 2a01:e00::2
> # NOTE: the libc resolver may not support more than 3 nameservers.
> # The nameservers listed below may not be recognized.
> nameserver 2a01:e00::1
>
> As a result, I no longer get my AD bit (since Free Telecom's name
> servers do not validate).
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.15 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJOfZkpAAoJEJ9vHC1+BF+NF2oP/2L5cT4Asy95xlRYi5Qfgx37 7laDkDvPkooBtdkUe3OyoAgd6/X4pTz19DmSRuMliw2UAvXHomv2RS3kHdLIlUPM JztR0yLGXSjVoP7NyBwAPcDuqgbKktHG0fMzvh4lGSUu0rld6/CFxF2ePyRagonR 8kIonMLmuTSXyahWH9zwx9vHQv0JaOt6Jx3800IhmeMUvB23iNfya90Fdmt5bDOd hcDJlYpFL6H8R+m+qMmmegrp6UAWXDViasyLBRyd9e1PD5lTeH1FceWb/30ZbJx0 /qxXHeiHYupHkFYsipS5zyrKTeH0yv76j2xaKxD5ELQGrs3RnAUD3HZ70rcbqQ68 OVV78A1BzWi87cBmu/N2I4GRqyoEzKzGwOWypsCBvBTNgokYjl6aA9krUf49n7G/ d5Kk+nKr5crwGwS7bi+8GG0yodJ92Fj4wRjzr8WGAxXsHt++rYdaTvIvIGgwADUB BqO/I7nhF+FdsBCyp+KI2ASLfKqpHRu5JJe3oCwK94/Cl+CQ+yXTDTD0UV5z8w21 9PtqS8H3G5QHxweWtq03NzzmXRomO3f0+X876gdXJfwz7qtrfdLZMuL+VY4ZqpNy s3TOWbyTyLmm/bA/Vyzp33vhBdhFlDC6MAkVZ6di5kSqzS92U1JxbZcx04sAkNYA yIL+ZI8GP27WWRwFBSEe =c9I5 -----END PGP SIGNATURE----- From bortzmeyer at nic.fr Mon Sep 26 07:52:06 2011 From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Mon, 26 Sep 2011 09:52:06 +0200 Subject: [Dnssec-trigger] dnssec trigger 0.4 release In-Reply-To: <4E7D9929.1060503@nlnetlabs.nl> References: <4E7C4349.2090303@nlnetlabs.nl> <20110923193445.GA21546@laperouse.bortzmeyer.org> <4E7D9929.1060503@nlnetlabs.nl> Message-ID: <20110926075206.GA9019@nic.fr> On Sat, Sep 24, 2011 at 10:47:37AM +0200, W.C.A. Wijngaards wrote a message of 59 lines which said: > make uninstall makes resolv.conf writeable again, perhaps this is > where NetworkManager snuck in the write? Hmmmm. Anyway, "make uninstall" && "make install" solved the problem. From wouter at NLnetLabs.nl Thu Sep 29 14:23:43 2011 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Thu, 29 Sep 2011 16:23:43 +0200 Subject: [Dnssec-trigger] dnssec trigger release 0.5 Message-ID: <4E847F6F.3060307@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi guys, Dnssec trigger 0.5 is released today with some features. 
Now with a webpage: http://www.nlnetlabs.nl/projects/dnssec-trigger/ http://www.nlnetlabs.nl/downloads/dnssec-trigger-0.5.tar.gz http://www.nlnetlabs.nl/downloads/dnssec_trigger_setup_0.5.exe source tarball hash sha1 658831c66c56d1f55d1dbaec06b2580c34763c76 sha256 5da6eee616ec670f372fa1f654b03c520e5c9856cb262a509f605870aeb3d219 * The windows installer includes unbound and is much improved. Note it is untested(!). * There is a GUI for Hotspot Signon (menu item). Use it to go without DNSSEC to sign into the hotel hotspot. * windows README is a proper .txt files for dos * windows loop bug is fixed. * new IP6 address for the open resolver service at nlnetlabs. ip4 is .42 and ip6 has ::42. Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJOhH9uAAoJEJ9vHC1+BF+NwAcP/3C78eBgHRa8NIAiL275l8ck 7Jyj/Co6fXeAFgsR3XW7VUvs6+OfwL/57896Ti5VpIMArHjGQJNJgDbRX2iGQvh2 +C0KI3hsnM/odl+b+XKJyae0TKcYh3AAii4nh5WtqbPf2N9+WFcgVr7lvawokd3F hs5oM23japlD4qdgyLlLbZbhu07iEDxJ3NETzg/26hIPtRIX3COxQwz3pkKcuHit Z08X/jLzWniDA3eg29LxW3gwcOBXGwpoAg04os5Xyz5P4VAgbMPfGZMg3ju0k6Er KgeU08yZdPlHmmj8KuGTVXb7zZctYpxwUD1wVbeDZRXiiDRKCGtcIFvTpp+5kcEQ I9Q1K3GqonbIEkjNEXWDmcQhLHMMUB2AvqDAUUAGH2yxSs3w5qGgw0jKKhDon8hA 7Nocm3Ksc5Q4qXjo9Bty3nxYBUHnUmSChC6bnBB7QcYFAVYtqDxuQSYGF4UNix5n acw/UrZn1qfkidYpqLqfu8T+EjWL5KxMW65u3tynJFiot0/L89F4rFg1qysIJaKF tAAqKXYa31uSQXDzSSFER23gIqpqVLB8n64lWouY3ffy9LFd/X+/LeF+e7vNH8MN bM0yK8spBMcNMncPTRi81FcWjFONQHoum5EKPXHNovhMyBQ3mMYRozQSpWCmF+er vOxQACQA4Uo1ahOeEtfe =1+g6 -----END PGP SIGNATURE-----
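The thread above turns on two checks a user can make by hand: does resolv.conf still point at the local Unbound after NetworkManager has rewritten it, and does the resolver actually hand back DNSSEC-validated answers (AD bit) rather than "no EDNS" replies from an ISP cache. The following is an added example written for this page; it is not code from dnssec-trigger or from anyone in the thread. It assumes the local validator listens on loopback (127.0.0.1 or ::1), uses the header-flag layout of RFC 1035 and the OPT RR of RFC 6891, and classifies replies with its own function that merely mimics the wording dnssec-trigger-control prints. The sample reply is constructed (documentation address 192.0.2.1), not captured traffic; only query_flags() needs the network.

```python
"""Added example (not dnssec-trigger's own code): check where resolv.conf
points and whether a resolver returns DNSSEC-validated (AD) answers.

Assumptions: the local validator listens on loopback (127.0.0.1 or ::1);
wire formats follow RFC 1035 (header flags) and RFC 6891 (EDNS0 OPT RR).
The sample reply is constructed, not captured traffic.
"""
import random
import socket
import struct

LOOPBACK = {"127.0.0.1", "::1"}          # assumed address of the local Unbound
FLAG_QR, FLAG_AD, FLAG_CD = 0x8000, 0x0020, 0x0010
TYPE_OPT = 41
EDNS_DO = 0x8000                          # DO bit lives in the OPT RR's TTL field


def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf text, comments ignored."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def points_at_local_validator(text):
    """True only if every nameserver is loopback; one stray ISP entry bypasses validation."""
    servers = parse_resolv_conf(text)
    return bool(servers) and all(s in LOOPBACK for s in servers)


def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=1, do=True, txid=None):
    """UDP query with RD set and, if do=True, an EDNS0 OPT RR carrying the DO bit."""
    if txid is None:
        txid = random.randrange(1 << 16)   # unpredictable ID: part of spoofing resistance
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, type 41, UDP payload 4096, ext-rcode 0, version 0, DO, rdlen 0
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)) if do else b""
    return header + question + opt


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: two bytes, no more labels
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Header flags plus whether an OPT RR (EDNS) with DO came back."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
            "answers": an, "has_edns": False, "do": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            info["has_edns"] = True
            info["do"] = bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return info


def validation_status(info):
    """Own classification, modelled on the wording dnssec-trigger-control prints."""
    if not info["has_edns"]:
        return "no EDNS"                   # cannot carry DNSSEC records at all
    if info["rcode"] != 0:
        return "rcode %d" % info["rcode"]
    return "validated (AD)" if info["ad"] else "not validated (no AD)"


def make_sample_response(ad=True, edns=True):
    """Constructed reply for example.com/A with a documentation address."""
    flags = 0x8180 | (FLAG_AD if ad else 0)          # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1 if edns else 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)) if edns else b""
    return header + question + answer + opt


def query_flags(server, name="nlnetlabs.nl", timeout=3.0):
    """Live check against one resolver (needs network; the offline demo does not call it)."""
    q = build_query(name)
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    info = parse_response(data)
    if info["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch; discard reply")
    return info


if __name__ == "__main__":
    # resolv.conf as NetworkManager left it in the report above (reconstructed)
    nm = ("# Generated by NetworkManager\nnameserver 212.27.40.241\n"
          "nameserver 212.27.40.240\nnameserver 2a01:e00::2\nnameserver 2a01:e00::1\n")
    print("local validator:", points_at_local_validator(nm))                        # False
    print("local validator:", points_at_local_validator("nameserver 127.0.0.1\n"))  # True
    for kw in ({}, {"ad": False}, {"edns": False}):
        print(kw, validation_status(parse_response(make_sample_response(**kw))))
```

The AD bit is only evidence of validation when the resolver that set it is one you trust on a path you trust, which is why the point of dnssec-trigger is to keep resolv.conf on the loopback validator; a remote cache can set AD on anything, and the bit travels unauthenticated. The "no EDNS" case in the example corresponds to a cache that strips or never returns the OPT record, so DNSSEC records cannot come back from it at all, matching the "error no EDNS" line in the status output above.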
