[Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Sep 20 11:54:49 UTC 2011

On Tue, Sep 20, 2011 at 10:36:37AM +0200,
 W.C.A. Wijngaards <wouter at NLnetLabs.nl> wrote 
 a message of 89 lines which said:

> If they turn out insecure can you try:
> * reprobe after signon  (you do not have the menu item; try
> dnssec-trigger-control submit <ips of the caches that you see in status>
> * can you https to nlnetlabs.nl (selfsigned)?  (can DANE work?)
> * can you dig dnssec over tcp80 or tcp443?
> dig @ -p 80 +vc +dnssec . DNSKEY
> dig @ -p 443 +vc +dnssec . DNSKEY
> dig @ -p 80 +vc +dnssec se. DS
> dig @ -p 443 +vc +dnssec se. DS

Did not find yet a hotspot with broken resolvers *and* an access for
me. What I saw:

1) What is the meaning of "dark" in "state: dark secure"?

2) When the popup is displayed, explaining there is no DNSSEC possible
and asking to choose between Disconnect and Insecure, I get:
at 2011-09-20 11:45:43
authority error timeout
cache error no EDNS
cache error no EDNS
state: dark secure
How can I have "secure" when all three name servers are broken?

3) I found a broken access (Orange Business Everywhere, with a 3G
key). The PPP negotiation works, I get an IP address and name servers
but no packet goes through. The problem is that dnssec-trigger
at 2011-09-20 11:51:44
cache OK
cache error timeout
state: cache secure
How can it say that is OK when it does not even reply to
dig, ping or traceroute?

More information about the dnssec-trigger mailing list