[Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Sep 20 11:54:49 UTC 2011


On Tue, Sep 20, 2011 at 10:36:37AM +0200,
 W.C.A. Wijngaards <wouter at NLnetLabs.nl> wrote 
 a message of 89 lines which said:

> If they turn out insecure can you try:
> * reprobe after signon  (you do not have the menu item; try
> dnssec-trigger-control submit <ips of the caches that you see in status>
> * can you https to nlnetlabs.nl (selfsigned)?  (can DANE work?)
> * can you dig dnssec over tcp80 or tcp443?
> dig @213.154.224.42 -p 80 +vc +dnssec . DNSKEY
> dig @213.154.224.42 -p 443 +vc +dnssec . DNSKEY
> dig @213.154.224.42 -p 80 +vc +dnssec se. DS
> dig @213.154.224.42 -p 443 +vc +dnssec se. DS

I have not yet found a hotspot with broken resolvers *and* access for
me. What I saw:

1) What is the meaning of "dark" in "state: dark secure"?

2) When the popup is displayed, explaining there is no DNSSEC possible
and asking to choose between Disconnect and Insecure, I get:
at 2011-09-20 11:45:43
authority 192.58.128.30: error timeout
cache 109.0.66.10: error no EDNS
cache 109.0.66.20: error no EDNS
state: dark secure
How can I have "secure" when all three name servers are broken?

3) I found a broken access (Orange Business Everywhere, with a 3G
key). The PPP negotiation works, I get an IP address and name servers
but no packet goes through. The problem is that dnssec-trigger
reports:
at 2011-09-20 11:51:44
cache 192.168.10.110: OK
cache 10.221.35.149: error timeout
state: cache secure
How can it say that 192.168.10.110 is OK when it does not even reply to
dig, ping or traceroute?


