[Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)

W.C.A. Wijngaards wouter at NLnetLabs.nl
Tue Sep 20 12:36:59 UTC 2011


Hi Stephane,

On 09/20/2011 01:54 PM, Stephane Bortzmeyer wrote:
> On Tue, Sep 20, 2011 at 10:36:37AM +0200,
>  W.C.A. Wijngaards <wouter at NLnetLabs.nl> wrote 
>  a message of 89 lines which said:
>> If they turn out insecure can you try:
>> * reprobe after signon  (you do not have the menu item; try
>> dnssec-trigger-control submit <ips of the caches that you see in status>
>> * can you https to nlnetlabs.nl (selfsigned)?  (can DANE work?)
>> * can you dig dnssec over tcp80 or tcp443?
>> dig @ -p 80 +vc +dnssec . DNSKEY
>> dig @ -p 443 +vc +dnssec . DNSKEY
>> dig @ -p 80 +vc +dnssec se. DS
>> dig @ -p 443 +vc +dnssec se. DS
> Did not yet find a hotspot with broken resolvers *and* an access for
> me. What I saw:
> 1) What is the meaning of "dark" in "state: dark secure"?

That you are disconnected.  Perhaps I should change that text; in the
GUI it is replaced with a user-friendly text.

> 2) When the popup is displayed, explaining there is no DNSSEC possible
> and asking to choose between Disconnect and Insecure, I get:
> at 2011-09-20 11:45:43
> authority error timeout
> cache error no EDNS
> cache error no EDNS
> state: dark secure
> How can I have "secure" when all three name servers are broken?

But you are disconnected, and thus secure.

It has told unbound to forward to (nowhere and unbound has
that in its donotquerylist, so it will not ask).

> 3) I found a broken access (Orange Business Everywhere, with a 3G
> key). The PPP negotiation works, I get an IP address and name servers
> but no packet goes through. The problem is that dnssec-trigger
> reports:
> at 2011-09-20 11:51:44
> cache OK
> cache error timeout
> state: cache secure
> How can it say that is OK when it does not even reply to
> dig, ping or traceroute?

This is odd, because it seems it replies to the dnssec-trigger.  So it
should reply to: dig @ +dnssec +cdflag . DNSKEY

If you submit it again, you can capture the tcpdump (queries and
replies).  (is there some bug?)

Best regards,
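As an added example (not part of this mail or of the dnssec-trigger project), a shell script that repeats the four TCP probes suggested above against the cache addresses given on its command line and sorts each dig reply into the categories the thread uses, OK, timeout and no EDNS, plus unsigned answers. The text patterns it matches in dig's output are my own assumptions, not dnssec-trigger's logic.

```shell
#!/bin/sh
# Added example, not dnssec-trigger code: re-run the "dig @cache -p 80/443
# +vc +dnssec" probes from the thread and classify each reply.
# Classification patterns are assumptions about dig's output text.

# classify_dig_output: read dig output on stdin, print one of
#   ok | timeout | noedns | nosig | failed   (always exits 0)
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"timed out"*|*"no servers could be reached"*)
            echo timeout; return 0 ;;
        *"retry with '+noedns'"*)
            # dig got FORMERR/NOTIMP on an EDNS query: no DNSSEC data possible
            echo noedns; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'status: NOERROR'; then
        # +dnssec must bring RRSIGs back; an unsigned NOERROR is not usable
        if printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
            echo ok
        else
            echo nosig
        fi
        return 0
    fi
    echo failed
}

# probe_cache IP PORT NAME TYPE: one TCP probe; returns 0 only on "ok"
probe_cache() {
    result=$(dig "@$1" -p "$2" +vc +dnssec +time=3 +tries=1 "$3" "$4" 2>&1 \
             | classify_dig_output)
    echo "$1 port $2 $4 $3: $result"
    [ "$result" = ok ]
}

# probe_all IP...: the four probes from the thread (root DNSKEY and se. DS
# over TCP 80 and 443) against every cache IP given; 0 only if all are ok
probe_all() {
    rc=0
    for ip in "$@"; do
        for port in 80 443; do
            probe_cache "$ip" "$port" . DNSKEY || rc=1
            probe_cache "$ip" "$port" se. DS || rc=1
        done
    done
    return $rc
}

if [ $# -gt 0 ]; then probe_all "$@"; fi
```

Run it as `sh probe.sh <cache ip> [<cache ip> ...]` with the addresses shown by `dnssec-trigger-control status`; a non-zero exit means at least one probe did not return a signed answer.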

