[Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)
wouter at NLnetLabs.nl
Tue Sep 20 12:36:59 UTC 2011
On 09/20/2011 01:54 PM, Stephane Bortzmeyer wrote:
> On Tue, Sep 20, 2011 at 10:36:37AM +0200,
> W.C.A. Wijngaards <wouter at NLnetLabs.nl> wrote
> a message of 89 lines which said:
>> If they turn out insecure can you try:
>> * reprobe after signon (you do not have the menu item; try
>> dnssec-trigger-control submit <ips of the caches that you see in status>)
>> * can you https to nlnetlabs.nl (selfsigned)? (can DANE work?)
>> * can you dig dnssec over tcp80 or tcp443?
>> dig @18.104.22.168 -p 80 +vc +dnssec . DNSKEY
>> dig @22.214.171.124 -p 443 +vc +dnssec . DNSKEY
>> dig @126.96.36.199 -p 80 +vc +dnssec se. DS
>> dig @188.8.131.52 -p 443 +vc +dnssec se. DS
> Did not find yet a hotspot with broken resolvers *and* an access for
> me. What I saw:
> 1) What is the meaning of "dark" in "state: dark secure"?
That you are disconnected. Perhaps I should change that text; in the
GUI it is replaced with a user-friendly text.
> 2) When the popup is displayed, explaining there is no DNSSEC possible
> and asking to choose between Disconnect and Insecure, I get:
> at 2011-09-20 11:45:43
> authority 184.108.40.206: error timeout
> cache 220.127.116.11: error no EDNS
> cache 18.104.22.168: error no EDNS
> state: dark secure
> How can I have "secure" when all three name servers are broken?
But you are disconnected, and thus secure.
It has told unbound to forward to 127.0.0.127 (nowhere, and unbound has
that in its do-not-query list, so it will not ask).
> 3) I found a broken access (Orange Business Everywhere, with a 3G
> key). The PPP negotiation works, I get an IP address and name servers
> but no packet goes through. The problem is that dnssec-trigger
> at 2011-09-20 11:51:44
> cache 192.168.10.110: OK
> cache 10.221.35.149: error timeout
> state: cache secure
> How can it say that 192.168.10.110 is OK when it does not even reply to
> dig, ping or traceroute?
This is odd, because it seems it replies to dnssec-trigger. So it
should reply to dig @192.168.10.110 +dnssec +cdflag . DNSKEY
If you submit it again, you can capture the tcpdump (queries and
replies). (is there some bug?)
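As an added illustration of the probes the thread asks for (this is not dnssec-trigger's own code, and none of the names in it come from the project): a stdlib-only Python script that sends the root DNSKEY query with the EDNS0 DO bit over TCP on a chosen port, which is what the `dig ... +vc +dnssec . DNSKEY` lines above do, and classifies the reply using the wording of the status lines quoted in the thread ("OK", "error no EDNS", "error timeout"). The status strings are taken from the thread; the function names, the classification rules and the constructed reply used for the offline demonstration are assumptions made here.

```python
"""Probe a recursive cache for EDNS0/DNSSEC (DO) support over TCP.

Added example, not dnssec-trigger code. It reproduces the shape of
`dig @cache -p 443 +vc +dnssec . DNSKEY`: a DNSKEY query for the root
with an OPT record carrying the DO bit, sent over TCP with the usual
two-byte length prefix, and summarises the reply the way the status
lines in the thread do.
"""
import socket
import struct

DNSKEY = 48
OPT = 41
DO_BIT = 0x8000  # DO flag lives in the high bit of the OPT "TTL" field


def encode_name(name: str) -> bytes:
    """Dotted name to wire format; "." (the root) is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid: int, name: str = ".", qtype: int = DNSKEY) -> bytes:
    """Query with RD set and one EDNS0 OPT record (4096 bytes, DO=1) in additional."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_reply(msg: bytes, expected_id: int) -> dict:
    """Extract rcode, AD bit, EDNS presence, DO bit and DNSKEY answer count."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("reply id does not match query id")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    info = {"rcode": flags & 0xF, "ad": bool(flags & 0x20),
            "edns": False, "do": False, "answers": 0}
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section == "an" and rtype == DNSKEY:
                info["answers"] += 1
            if section == "ar" and rtype == OPT:
                info["edns"] = True
                info["do"] = bool(ttl & DO_BIT)
    return info


def classify(info: dict) -> str:
    """Map the parsed fields onto the status wording used in the thread (assumed rules)."""
    if not info["edns"]:
        return "error no EDNS"
    if info["rcode"] != 0:
        return "error rcode %d" % info["rcode"]
    if info["answers"] == 0:
        return "error no DNSKEY answer"
    return "OK"


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed")
        buf += chunk
    return buf


def probe_tcp(host: str, port: int = 53, timeout: float = 3.0, qid: int = 0x1234) -> str:
    """Send the DO-flagged root DNSKEY query over TCP to host:port and classify the reply."""
    query = build_query(qid)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _read_exact(s, 2))
            return classify(parse_reply(_read_exact(s, length), qid))
    except socket.timeout:
        return "error timeout"
    except OSError as e:
        return "error %s" % (e.strerror or e)


def constructed_reply(qid: int, with_opt: bool = True) -> bytes:
    """Constructed reply for offline use: QR/RD/RA/AD set, one fake DNSKEY, optional OPT."""
    header = struct.pack("!HHHHHH", qid, 0x81A0, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name(".") + struct.pack("!HH", DNSKEY, 1)
    rdata = b"\x01\x01\x03\x08" + b"\x00" * 4  # placeholder DNSKEY body, not a real key
    answer = b"\xC0\x0C" + struct.pack("!HHIH", DNSKEY, 1, 3600, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT, 0) if with_opt else b""
    return header + question + answer + opt


if __name__ == "__main__":
    print(classify(parse_reply(constructed_reply(7), 7)))         # OK
    print(classify(parse_reply(constructed_reply(9, False), 9)))  # error no EDNS
```

Against a live cache the call is `probe_tcp("<cache ip from the status line>", 80)` or port 443, mirroring the `-p 80 +vc` dig invocations; a cache that answers but omits the OPT record from the additional section is the "no EDNS" case reported in the status output. The script only checks that the transport and EDNS plumbing work; it does not validate the DNSKEY RRset, which is unbound's job once it is allowed to use the cache.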