[Dnssec-trigger] A few more hotspots (Was: Compilation fails on Ubuntu (--with-gui)

W.C.A. Wijngaards wouter at NLnetLabs.nl
Tue Sep 20 12:36:59 UTC 2011



Hi Stephane,

On 09/20/2011 01:54 PM, Stephane Bortzmeyer wrote:
> On Tue, Sep 20, 2011 at 10:36:37AM +0200,
>  W.C.A. Wijngaards <wouter at NLnetLabs.nl> wrote 
>  a message of 89 lines which said:
> 
>> If they turn out insecure can you try:
>> * reprobe after signon  (you do not have the menu item; try
>> dnssec-trigger-control submit <ips of the caches that you see in status>
>> * can you https to nlnetlabs.nl (selfsigned)?  (can DANE work?)
>> * can you dig dnssec over tcp80 or tcp443?
>> dig @213.154.224.42 -p 80 +vc +dnssec . DNSKEY
>> dig @213.154.224.42 -p 443 +vc +dnssec . DNSKEY
>> dig @213.154.224.42 -p 80 +vc +dnssec se. DS
>> dig @213.154.224.42 -p 443 +vc +dnssec se. DS
> 
> Did not find yet a hotspot with broken resolvers *and* an access for
> me. What I saw:
> 
> 1) What is the meaning of "dark" in "state: dark secure"?

That you are disconnected.  Perhaps I should change that text; in the
GUI it is replaced with a user-friendly text.

> 2) When the popup is displayed, explaining there is no DNSSEC possible
> and asking to choose between Disconnect and Insecure, I get:
> at 2011-09-20 11:45:43
> authority 192.58.128.30: error timeout
> cache 109.0.66.10: error no EDNS
> cache 109.0.66.20: error no EDNS
> state: dark secure
> How can I have "secure" when all three name servers are broken?

But you are disconnected, and thus secure.

It has told unbound to forward to 127.0.0.127 (nowhere, and unbound has
that in its donotquerylist, so it will not ask).

> 3) I found a broken access (Orange Business Everywhere, with a 3G
> key). The PPP negotiation works, I get an IP address and name servers
> but no packet goes through. The problem is that dnssec-trigger
> reports:
> at 2011-09-20 11:51:44
> cache 192.168.10.110: OK
> cache 10.221.35.149: error timeout
> state: cache secure
> How can it say that 192.168.10.110 is OK when it does not even reply to
> dig, ping or traceroute?

This is odd, because it seems it replies to the dnssec-trigger.  So it
should reply to: dig @192.168.10.110 +dnssec +cdflag . DNSKEY

If you submit it again, you can capture the tcpdump (queries and
replies).  (is there some bug?)

Best regards,
   Wouter
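The checks discussed above (does a cache answer a DNSKEY query with EDNS0 and the DO bit set, does it still answer with CD set, does DNS work over TCP on port 80 or 443) can be reproduced without dig. The script below is an added example, not dnssec-trigger's own probe code: it builds the wire-format query that `dig +dnssec +cdflag . DNSKEY` sends, optionally frames it for TCP on an alternate port like `dig +vc -p 443`, and turns the reply into a status string. The strings "OK", "error no EDNS" and "error timeout" mirror the status lines quoted in this mail; "error rcode N", "error truncated", "error no answer" and "error txid mismatch" are this example's own. `make_sample_reply` is a constructed reply (a dummy root DNSKEY) so the parsing can be exercised offline.

```python
"""Resolver probe in the spirit of dnssec-trigger's cache checks (added example)."""
import os
import socket
import struct

TYPE_DNSKEY = 48
TYPE_OPT = 41
CLASS_IN = 1
EDNS_DO = 0x8000          # DO bit sits in the high half of the OPT RR's TTL field
FLAG_RD, FLAG_TC, FLAG_AD, FLAG_CD = 0x0100, 0x0200, 0x0020, 0x0010


def encode_name(name):
    """Wire-encode a domain name; "." becomes the single empty root label."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname=".", qtype=TYPE_DNSKEY, txid=None, cd=True, do=True):
    """Header (RD, optionally CD), one question, one OPT RR advertising EDNS0 and DO."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")   # unpredictable ID, as a real client uses
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract header bits and whether an OPT RR (EDNS0) came back."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "tc": bool(flags & FLAG_TC), "answers": an, "has_opt": False, "opt_do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["has_opt"] = True
            info["opt_do"] = bool(ttl & EDNS_DO)
    return info


def classify(info):
    """'OK' and 'error no EDNS' mirror the mail's status lines; the rest are this example's."""
    if info["rcode"] != 0:
        return "error rcode %d" % info["rcode"]
    if not info["has_opt"]:
        return "error no EDNS"
    if info["tc"]:
        return "error truncated"
    if info["answers"] == 0:
        return "error no answer"
    return "OK"


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe(server, port=53, tcp=False, timeout=3.0):
    """Send one DNSKEY probe to a resolver you operate and return a status string."""
    query = build_query()
    try:
        if tcp:                                   # like dig +vc: 2-byte length prefix
            with socket.create_connection((server, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                reply = recv_exact(s, length)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                reply, _ = s.recvfrom(4096)
    except (socket.timeout, OSError):
        return "error timeout"
    info = parse_response(reply)
    if info["txid"] != struct.unpack("!H", query[:2])[0]:
        return "error txid mismatch"
    return classify(info)


def make_sample_reply(with_opt=True, ad=True, rcode=0):
    """Constructed reply for offline use: one dummy DNSKEY for the root, optional OPT RR."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode      # QR, RD, RA
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name(".") + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    rdata = b"\x01\x01\x03\x08" + b"\x00" * 8             # flags 257, proto 3, alg 8, dummy key
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_DNSKEY, CLASS_IN, 172800, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0) if with_opt else b""
    return header + question + answer + opt


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("usage: probe.py <resolver-ip> [port] [tcp]")
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
        print(probe(sys.argv[1], port, tcp="tcp" in sys.argv[3:]))
```

`python probe.py 213.154.224.42 443 tcp` reproduces the tcp443 check from the quoted mail; `python probe.py 192.168.10.110` is the UDP form of the `dig +dnssec +cdflag . DNSKEY` test. A cache that answers without an OPT record is reported as "error no EDNS", which is the failure the "cache 109.0.66.10" lines above describe, and a reply that never arrives is "error timeout". Compare the result with a tcpdump of the same exchange when a cache is reported OK but ordinary tools get no answer, as suggested in the mail.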
