[Dnssec-trigger] dnssec-trigger at Hotel hotspot in Vienna

W.C.A. Wijngaards wouter at NLnetLabs.nl
Wed Sep 21 08:19:01 UTC 2011

Hash: SHA1


On 09/20/2011 09:56 PM, Carsten Strotmann (private) wrote:
> On 9/20/11 8:41 PM, Paul Wouters wrote:
>> On Tue, 20 Sep 2011, Carsten Strotmann (private) wrote:

Apple portal detection?

Seems like dnssec-trigger needs a way to use the portal for signon; even
if 'authority DNS is available' so it can do DNSSEC; but you need the
insecure DNS to get the portal pages.

The user can click on a menu item : "Insecure Portal Sign-on"  that goes
into insecure mode (even if otherwise we can escape the insecure cache).

Or, there can be some sort of portal-probe mechanism.  It says that this
is a portal, and dnssec-trigger sees that the cache cannot be used.
What now?  We need to warn the user somehow, thus a popup dialog.  With
the end-result the insecure portal sign-on status.

The insecure portal-sign-on state cannot end with timered exponential
backoff, because dnssec already works, and its hard to detect that
sign-on succeeded.  Unless we have a portal-probe mechanism that can
tell the sign-on was successful.

So, the user interface(s) need to be changed for this. I want less
popups, no difficult choices and also popups can be triggered by
hostiles (hostile hotspots).  So, the menu item is the easiest perhaps?
 But may be confusing for the ordinary user, since there is no
indication that they should click on the dnssec-trigger menu when their
webpages fail to load.

If some sort of portal-detection, it needs http/80 attempts, to a
wellknown server (that someone runs).  Privacy issues (can track your
attempts).  and a new dialog to show, and new state:
portal-signon-insecure.  We can retry the portal-detection perhaps with
exponential backoff to see when http/80 opens up?

Best regards,

>>> Not sure how this can be solved, maybe by having DNSSEC-trigger
>>> to test a well known webpage of port 80 to detect a captive
>>> portal. MacOS X 10.7 now also has an automatic captive portal
>>> detection (ported from iOS). Not sure if there are APIs available
>>> to use the function.
>> I think it is :)
>> http://www.apple.com/library/test/success.html
>> The real question is should dnssec-trigger get involved here or
>> not. Ideally, the OS or browser is going to do the portal
>> detection.
>> dnssec-trigger could decide to reprobe every 5 seconds if it sees 
>> this "portal" indicator? eg remain more aggressive while on a
>> suspected landing page that hopefully soon will open up auth DNS.
>> Paul
> dnssec-trigger thinks it succeeds, effectively disabling MacOS X
> portal detection, so if dnssec-trigger is executed before the portal
> detection, the system fails. Sometimes dnssec-trigger is running after
> the portal-detection, then it works.
> -- Carsten
dnssec-trigger mailing list
dnssec-trigger at NLnetLabs.nl

Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/


More information about the dnssec-trigger mailing list