[Dnssec-trigger] dnssec trigger 0.4 release

W.C.A. Wijngaards wouter at NLnetLabs.nl
Fri Sep 23 08:28:57 UTC 2011


Hi,

The experimental version has been updated!

http://www.nlnetlabs.nl/~wouter/dnssec-trigger-0.4.tar.gz
sha1 067363cf0cb9266f063d6f6162307f6dc60ae579
sha256 9c28e8205970f666a73d951350d6447f56b0cb85fb30ee63dde3e3f60a8c378f
http://www.nlnetlabs.nl/~wouter/dnssec_trigger_setup_0.4.exe

* TCP80 and TCP443 fallback needs unbound 1.4.13 (logs error if older
  unbound, and no tcp fallback is attempted).  Or unbound trunk.
* For hotspots (no GUI for this (yet)):
      dnssec-trigger-control hotspot_signon
  forced insecure mode you can sign on and when you are done
      dnssec-trigger-control reprobe   (or use the menu item).
* if disconnected or insecure, exponential backoff retry probe.
* if tcp-fallback a one-time retry after 20 seconds (in case the network
  needs to get up slowly).

The config file can have other tcp80, tcp443 DNS servers.  DNSSEC
capable open resolver, that does plain DNS over TCP443 (port: 443 in
config).  Right now a (very small) server running unbound at NLnet Labs
is in the example.conf.

Detailed changelog:
- dnssec-trigger-control reprobe command from the commandline.
- dnssec-trigger-control hotspot_signon, forces insecure mode for
  a sign-on.  The reprobe command can be used to stop forced_insecure.
- added probe tcp80 and tcp443 as last resort.
- retry for insecure and disconnect cases with exponential backoff,
  start 10 seconds, max 24h.
- tcp retry after 20 seconds, in case more opens up or it was slow.
- ignore UDP without QR flag: some DNS caches send echoes of the query
  back initially.  If we ignore them we catch a (100 msec later)
  correct answer later.  (or timeout if no answer comes).
- if probe is in progress it prints that in status.
- if no DNS servers via DHCP it prints that in status.
- antialiased fonts in windows native gui.
- fix configure --with-gui, it did not change the gui but hooks.
- refactor GUI panel SSL feed to be more portable.
- fix stop command.
- status 'dark' is now called 'nodnssec'.
- fix so that if it cannot bind socket the server fails to start.
- fix so that on OSX no zombie process remains.
- kill -HUP performs a reload on UNIX. It only reloads the strings
  and that config, it keeps the running probe results and open
  sockets to panels and certificates.
- added fedora spec and init script.
- fix OSX get of DHCP options to use ipconfig API instead of faulty awk
  parse.

Best regards,
   Wouter
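
An added illustration of the "ignore UDP without QR flag" changelog item, written for this archive page and not taken from the dnssec-trigger source. The function names are hypothetical, the sample packets are constructed, and the length and query-ID checks are assumptions that go beyond what the announcement states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { IGNORE_SHORT, IGNORE_ID, IGNORE_ECHO, ACCEPT };

/* Classify one UDP datagram received while a probe query is outstanding. */
enum verdict classify_datagram(const uint8_t *pkt, size_t len, uint16_t query_id)
{
    if (len < 12)                    /* a DNS header is 12 bytes (RFC 1035) */
        return IGNORE_SHORT;
    uint16_t id = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (id != query_id)              /* assumption: also require our query ID */
        return IGNORE_ID;
    if ((pkt[2] & 0x80) == 0)        /* QR bit clear: a query, i.e. our own echo */
        return IGNORE_ECHO;
    return ACCEPT;
}

/* Walk datagrams in arrival order and return the index of the first usable
 * reply, or -1 if none arrived (the caller then treats the probe as timed out). */
int first_real_answer(const uint8_t *const *pkts, const size_t *lens,
                      size_t n, uint16_t query_id)
{
    for (size_t i = 0; i < n; i++)
        if (classify_datagram(pkts[i], lens[i], query_id) == ACCEPT)
            return (int)i;
    return -1;
}

/* Constructed sample data: DNS headers only, query ID 0x1a2b. */
static const uint8_t ECHO[12]   = {0x1a,0x2b, 0x01,0x00, 0,1, 0,0, 0,0, 0,0}; /* QR=0 */
static const uint8_t OTHER[12]  = {0xff,0xff, 0x81,0x80, 0,1, 0,1, 0,0, 0,0}; /* wrong ID */
static const uint8_t ANSWER[12] = {0x1a,0x2b, 0x81,0x80, 0,1, 0,1, 0,0, 0,0}; /* QR=1 */

/* The cache echoes the query first, then the real answer shows up. */
int demo_first_answer(void)
{
    const uint8_t *const pkts[] = { ECHO, OTHER, ANSWER };
    const size_t lens[] = { sizeof ECHO, sizeof OTHER, sizeof ANSWER };
    return first_real_answer(pkts, lens, 3, 0x1a2b);
}

int main(void)
{
    printf("first usable reply: index %d\n", demo_first_answer());
    return 0;
}
```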