From jpmens.dns at gmail.com Tue Apr 3 11:27:57 2012
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Tue, 3 Apr 2012 13:27:57 +0200
Subject: [Dnssec-trigger] Captive portal detection for DNSSEC-Trigger?
Message-ID: <20120403112757.GB2650@jmbp.jpmens.org>

Hello,

I've been travelling a bit lately and have had plenty of opportunities
to test DNSSEC-Trigger, which usually works very well, thank you! There
is though, one situation which is a bit of a pain: having to deactivate
(Hotspot Signon) it whilst connecting to, say, a hotel's captive portal.

A tweet from Tony Finch this morning prompts me to ask something which I
believe has already been discussed, but I can't find it...

Would it be possible for DNSSEC-Trigger to implement captive portal
detection, just as e.g. Safari on iOS does it? My understanding is that
iOS (Safari, etc.) attempts to retrieve a well-known URL on apple.com and
compares the results; if they're not as expected, iOS is behind a captive
portal.

DNSSEC-Trigger could probably easily do similarly, deactivating DNSSEC
during "captivity" and attempting a few minutes later to enable DNSSEC.

Is this realistic?

Regards,

        -JP


From regnauld at nsrc.org Tue Apr 3 12:31:57 2012
From: regnauld at nsrc.org (Phil Regnauld)
Date: Tue, 3 Apr 2012 14:31:57 +0200
Subject: [Dnssec-trigger] Captive portal detection for DNSSEC-Trigger?
In-Reply-To: <20120403112757.GB2650@jmbp.jpmens.org>
References: <20120403112757.GB2650@jmbp.jpmens.org>
Message-ID: <20120403123157.GA3729@macbook.bluepipe.net>

Jan-Piet Mens (jpmens.dns) writes:
>
> DNSSEC-Trigger could probably easily do similarly, deactivating DNSSEC
> during "captivity" and attempting a few minutes later to enable DNSSEC.
>
> Is this realistic?

        That's a policy decision, being made on behalf of the user, that
        their resolution will be insecure for a certain amount of time -
        they should be told.

        I like the idea of the detection, but there may be a smarter way
        than waiting a predefined amount of minutes.

Cheers,
Phil


From paul at nohats.ca Tue Apr 3 14:14:19 2012
From: paul at nohats.ca (Paul Wouters)
Date: Tue, 3 Apr 2012 10:14:19 -0400 (EDT)
Subject: [Dnssec-trigger] Captive portal detection for DNSSEC-Trigger?
In-Reply-To: <20120403112757.GB2650@jmbp.jpmens.org>
References: <20120403112757.GB2650@jmbp.jpmens.org>
Message-ID: 

On Tue, 3 Apr 2012, Jan-Piet Mens wrote:

> I've been travelling a bit lately and have had plenty of opportunities
> to test DNSSEC-Trigger, which usually works very well, thank you! There
> is though, one situation which is a bit of a pain: having to deactivate
> (Hotspot Signon) it whilst connecting to, say, a hotel's captive portal.

At first glance, you would say that probing and re-activating dnssec
would be the right thing to do in hotspot signon. But the issue Wouter
described in the past is that some captive portals return fully valid
DNSSEC data, plus the bogus DNS for the captive portal redirect. So from
a DNS point of view, you do not know when this process has completed.

You can tell from a special URL, and that is for example what iOS does.
We have implemented that on the server side at Fedora

http://fedoraproject.org/static/hotspot.txt

and I believe Wouter started work on using this additional probe to
detect when captivity has ended, and dnssec can be turned on again.

Paul
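The detection scheme discussed in this thread (fetch a well-known URL, compare the answer with what it should be, and re-probe later rather than trusting DNS to say when captivity has ended) as an added, stand-alone example; this is not dnssec-trigger code and not Wouter's or Fedora's implementation. The probe URL is the one Paul names; the expected body "OK", the HTTP-layer classification rules, the backoff schedule and all sample responses are assumptions constructed for this example:

```python
# Added example: captive-portal probe classifier for the scheme described
# in the thread. Illustrative code, not part of dnssec-trigger. The probe
# URL is the one named in the thread; EXPECTED_BODY and the SAMPLES are
# constructed assumptions for this example.
import urllib.error
import urllib.request
from dataclasses import dataclass, field

PROBE_URL = "http://fedoraproject.org/static/hotspot.txt"
EXPECTED_BODY = b"OK"          # assumption: the content the probe file is expected to carry

OPEN, CAPTIVE, UNREACHABLE = "open", "captive", "unreachable"


@dataclass
class ProbeResponse:
    status: int                                   # HTTP status code
    headers: dict = field(default_factory=dict)   # lower-cased header names
    body: bytes = b""


def classify(resp):
    """Decide whether the network is open, captive, or unreachable.

    The decision is made at the HTTP layer on purpose: as noted in the
    thread, a portal may hand out perfectly valid DNSSEC data alongside
    the forged answer that redirects to its login page, so DNS alone
    cannot tell when captivity has ended.
    """
    if resp is None:
        return UNREACHABLE
    if resp.status == 511:                        # RFC 6585 "Network Authentication Required"
        return CAPTIVE
    if 300 <= resp.status < 400 and "location" in resp.headers:
        return CAPTIVE                            # redirected to a login page
    if resp.status == 200:
        if resp.body.strip() == EXPECTED_BODY:
            return OPEN
        return CAPTIVE                            # 200, but someone else's page on our URL
    return UNREACHABLE


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 3xx is itself the signal we want to see."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_probe(url=PROBE_URL, timeout=5):
    """Fetch the probe URL without following redirects; None if no HTTP answer at all."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            hdrs = {k.lower(): v for k, v in r.headers.items()}
            return ProbeResponse(r.status, hdrs, r.read(64))
    except urllib.error.HTTPError as e:           # non-2xx, including the refused redirect
        hdrs = {k.lower(): v for k, v in e.headers.items()}
        return ProbeResponse(e.code, hdrs, b"")
    except (urllib.error.URLError, OSError):
        return None


def next_retry_delay(attempt, base=30, cap=300):
    """Exponential backoff in seconds for re-probing while captive.

    Stands in for "a smarter way than waiting a predefined amount of
    minutes": probe again soon after the user is told, then back off.
    """
    return min(cap, base * (2 ** attempt))


# Constructed sample responses, standing in for what a probe might observe.
SAMPLES = {
    "hotel_redirect": ProbeResponse(302, {"location": "http://portal.example/login"}),
    "hotel_spoofed_page": ProbeResponse(200, {}, b"<html>Welcome, please log in</html>"),
    "rfc6585_portal": ProbeResponse(511, {}, b""),
    "open_network": ProbeResponse(200, {"content-type": "text/plain"}, b"OK\n"),
    "no_answer": None,
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:20s} -> {classify(resp)}")
    # Live probe (network access required): classify(fetch_probe())
```

A caller would run `classify(fetch_probe())` each time the interface comes up and again after `next_retry_delay(attempt)` seconds while the verdict stays "captive", surfacing the insecure interval to the user as Phil suggests; only an "open" verdict is a reason to re-enable validation.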