[Dnssec-trigger] Captive portal detection for DNSSEC-Trigger?
paul at nohats.ca
Tue Apr 3 14:14:19 UTC 2012
On Tue, 3 Apr 2012, Jan-Piet Mens wrote:
> I've been travelling a bit lately and have had plenty of opportunities
> to test DNSSEC-Trigger, which usually works very well, thank you! There
> is, though, one situation which is a bit of a pain: having to deactivate
> (Hotspot Signon) it whilst connecting to, say, a hotel's captive portal.

At first glance, you would say that probing and re-activating dnssec
would be the right thing to do in hotspot signon. But the issue Wouter
described in the past is that some captive portals return fully valid
DNSSEC data, plus the bogus DNS for the captive portal redirect. So from
a DNS point of view, you do not know when this process has completed.
You can tell from a special URL, and that is for example what iOS does.
We have implemented that on the server side at Fedora
and I believe Wouter started work on using this additional probe to
detect when captivity has ended, and dnssec can be turned on again.
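
Added example, not part of the original post and not dnssec-trigger's own code: a sketch of the special-URL probe described above, used to decide when to leave hotspot sign-on mode. The probe URL, the expected body, and the mode name `dnssec_probe` are assumptions made for illustration.

```python
import urllib.error
import urllib.request

# Assumptions: placeholder probe URL and body; the post names neither.
PROBE_URL = "http://probe.example/hotspot.txt"
EXPECTED_BODY = b"OK"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """A portal redirect (3xx) must count as captive, so never follow it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code

def fetch(url=PROBE_URL, timeout=5):
    """Return (status, body), or None when the network is unreachable."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(1024)
    except urllib.error.HTTPError as err:  # includes unfollowed redirects
        return err.code, b""
    except OSError:                        # URLError, timeouts, resets
        return None

def classify(result, expected=EXPECTED_BODY):
    """Map a probe result to 'offline', 'captive' or 'open'."""
    if result is None:
        return "offline"
    status, body = result
    if status == 200 and body.strip() == expected:
        return "open"
    return "captive"  # redirect, login page, or rewritten content

def next_mode(mode, result):
    """Leave hotspot sign-on only after a clean probe.

    The probe runs over plain HTTP through the untrusted resolver, so a
    clean result is only a cue to re-run the DNSSEC probe, not proof.
    """
    if mode == "hotspot_signon" and classify(result) == "open":
        return "dnssec_probe"
    return mode

# Constructed sample results (status, body) for offline use.
SAMPLES = {
    "portal_redirect": (302, b""),
    "portal_login_page": (200, b"<html>Please sign in</html>"),
    "after_signon": (200, b"OK\n"),
    "no_link": None,
}
```

Calling `next_mode("hotspot_signon", fetch())` on a timer gives the polling loop; the constructed `SAMPLES` show the decision without touching the network.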