From wouter at nlnetlabs.nl Fri Feb 17 09:50:21 2012
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Fri, 17 Feb 2012 10:50:21 +0100
Subject: [Dnssec-trigger] dnssec trigger 0.10 release
Message-ID: <4F3E22DD.3010602@nlnetlabs.nl>

Hi,

dnssec-trigger 0.10 is released,
http://www.nlnetlabs.nl/projects/dnssec-trigger/

source tarball hashes
sha1 92d09fa5fff490feadbd3b927478d51e0001a6e1
sha256 2d4e95413dbc8249f152f9cc1d1d1449f2c9d0e8d64839d8b7686d0250f54fde

This version has some bugfixes. The alert icon is more readable, more visible red mark on it.

Bugfixes:
Windows-installer fixes.
If you use hotspot signon it takes effect immediately (not in 10 seconds).
Does not show two popups at the same time.
On OSX popups work and pop on top.
The windows installer contains a snapshot of unbound's development version, so that it contains the rename() fix that bugged windows unbound-users.

Best regards,
Wouter


From paul at nohats.ca Fri Feb 17 14:42:32 2012
From: paul at nohats.ca (Paul Wouters)
Date: Fri, 17 Feb 2012 09:42:32 -0500 (EST)
Subject: [Dnssec-trigger] dnssec trigger 0.10 release
In-Reply-To: <4F3E22DD.3010602@nlnetlabs.nl>
References: <4F3E22DD.3010602@nlnetlabs.nl>

On Fri, 17 Feb 2012, W.C.A. Wijngaards wrote:

> dnssec-trigger 0.10 is released,
> http://www.nlnetlabs.nl/projects/dnssec-trigger/
>
> source tarball hashes
> sha1 92d09fa5fff490feadbd3b927478d51e0001a6e1
> sha256 2d4e95413dbc8249f152f9cc1d1d1449f2c9d0e8d64839d8b7686d0250f54fde
>
> This version has some bugfixes. The alert icon is more readable, more
> visible red mark on it.

Does it now never write a resolv.conf with just the single line:

# Generated by dnssec-trigger 0.xxx

That's the one big show stopper for me.

Paul


From wouter at nlnetlabs.nl Fri Feb 17 15:29:42 2012
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Fri, 17 Feb 2012 16:29:42 +0100
Subject: [Dnssec-trigger] dnssec trigger 0.10 release
In-Reply-To: (Paul Wouters, Fri, 17 Feb 2012 09:42:32 -0500)
References: <4F3E22DD.3010602@nlnetlabs.nl>
Message-ID: <4F3E7266.5050701@nlnetlabs.nl>

Hi Paul,

It did hotspot_signon when dnssec-trigger thinks there are zero DHCP DNS servers. Hence it writes zero DHCP DNS servers to resolv.conf.

Fix 1. Fork off the DHCP hook on linuxes (like it does on OSX and Windows). So it does not think the list is empty at start-up.

Fix 2. Run the DHCP hook from the startup scripts (are they missing?). But those get difficult with systemd and whatnot? Easier if no special processing, it's forked from the daemon? (Is this also the case for unbound-anchor? Does that need to get forked from the main daemon too?)

Fix 3. Bug is something else, not to do with DHCP script and startup.

I want to get to the root cause here: you press the hotsign button, but dnssec-trigger thinks: no DNS servers.

Best regards,
Wouter

On 02/17/2012 03:42 PM, Paul Wouters wrote:
> On Fri, 17 Feb 2012, W.C.A. Wijngaards wrote:
>
>> dnssec-trigger 0.10 is released,
>> http://www.nlnetlabs.nl/projects/dnssec-trigger/
>>
>> source tarball hashes
>> sha1 92d09fa5fff490feadbd3b927478d51e0001a6e1
>> sha256 2d4e95413dbc8249f152f9cc1d1d1449f2c9d0e8d64839d8b7686d0250f54fde
>>
>> This version has some bugfixes. The alert icon is more readable,
>> more visible red mark on it.
>
> Does it now never write a resolv.conf with just the single line:
> # Generated by dnssec-trigger 0.xxx
>
> That's the one big show stopper for me.
>
> Paul


From paul at nohats.ca Mon Feb 20 18:20:52 2012
From: paul at nohats.ca (Paul Wouters)
Date: Mon, 20 Feb 2012 13:20:52 -0500 (EST)
Subject: [Dnssec-trigger] dnssec trigger 0.10 release
In-Reply-To: <4F3E7266.5050701@nlnetlabs.nl>
References: <4F3E22DD.3010602@nlnetlabs.nl> <4F3E7266.5050701@nlnetlabs.nl>

On Fri, 17 Feb 2012, W.C.A. Wijngaards wrote:

> It did hotspot_signon when dnssec-trigger thinks there are zero DHCP
> DNS servers. Hence it writes zero DHCP DNS servers to resolv.conf.

0.10 still shows this problem.

Yes. IMHO, it should never ever write an empty resolv.conf. Worse, it makes it immutable, so even if I click "disconnect" and "connect" in NM, it fails to overwrite resolv.conf (I guess to protect it, but it means I have to manually chattr to fix this, not something a user should ever engage in).

> Fix 1. Fork off the DHCP hook on linuxes (like it does on OSX and
> Windows). So it does not think the list is empty at start-up.
> Fix 2. Run the DHCP hook from the startup scripts (are they
> missing?). But those get difficult with systemd and whatnot? Easier
> if no special processing, its forked from the daemon? (is this also
> the case for unbound-anchor? Does that need to get forked from the
> main daemon too?)

from the init script:

    # if not running, start it up here
    daemon --pidfile=$pidfile $exec
    retval=$?
    [ $retval -eq 0 ] && touch $lockfile
    # start the first probe, the daemon missed any previous events.
    /etc/NetworkManager/dispatcher.d/01-dnssec-trigger-hook "all" "bootup"
    echo

So it should be doing that?

> Fix 3. Bug is something else, not to do with DHCP script and startup
>
> I want to get to the root cause here: you press the hotsign button,
> but dnssec-trigger think: no DNS servers.

I think the file is immutable by the trigger pointing to localhost. I close my laptop, go elsewhere, open it. NM connects to a new network and fails to write the resolv.conf (though the cli util seems to remember?). I hit "hotspot" and somehow trigger thinks NM got no DNS servers...

The timing of this last happens differently too. Sometimes I click "hotspot" before the wifi signal picked up and NM connected to it. Perhaps that is part of the problem?

Paul


From wouter at nlnetlabs.nl Tue Feb 21 08:16:34 2012
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Tue, 21 Feb 2012 09:16:34 +0100
Subject: [Dnssec-trigger] dnssec trigger 0.10 release
In-Reply-To: (Paul Wouters, Mon, 20 Feb 2012 13:20:52 -0500)
References: <4F3E22DD.3010602@nlnetlabs.nl> <4F3E7266.5050701@nlnetlabs.nl>
Message-ID: <4F4352E2.6090008@nlnetlabs.nl>

Hi Paul,

On 02/20/2012 07:20 PM, Paul Wouters wrote:
> On Fri, 17 Feb 2012, W.C.A. Wijngaards wrote:
>
>> It did hotspot_signon when dnssec-trigger thinks there are zero
>> DHCP DNS servers. Hence it writes zero DHCP DNS servers to
>> resolv.conf.
>
> 0.10 still shows this problem
>
> Yes. IMHO, it should never ever write an empty resolv.conf. Worse,
> it makes it immutable, so even if I click "disconnect" and
> "connect" in NM, it fails to overwrite resolv.conf (I guess to
> protect it, but it means I have to manually chattr to fix this, not
> something a user should ever engage in)

So, you are using hotspot-signon (insecure mode). NM disconnect and connect would trigger dnssec-trigger to rewrite the resolv.conf file. And reprobe the network too. But dnssec-trigger thinks there are zero DHCP DNS servers. That is the root cause of the problem, and I think that is what we need to fix.

>> Fix 1. Fork off the DHCP hook on linuxes (like it does on OSX
>> and Windows). So it does not think the list is empty at
>> start-up. Fix 2. Run the DHCP hook from the startup scripts (are
>> they missing?). But those get difficult with systemd and
>> whatnot? Easier if no special processing, its forked from the
>> daemon? (is this also the case for unbound-anchor? Does that
>> need to get forked from the main daemon too?)
>
> from the init script:
>
>     # if not running, start it up here
>     daemon --pidfile=$pidfile $exec
>     retval=$?
>     [ $retval -eq 0 ] && touch $lockfile
>     # start the first probe, the daemon missed any previous events.
>     /etc/NetworkManager/dispatcher.d/01-dnssec-trigger-hook "all" "bootup"
>     echo
>
> So it should be doing that?

Yes that looks OK. You can see inside that shell script, that it uses nmcli to get the DHCP DNS servers. Somehow that list is empty. You can enable more verbosity in dnssec-trigger.conf, and you can use nmcli yourself. Can you get more information what dnssec-trigger.conf thinks is the DHCP state?

Best regards,
Wouter


From paul at nohats.ca Tue Feb 21 19:22:38 2012
From: paul at nohats.ca (Paul Wouters)
Date: Tue, 21 Feb 2012 14:22:38 -0500 (EST)
Subject: [Dnssec-trigger] dnssec trigger 0.10 release
In-Reply-To: <4F4352E2.6090008@nlnetlabs.nl>
References: <4F3E22DD.3010602@nlnetlabs.nl> <4F3E7266.5050701@nlnetlabs.nl> <4F4352E2.6090008@nlnetlabs.nl>

On Tue, 21 Feb 2012, W.C.A. Wijngaards wrote:

> So, you are using hotspot-signon (insecure mode). NM disconnect and
> connect would trigger dnssec-trigger to rewrite the resolv.conf file.
> And reprobe the network too. But dnssec-trigger thinks there are
> zero DHCP DNS servers. That is the root cause of the problem, and I
> think that is what we need to fix.

laptop opened at coffee please. did not do anything for 5 minutes while talking to owner :)

then did:

    [paul@thinkpad ~]$ nmcli -f IP4-DNS,IP6-DNS dev list
    IP4-DNS1.DNS:                           192.168.101.1

    [paul@thinkpad ~]$ cat /etc/resolv.conf
    # Generated by dnssec-trigger 0.10
    nameserver 127.0.0.1

tried browsing, I got redirected to the internal-only dns, so firefox failed lookup (because unbound could not get the name). I then selected "hotspot signon" and ran:

    [paul@thinkpad ~]$ cat /etc/resolv.conf
    # Generated by dnssec-trigger 0.10
    [paul@thinkpad ~]$

*poof*

logs only show:

    Feb 21 13:31:16 thinkpad logger: dnssec-trigger-hook(networkmanager) wlan1 up DNS 192.168.101.1
    Feb 21 13:36:52 thinkpad dnssec-triggerd: [19165] notice: state dark forced_insecure

That's not very verbosity:4 ?

    [paul@thinkpad ~]$ dnssec-trigger-control verbosity 4
    error unknown command
    [paul@thinkpad ~]$

not like unbound I guess.

Paul


From wouter at nlnetlabs.nl Wed Feb 22 08:10:16 2012
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Wed, 22 Feb 2012 09:10:16 +0100
Subject: [Dnssec-trigger] dnssec trigger 0.10 release
In-Reply-To: (Paul Wouters, Tue, 21 Feb 2012 14:22:38 -0500)
References: <4F3E22DD.3010602@nlnetlabs.nl> <4F3E7266.5050701@nlnetlabs.nl> <4F4352E2.6090008@nlnetlabs.nl>
Message-ID: <4F44A2E8.4010908@nlnetlabs.nl>

Hi Paul,

On 02/21/2012 08:22 PM, Paul Wouters wrote:
> On Tue, 21 Feb 2012, W.C.A. Wijngaards wrote:
>
>> So, you are using hotspot-signon (insecure mode). NM disconnect
>> and connect would trigger dnssec-trigger to rewrite the
>> resolv.conf file. And reprobe the network too. But
>> dnssec-trigger thinks there are zero DHCP DNS servers. That is
>> the root cause of the problem, and I think that is what we need
>> to fix.
>
> laptop opened at coffee please. did not do anything for 5 minutes
> while talking to owner :)
>
> then did:
>
>     [paul@thinkpad ~]$ nmcli -f IP4-DNS,IP6-DNS dev list
>     IP4-DNS1.DNS:                           192.168.101.1
>
>     [paul@thinkpad ~]$ cat /etc/resolv.conf
>     # Generated by dnssec-trigger 0.10
>     nameserver 127.0.0.1
>
> tried browsing, I got redirected to the internal-only dns, so
> firefox failed lookup (because unbound could not get the name). I
> then selected "hotspot signon" and ran:
>
>     [paul@thinkpad ~]$ cat /etc/resolv.conf
>     # Generated by dnssec-trigger 0.10
>     [paul@thinkpad ~]$
>
> *poof*
>
> logs only show:
>
>     Feb 21 13:31:16 thinkpad logger: dnssec-trigger-hook(networkmanager) wlan1 up DNS 192.168.101.1

This looks good, so the script does pick up the DHCP DNS. But does not tell dnssec-trigger, the next command is (from /etc/NetworkManager.d/dispatcher.d/01-dnssec-trigger-hook ..)

    dnssec-trigger-control submit "$ips"

Can it be that the config script is in a non-default location? That the control key files have wrong permissions? You could change the last line to read:

    dnssec-trigger-control submit "$ips" 2>&1 | logger

and then see from syslog what goes wrong here? Since dnssec-triggerd has no DHCP DNS, this command must fail.

(verbosity: set in dnssec-trigger.conf; reload or restart).

Best regards,
Wouter

>     Feb 21 13:36:52 thinkpad dnssec-triggerd: [19165] notice: state dark forced_insecure
>
> That's not very verbosity:4 ?
>
>     [paul@thinkpad ~]$ dnssec-trigger-control verbosity 4
>     error unknown command
>     [paul@thinkpad ~]$
>
> not like unbound I guess.
>
> Paul


From paul at nohats.ca Wed Feb 22 14:40:19 2012
From: paul at nohats.ca (Paul Wouters)
Date: Wed, 22 Feb 2012 09:40:19 -0500 (EST)
Subject: [Dnssec-trigger] dnssec trigger 0.10 release
In-Reply-To: <4F44A2E8.4010908@nlnetlabs.nl>
References: <4F3E22DD.3010602@nlnetlabs.nl> <4F3E7266.5050701@nlnetlabs.nl> <4F4352E2.6090008@nlnetlabs.nl> <4F44A2E8.4010908@nlnetlabs.nl>

On Wed, 22 Feb 2012, W.C.A. Wijngaards wrote:

> This looks good, so the script does pick up the DHCP DNS. But does
> not tell dnssec-trigger, the next command is
> (from /etc/NetworkManager.d/dispatcher.d/01-dnssec-trigger-hook ..)
> dnssec-trigger-control submit "$ips"
>
> Can it be that the config script is in a non-default location?

Indeed, the path for NM did not include /usr/sbin. Fixed packages for fedora rawhide testing with this fix have been pushed, also bumping the release to 0.10.

Fedora users, please test:
http://lists.fedoraproject.org/pipermail/devel/2012-February/163072.html

Paul
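The failure mode worked out in this thread is a dispatcher hook that reads the DHCP DNS servers from nmcli correctly, then fails silently on `dnssec-trigger-control submit "$ips"` because NetworkManager's PATH lacks /usr/sbin, leaving dnssec-triggerd with an empty DHCP list and an empty resolv.conf. The script below is an added example, not the project's own 01-dnssec-trigger-hook and not code from either poster: it pins PATH so the control binary resolves, parses `nmcli -f IP4-DNS,IP6-DNS dev list` output into the space-separated list the submit command expects, and logs a missing binary, an empty list or a failed submit to syslog instead of dropping them. The function names, the PATH value and the sample nmcli output are assumptions constructed for the demo; the real hook's exact parsing and argument handling may differ.

```shell
#!/bin/sh
# Added example (not dnssec-trigger's own hook): a NetworkManager
# dispatcher-style hook in the shape the thread describes, with the
# PATH fix Paul found and the syslog logging Wouter suggested.
# Function names and the sample nmcli output below are assumptions
# made for this demo, not taken from the project.

# Root cause in the thread: NM runs dispatcher scripts with a PATH that
# need not contain /usr/sbin, where dnssec-trigger-control lives.
# Prepending keeps whatever NM already provided.
PATH="/usr/sbin:/sbin:$PATH"
export PATH

TAG=dnssec-trigger-hook

# log: syslog via logger when available, stderr otherwise, so the hook
# never loses a diagnostic on a minimal system.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$TAG" -- "$*"
    else
        printf '%s: %s\n' "$TAG" "$*" >&2
    fi
}

# parse_nm_dns: read "nmcli -f IP4-DNS,IP6-DNS dev list" style lines on
# stdin and print the DNS server addresses, space separated, on one line.
# Only keys of the form IP4-DNSn.DNS / IP6-DNSn.DNS are taken; other
# fields (addresses, gateways) are ignored.
parse_nm_dns() {
    awk '/^IP[46]-DNS[0-9]+\.DNS:/ { out = out (out ? " " : "") $2 }
         END { print out }'
}

# have_cmd: true when the command resolves in the current PATH.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# submit_dns: hand the list to dnssec-triggerd, logging every way this
# can go wrong. Returns 2 for an empty list, 127 when the control
# binary cannot be found, otherwise the submit command's own status.
submit_dns() {
    ips="$1"
    if [ -z "$ips" ]; then
        log "no DHCP DNS servers parsed from nmcli; not submitting"
        return 2
    fi
    if ! have_cmd dnssec-trigger-control; then
        log "dnssec-trigger-control not found in PATH=$PATH"
        return 127
    fi
    # Capture stderr too so a control-key or socket error reaches syslog.
    out=$(dnssec-trigger-control submit "$ips" 2>&1)
    rc=$?
    [ -n "$out" ] && log "submit $ips: $out"
    [ "$rc" -eq 0 ] || log "submit $ips failed with status $rc"
    return "$rc"
}

# Constructed sample of old-style nmcli output (not captured from a
# real host) used by demo_parse below.
SAMPLE_NMCLI='IP4-DNS1.DNS:                           192.168.101.1
IP4-DNS2.DNS:                           192.168.101.2
IP4-ADDRESS[1]:                         ip = 192.168.101.5/24, gw = 192.168.101.1
IP6-DNS1.DNS:                           fe80::1'

# demo_parse: run the parser over the constructed sample.
demo_parse() {
    printf '%s\n' "$SAMPLE_NMCLI" | parse_nm_dns
}

# Dispatcher entry point: NM calls hooks as "<script> <iface> <action>".
# Only act when invoked that way, so sourcing the file does nothing.
if [ $# -ge 2 ]; then
    case "$2" in
        up|dhcp4-change|dhcp6-change|bootup)
            ips=$(nmcli -f IP4-DNS,IP6-DNS dev list 2>/dev/null | parse_nm_dns)
            log "$1 $2 DNS $ips"
            submit_dns "$ips"
            ;;
    esac
fi
```

Running it by hand as `sh hook.sh wlan1 up` reproduces the thread's diagnostic path: with the binary missing from PATH you get a "not found in PATH=..." line in syslog rather than the silent "state dark forced_insecure" Paul saw.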