[Dnssec-trigger] dnssec trigger 0.10 release
wouter at nlnetlabs.nl
Tue Feb 21 08:16:34 UTC 2012
On 02/20/2012 07:20 PM, Paul Wouters wrote:
> On Fri, 17 Feb 2012, W.C.A. Wijngaards wrote:
>> It did hotspot_signon when dnssec-trigger thinks there are zero
>> DHCP DNS servers. Hence it writes zero DHCP DNS servers to
> 0.10 still shows this problem
> Yes. IMHO, it should never ever write an empty resolv.conf. Worse,
> it makes it immutable, so even if I click "disconnect" and
> "connect" in NM, it fails to overwrite resolv.conf (I guess to
> protect it, but it means I have to manually chattr to fix this, not
> something a user should ever engage in)
So, you are using hotspot-signon (insecure mode). NM disconnect and
connect would trigger dnssec-trigger to rewrite the resolv.conf file.
And reprobe the network too. But dnssec-trigger thinks there are
zero DHCP DNS servers. That is the root cause of the problem, and I
think that is what we need to fix.
>> Fix 1. Fork off the DHCP hook on linuxes (like it does on OSX
>> and Windows). So it does not think the list is empty at
>> start-up.
>> Fix 2. Run the DHCP hook from the startup scripts (are
>> they missing?). But those get difficult with systemd and
>> whatnot? Easier if no special processing, it's forked from the
>> daemon? (is this also the case for unbound-anchor? Does that
>> need to get forked from the main daemon too?)
> from the init script:
>     # if not running, start it up here
>     daemon --pidfile=$pidfile $exec
>     retval=$?
>     [ $retval -eq 0 ] && touch $lockfile
>     # start the first probe, the daemon missed any previous events.
>     /etc/NetworkManager/dispatcher.d/01-dnssec-trigger-hook "all" "bootup"
>     echo
> So it should be doing that?
Yes, that looks OK. You can see inside that shell script that it uses
nmcli to get the DHCP DNS servers. Somehow that list is empty. You
can enable more verbosity in dnssec-trigger.conf, and you can use
nmcli yourself. Can you get more information on what dnssec-trigger.conf
thinks is the DHCP state?
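Added example, not part of the original message or of dnssec-trigger: a small shell check for the state discussed in this thread, a resolv.conf with no nameserver entries that has also been made immutable. The function names are hypothetical; it assumes lsattr (the companion of chattr) is available and reports the file as writable when the attribute cannot be read.

```shell
#!/bin/sh
# Added diagnostic example; not dnssec-trigger code. Function names are hypothetical.

# Count "nameserver" entries in a resolv.conf-style file.
count_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# Succeed if the file carries the immutable attribute (as set by chattr +i).
# Assumption: if lsattr is missing or the filesystem has no attribute
# support, the file is reported as not immutable.
is_immutable() {
    attrs=$(lsattr -d "$1" 2>/dev/null | awk '{ print $1 }')
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print one of: missing, empty-immutable, empty-writable,
# "ok-immutable nameservers=N", "ok-writable nameservers=N".
resolv_state() {
    f=${1:-/etc/resolv.conf}
    if [ ! -r "$f" ]; then
        echo "missing"
        return 0
    fi
    n=$(count_nameservers "$f")
    if is_immutable "$f"; then imm=immutable; else imm=writable; fi
    if [ "$n" -eq 0 ]; then
        echo "empty-$imm"
    else
        echo "ok-$imm nameservers=$n"
    fi
}

# Usage: resolv_state            (checks /etc/resolv.conf)
#        resolv_state /some/file (checks a copy)
```

A result of "empty-immutable" matches the situation described above, where a network reconnect cannot repair the file until the attribute is cleared.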