[Dnssec-trigger] dnssec trigger 0.10 release

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Feb 21 08:16:34 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Paul,

On 02/20/2012 07:20 PM, Paul Wouters wrote:
> On Fri, 17 Feb 2012, W.C.A. Wijngaards wrote:
> 
>> It did hotspot_signon when dnssec-trigger thinks there are zero
>> DHCP DNS servers.  Hence it writes zero DHCP DNS servers to
>> resolv.conf.
> 
> 0.10 still shows this problem
> 
> Yes. IMHO, it should never ever write an empty resolv.conf. Worse,
> it makes it immutable, so even if I click "disconnect" and
> "connect" in NM, it fails to overwrite resolv.conf (I guess to
> protect it, but it means I have to manually chattr to fix this, not
> something a user should ever engage in)

So, you are using hotspot-signon (insecure mode).  NM disconnect and
connect would trigger dnssec-trigger to rewrite the resolv.conf file,
and reprobe the network too.  But dnssec-trigger thinks there are
zero DHCP DNS servers.  That is the root cause of the problem, and I
think that is what we need to fix.

>> Fix 1.  Fork off the DHCP hook on linuxes (like it does on OSX
>> and Windows).  So it does not think the list is empty at
>> start-up.
>>
>> Fix 2.  Run the DHCP hook from the startup scripts (are
>> they missing?).  But those get difficult with systemd and
>> whatnot?  Easier if no special processing, it's forked from the
>> daemon?  (is this also the case for unbound-anchor? Does that
>> need to get forked from the main daemon too?)
> 
> from the init script:
> 
> # if not running, start it up here
> daemon --pidfile=$pidfile $exec
> retval=$?
> [ $retval -eq 0 ] && touch $lockfile
> # start the first probe, the daemon missed any previous events.
> /etc/NetworkManager/dispatcher.d/01-dnssec-trigger-hook "all" "bootup"
> echo
> 
> So it should be doing that?

Yes, that looks OK.  You can see inside that shell script that it uses
nmcli to get the DHCP DNS servers.  Somehow that list is empty.  You
can enable more verbosity in dnssec-trigger.conf, and you can use
nmcli yourself.  Can you get more information on what dnssec-trigger.conf
thinks is the DHCP state?

Best regards,
   Wouter
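The failure Wouter and Paul are discussing is the hook taking an empty DNS list from nmcli and writing it straight into resolv.conf. The script below is an added example written for this thread; it is not dnssec-trigger's own NetworkManager hook and does not use its code. It assumes nmcli output in the terse form `IP4.DNS[1]:192.0.2.53` (as printed by `nmcli -t -f IP4.DNS device show`; treat that format as an assumption), parses the server list out of it, and refuses to touch the target file, or mark it immutable, when the list comes back empty. Both inputs are constructed samples, and the demo writes to a scratch file rather than /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not dnssec-trigger's hook: parse DHCP DNS servers out of
# nmcli-style output and never write an empty resolv.conf.
# Assumed nmcli format: one "IP4.DNS[n]:<address>" line per server.

# Constructed sample of nmcli output on a working DHCP lease.
SAMPLE_NMCLI_OK='IP4.DNS[1]:192.0.2.53
IP4.DNS[2]:192.0.2.54'

# Constructed sample of the failure mode from the thread: no servers at all.
SAMPLE_NMCLI_EMPTY=''

# Print one address per line, extracted from the IP4.DNS[...] lines;
# prints nothing when there are none.
dns_from_nmcli() {
    printf '%s\n' "$1" | sed -n 's/^IP4\.DNS\[[0-9]*\]:\(.*\)$/\1/p'
}

# Number of servers found (0 for an empty list).
count_dns() {
    dns_from_nmcli "$1" | awk 'END { print NR }'
}

# Write "nameserver" lines to $1 from nmcli output $2. Returns 0 on a
# write and 1 when the list is empty; in that case the target is left
# exactly as it was so NM or the user can still repair it, and nothing
# is made immutable.
write_resolv_conf() {
    target=$1
    nmcli_out=$2
    servers=$(dns_from_nmcli "$nmcli_out")
    if [ -z "$servers" ]; then
        echo "no DHCP DNS servers from nmcli; not touching $target" >&2
        return 1
    fi
    tmp="$target.tmp.$$"
    : > "$tmp"
    printf '%s\n' "$servers" | while read -r addr; do
        echo "nameserver $addr" >> "$tmp"
    done
    # Atomic replace: readers never see a half-written file.
    mv "$tmp" "$target"
    return 0
}

# Demo against a scratch file, never the real /etc/resolv.conf.
demo_target=$(mktemp)
write_resolv_conf "$demo_target" "$SAMPLE_NMCLI_EMPTY" || echo "empty list refused, as intended"
write_resolv_conf "$demo_target" "$SAMPLE_NMCLI_OK" && cat "$demo_target"
rm -f "$demo_target"
```

The guard is the point: with the check in place an empty nmcli answer is logged and the existing resolv.conf survives, instead of being replaced by an empty, immutable file that the user has to chattr back by hand. Running `dns_from_nmcli` against real `nmcli -t -f IP4.DNS device show` output is also a quick way to see what the hook is actually being handed.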