[Dnssec-trigger] dnssec trigger 0.10 release

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed Feb 22 08:10:16 UTC 2012



Hi Paul,

On 02/21/2012 08:22 PM, Paul Wouters wrote:
> On Tue, 21 Feb 2012, W.C.A. Wijngaards wrote:
> 
>> So, you are using hotspot-signon (insecure mode).  NM disconnect
>> and connect would trigger dnssec-trigger to rewrite the
>> resolv.conf file. And reprobe the network too.  But
>> dnssec-trigger thinks there are zero DHCP DNS servers.  That is
>> the root cause of the problem, and I think that is what we need
>> to fix.
> 
> laptop opened at coffee please. did not do anything for 5 minutes
> while talking to owner :)
> 
> then did:
> 
> [paul at thinkpad ~]$ nmcli -f IP4-DNS,IP6-DNS dev list
> IP4-DNS1.DNS: 192.168.101.1
> 
> [paul at thinkpad ~]$ cat /etc/resolv.conf
> # Generated by dnssec-trigger 0.10
> nameserver 127.0.0.1
> 
> tried browsing, I got redirected to the internal-only dns, so
> firefox failed lookup (because unbound could not get the name). I
> then selected "hotspot signon" and ran:
> 
> [paul at thinkpad ~]$ cat /etc/resolv.conf
> # Generated by dnssec-trigger 0.10
> [paul at thinkpad ~]$
> 
> *poof*
> 
> logs only show:
> 
> Feb 21 13:31:16 thinkpad logger: dnssec-trigger-hook(networkmanager) wlan1 up DNS 192.168.101.1

This looks good, so the script does pick up the DHCP DNS.  But does
not tell dnssec-trigger, the next command is
(from /etc/NetworkManager.d/dispatcher.d/01-dnssec-trigger-hook ..)
dnssec-trigger-control submit "$ips"

Can it be that the config script is in a non-default location?
That the control key files have wrong permissions?

You could change the last line to read:
dnssec-trigger-control submit "$ips" 2>&1 | logger
and then see from syslog what goes wrong here?

Since dnssec-triggerd has no DHCP DNS, this command must fail.

(verbosity: set in dnssec-trigger.conf; reload or restart).

Best regards,
   Wouter


> Feb 21 13:36:52 thinkpad dnssec-triggerd: [19165] notice: state dark forced_insecure
> 
> That's not very verbosity:4 ?
> 
> [paul at thinkpad ~]$ dnssec-trigger-control verbosity 4
> error unknown command
> [paul at thinkpad ~]$
> 
> not like unbound I guess.
> 
> Paul

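The debugging step suggested in the message above, as an added example that is not part of the original mail or of the dnssec-trigger package: a hook tail that logs the output of the submit step and keeps its exit status, plus a readability check for the config and control key files. The function names and the `CTL`/`LOG` override variables are hypothetical; the file paths to check are passed in by the caller.

```shell
# Added example: log why the "submit" step of the NetworkManager hook failed.
# CTL and LOG are hypothetical override variables so the functions can be
# exercised without dnssec-trigger installed; the defaults are the commands
# named in the thread.
CTL="${CTL:-dnssec-trigger-control}"
LOG="${LOG:-logger -t dnssec-trigger-hook}"

# Run "$CTL submit <ips>", send its stdout and stderr to $LOG, and return
# the control command's own exit status. A plain "cmd 2>&1 | logger"
# pipeline returns logger's status, which hides the failure from the caller.
submit_logged() {
    ips="$1"
    out=$($CTL submit "$ips" 2>&1)
    rc=$?
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | $LOG
    fi
    if [ "$rc" -ne 0 ]; then
        echo "submit \"$ips\" failed with status $rc" | $LOG
    fi
    return "$rc"
}

# Log each listed file (config file, control key and certificate) that the
# user running the hook cannot read; return 1 if any is missing or unreadable.
check_readable() {
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" | $LOG; bad=1
        elif [ ! -r "$f" ]; then
            echo "unreadable by $(id -un): $f" | $LOG; bad=1
        fi
    done
    return "$bad"
}
```

In the hook, `check_readable` would be called with the installation's config and control key paths before `submit_logged "$ips"`, so syslog shows both the permission state and the control command's own error text.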


