[Dnssec-trigger] DNSSEC trigger and v6 DNS servers

W.C.A. Wijngaards wouter at NLnetLabs.nl
Mon Jan 2 08:44:50 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Stephan,

On 12/28/2011 04:58 PM, Stephan Lagerholm wrote:
> Hi,
> 
> I can still access www.trasigdnssec.se (a deliberately DNSSEC
> broken domain) with DNSSEC trigger 0.9 installed and running on my
> windows 7 laptop when using v6 capable applications such as
> firefox.
> 
> ----------------------------------------------- The probe results
> are: results from probe at 2011-12-28 09:26:37
> 
> cache 64.92.220.220: OK cache 208.67.222.222: error no RRSIGs in
> reply
> 
> DNSSEC results fetched from (DHCP) cache(s)
> 
> ---------------------------------------------
> 
> What appears to happen is the firefox/IE is sending queries to the
> IPv6 DNS server 2001:5c0:1000:11::2 that I got provisioned via
> DHCPv6. Shouldn't dnssec-trigger rewrite both the 'resolv.conf' for
> IPv4 and IPv6 and start a local unbound on both ::1 and 127.0.0.1?

Unbound is on ::1, but there is no resolv.conf on windows7, it writes
into the registry.  There must be an additional entry to overwrite
with tthe DHCPv6 results.  I would like you to search your registry
for that DNS server (as a string), it should give you a hit in
HKEY_LOCAL_MACHINE (abbrev to HKLM):
SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\<someGUID

What is the entire contents of that 'folder' in the registry?  I mean
DNS related, such as 'Nameserver' or 'DNS' in the name?  Now, it sets
the 'Nameserver' entry to 127.0.0.1.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPAW6BAAoJEJ9vHC1+BF+Nk1YP/2hfzvUBQPd+Ul9D/ThaZuF6
3/M3CpzVUGjOhSAqf2+YRfe2FP/IqR5b0Jv0myg1ZemIjHq6cGPDvHinNpwOtvTw
noTflUqM+IDwmTl2VEp3KxXTySEgZhk75nBKA4rZWzGhHKAiMcFfDyDQmvm+j0pR
GtED8I8a7bZVHhP7EktLBK6p11QRcsTiFejJaVV88+BX9W1UalZG2eIgXZQqMcr7
WYLQ2CLZM49Bu9p/vvAJm1pEnZUD/puWeGhJma9HANwA2VlyoR9YJzwiplIMpwvR
oPrnseGAF9PEcamavSULYYQ1Lmx6EdsqCgWYG7UEvl7iQK72e8o53t6UvsxdFsaT
07jZaKZBHHBtZFMl7GRSAv6U1kcrHvFIsDnf1+Z3LHmI2yRXMIzIlvVYfKtir4vQ
lJcJOw7BuAAqiipzAYft4ilELHRkIIAuRovmbQEtd5TCtgCVF58IDuJW8VIo233u
4YaX3lS8r0lrzs7oqj5mzSmK4+A9c30Np9AwWu8GuiNqRVIKwzrILI3plLt/aGtk
HSGLqfCO/FJ7v13TTJyrJo+jg7jqDR0iYYzoSvVATPos5GaG6hOOpu8NpMoodpeQ
NGUcAb9hSr6uFi7pt4AepNsr5uDS583vdeUztcFk0oI93OAamyLPNV0/VpfFIlx5
vHU4X1eu2/DnjHzl9DLB
=FGXu
-----END PGP SIGNATURE-----

More information about the dnssec-trigger mailing list