[Dnssec-trigger] bugzilla can be used to file dnssec-trigger bug reports via the web browser

W.C.A. Wijngaards wouter at nlnetlabs.nl
Thu Jan 26 21:55:05 UTC 2012

Hi Paul,

On 01/26/2012 03:56 PM, Paul Wouters wrote:
> On Thu, 26 Jan 2012, W.C.A. Wijngaards wrote:
>> There is a bugzilla location for dnssec-trigger bug reports:
>> http://nlnetlabs.nl/bugs-script/enter_bug.cgi?product=dnssec-trigger
>> So we can track them, and it is friendly to non-mailinglist-members
>> that want to file a bugreport.
> So let me use this opportunity to talk about features :)

Yes, this is an experimental product to see how we can have DNSSEC at
end hosts.

> The first is, why do we need to have the user decide when to switch from
> hotspot mode to secure mode?

There are two insecure modes right now:
hotspot mode: user chose hotspot mode to sign in. stay insecure until
reprobe menu item.
insecure dialog: probe failed, insecure dialog shown to user (disconnect
or insecure?).  Silent reprobes with timeouts in the background (with no
popups, but if secure, takes it).

> Why can't we probe every 5 seconds? Perhaps
> with some exponential backoff? I really would like to see that process
> automated - it should not need user input.

Yes, if the insecure-ness was because of a failed probe, then an
exponential backoff timer is implemented today.

If insecure-ness is because user chose hotspot-mode we keep that mode
until the user clicks to exit it.  Because, as Stephane found out, some
hotspots can have DNSSEC (via some workaround), but then you cannot
actually sign-on anymore (that uses the insecure local cache).

This user hotspot and reprobe menu item thing works with you tech-guys,
but it is difficult.  I would like something easier, but I do not know
how to help the user here.  To dnssec-trigger everything may seem to be
fine (dnssec with some workaround, yay), but then the web browser cannot
connect anywhere and cannot sign-in either ...

> The second is, with Linux, there is network manager that keeps track of
> connections and properties. It would be nice if we could store and
> remember the brokenness/failures so when we reconnect to the same
> network, we could switch to the expected mode. This latter one is harder
> because hotspots function in two modes, pre and post the hotspot magic.


Somehow know that 'hotspot signon' mode is necessary, and sign-in
completion can trigger a reprobe somehow...

Best regards,
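
The two insecure modes described in this message, sketched as a small state machine. This is an added example, not part of the original post and not dnssec-trigger's code; all names and the delay bounds are assumptions.

```c
#include <stdio.h>
/* Hypothetical names; the delay bounds are assumed, not dnssec-trigger's. */
enum mode { MODE_SECURE, MODE_INSECURE_FAILED, MODE_HOTSPOT };
#define RETRY_MIN 10    /* seconds, assumed */
#define RETRY_MAX 3600  /* seconds, assumed */
struct resolver_state {
    enum mode mode;
    int retry_delay; /* last backoff delay in seconds, 0 = none scheduled */
};

/* Apply a probe result; returns seconds until the next silent reprobe (0 = none). */
int probe_done(struct resolver_state *s, int dnssec_ok)
{
    if (s->mode == MODE_HOTSPOT)
        return 0; /* user-chosen: working DNSSEC must not end sign-on mode */
    if (dnssec_ok) {
        s->mode = MODE_SECURE; /* silent reprobe succeeded: take it */
        s->retry_delay = 0;
        return 0;
    }
    s->mode = MODE_INSECURE_FAILED;
    s->retry_delay = s->retry_delay ? s->retry_delay * 2 : RETRY_MIN;
    if (s->retry_delay > RETRY_MAX) s->retry_delay = RETRY_MAX;
    return s->retry_delay;
}

/* User picks hotspot mode to sign in: stay insecure, cancel reprobes. */
void user_hotspot_signon(struct resolver_state *s)
{
    s->mode = MODE_HOTSPOT;
    s->retry_delay = 0;
}

/* Reprobe menu item: leave hotspot mode, then act on a fresh probe. */
int user_reprobe(struct resolver_state *s, int dnssec_ok)
{
    s->mode = MODE_INSECURE_FAILED;
    s->retry_delay = 0;
    return probe_done(s, dnssec_ok);
}

int main(void)
{
    struct resolver_state s = { MODE_SECURE, 0 };
    printf("probe failed: retry in %ds\n", probe_done(&s, 0));
    user_hotspot_signon(&s);
    printf("hotspot, probe ok: retry in %ds\n", probe_done(&s, 1));
    return 0;
}
```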