[Dnssec-trigger] Open Issues

Paul Wouters paul at nohats.ca
Fri Jan 27 14:05:16 UTC 2012


On Fri, 27 Jan 2012, W.C.A. Wijngaards wrote:

> Dnssec trigger (now at version 0.9) is an experiment to put DNSSEC on
> your laptop.  It works, people are using it.  Most of the bugs seem to
> have been worked out of the system.  The issues that remain are visual
> and feature-completeness.  They center on user-friendliness (i.e. for
> computer illiterate people), and on enterprise-site-configuration.

For Linux, a few issues remain:

o Integrate with NM fully, so no chattr +i on resolv.conf is needed.
o Convert the daemon to a plugin to be run by NM
o Convert the panel to fully integrate in NM
o Remember wireless network DNS problems? (specifically with DNS
   views and VPNs, where one might have to reject dnssec to get intranet
   DNS access)

A "command line" version of the probe giving the results would be nice.

> o Resolvers that can do tcp-dns-port80 and ssl-dns-port443 to be able
> to handle a large user group.

We will have a few from the Fedora infrastructure. We can see what load
they will receive and how well they will work for people. Perhaps we can
convert that into an "ntp.pool.org" type pool. I will disable udp 53 on
those instances so they cannot be used for amplification attacks.

> o some people have expressed porting wishes, like app-store, ports to
> iPhone, Android.

It would be nice, but probably better left for iPhone experts. I'm going
to poll some of those and see what they can do :)

> o an anti-idea that cropped up a couple times is to provide
> error-analysis of dnssec failures.

It would be nice to be able to submit the failed hotspots and perhaps
build up a list. Opt-in only, probably using a separate command so only
experts will do this. It might provide useful information?

> o do we really need a go-insecure-connect-to-this-wifi button?  This
> button turns off dnssec, you have your old-fashioned dnssec-less
> experience.

Awareness is good, but perhaps the message can be changed to say "this
network is broken, advise the DNS admin to fix it".

Paul
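Added example, not part of the thread or of the dnssec-trigger project: an Unbound server block set up the way the resolvers above are described (DNS over TCP on port 80, DNS over SSL on port 443, UDP 53 disabled so the host cannot act as a reflector for amplification attacks). The listening address, certificate and key paths, and trust-anchor path are placeholders; the option names are current Unbound options, and `udp-upstream-without-downstream` is a later addition that did not exist in 2012.

```conf
# Added example: public DNSSEC-validating Unbound resolver for
# dnssec-trigger clients, reachable only over TCP 80 and SSL/TLS 443.
server:
    # Listen on the two fallback ports the thread describes. The @port
    # suffix selects the port; with do-udp: no these are TCP-only.
    interface: 0.0.0.0@80                   # plain DNS over TCP, port 80
    interface: 0.0.0.0@443                  # DNS over SSL, port 443

    # Interfaces configured on this port number get SSL/TLS wrapping.
    ssl-port: 443
    ssl-service-key: "/etc/unbound/resolver.key"   # placeholder path
    ssl-service-pem: "/etc/unbound/resolver.pem"   # placeholder path

    # No UDP service at all: a spoofed-source UDP query cannot make this
    # host send an amplified response to a victim. Without the second
    # option, do-udp: no would also force all upstream recursion to TCP.
    do-udp: no
    do-tcp: yes
    udp-upstream-without-downstream: yes    # UDP upstream only, none inbound

    # Weak counterpart, for contrast (do NOT combine with the lines above):
    #   interface: 0.0.0.0@53
    #   do-udp: yes
    # A public resolver on UDP 53 answers any spoofed source address and is
    # the classic DNS amplification reflector.

    # A pool-style public service must accept queries from everyone.
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow

    # Validate DNSSEC, since that is the whole point of the fallback path.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # placeholder path
    val-permissive-mode: no
```

Check the effect with `unbound-checkconf` and by confirming nothing is bound on UDP 53 (for example with `ss -ulnp`) before exposing the host.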
