From wouter at nlnetlabs.nl Thu Jun 7 14:11:24 2012
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Thu, 07 Jun 2012 16:11:24 +0200
Subject: [Dnssec-trigger] dnssec trigger 0.11 release
Message-ID: <4FD0B68C.6000000@nlnetlabs.nl>

Hi,

There is version 0.11 for dnssec-trigger:
http://www.nlnetlabs.nl/projects/dnssec-trigger/

source tarball hashes
sha1 3e67ed39b936ce8297fb3888c09c1dba6e86c2ad
sha256 c22cff6a51f0ae8e07393ab7935d44faaabfe3d8341ba8bb85189391dcdfd9fb

Pictures can say a lot:
www.nlnetlabs.nl/projects/dnssec-trigger/Screenshot-softwareupdate.png
www.nlnetlabs.nl/projects/dnssec-trigger/Screenshot-noweb.png

software update
http://www.nlnetlabs.nl/projects/dnssec-trigger/Screenshot-softwareupdate.png
- when a software update is available for Windows or OSX, it prompts the user to install it. Disabled by default on Unix (it would download the tarball to /tmp if enabled).

Hotspot probes
http://www.nlnetlabs.nl/projects/dnssec-trigger/Screenshot-noweb.png
- when the internet is not accessible, we prompt the user to see if they need to sign on. If so, a web browser is popped up. Please provide feedback if this new system works on your local strain of hotspot.

This means the 'hotspot signon' does not need to be manually enabled, because there is a more userfriendly popup dialog. The menu item is still there as a forced override.

Bug Fixes:
o This release has selfupdate enabled for Windows and OSX. There is no implementation for Unix (it downloads the tarball to /tmp for you if enabled).
o This release detects hotspots and shows a login prompt, opens a web browser for you and in the background retries to enable dnssec every 10 seconds.
o Fix Fedora bug with no DNS servers in resolv.conf with absolute path in networkmanager hook script.
o The .desktop entry name without 'panel'.
o fedora package files updated.
o http check is performed, nonblocking.
  Lookup of address(es), A, AAAA to the (up to 5) DHCP DNS resolvers. 3 urls are checked, until one connects, then it checks content. IP4 and IP6, until first works.
o url for ster.nlnetlabs.nl and fedoraproject.org added in default config.
o absolute sbindir in netconfig hooks.
o ssl can list multiple hashes (for certificate rollover).
o probe logic that keeps track of http_insecure mode.
o skip_http control command.
o raise dialog to top on GTK.
o gui for hot spot sign on. opens web browser if user wants to sign on.
o OSX update dnssec-trigger.conf with new url settings.
o OSX fix the double-window shown bug, bug in NSWindow deminiaturize func.
o configure windows detects GetAdaptersAdresses (XP and later).
o Fix compatibility with VirtualBox on Windows, that messes with the network adapters. Solution works on windows XP and later (detected by configure).
o Fix trayicon on windows high DPI settings to look better.
o silence connect() http errors, unless verbosity 2.
o stop other download if one succeeds (happy eyeballs) on selfupdate.
o fix exit of panel and threads
o fix read multiple persist actions in one SSL packet frame.
o Fix FIONBIO error on windows.
o improved printout of SSL_ERROR_SYSCALL errors.
o do not print interface-unknown and conn-reset errors upon system restart for windows, only printed on high verbosity.
o windows dnssectrigger depends on unbound for boot invocation, this fixes an error where it cannot tell unbound what to do.
o linebuffer for dnssec-trigger-control stdout, for results printout.
o Fix windows upgrade to preserve config files and to preserve the installed (or not-installed) startmenu links.
o fix osx comma in multiple DNS servers.
o fix OSX unbound to be able to write root.key from the chroot.

Best regards,
   Wouter

From jpmens.dns at gmail.com Thu Jun 7 14:56:25 2012
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Thu, 7 Jun 2012 16:56:25 +0200
Subject: [Dnssec-trigger] dnssec trigger 0.11 release
In-Reply-To: <4FD0B68C.6000000@nlnetlabs.nl>
References: <4FD0B68C.6000000@nlnetlabs.nl>
Message-ID: <20120607145625.GA7465@jmbp.ww.mens.de>

> There is version 0.11 for dnssec-trigger:

Just installed on OS/X 10.6.8, thank you.

I note the following:

1. The status bar thingy (blue anchor) still showed version 0.10 until I "Quit" it, whereupon it restarted and then showed the correct version number 0.11. Not a problem, just noting.

2. I probably missed it in the changelog, but my existing dnssec-trigger.conf was overwritten.

3. In addition to the two DNS servers I obtain via DHCP, probe results here now show an additional entry

        http serv.nlnetlabs.nl (213.154.224.1) OK

   I'm surprised to see that, because 0.10 worked with the two Unbound (!) servers I have configured via DHCP. :)

The changelog shows

> o url for ster.nlnetlabs.nl and fedoraproject.org added in default config.

but why is DNSSEC-Trigger using that in my environment, I wonder?

> o gui for hot spot sign on. opens web browser if user wants to sign on.

Cool: I'll be testing that next week when I get back to the dreadful hotel with its dreadful WiFi.

Regards,

        -JP

From wouter at nlnetlabs.nl Thu Jun 7 15:18:07 2012
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Thu, 07 Jun 2012 17:18:07 +0200
Subject: [Dnssec-trigger] dnssec trigger 0.11 release
In-Reply-To: <20120607145625.GA7465@jmbp.ww.mens.de>
References: <4FD0B68C.6000000@nlnetlabs.nl> <20120607145625.GA7465@jmbp.ww.mens.de>
Message-ID: <4FD0C62F.4040809@nlnetlabs.nl>

Hi Jan-Piet,

On 06/07/2012 04:56 PM, Jan-Piet Mens wrote:
>> There is version 0.11 for dnssec-trigger:
>
> Just installed on OS/X 10.6.8, thank you.
>
> I note the following:
>
> 1. The status bar thingy (blue anchor) still showed version 0.10
> until I "Quit" it, whereupon it restarted and then showed the
> correct version number 0.11. Not a problem, just noting.

Yes, thanks, I have changed it to do this Quit for you automatically after the installer is done. I have added some commands for this, but they quit and restart the panel, this can get confusing as people see a dialog reappear twice.

> 2. I probably missed it in the changelog, but my existing
> dnssec-trigger.conf was overwritten.

Because the new default entries for the http probe have to be added.

> 3. In addition to the two DNS servers I obtain via DHCP, probe
> results here now show an additional entry http serv.nlnetlabs.nl
> (213.154.224.1) OK I'm surprised to see that, because 0.10 worked
> with the two Unbound (!) servers I have configured via DHCP.
> :)

So, ster.nlnetlabs.nl is a HTTP server, that serves a known, fixed html page. This is probed to see if web access is available. If the page comes back altered into "signon on with your credit card here", then we go into hotspot signon mode.

> The changelog shows
>> o url for ster.nlnetlabs.nl and fedoraproject.org added in
>> default config.
>
> but why is DNSSEC-Trigger using that in my environment, I wonder?

It is using these servers to see if it is connected to the internet. Both serve fixed static pages that are known in advance by the dnssec-trigger code. You can configure your own servers, or remove the two existing entries, if you want.

>> o gui for hot spot sign on. opens web browser if user wants to
>> sign on.
>
> Cool: I'll be testing that next week when I get back to the
> dreadful hotel with its dreadful WiFi.

Yes this works via the above new configured entries. And to add those entries with a default value it has overwritten your config ... It tries to preserve your config otherwise. I am very interested if it works at that hotel :-)

On windows it now also preserves your config (when you update via the popup dialog).

Best regards,
   Wouter

From bocat01 at gmail.com Sun Jun 10 20:04:04 2012
From: bocat01 at gmail.com (Bob Katz)
Date: Sun, 10 Jun 2012 16:04:04 -0400
Subject: [Dnssec-trigger] Dnssec Problem
Message-ID:

Hi

I have just installed dnssec-trigger on my mac 10.7.4. The problem is after running the command dnssec-trigger-control-setup I don't know if dnssec is enabled. After I run the dig command I do not get the ad flag and one dnssec test website states no dnssec. However another test website states the dnssec is enabled. I have included in this email a terminal output and a probe result. What am I missing ?

Thanks
Bob

bash-3.2$ sudo dnssec-trigger-control-setup
Password:
setup in directory /etc/dnssec-trigger
dnssec_trigger_server.key exists
dnssec_trigger_control.key exists
create dnssec_trigger_server.pem (self signed certificate)
create dnssec_trigger_control.pem (signed client certificate)
Signature ok
subject=/CN=dnssec-trigger-control
Getting CA Private Key
Setup success. Certificates created.

run this script again with -i to:
        - enable remote-control in unbound.conf
        - start unbound-control-setup
        - add root trust anchor to unbound.conf
if you have not done this already
bash-3.2$ sudo dnssec-trigger-control-setup -i
setup in directory /etc/dnssec-trigger
unbound-checkconf: no errors in /etc/unbound/unbound.conf
checking if unbound-control needs to be enabled
checking if root trust anchor needs to be enabled
check for search path in resolv.conf and edit /etc/dnssec-trigger/dnssec-trigger.conf
check for domain in resolv.conf and edit /etc/dnssec-trigger/dnssec-trigger.conf
bash-3.2$ sudo dig www.slashdot.org @127.0.0.1

; <<>> DiG 9.7.3-P3 <<>> www.slashdot.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27876
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.slashdot.org. IN A

;; ANSWER SECTION:
www.slashdot.org. 1546 IN A 216.34.181.48

;; AUTHORITY SECTION:
slashdot.org. 84346 IN NS ns4.p03.dynect.net.
slashdot.org. 84346 IN NS ns3.p03.dynect.net.
slashdot.org. 84346 IN NS ns2.p03.dynect.net.
slashdot.org. 84346 IN NS ns1.p03.dynect.net.

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 10 15:59:11 2012
;; MSG SIZE rcvd: 136

From thomas at dupas.be Sun Jun 10 20:15:56 2012
From: thomas at dupas.be (Thomas Dupas)
Date: Sun, 10 Jun 2012 22:15:56 +0200
Subject: [Dnssec-trigger] Dnssec Problem
In-Reply-To:
References:
Message-ID: <5A48C9CB-223D-4505-9DE1-BB797D592E4A@dupas.be>

Hi Bob,

as a starter, slashdot.org is not dnssec-signed, hence it also can't be dnssec-validated / have an authoritative data flag on the query. Try a dig towards www.nlnetlabs.nl.

I can't comment on the dnssec-trigger-control-setup output, but I'm pretty certain that dnssec validation is enabled

Br,
Thomas Dupas

From matthaeus.wander at uni-due.de Sun Jun 10 21:14:00 2012
From: matthaeus.wander at uni-due.de (Matthäus Wander)
Date: Sun, 10 Jun 2012 23:14:00 +0200
Subject: [Dnssec-trigger] Dnssec Problem
In-Reply-To:
References:
Message-ID: <4FD50E18.1050704@uni-due.de>

Hi,

On 10.06.2012 22:04, Bob Katz wrote:
> I have just installed dnssec-trigger on my mac 10.7.4.
> The problem is
> after running the command dnssec-trigger-control-setup I don't know if
> dnssec is enabled. After I run the dig command I do not get the ad flag
> and one dnssec test website states no dnssec. However another test
> website states the dnssec is enabled. I have included in this email a
> terminal output and a probe result. What am I missing ?

You can test these names:
sigok.verteiltesysteme.net (should return A record)
sigfail.verteiltesysteme.net (should return SERVFAIL)

Different results from test websites may be caused by browser cache or a secondary DNS resolver. You can check with "scutil --dns" that you only use 127.0.0.1 as resolver.

Could you run the test at http://dnssec.vs.uni-due.de and tell me which test returned a no previously?

Kind regards,
Matt

From jpmens.dns at gmail.com Wed Jun 13 15:27:56 2012
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Wed, 13 Jun 2012 17:27:56 +0200
Subject: [Dnssec-trigger] dnssec trigger 0.11 release
In-Reply-To: <4FD0C62F.4040809@nlnetlabs.nl>
References: <4FD0B68C.6000000@nlnetlabs.nl> <20120607145625.GA7465@jmbp.ww.mens.de> <4FD0C62F.4040809@nlnetlabs.nl>
Message-ID: <20120613152756.GB45530@jmbp.ww.mens.de>

Hello Wouter,

> I am very interested if it works at that hotel :-)

I'm a bit late, but I'm pleased to report back that it does indeed work!
Until dnssec-trigger 0.10 I had to switch to hotspot-signon mode; now it's automagic:

        info: ssl443 213.154.224.3: OK
        info: tcp80 213.154.224.3: OK
        info: authority 192.33.4.12: error no RRSIGs in reply
        info: http 213.154.224.1: OK
        info: cache 168.95.1.1: error no RRSIGs in reply

Congratulations & best regards,

        -JP

From pwouters at redhat.com Thu Jun 21 21:05:09 2012
From: pwouters at redhat.com (Paul Wouters)
Date: Thu, 21 Jun 2012 17:05:09 -0400 (EDT)
Subject: [Dnssec-trigger] DNS handling
In-Reply-To: <201206212232.53329.bjorn@xn--rombobjrn-67a.se>
References: <1340207237.32038.163.camel@willson.li.ssimo.org> <201206212232.53329.bjorn@xn--rombobjrn-67a.se>
Message-ID:

On Thu, 21 Jun 2012, Björn Persson wrote:

>
> I installed DNSsec-trigger a few months ago and tried it out in a few
> networks. It seemed to work as advertised in all cases. A hotspot run by a
> nearby shopping center turned out to be a very hostile network where pretty
> much everything except HTTPS was blocked or mangled, and DNSsec-trigger
> correctly detected that it had to mask DNS as HTTPS.

Great! Let me know how dnssec-trigger 0.11 works, with the additional hotspot port 80 mangling detection.

> The only problem I found was in how the local DNS cache interacts with
> internal domains on NATed networks. I have a DNS server at home that
> translates names in my own domain to private IPv4 addresses. Some of those
> names are also visible publicly, but then they all point to my one public IPv4
> address. When I moved from my own network to another Unbound still remembered
> the private addresses, which were of course not reachable from the other
> network, and when I moved back to my own network Unbound remembered the public
> address, which is the wrong address to use there. (With IPv6 I don't have this
> problem but IPv6 isn't exactly available in every hotspot...)
>
> I'm not sure there is anything that DNSsec-trigger can do to work around this
> if you want it to be able to work from the cache when even HTTPS is blocked.
> Perhaps dual-view setups like mine should simply use a short TTL to minimize
> the problem.

Openswan deals with this because it gets the domain from the IKE protocol, so it can flush the domain and everything under it from the cache. Currently there is no way to signal this with NM. However, if your domain is the "search prefix" in your home network, then perhaps it would be enough if NM/dnssec-trigger would flush everything of the previous "search domain" from the cache.

Using TTL=0 or something fairly short should help you in your case though.

Paul

> Björn Persson
>

From ewout at mijndomein.nl Wed Jun 27 09:45:22 2012
From: ewout at mijndomein.nl (Ewout de Graaf)
Date: Wed, 27 Jun 2012 11:45:22 +0200
Subject: [Dnssec-trigger] Installing dnssec-trigger on Windows
Message-ID:

Just installed dnssec-trigger on a windows-7 machine with Avast as anti-virus solution during the ICANN presentation.

Please note that Avast issues a whole set of errors when installing dnssec-trigger. To perform a successful install you have to adapt the avast installation to stop autosandboxing when the file prevalence / reputation is low.

Ewout de Graaf
mijndomein.nl

From robe at amd.co.at Fri Jun 29 13:49:34 2012
From: robe at amd.co.at (Michael Renner)
Date: Fri, 29 Jun 2012 15:49:34 +0200
Subject: [Dnssec-trigger] Issues with dnssec-trigger 0.11 on OSX Lion
Message-ID: <0DA5899F-577D-43DF-969F-BA1D8932DC90@amd.co.at>

Hey,

first - thanks for the work on dnssec-trigger so far, I used it for some days but removed it again because of these outstanding issues:

Adium online-detection code:

Adium will only automatically connect to servers on system resume/boot if it thinks that it's online.
dnssec-trigger interferes with this which means that I always have to connect manually.

No way to quit/disable:

There's no way to disable dnssec-trigger at the moment - quitting the tray icon causes it to restart after a few seconds. Killing the process manually results in the same. I had to uninstall it to get non-dnssec-trigger DNS again.

Unconfirmed - seems to interfere with mDNS/avahi resolution:

I noticed that I couldn't resolve local mDNS hostnames via their non-FQDN names anymore. If need be I can look deeper into this.

On the plus side - hotspot login worked as intended and I didn't notice any issues during normal daily use - thanks!

all the best,
Michael

From wouter at nlnetlabs.nl Fri Jun 29 15:08:55 2012
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Fri, 29 Jun 2012 17:08:55 +0200
Subject: [Dnssec-trigger] Issues with dnssec-trigger 0.11 on OSX Lion
In-Reply-To: <0DA5899F-577D-43DF-969F-BA1D8932DC90@amd.co.at>
References: <0DA5899F-577D-43DF-969F-BA1D8932DC90@amd.co.at>
Message-ID: <4FEDC507.7060801@nlnetlabs.nl>

Hi Michael,

On 06/29/2012 03:49 PM, Michael Renner wrote:
> Hey,
>
> first - thanks for the work on dnssec-trigger so far, I used it for
> some days but removed it again because of these outstanding
> issues:

Thanks for testing our software and let's get to work on improving these points.

>
> Adium online-detection code:
>
> Adium will only automatically connect to servers on system
> resume/boot if it thinks that it's online. dnssec-trigger
> interferes with this which means that I always have to connect
> manually.

How does Adium think it's online? Dnssec trigger only changes the dns resolver to point to 127.0.0.1 at certain times. It does not change network status. Does Adium think it is online all the time (because of the local DNS cache?) ? Or Adium thinks it is offline all the time (but why)?

> No way to quit/disable:
>
> There's no way to disable dnssec-trigger at the moment - quitting
> the tray icon causes it to restart after a few seconds. Killing the
> process manually results in the same. I had to uninstall it to get
> non-dnssec-trigger DNS again.

The menu item 'Hotspot Signon' disables dnssec-trigger until you use the menu item 'Reprobe'. It causes dnssec-trigger to list the DNS you got from DHCP as the DNS servers to use.

Why did you want to quit it? Perhaps the stop feature is simply not needed (except for some experts).

> Unconfirmed - seems to interfere with mDNS/avahi resolution:
>
> I noticed that I couldn't resolve local mDNS hostnames via their
> non-FQDN names anymore. If need be I can look deeper into this.

I have had other (OSX) users complain, about mDNS, but I do not understand why it is affected. Likely the script /usr/libexec/dnssec-trigger-setdns.sh is doing something that affects mDNS. It is likely at the end of that script where it attempts to set the DNS servers in use that it somehow inadvertently changes mdns information?

> On the plus side - hotspot login worked as intended and I didn't
> notice any issues during normal daily use - thanks!

You mean the Do-You-Need-To-Login dialog that pops up? Nice!

Best regards,
   Wouter

From paul at cypherpunks.ca Fri Jun 29 17:12:24 2012
From: paul at cypherpunks.ca (Paul Wouters)
Date: Fri, 29 Jun 2012 13:12:24 -0400 (EDT)
Subject: [Dnssec-trigger] 0.11 uses wrong nmcli parameters on NM > 0.9.[34]
Message-ID:

It seems the nmcli syntax has changed. For Fedora 16 and 17, I needed:

        ips="`$nmcli -f IP4,IP6 dev list | fgrep 'DNS' | awk '{print $2;}'`"

instead of:

        ips="`$nmcli -f IP4-DNS,IP6-DNS dev list | awk '{print $2;}'`"

It seems this change was made in NetworkManager 0.9.3 or 0.9.4. (0.9.3 never shipped in Fedora)

I've fired off builds with this change for F16 and F17, but perhaps dnssec-trigger should check using nmcli -v ?

something like:

$nmcli -f IP4-DNS dev list > /dev/null 2>/dev/null
RETVAL=$?
if [ $RETVAL = 0 ] ; then
        ips="`$nmcli -f IP4-DNS,IP6-DNS dev list | awk '{print $2;}'`"
else
        # NM < 0.9.4
        ips="`$nmcli -f IP4,IP6 dev list | fgrep 'DNS' | awk '{print $2;}'`"
fi

Paul

From ogud at ogud.com Fri Jun 29 17:33:23 2012
From: ogud at ogud.com (Olafur Gudmundsson)
Date: Fri, 29 Jun 2012 13:33:23 -0400
Subject: [Dnssec-trigger] Feature request: Restart unbound
Message-ID: <4FEDE6E3.6090801@ogud.com>

For some reason unbound crashes upon occasion (looking for the source of that problem by reading logs).

It would be nice if DNSSEC-trigger detects that unbound has crashed/gone unresponsive and attempts to restart it.

        Olafur

From paul at cypherpunks.ca Fri Jun 29 17:58:23 2012
From: paul at cypherpunks.ca (Paul Wouters)
Date: Fri, 29 Jun 2012 13:58:23 -0400 (EDT)
Subject: [Dnssec-trigger] Feature request: Restart unbound
In-Reply-To: <4FEDE6E3.6090801@ogud.com>
References: <4FEDE6E3.6090801@ogud.com>
Message-ID:

On Fri, 29 Jun 2012, Olafur Gudmundsson wrote:

> For some reason unbound crashes upon occasion (looking for the source of that
> problem by reading logs).
>
> It would be nice if DNSSEC-trigger detects that unbound has crashed/gone
> unresponsive and attempts to restart it.

On what OS? On Fedora 16/17, systemd should restart it, though it will have lost the dnssec-trigger configuration, and I'm not sure the trigger can detect unbound restarted easily/cheaply/continuously.

Paul

From ogud at ogud.com Fri Jun 29 18:04:16 2012
From: ogud at ogud.com (Olafur Gudmundsson)
Date: Fri, 29 Jun 2012 14:04:16 -0400
Subject: [Dnssec-trigger] Feature request: Restart unbound
In-Reply-To:
References: <4FEDE6E3.6090801@ogud.com>
Message-ID: <4FEDEE20.1090209@ogud.com>

On 29/06/2012 13:58, Paul Wouters wrote:
> On Fri, 29 Jun 2012, Olafur Gudmundsson wrote:
>
>> For some reason unbound crashes upon occasion (looking for the source
>> of that problem by reading logs).
>>
>> It would be nice if DNSSEC-trigger detects that unbound has
>> crashed/gone unresponsive and attempts to restart it.
>
> On what OS? On Fedora 16/17, systemd should restart it, though it will
> have lost the dnssec-trigger configuration, and I'm not sure the trigger
> can detect unbound restarted easily/cheaply/continuously.
>
> Paul
>
>
>

In my case: Win-7, DD-WRT, Open-WRT

        Olafur

From paul at cypherpunks.ca Fri Jun 29 19:25:44 2012
From: paul at cypherpunks.ca (Paul Wouters)
Date: Fri, 29 Jun 2012 15:25:44 -0400 (EDT)
Subject: [Dnssec-trigger] insecure/hotspot state lingers over network change
Message-ID:

Hi,

When you get to a hotspot that is so broken that you select "insecure", dnssec-trigger does not default back to secure+probing when entering another network, and it remains "insecure".

This is of course not good per default, but for me it causes an actual problem, because in "insecure" mode, unbound is bypassed, so when I bring up my VPN using openswan, it sends unbound a forward_zone request for the VPN domain, but it is never used because resolv.conf does not lead into unbound.

Can we go back to "secure" when we switch networks? If not, why is that?

Paul
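
Added example, not part of any message in this archive and not dnssec-trigger code: the "Dnssec Problem" thread above turns on how to read dig output, so this sketch classifies a single answer and then a resolver from the sigok/sigfail pair named in that thread. The function names are illustrative; the slashdot header lines are the ones quoted in the thread, the other samples are constructed, and the live command in the last comment assumes dig's `+dnssec` option is used so the resolver reports the ad flag.

```shell
#!/bin/sh
# Added example (not dnssec-trigger code; function names are illustrative).
# Reads captured dig output and reports what it says about DNSSEC validation.

# Print the rcode from dig's ->>HEADER<<- line, e.g. NOERROR or SERVFAIL.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Succeed when the "ad" flag appears on dig's ";; flags:" line.
dig_has_ad() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/ \1 /p' | grep -q ' ad '
}

# Verdict for ONE answer. An answer without "ad" proves nothing about the
# resolver: the zone may simply be unsigned, as in the slashdot.org query.
answer_verdict() {
    case "$(dig_status "$1")" in
        NOERROR)
            if dig_has_ad "$1"; then echo secure; else echo unsigned-or-unvalidated; fi ;;
        SERVFAIL) echo failed ;;
        *) echo unknown ;;
    esac
}

# Verdict for the RESOLVER, from a validly signed name ($1) and a name with a
# deliberately broken signature ($2). Only the pair together is conclusive.
resolver_verdict() {
    if [ "$(dig_status "$1")" != NOERROR ]; then
        echo inconclusive                  # good name fails too: network or resolver down
        return 0
    fi
    case "$(dig_status "$2")" in
        SERVFAIL) echo validating ;;       # broken signature was rejected
        NOERROR)  echo not-validating ;;   # broken signature was accepted
        *)        echo inconclusive ;;
    esac
}

# Header lines quoted in the thread (www.slashdot.org via 127.0.0.1).
SLASHDOT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27876
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0'

# Constructed samples: a validating resolver answering the two test names.
SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: a non-validating resolver answering the broken name.
SIGFAIL_ACCEPTED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

echo "slashdot answer:         $(answer_verdict "$SLASHDOT")"
echo "validating resolver:     $(resolver_verdict "$SIGOK" "$SIGFAIL")"
echo "non-validating resolver: $(resolver_verdict "$SIGOK" "$SIGFAIL_ACCEPTED")"

# Live use against the local resolver (needs network):
#   resolver_verdict "$(dig +dnssec sigok.verteiltesysteme.net @127.0.0.1)" \
#                    "$(dig +dnssec sigfail.verteiltesysteme.net @127.0.0.1)"
```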