[Dnssec-trigger] Resolution on resume from hibernate (MacOS 10.8)
wouter at nlnetlabs.nl
Wed Apr 10 07:18:35 UTC 2013
On 04/09/2013 07:38 PM, Phil Pennock wrote:
> On 2013-04-09 at 15:22 +0200, W.C.A. Wijngaards wrote:
>> You can install it over your current 0.11. It includes newer
>> ldns and unbound versions as well as some OSX specific
>> improvements in dnssec-trigger:
>> - install on Mountain Lion
>> - phil's search domain patch for OSX.
>> - hibernation fix for OSX
> A colleague installed, reported that DNS resolution was broken,
> same as before when he tried 0.11, uninstalled, got DNS resolution
> I'll take a look, if I can persuade him, when I'm in the same town
> as him next week.
Is this VPN related? There is something wrong when VPNs are used? I
think it gets confused about nameservers, or VPN and dnssec-trigger
software conflict about updating nameserver settings.
>> If you have this, does that still need a kill of mDNSResponder?
> Will let you know when I've been through a few hibernate/resume
> cycles without issue. :)
>> If adventurous users feel like it, go on and try out this
>> version, it should hopefully remove OSX irritations.
> I was slightly disconcerted that
> /etc/dnssec-trigger/dnssec_trigger_control.key is now installed
> 0644 since the "submit" command means an untrusted service account
> can now subvert DNS for the more trusted accounts.
Yes. The tray icon menu is also something for admins, because it can
click on dialogs 'yes dnssec really fails here'.
Your colleague could use the commandline for something like:
> Of course, since my "trusted" account runs a web-browser, that's
> not a clear point in favour of the distinction being meaningful. On
> a server, I think it is more meaningful.
> For myself, my logbook shows I used:
> sudo chmod +a "pdp allow read" \
>     /etc/dnssec-trigger/dnssec_trigger_control.key
> sudo chmod +a "pdp allow read" \
>     /etc/unbound/unbound_control.key /etc/unbound/unbound_control.pem \
>     /etc/unbound/unbound_server.pem
> I suspect that the right approach, on MacOS, is to use the "admin"
> group, so `chmod +a "group:admin allow read" $files` should be the
> safest invocation (handling when a user called admin exists too).
That could be a good idea.
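The permission concern discussed in the message above (control keys installed 0644, readable by any local account) can be checked with a small audit. This is an added example, not part of the original thread or of dnssec-trigger; the function names `world_readable` and `audit_keys` are hypothetical, and the default paths are the key files named in the message.

```shell
#!/bin/sh
# Added example: flag control-key files whose mode lets "other" users read them.
# Default paths are the key files named in the thread; pass others as arguments.
# Usage after sourcing this file: audit_keys   (or: audit_keys /path/to/key ...)

DEFAULT_KEYS="/etc/dnssec-trigger/dnssec_trigger_control.key
/etc/unbound/unbound_control.key"

# world_readable FILE -> exit status 0 if the "other" read bit is set.
# "find -perm -0004" is POSIX, so it behaves the same on macOS and Linux.
world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 2>/dev/null)" ]
}

# audit_keys [FILE...] -> prints one line per file and returns the number of
# world-readable files (0 means every key that exists is restricted).
# Note: this looks at mode bits only. Access granted through macOS ACLs
# (chmod +a, as in the thread) does not show up here; review it with "ls -le".
audit_keys() {
    bad=0
    # No arguments: fall back to the default list (paths contain no spaces).
    [ "$#" -gt 0 ] || set -- $DEFAULT_KEYS
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "SKIP  $f (not present)"
        elif world_readable "$f"; then
            echo "WARN  $f is world-readable: any local account can read it"
            bad=$((bad + 1))
        else
            echo "OK    $f"
        fi
    done
    return "$bad"
}
```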