[Dnssec-trigger] [PATCH] Improved NM dispatcher hook script

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Aug 6 14:53:17 UTC 2013



Hi Tomas,

Committed, I changed this bit:
            # Remove forward zone from unbound
            if [ "$validate_forward_zones" == "no" ]; then
                unbound-control forward_remove +i $domain &> /dev/null
            else
                unbound-control forward_remove $domain &> /dev/null
            fi
The forward_remove also needs the +i flag to remove the insecure point
that was created by the forward_add +i.

Thank you for the patch!  VPN support is very nice to have.

Best regards,
   Wouter

On 08/06/2013 03:42 PM, Tomas Hozza wrote:
> Hello.
> 
> In July I proposed a new modified NM dispatcher hook script. I have
> been working on it and after discussion with Pavel Simerda I came
> up with a new version of the script that covers some corner cases.
> Hopefully it is also easier to understand.
> 
> Corner cases that I'm speaking of are particularly those when you
> connect to a VPN or any network that provides you with
> nameservers and a domain, but those nameservers have broken DNSSEC
> configuration. In this case you would be possibly unable to resolve
> domain names from the provided domain, if only those provided
> nameservers can resolve them. The reason is that dnssec-trigger
> would ignore those nameservers because of the broken DNSSEC
> configuration. In this particular situation I think the user would
> like to be able to resolve those internal domain names using
> provided nameservers even though the DNSSEC is broken. But only
> domain names from the provided domain. For the rest, nameservers
> chosen by dnssec-trigger based on its configuration should be
> used.
> 
> Described corner cases can be solved by adding an insecure forward
> zone into unbound. Unfortunately dnssec-trigger-control does not
> provide an interface to do this, therefore I used unbound-control
> directly. There is also a possibility by changing single script
> variable to change the behaviour of the script so it adds secure
> instead of insecure forward zones.
> 
> I'm attaching the patch for the latest trunk version and also the
> NM script itself because it is more readable than from patch.
> 
> Regards,
> 
> Tomas Hozza
> 
> 
> 

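As an added illustration of the point in the committed change above (this is example code, not the dnssec-trigger project's NM dispatcher script), the following POSIX sh function builds the unbound-control command for a per-connection forward zone. The name forward_zone_cmd, the constructed domain corp.example and the sample nameserver addresses are assumptions; the unbound-control verbs forward_add and forward_remove and their +i option are real. It prints the command instead of running it, so the +i decision can be checked without a running unbound; the last commented line shows how to apply it for real.

```shell
#!/bin/sh
# Added example, not the project's script. When validate_forward_zones is
# "no", forward_add gets +i (which also adds a domain-insecure entry for the
# zone), so forward_remove must get +i as well, otherwise that domain-insecure
# entry would be left behind after the connection goes away.
validate_forward_zones="${validate_forward_zones:-no}"

# usage: forward_zone_cmd add|remove <domain> [nameserver ...]
# Prints the unbound-control command line on stdout; returns 1 on bad input.
forward_zone_cmd() {
    [ $# -ge 2 ] || { echo "usage: forward_zone_cmd add|remove domain [ns ...]" >&2; return 1; }
    action="$1"; domain="$2"; shift 2

    # Only accept plain hostname characters: the value comes from the network
    # (DHCP/VPN) and is handed to a control socket, so reject anything odd.
    case "$domain" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac

    case "$action" in
        add)    verb=forward_add ;;
        remove) verb=forward_remove ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac

    if [ "$action" = add ] && [ $# -eq 0 ]; then
        echo "add needs at least one nameserver" >&2; return 1
    fi

    # The +i flag must be used consistently for add and remove.
    if [ "$validate_forward_zones" = "no" ]; then
        insecure="+i "
    else
        insecure=""
    fi

    echo "unbound-control $verb ${insecure}$domain${1:+ $*}"
}

# To actually apply it (constructed sample values):
# forward_zone_cmd add corp.example 10.0.0.53 10.0.0.54 | sh
# forward_zone_cmd remove corp.example | sh
```

The domain check matters because the value originates from the VPN or DHCP server, not from the local administrator, and the same variable drives both the add and the remove path, which is exactly why the two commands must agree on +i.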
