[Dnssec-trigger] Install issues on MacOS 10.8: user, config
Phil Pennock
dnssec-trigger+phil at spodhuis.org
Mon Mar 18 21:59:41 UTC 2013
Any chance of a 0.12 build of dnssec-trigger for MacOS, to include
Wouter's July 31st fixes of user creation for MacOS 10.8? I just found
http://www.nlnetlabs.nl/projects/dnssec-trigger/#changelog and see that
0.11 was built somewhere around 2012-06-07.

There are more issues than just user creation. Here's my experience.

So, I installed dnssec-trigger on my laptop last Friday and everything
went great. 10.8.3. No problems encountered. I just made sure to
uninstall unbound from MacPorts afterwards.

And that's why it worked great for me: MacPorts had created the unbound
runtime user, and dnssec-trigger used it. At the time, I was unaware of
how important this was to my positive experience.

SHA256(Downloads/dnssectrigger-0.11.dmg)= 77565ef4a25f07383c57ae4d96cd3bd5fcfe089301f2054ccf20fc636c76e710

(And yes, to answer a question in the archives from August, it works
okay in the presence of the new MacOS install controls. You open the
.dmg in Finder, and in the mounted volume, control-click (right-click)
the .mpkg file, select Open, and this adds a "do it anyway" option to
the dialog).

Today, I gave a tech talk on DNSSEC and demo'd an install of
dnssec-trigger on the Mac (10.8.2) used for the presentation. It failed
miserably, leaving the system without DNS resolution. The uninstall
script worked. Same thing on a co-worker's Mac laptop, so it's not an
isolated occurrence.

Problems:

 1. Failed to create the runtime user
 2. No logfile preserved past install that I could see
 3. Install claimed to succeed, rewrote resolv.conf and system resolver
    stuff (scutil) to reference 127.0.0.1; because there was no unbound
    user, unbound refused to start, so there was no DNS server
    listening.
 4. dnssec-trigger doesn't test localhost unbound is up before
    configuring to use it, that seems like something that should be done
    at runtime, always. First problem: the install fails to create the
    run-time user. Second problem: the install
 5. The unbound.conf file was not modified with the
    linetag-dnssec-trigger rules; this is after removing /etc/unbound,
    creating the user manually, and then installing the package. As a
    result, the resolver couldn't be configured with forwarders and also
    didn't have a trust anchor, so there was no validation.

Looking through:
  https://github.com/miekg/dnssec-trigger/blob/master/osx/pkg/makepackage
the "/Local/Default/Users/unbound UserShell" setting had been done, but
not RealName, PrimaryGroupID, UniqueID and I think not NFSHomeDirectory.
I created the user using the steps as per that postflight script.

I copied the linetag-dnssec-trigger lines from my laptop, where things
had worked, and after that unbound and dnssec-trigger worked fine.

I'm willing to work with folks to understand what's gone wrong, and
there are a number of co-workers with clean Macs who might be bribed
into trying to install dnssec-trigger test images.

Thanks,
-Phil
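
The half-created user record described in the message above, as an added example that is not part of the original post or of the dnssec-trigger installer: a check an install script could run on `dscl . -read /Users/unbound` output before pointing the resolver at 127.0.0.1. The function names and the sample records (shell path, home directory, numeric ids) are constructed for illustration.

```shell
# Attributes named in the message above for the unbound runtime user.
REQUIRED="UserShell RealName PrimaryGroupID UniqueID NFSHomeDirectory"

# missing_attrs: read "dscl . -read <record>" style output on stdin and print
# the required attributes that are absent or empty, in REQUIRED order.
# dscl prints "Key: value", or "Key:" followed by an indented line when the
# value contains spaces; both forms are handled.
missing_attrs() {
    awk -v required="$REQUIRED" '
        /^[A-Za-z_][A-Za-z0-9_]*:/ {
            cur = $0; sub(/:.*/, "", cur)              # attribute name
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)    # value on the same line
            if (val != "") seen[cur] = 1
            next
        }
        /^[ \t]+[^ \t]/ { if (cur != "") seen[cur] = 1 }  # indented value line
        END {
            n = split(required, r, " "); out = ""
            for (i = 1; i <= n; i++) {
                if (r[i] in seen) continue
                if (out != "") out = out " "
                out = out r[i]
            }
            print out
        }'
}

# record_ok: succeed only when nothing is missing, so a caller can refuse to
# rewrite resolv.conf while the daemon's user is incomplete.
record_ok() { [ -z "$(missing_attrs)" ]; }

# Constructed sample: only UserShell was set, the state the message reports.
partial_record() {
    printf '%s\n' 'RecordName: unbound' 'UserShell: /usr/bin/false'
}

# Constructed sample: a complete record; all values are placeholders.
complete_record() {
    printf '%s\n' 'NFSHomeDirectory: /var/empty' 'PrimaryGroupID: 9999' \
        'RealName:' ' Unbound DNS resolver' 'RecordName: unbound' \
        'UniqueID: 9999' 'UserShell: /usr/bin/false'
}

echo "partial record is missing: $(partial_record | missing_attrs)"
if complete_record | record_ok; then echo "complete record: ok"; fi
```

On a Mac the input would come from `dscl . -read /Users/unbound` instead of the sample functions.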