[Dnssec-trigger] Install issues on MacOS 10.8: user, config
dnssec-trigger+phil at spodhuis.org
Mon Mar 18 21:59:41 UTC 2013
Any chance of a 0.12 build of dnssec-trigger for MacOS, to include
Wouter's July 31st fixes of user creation for MacOS 10.8? I just found
http://www.nlnetlabs.nl/projects/dnssec-trigger/#changelog and see that
0.11 was built somewhere around 2012-06-07.
There are more issues than just user creation. Here's my experience.
So, I installed dnssec-trigger on my laptop last Friday and everything
went great. 10.8.3. No problems encountered. I just made sure to
uninstall unbound from MacPorts afterwards.
And that's why it worked great for me: MacPorts had created the unbound
runtime user, and dnssec-trigger used it. At the time, I was unaware of
how important this was to my positive experience.
(And yes, to answer a question in the archives from August, it works
okay in the presence of the new MacOS install controls. You open the
.dmg in Finder, and in the mounted volume, control-click (right-click)
the .mpkg file, select Open, and this adds a "do it anyway" option to
Today, I gave a tech talk on DNSSEC and demo'd an install of
dnssec-trigger on the mac (10.8.2) used for the presentation. It failed
miserably, leaving the system without DNS resolution. The uninstall
script worked. Same thing on a co-workers mac laptop, so it's not an
1. Failed to create the runtime user
2. No logfile preserved past install that I could see
3. Install claimed to succeed, rewrote resolv.conf and system resolver
stuff (scutil) to reference 127.0.0.1; because there was no unbound
user, unbound refused to start, so there was no DNS server
4. dnssec-trigger doesn't test localhost unbound is up before
configuring to use it, that seems like something that should be done
at runtime, always. First problem: the install fails to create the
run-time user. Second problem: the install
5. The unbound.conf file was not modified with the
linetag-dnssec-trigger rules; this is after removing /etc/unbound,
creating the user manually, and then installing the package. As a
result, the resolver couldn't be configured with forwarders and also
didn't have a trust anchor, so there was no validation.
the "/Local/Default/Users/unbound UserShell" setting had been done, but
not RealName, PrimaryGroupID, UniqueID and I think not NFSHomeDirectory.
I created the user using the steps as per that postflight script.
I copied the linetag-dnssec-trigger lines from my laptop, where things
had worked, and after that unbound and dnssec-trigger worked fine.
I'm willing to work with folks to understand what's gone wrong, and
there are a number of co-workers with clean Macs who might be bribed
into trying to install dnssec-trigger test images.
More information about the dnssec-trigger