[Dnssec-trigger] Install issues on MacOS 10.8: user, config

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed Mar 20 16:10:30 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Phil,

Thank you for the reports.

The 0.12 had no progress because apart from annoyances there are no
bugs or activities to perform, and my attention has gone to other
projects (e.g. NSD 4).  It is a good idea to get some 0.12 on the road
on the near term, and incorporate the fixes for Mountain Lion.  As
well as other annoyances that have been reported (VPN confusion).

Is this some sort of conflict between MacPorts and dnssec-trigger, if
you uninstalled unbound macports did that also stop the unbound that
came with dnssec-trigger somehow?

Perhaps we should have website instructions to use the DMG for OSX
users.  Or get it signed via Apple somehow.  Or even the App Store,
alhough I believe that stuff is sandboxed and dnssec-trigger needs root.

Best regards,
   Wouter

On 03/18/2013 10:59 PM, Phil Pennock wrote:
> Any chance of a 0.12 build of dnssec-trigger for MacOS, to include 
> Wouter's July 31st fixes of user creation for MacOS 10.8?  I just
> found http://www.nlnetlabs.nl/projects/dnssec-trigger/#changelog
> and see that 0.11 was built somewhere around 2012-06-07.
> 
> There are more issues than just user creation.  Here's my
> experience.
> 
> So, I installed dnssec-trigger on my laptop last Friday and
> everything went great.  10.8.3.  No problems encountered.  I just
> made sure to uninstall unbound from MacPorts afterwards.
> 
> And that's why it worked great for me: MacPorts had created the
> unbound runtime user, and dnssec-trigger used it.  At the time, I
> was unaware of how important this was to my positive experience.
> 
> SHA256(Downloads/dnssectrigger-0.11.dmg)=
> 77565ef4a25f07383c57ae4d96cd3bd5fcfe089301f2054ccf20fc636c76e710
> 
> (And yes, to answer a question in the archives from August, it
> works okay in the presence of the new MacOS install controls.  You
> open the .dmg in Finder, and in the mounted volume, control-click
> (right-click) the .mpkg file, select Open, and this adds a "do it
> anyway" option to the dialog).
> 
> Today, I gave a tech talk on DNSSEC and demo'd an install of 
> dnssec-trigger on the mac (10.8.2) used for the presentation.  It
> failed miserably, leaving the system without DNS resolution.  The
> uninstall script worked.  Same thing on a co-workers mac laptop, so
> it's not an isolated occurrence.
> 
> Problems: 1. Failed to create the runtime user 2. No logfile
> preserved past install that I could see 3. Install claimed to
> succeed, rewrote resolv.conf and system resolver stuff (scutil) to
> reference 127.0.0.1; because there was no unbound user, unbound
> refused to start, so there was no DNS server listening. 4.
> dnssec-trigger doesn't test localhost unbound is up before 
> configuring to use it, that seems like something that should be
> done at runtime, always.  First problem: the install fails to
> create the run-time user.  Second problem: the install 5. The
> unbound.conf file was not modified with the linetag-dnssec-trigger
> rules; this is after removing /etc/unbound, creating the user
> manually, and then installing the package.  As a result, the
> resolver couldn't be configured with forwarders and also didn't
> have a trust anchor, so there was no validation.
> 
> Looking through: 
> https://github.com/miekg/dnssec-trigger/blob/master/osx/pkg/makepackage
>
> 
the "/Local/Default/Users/unbound UserShell" setting had been done, but
> not RealName, PrimaryGroupID, UniqueID and I think not
> NFSHomeDirectory. I created the user using the steps as per that
> postflight script.
> 
> I copied the linetag-dnssec-trigger lines from my laptop, where
> things had worked, and after that unbound and dnssec-trigger worked
> fine.
> 
> I'm willing to work with folks to understand what's gone wrong,
> and there are a number of co-workers with clean Macs who might be
> bribed into trying to install dnssec-trigger test images.
> 
> Thanks, -Phil _______________________________________________ 
> dnssec-trigger mailing list dnssec-trigger at NLnetLabs.nl 
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRSd92AAoJEJ9vHC1+BF+N+2sP/0rTefI6B+xnV5rjL2GKPTmI
SoFzKxYgj8Wj4xjCLMjCYHqD+k2dZ9KVHcfuUcKx0uD0rTMBbk9rTTas8odH43U9
VkFToGvfM6nRvWW7RBIvT9XbgDDZw04mtNhkjR5ZQ78ZwV+uVbpE7n1IVDhCiClt
ET2BUjHoHp7UONCUtIkkJb6AKfa1s845I+3i4dVG8/W8dlxXiWpvG3t6w2YZds6m
PMd73lRrmoE5WCDQZvwbtxeRj75J5gYLGFH0p2Ke5OHxHD9lU1X8McgvRh9R493H
3pllAj5Iu57cX5NK/9MLjX10kpmlGHjcgxQnl0Nc9kdSvcaYjJ5quK7C4vX+UCgH
UMhnQpSw4rYmMPIroUNu+4z7eRjUfGa10Ra8QzJl86Gk0ZdDsoqHWNBMDZkF4QQj
nQRBuFCAJ1iRRpKq6CX4NsWddAqme7a2qrqOPvfdMUJQuT/gPJGwq2DoDGB/p1wI
nq7MthyeDgFSzQKgF1hGB3pyjxGUUtq6OEXsiC6xF2JskzI3hY31iugVqEMRBl+5
C1KfPVjXyp0+dyCvOubfln4oUbh1CST2KJoaxBML3J8QOjL5GouqK0sPELAKnudJ
bKnX2gg6yfZ41r4HvFR83HjBL5cnCXs7bS2ppByqWx5bcKjpb823DmwHSLhlNHBd
VLMhf+3Avc8ZMMFSvp8B
=f0+g
-----END PGP SIGNATURE-----



More information about the dnssec-trigger mailing list