[Dnssec-trigger] Install issues on MacOS 10.8: user, config

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed Mar 20 16:10:30 UTC 2013

Hi Phil,

Thank you for the reports.

The 0.12 had no progress because apart from annoyances there are no
bugs or activities to perform, and my attention has gone to other
projects (e.g. NSD 4).  It is a good idea to get some 0.12 on the road
in the near term, and incorporate the fixes for Mountain Lion.  As
well as other annoyances that have been reported (VPN confusion).

Is this some sort of conflict between MacPorts and dnssec-trigger, if
you uninstalled unbound macports did that also stop the unbound that
came with dnssec-trigger somehow?

Perhaps we should have website instructions to use the DMG for OSX
users.  Or get it signed via Apple somehow.  Or even the App Store,
although I believe that stuff is sandboxed and dnssec-trigger needs root.

Best regards,

On 03/18/2013 10:59 PM, Phil Pennock wrote:
> Any chance of a 0.12 build of dnssec-trigger for MacOS, to include 
> Wouter's July 31st fixes of user creation for MacOS 10.8?  I just
> found http://www.nlnetlabs.nl/projects/dnssec-trigger/#changelog
> and see that 0.11 was built somewhere around 2012-06-07.
> There are more issues than just user creation.  Here's my
> experience.
> So, I installed dnssec-trigger on my laptop last Friday and
> everything went great.  10.8.3.  No problems encountered.  I just
> made sure to uninstall unbound from MacPorts afterwards.
> And that's why it worked great for me: MacPorts had created the
> unbound runtime user, and dnssec-trigger used it.  At the time, I
> was unaware of how important this was to my positive experience.
> SHA256(Downloads/dnssectrigger-0.11.dmg)=
> 77565ef4a25f07383c57ae4d96cd3bd5fcfe089301f2054ccf20fc636c76e710
> (And yes, to answer a question in the archives from August, it
> works okay in the presence of the new MacOS install controls.  You
> open the .dmg in Finder, and in the mounted volume, control-click
> (right-click) the .mpkg file, select Open, and this adds a "do it
> anyway" option to the dialog).
> Today, I gave a tech talk on DNSSEC and demo'd an install of 
> dnssec-trigger on the mac (10.8.2) used for the presentation.  It
> failed miserably, leaving the system without DNS resolution.  The
> uninstall script worked.  Same thing on a co-worker's mac laptop, so
> it's not an isolated occurrence.
> Problems:
> 1. Failed to create the runtime user
> 2. No logfile preserved past install that I could see
> 3. Install claimed to succeed, rewrote resolv.conf and system
>    resolver stuff (scutil) to reference; because there was no
>    unbound user, unbound refused to start, so there was no DNS
>    server listening.
> 4. dnssec-trigger doesn't test localhost unbound is up before
>    configuring to use it, that seems like something that should be
>    done at runtime, always.
> First problem: the install fails to create the run-time user.
> Second problem: the install
> 5. The unbound.conf file was not modified with the
>    linetag-dnssec-trigger rules; this is after removing
>    /etc/unbound, creating the user manually, and then installing
>    the package.  As a result, the resolver couldn't be configured
>    with forwarders and also didn't have a trust anchor, so there
>    was no validation.
> Looking through: 
> https://github.com/miekg/dnssec-trigger/blob/master/osx/pkg/makepackage
> the "/Local/Default/Users/unbound UserShell" setting had been done, but
> not RealName, PrimaryGroupID, UniqueID and I think not
> NFSHomeDirectory. I created the user using the steps as per that
> postflight script.
> I copied the linetag-dnssec-trigger lines from my laptop, where
> things had worked, and after that unbound and dnssec-trigger worked
> fine.
> I'm willing to work with folks to understand what's gone wrong,
> and there are a number of co-workers with clean Macs who might be
> bribed into trying to install dnssec-trigger test images.
> Thanks, -Phil

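Added example, not part of the original messages or of dnssec-trigger's installer: a shell check for the half-created user record described in the report above (UserShell set, the other attributes absent), suitable for running before the system resolver is pointed at the local unbound. The sample records are constructed, `missing_attrs` and `check_user` are hypothetical names, and `dscl . -read` is the only macOS call assumed.

```shell
#!/bin/sh
# Added example (not from the dnssec-trigger installer).
# Attributes named in the message above; a usable record needs all five.
REQUIRED="UserShell RealName PrimaryGroupID UniqueID NFSHomeDirectory"

# Read `dscl . -read /Users/<name>` output on stdin and print the
# required attributes that are absent, space-separated.
missing_attrs() {
    record=$(cat)
    missing=""
    for attr in $REQUIRED; do
        # dscl prints one "Name: value" line per attribute that exists;
        # a value containing spaces goes on the following line.
        printf '%s\n' "$record" | grep -q "^${attr}:" ||
            missing="$missing $attr"
    done
    printf '%s' "${missing# }"
}

# Hypothetical wrapper for a real Mac: 0 = complete, 1 = partial, 2 = absent.
check_user() {
    out=$(dscl . -read "/Users/$1" 2>/dev/null) || return 2
    gaps=$(printf '%s\n' "$out" | missing_attrs)
    [ -z "$gaps" ] && return 0
    echo "user $1 is missing: $gaps" >&2
    return 1
}

# Constructed sample: the half-created record described in the report.
PARTIAL_RECORD='RecordName: unbound
UserShell: /usr/bin/false'

# Constructed sample: a complete record (values are placeholders).
COMPLETE_RECORD='NFSHomeDirectory: /var/empty
PrimaryGroupID: 500
RealName:
 Unbound DNS resolver
RecordName: unbound
UniqueID: 500
UserShell: /usr/bin/false'

printf 'partial sample lacks: %s\n' \
    "$(printf '%s\n' "$PARTIAL_RECORD" | missing_attrs)"
printf 'complete sample lacks: [%s]\n' \
    "$(printf '%s\n' "$COMPLETE_RECORD" | missing_attrs)"
```

On a Mac, `check_user unbound` returning non-zero is the signal to leave resolv.conf and the scutil resolver settings untouched.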