[Dnssec-trigger] Dnssec-Trigger and MacOSX 10.8.3

Bry8 Star bry8star at inventati.org
Fri Nov 1 06:30:53 UTC 2013

Hash: SHA512

A follow-up.

On that/mentioned Mac OS X 10.8.3 computer, when i applied same
temporary solution from 10.6.8 (mentioned in last email), unbound
still didn't work.

And, i had to set these below 3 additional lines:

username: ""
chroot: ""
directory: ""

... for unbound to start and stay running.

Unbound's script file need to be fixed so it can create "unbound"
username correctly on correct time, and null/erase it when not needed.

By the way, i forgot to place a double-quote symbol at the end of
this/below essential line in previous email, so correct line for
default level installation cases, is:

auto-trust-anchor-file: "/etc/unbound/root.key"

And few other extra & optional configuration lines (and few
corrected lines) which were also helpful, are:

port: 53
access-control: allow
dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
# Above ISC DLV helps domain-names, when owner added
# their DNSSEC related DNS record there, as Domain's
# Registry company/entity do not yet fully support DNSSEC.
# domain-insecure: "42"
# domain-insecure: "bit"
# domain-insecure: "ovh"
# TLDs which are still not yet DNSSEC signed,
# needs to be added like above, for accessing.
# Forwarding/Stub zone related to above insecure domains,
# are not shown/included here.
local-zone: "onion." refuse
local-zone: "exit." refuse
local-zone: "noconnect." refuse
local-zone: "i2p." refuse
# Above 4 lines, block above TLD types of DNS leaks.
control-enable: yes
control-port: 8953
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"

The file "dlv.isc.org.key" is not present in Mac OS X by default, so
i had to copy from another (Windows) computer into it.

And, to see all hidden files try both below commands, as newer OSX
changed few parameter's case:

defaults write com.apple.Finder AppleShowAllFiles TRUE
defaults write com.apple.finder AppleShowAllFiles TRUE

After setting above configuration, and restarting Mac computer once,
"unbound" started to work (in Mac OSX 10.8.3).

- -- Bright Star.

Received from Bry8 Star, on 2013-09-18 7:03 PM:
> Another test on another Apple-Mac OSX 10.6.8 (Snow Leopard):
> (I have intentionally described some steps/stages in detail, so that
> its easier for those users who are new or comparatively new to
> MacOSX or these type of enhancements).
> Initially, Firefox(FF) already have these addons/extensions: (1)
> DNSSEC Validator (2) Extended DNSSEC Validator.
> FF ext (1) is configured to use "Without Resolver" (default).  And
> no DNS server ip-address is specified inside FF ext (2) settings, so
> its using its own internal pre-settings.
> Wi-Fi Network adapter (connected to router/internet) showing DNS
> With such as above settings, when site like www.StatDNS.net is
> visited using HTTPS scheme in firefox, then firefox's url bar's
> right side icon (from DNSSEC Validator, icon which shows different
> colored 'key' shapes) shows a green colored 'key' and when icon is
> clicked-on it shows "Site is Secured by DNSSEC". DNSSEC Validator
> uses a separate Firefox Plugin Process. I think it runs libunbound
> based own dns-resolving functions inside that plugin process.
> Firefox's URL bar's left side icon (from Extended DNSSEC Validator,
> which shows ether a 'World' or 'Lock' image/picture) shows a 'Lock'
> shape and when clicked-on, shows info, that, "Site is secured by
> DNSSEC and SSL cert is verified by (both) DNSSEC (TLSA) and CA." or
> it shows "Your connection to this website is encrypted to prevent
> evesdropiing" and "Verified by StartCom Ltd".  Other apps like "App
> Store" can retrieve content from apple website and show it. In
> Terminal: ping statdns.net <- works, dig @ -t any
> statdns.net. and dig any statdns.net. <- works.
> dig @ -t any statdns.net. +dnssec <- do not shows "ad"
> flags, as is not a DNSSEC-based Validating DNS-Resolver.
> - - - - - - -
> After installing DnssecTrigger 0.11 in MacOSX:
> DNS in WiFi adapter is changed into
> When icon of DnssecTrigger in top menu bar is clicked-on and "Probe
> Results" option is selected, then it shows info such as: http
> fedoraproject.org ( OK. cache OK.
> DNSSEC results fetched from (DHCP) cache(s).
> Apps like "App Store" can retrieve content from apple website and
> show it, ping to statdns.net works. dig @ any statdns.net.
> +dnssec shows SERVFAIL.
> Firefox's two DNSSEC related icons stops working properly.
> I can indeed see OSX process named "unbound" and "dnssec-triggerd"
> running.
> - - - - - - -
> So this is what i did on that MacOSX 10.6.8:
> (In brief: only Unbound will run, DnssecTrigger portion will be
> disabled, all apps will always use local unbound as a
> local validating DNS Resolver/Server.  But by doing these, i (or who
> will follow, he/she/they), will loose ability to use DnssecTrigger
> which have advanced features to switch between different regular and
> encrypted DNS-Servers on different scenario.  I'm doing this now,
> because DNSSEC-trigger portion causing Unbound to not work properly).
> Enabled viewing all hidden files & folders, by running below
> command-line inside Terminal:
> defaults write com.apple.Finder AppleShowAllFiles TRUE
> Then restarted OSX machine once.
> List of TextEditor type of software:
> http://technologytosoftware.com/best-free-mac-os-text-editors-for-web-developers-2.html
> Edited /etc/unbound/unbound.conf file to have these lines only, all
> other lines have # symbol at left most side, (later i added other
> lines for tuning unbound further):
>  server:
>  verbosity: 1
>  do-udp: yes
>  do-tcp: yes
>  do-daemonize: yes
>  # use-syslog: yes
>  hide-identity: yes
>  hide-version: yes
>  module-config: "validator iterator"
>  auto-trust-anchor-file: "/etc/unbound/root.key
>  python:
>  remote-control:
>  control-enable: yes
>  control-interface:
>  control-port: 8953
> Edited /etc/dnssec-trigger/dnssec-trigger.conf file, and made sure,
> all lines are Disabled, that is all lines have the "#" symbol at
> left most side.
> Then went into /Library/LaunchDaemons folder and 1st made backup
> copy of below two files into
> /Users/[my-user-name]/Documents/bkup/Lib/LaunchDaemons folder:
> nl.nlnetlabs.dnsec-trigger-hook.plist
> nl.nlnetlabs.dnsec-triggerd.plist
> And then trashed/deleted those two from /Library/LaunchDaemons folder.
> (You may use a software like Lingon for this step. And if you use
> different OSX then you may need to also look for above two files
> inside any one of these folders/directories :
> /Library/LaunchDaemons, /Library/LaunchAgents,
> /System/Library/LaunchAgents, /System/Library/LaunchDaemons,
> ~/Library/LaunchDaemons, ~/Library/LaunchAgents,
> ~/Library/StartupItems, and /Library/StartupItems).
> Similarly like above, made backup copy and removed below file:
> /Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist
> And, made sure /etc/resolv.conf file showing following line in it:
> nameserver
> And made sure two extensions/addons related to DNSSEC in Firefox is
> using specifically.
> By the way, can someone pls let us/users know, what this file by
> default contains ? Thanks.
> OSX machine must have to be restarted.
> - - - - - - - - - -
> Finally now, Firefox url bar's two icons related to DNSSEC working &
> displaying properly. Pre-known DNSSEC signed sites and known DANE
> based sites, showed fairly and better icon than before.  Those two
> addons definitely need more improvements.
> Other/system apps are also able to access internet and working.
> ping statdns.net etc working.
> dig @ -t any statdns.net. +dnssec (working, showed
> "NOERROR" and "ad")
> :)
> - - - - - - - - - -
> I'm sure i can now apply this process on that 10.8.3 machine and
> there should be NO reason for that local Unbound to not work.
> And when a new dnssec-trigger will for sure work, then i can get
> that new dnssectrigger pkg from NLnetLabs website and install that
> over the older one.
> I'm now happy with at-least a working DNSSEC based Validating
> DNS-Resolver/DNS-Server. :)
> Thanks,
> -- Bright Star.


More information about the dnssec-trigger mailing list