[Dnssec-trigger] Dnssec-Trigger and MacOSX 10.8.3
bry8star at inventati.org
Fri Nov 1 06:30:53 UTC 2013
On that Mac OS X 10.8.3 computer, when I applied the same
temporary solution from 10.6.8 (mentioned in the last email), unbound
still didn't work.
And I had to set these 3 additional lines below:
... for unbound to start and stay running.
Unbound's script file needs to be fixed so it can create the "unbound"
username correctly at the correct time, and null/erase it when not needed.
By the way, I forgot to place a double-quote symbol at the end of
this essential line below in the previous email, so the correct line for
default-level installation cases is:
And a few other extra & optional configuration lines (and a few
corrected lines) which were also helpful are:
access-control: 127.0.0.0/8 allow
# The ISC DLV above helps domain names whose owners added
# their DNSSEC-related DNS records there, because the domain's
# registry company/entity does not yet fully support DNSSEC.
# domain-insecure: "42"
# domain-insecure: "bit"
# domain-insecure: "ovh"
# TLDs which are still not DNSSEC signed need to be
# added like above to be accessible.
# Forwarding/stub zones related to the insecure domains above
# are not shown/included here.
local-zone: "onion." refuse
local-zone: "exit." refuse
local-zone: "noconnect." refuse
local-zone: "i2p." refuse
# The 4 lines above block DNS leaks for these types of TLD.
The file "dlv.isc.org.key" is not present in Mac OS X by default, so
I had to copy it from another (Windows) computer.
And to see all hidden files, try both commands below, as newer OSX
changed the case of a few parameters:
defaults write com.apple.Finder AppleShowAllFiles TRUE
defaults write com.apple.finder AppleShowAllFiles TRUE
After setting the above configuration and restarting the Mac once,
"unbound" started to work (in Mac OSX 10.8.3).
-- Bright Star.
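The missing closing double-quote on the auto-trust-anchor-file line, and the local-zone refuse entries above, are the kind of slip a small configuration check catches before unbound is restarted. The following Python linter is an added example, not code from this list post or from the unbound project; the sample configuration it checks is constructed from the lines in this email, and the check messages are hypothetical.

```python
# Constructed sample, modelled on the unbound.conf fragment in the e-mail:
# the closing double-quote is missing on the auto-trust-anchor-file line.
SAMPLE_CONF = """\
server:
    verbosity: 1
    do-daemonize: yes
    hide-identity: yes
    hide-version: yes
    module-config: "validator iterator"
    auto-trust-anchor-file: "/etc/unbound/root.key
    access-control: 127.0.0.0/8 allow
    local-zone: "onion." refuse
    local-zone: "exit." refuse
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
"""

# TLDs the e-mail refuses locally so queries for them never leave the host.
LEAK_TLDS = ("onion.", "exit.", "noconnect.", "i2p.")

def lint_unbound_conf(text):
    """Return (line, message) findings; an empty list means nothing was flagged."""
    findings, settings = [], {}
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and indentation
        if not line or line.endswith(":"):      # blank line or clause header
            continue
        if line.count('"') % 2:                 # the exact slip from the e-mail
            findings.append((num, "unbalanced double-quote"))
        key, _, value = line.partition(":")
        settings.setdefault(key.strip(), []).append(value.replace('"', "").split())
    if not any("validator" in v for v in settings.get("module-config", [])):
        findings.append((0, "module-config does not load the validator"))
    if not (settings.get("auto-trust-anchor-file") or settings.get("trust-anchor-file")):
        findings.append((0, "no trust anchor configured, so validation cannot work"))
    refused = {v[0] for v in settings.get("local-zone", []) if len(v) == 2 and v[1] == "refuse"}
    for tld in LEAK_TLDS:
        if tld not in refused:
            findings.append((0, f"no 'local-zone: \"{tld}\" refuse' entry"))
    return findings

def fixed_conf():
    """The sample with the quote restored and the two missing refuse zones added."""
    extra = '    local-zone: "noconnect." refuse\n    local-zone: "i2p." refuse\n'
    return (SAMPLE_CONF.replace("root.key\n", 'root.key"\n')
            .replace("remote-control:", extra + "remote-control:"))
```

On a real host, unbound-checkconf remains the authoritative syntax check; this linter only adds the policy checks the email cares about.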
Received from Bry8 Star, on 2013-09-18 7:03 PM:
> Another test on another Apple Mac OSX 10.6.8 (Snow Leopard):
> (I have intentionally described some steps/stages in detail, so that
> it's easier for those users who are new or comparatively new to
> MacOSX or these types of enhancements).
> Initially, Firefox (FF) already had these addons/extensions: (1)
> DNSSEC Validator (2) Extended DNSSEC Validator.
> FF ext (1) is configured to use "Without Resolver" (default). And
> no DNS server IP address is specified inside the FF ext (2) settings, so
> it's using its own internal pre-settings.
> Wi-Fi Network adapter (connected to router/internet) showing DNS
> With settings such as the above, when a site like www.StatDNS.net is
> visited using the HTTPS scheme in Firefox, the icon on the right side
> of Firefox's URL bar (from DNSSEC Validator, the icon which shows
> differently colored 'key' shapes) shows a green 'key', and when the icon
> is clicked it shows "Site is Secured by DNSSEC". DNSSEC Validator
> uses a separate Firefox Plugin Process. I think it runs its own
> libunbound-based DNS-resolving functions inside that plugin process.
> The icon on the left side of Firefox's URL bar (from Extended DNSSEC
> Validator, which shows either a 'World' or 'Lock' image) shows a 'Lock'
> shape and, when clicked, shows the info that "Site is secured by
> DNSSEC and SSL cert is verified by (both) DNSSEC (TLSA) and CA." or
> it shows "Your connection to this website is encrypted to prevent
> eavesdropping" and "Verified by StartCom Ltd". Other apps like "App
> Store" can retrieve content from the Apple website and show it. In
> Terminal: ping statdns.net <- works; dig @192.168.0.1 -t any
> statdns.net. and dig any statdns.net. <- work.
> dig @192.168.0.1 -t any statdns.net. +dnssec <- does not show the "ad"
> flag, as 192.168.0.1 is not a DNSSEC-validating DNS resolver.
> - - - - - - -
> PROBLEMS WHICH I FACED:
> After installing DnssecTrigger 0.11 in MacOSX:
> The DNS in the WiFi adapter is changed to 127.0.0.1.
> When the DnssecTrigger icon in the top menu bar is clicked and the "Probe
> Results" option is selected, it shows info such as: http
> fedoraproject.org (184.108.40.206): OK. cache 192.168.0.1: OK.
> DNSSEC results fetched from (DHCP) cache(s).
> Apps like "App Store" can retrieve content from the Apple website and
> show it; ping to statdns.net works. dig @127.0.0.1 any statdns.net.
> +dnssec shows SERVFAIL.
> Firefox's two DNSSEC-related icons stop working properly.
> I can indeed see OSX processes named "unbound" and "dnssec-triggerd".
> - - - - - - -
> (Temporary) SOLUTION PROCESS/STEPS:
> So this is what I did on that MacOSX 10.6.8:
> (In brief: only Unbound will run, the DnssecTrigger portion will be
> disabled, and all apps will always use the local 127.0.0.1 unbound as a
> local validating DNS resolver/server. But by doing this, I (or whoever
> follows, he/she/they) will lose the ability to use DnssecTrigger,
> which has advanced features to switch between different regular and
> encrypted DNS servers in different scenarios. I'm doing this now
> because the DNSSEC-trigger portion is causing Unbound to not work properly).
> Enabled viewing all hidden files & folders by running the command
> line below inside Terminal:
> defaults write com.apple.Finder AppleShowAllFiles TRUE
> Then restarted the OSX machine once.
> List of TextEditor type of software:
> Edited the /etc/unbound/unbound.conf file to have only these lines; all
> other lines have a # symbol at the leftmost side (later I added other
> lines for tuning unbound further):
> verbosity: 1
> do-udp: yes
> do-tcp: yes
> do-daemonize: yes
> # use-syslog: yes
> hide-identity: yes
> hide-version: yes
> module-config: "validator iterator"
> auto-trust-anchor-file: "/etc/unbound/root.key
> control-enable: yes
> control-interface: 127.0.0.1
> control-port: 8953
> Edited the /etc/dnssec-trigger/dnssec-trigger.conf file and made sure
> all lines are disabled, that is, all lines have the "#" symbol at the
> leftmost side.
> Then went into the /Library/LaunchDaemons folder and first made a backup
> copy of the two files below into the
> /Users/[my-user-name]/Documents/bkup/Lib/LaunchDaemons folder:
> And then trashed/deleted those two from the /Library/LaunchDaemons folder.
> (You may use software like Lingon for this step. And if you use a
> different OSX, then you may also need to look for the above two files
> inside any one of these folders/directories:
> /Library/LaunchDaemons, /Library/LaunchAgents,
> /System/Library/LaunchAgents, /System/Library/LaunchDaemons,
> ~/Library/LaunchDaemons, ~/Library/LaunchAgents,
> ~/Library/StartupItems, and /Library/StartupItems).
> Similarly to the above, made a backup copy of and removed the file below:
> And made sure the /etc/resolv.conf file shows the following line in it:
> nameserver 127.0.0.1
> And made sure the two extensions/addons related to DNSSEC in Firefox are
> using 127.0.0.1 specifically.
> By the way, can someone please let us/users know what this file
> contains by default? Thanks.
> The OSX machine must be restarted.
> - - - - - - - - - -
> Finally now, Firefox's two URL bar icons related to DNSSEC are working &
> displaying properly. Pre-known DNSSEC-signed sites and known
> DANE-based sites showed a fair and better icon than before. Those two
> addons definitely need more improvements.
> Other/system apps are also able to access the internet and are working.
> ping statdns.net etc. working.
> dig @127.0.0.1 -t any statdns.net. +dnssec (working, showed
> "NOERROR" and "ad")
> - - - - - - - - - -
> I'm sure I can now apply this process on that 10.8.3 machine and
> there should be NO reason for that local Unbound to not work.
> And when a new dnssec-trigger will for sure work, then I can get
> that new dnssectrigger pkg from the NLnetLabs website and install that
> over the older one.
> I'm now happy with at least a working DNSSEC-based validating
> DNS resolver/DNS server. :)
> -- Bright Star.
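The dig tests quoted above distinguish three outcomes: NOERROR with the "ad" flag (the resolver you asked validated the answer), NOERROR without it (192.168.0.1, which does not validate), and SERVFAIL (the broken dnssec-trigger setup). As an added example that is not part of the original post, this Python helper classifies captured dig output that way; the header lines it is fed are constructed samples, not real captures, and the "ad" flag is only trustworthy when the resolver sits on localhost or another trusted path.

```python
import re

# Constructed dig header lines for the three outcomes the e-mail reports:
# a validating resolver (NOERROR with "ad"), a non-validating one (no "ad"),
# and the dnssec-trigger breakage (SERVFAIL). Not real captures.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40123
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
UNVALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40125
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

def classify_dig_output(output):
    """Return 'validated', 'unvalidated', 'servfail' or 'unknown' for dig text."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"^;; flags: ([^;]*);", output, re.M)
    if not status or not flags:
        return "unknown"                      # no dig header in the text
    if status.group(1) == "SERVFAIL":
        return "servfail"                     # what dnssec-trigger 0.11 produced
    if status.group(1) != "NOERROR":
        return "unknown"
    # Match "ad" as a whole flag token, not as a substring of another word.
    return "validated" if "ad" in flags.group(1).split() else "unvalidated"
```

A SERVFAIL from a validating resolver can also mean the zone's signatures are genuinely bad, so compare against dig +cd before blaming the local setup.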