From bry8star at inventati.org  Wed Sep 18 06:47:34 2013
From: bry8star at inventati.org (Bry8 Star)
Date: Tue, 17 Sep 2013 23:47:34 -0700
Subject: [Dnssec-trigger] Dnssec-Trigger and MacOSX 10.8.3
Message-ID: <52394C86.4030504@inventati.org>

Hi,

dnssectrigger-0.11.dmg was installed on (a user's) MacOSX 10.8.3.
This Mac has Firefox. Firefox has two extensions : (1) DNSSEC
Validator, (2) Extended DNSSEC Validator. (1) is configured to use
CZ.NIC's/OARC's remote DNSSEC servers. (2) is configured to use
extension's own internal default DNSSEC server. (that is, i did not
specify any custom DNS-server in its DNS configuration box).

DnssecTrigger has changed system's default DNS settings and placed
127.0.0.1 inside it, so Network Adapter's DNS settings now showing
127.0.0.1 as DNS-Server.

Apps which use system's DNS settings, are not able to access internet
sites.

Visiting to any websites via Firefox has also stopped working.

I changed FF extension (1) and (2) settings both, and specified
127.0.0.1 inside them, but did not work. (could not visit websites,
dns-resolving did not work).

When i changed system's DNS settings into local router's IP-Address,
for example, 192.168.0.1, then all started to work back.

I want to disable DnssecTrigger portion only, and enable/use only
"Unbound" resolver portion in Mac OSX, how do i do that ? Since i want
to disable DnssecTrigger portion, i also want to remove the
DnssecTrigger icon from top bar.

And i also want to know how do i uninstall the full dnssectrigger
package ?

Thanks in advance,
-- Bright Star.

From wouter at nlnetlabs.nl  Wed Sep 18 08:06:25 2013
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Wed, 18 Sep 2013 10:06:25 +0200
Subject: [Dnssec-trigger] Dnssec-Trigger and MacOSX 10.8.3
In-Reply-To: <52394C86.4030504@inventati.org>
References: <52394C86.4030504@inventati.org>
Message-ID: <52395F01.8060608@nlnetlabs.nl>

Hi Bright Star,

In the file you downloaded to install, the dmg, there is an uninstall
script. You can download the dmg again if you removed it.
Doubleclick on the uninstall script and it uninstalls dnssec-trigger.

If you want to use unbound without dnssec-trigger, perhaps you can use
unbound from macports?

On 09/18/2013 08:47 AM, Bry8 Star wrote:
> Hi, dnssectrigger-0.11.dmg was installed on (a user's) MacOSX
> 10.8.3. This Mac has Firefox. Firefox has two extensions : (1)
> DNSSEC Validator, (2) Extended DNSSEC Validator. (1) is configured
> to use CZ.NIC's/OARC's remote DNSSEC servers. (2) is configured to
> use extension's own internal default DNSSEC server. (that is, i did
> not specify any custom DNS-server in its DNS configuration box).
>
> DnssecTrigger has changed system's default DNS settings and placed
> 127.0.0.1 inside it, so Network Adapter's DNS settings now showing
> 127.0.0.1 as DNS-Server.
>
> Apps which use system's DNS settings, are not able to access
> internet sites.

It should have worked, I wonder why, this would need debugging with
setting verbosity in the dnssec-trigger.conf and unbound.conf higher
and looking in the system logs. But if you do not want to use it,
then, the easiest is to manually compile and install unbound.

Best regards,
   Wouter

> Visiting to any websites via Firefox has also stopped working.
>
> I changed FF extension (1) and (2) settings both, and specified
> 127.0.0.1 inside them, but did not work. (could not visit
> websites, dns-resolving did not work).
>
> When i changed system's DNS settings into local router's
> IP-Address, for example, 192.168.0.1, then all started to work
> back.
>
> I want to disable DnssecTrigger portion only, and enable/use only
> "Unbound" resolver portion in Mac OSX, how do i do that ? Since i
> want to disable DnssecTrigger portion, i also want to remove the
> DnssecTrigger icon from top bar.
>
> And i also want to know how do i uninstall the full dnssectrigger
> package ?
>
> Thanks in advance, -- Bright Star.

From bry8star at inventati.org  Wed Sep 18 09:50:04 2013
From: bry8star at inventati.org (Bry8 Star)
Date: Wed, 18 Sep 2013 02:50:04 -0700
Subject: [Dnssec-trigger] Dnssec-Trigger and MacOSX 10.8.3
In-Reply-To: <52395F01.8060608@nlnetlabs.nl>
References: <52394C86.4030504@inventati.org> <52395F01.8060608@nlnetlabs.nl>
Message-ID: <5239774C.90905@inventati.org>

Hi Wouter,

THANKS.

(Yes, the uninstall script was there, sorry for adding request on that
too quickly).

Earlier i used unbound from homebrew, on another apple-mac, that worked
fine as expected.

But if i could disable DnssecTrigger portion, and keep Unbound running,
then that would have been better.

I will request the user to let me have access to it for few more days,
and will enable debugging.

(Direct IP-address based connections are working fine).

Brand new Apple-Mac, just taken out of box. DnssecTrigger was installed
as 6th, right after : (1) system update, (2) Firefox, (3) Firefox
extensions, (4) Microsoft Office, (5) Office update.

I think i also noticed such, few times after restart, in Firefox few
selective site worked/resolved for first few minutes, then they stopped
working. Could it be, that, DnssecTrigger 1st starts to use dns-result
from some cache, and then DnssecTrigger may be switching into another
cache or another dns-resolver, and that 2nd cache is empty or that
another dns-resolver is inaccessible. None of the other/system apps was
able to resolve dns after installing DnssecTrigger.

Anyway needs more debugging.

Thanks again,
-- Bright Star.

From bry8star at inventati.org  Thu Sep 19 02:03:06 2013
From: bry8star at inventati.org (Bry8 Star)
Date: Wed, 18 Sep 2013 19:03:06 -0700
Subject: [Dnssec-trigger] Dnssec-Trigger and MacOSX 10.8.3
In-Reply-To: <5239774C.90905@inventati.org>
References: <52394C86.4030504@inventati.org> <52395F01.8060608@nlnetlabs.nl> <5239774C.90905@inventati.org>
Message-ID: <523A5B5A.3020203@inventati.org>

Another test on another Apple-Mac OSX 10.6.8 (Snow Leopard):

(I have intentionally described some steps/stages in detail, so that
it's easier for those users who are new or comparatively new to MacOSX
or these type of enhancements).

Initially, Firefox(FF) already have these addons/extensions:
(1) DNSSEC Validator
(2) Extended DNSSEC Validator.

FF ext (1) is configured to use "Without Resolver" (default). And no
DNS server ip-address is specified inside FF ext (2) settings, so its
using its own internal pre-settings.

Wi-Fi Network adapter (connected to router/internet) showing DNS
192.168.0.1.

With such as above settings, when site like www.StatDNS.net is visited
using HTTPS scheme in firefox, then firefox's url bar's right side icon
(from DNSSEC Validator, icon which shows different colored 'key' shapes)
shows a green colored 'key' and when icon is clicked-on it shows "Site
is Secured by DNSSEC". DNSSEC Validator uses a separate Firefox Plugin
Process. I think it runs libunbound based own dns-resolving functions
inside that plugin process.

Firefox's URL bar's left side icon (from Extended DNSSEC Validator,
which shows either a 'World' or 'Lock' image/picture) shows a 'Lock'
shape and when clicked-on, shows info, that, "Site is secured by DNSSEC
and SSL cert is verified by (both) DNSSEC (TLSA) and CA." or it shows
"Your connection to this website is encrypted to prevent eavesdropping"
and "Verified by StartCom Ltd".

Other apps like "App Store" can retrieve content from apple website and
show it.

In Terminal:

    ping statdns.net    <- works,
    dig @192.168.0.1 -t any statdns.net.
    and
    dig any statdns.net.    <- works.
    dig @192.168.0.1 -t any statdns.net. +dnssec
        <- does not show "ad" flags, as 192.168.0.1 is not a
           DNSSEC-based Validating DNS-Resolver.

- - - - - - -

PROBLEMS WHICH I FACED:

After installing DnssecTrigger 0.11 in MacOSX:

DNS in WiFi adapter is changed into 127.0.0.1.

When icon of DnssecTrigger in top menu bar is clicked-on and "Probe
Results" option is selected, then it shows info such as:

    http fedoraproject.org (140.211.169.197): OK.
    cache 192.168.0.1: OK.
    DNSSEC results fetched from (DHCP) cache(s).

Apps like "App Store" can retrieve content from apple website and show
it, ping to statdns.net works.

    dig @127.0.0.1 any statdns.net. +dnssec

shows SERVFAIL.

Firefox's two DNSSEC related icons stops working properly.

I can indeed see OSX process named "unbound" and "dnssec-triggerd"
running.

- - - - - - -

(Temporary) SOLUTION PROCESS/STEPS:

So this is what i did on that MacOSX 10.6.8:

(In brief: only Unbound will run, DnssecTrigger portion will be
disabled, all apps will always use local 127.0.0.1 unbound as a local
validating DNS Resolver/Server. But by doing these, i (or who will
follow, he/she/they), will lose ability to use DnssecTrigger which
have advanced features to switch between different regular and
encrypted DNS-Servers on different scenario. I'm doing this now,
because DNSSEC-trigger portion causing Unbound to not work properly).

Enabled viewing all hidden files & folders, by running below
command-line inside Terminal:

    defaults write com.apple.Finder AppleShowAllFiles TRUE

Then restarted OSX machine once.

List of TextEditor type of software:
http://technologytosoftware.com/best-free-mac-os-text-editors-for-web-developers-2.html

Edited /etc/unbound/unbound.conf file to have these lines only, all
other lines have # symbol at left most side, (later i added other lines
for tuning unbound further):

    server:
        verbosity: 1
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        # use-syslog: yes
        hide-identity: yes
        hide-version: yes
        module-config: "validator iterator"
        auto-trust-anchor-file: "/etc/unbound/root.key"
    python:
    remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 8953

Edited /etc/dnssec-trigger/dnssec-trigger.conf file, and made sure, all
lines are Disabled, that is all lines have the "#" symbol at left most
side.

Then went into /Library/LaunchDaemons folder and 1st made backup copy
of below two files into
/Users/[my-user-name]/Documents/bkup/Lib/LaunchDaemons folder:

    nl.nlnetlabs.dnsec-trigger-hook.plist
    nl.nlnetlabs.dnsec-triggerd.plist

And then trashed/deleted those two from /Library/LaunchDaemons folder.
(You may use a software like Lingon for this step. And if you use
different OSX then you may need to also look for above two files inside
any one of these folders/directories : /Library/LaunchDaemons,
/Library/LaunchAgents, /System/Library/LaunchAgents,
/System/Library/LaunchDaemons, ~/Library/LaunchDaemons,
~/Library/LaunchAgents, ~/Library/StartupItems, and
/Library/StartupItems).

Similarly like above, made backup copy and removed below file:

    /Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist

And, made sure /etc/resolv.conf file showing following line in it:

    nameserver 127.0.0.1

And made sure two extensions/addons related to DNSSEC in Firefox is
using 127.0.0.1 specifically.

By the way, can someone pls let us/users know, what this file by
default contains ? Thanks.

OSX machine must have to be restarted.

- - - - - - - - - -

RESULT:

Finally now, Firefox url bar's two icons related to DNSSEC working &
displaying properly.

Pre-known DNSSEC signed sites and known DANE based sites, showed fairly
and better icon than before. Those two addons definitely need more
improvements.

Other/system apps are also able to access internet and working.

ping statdns.net etc working.

    dig @127.0.0.1 -t any statdns.net. +dnssec

(working, showed "NOERROR" and "ad") :)

- - - - - - - - - -

I'm sure i can now apply this process on that 10.8.3 machine and there
should be NO reason for that local Unbound to not work.

And when a new dnssec-trigger will for sure work, then i can get that
new dnssectrigger pkg from NLnetLabs website and install that over the
older one.

I'm now happy with at-least a working DNSSEC based Validating
DNS-Resolver/DNS-Server. :)

Thanks,
-- Bright Star.
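
The three dig outcomes reported in this thread (NOERROR without "ad" from the router at 192.168.0.1, SERVFAIL from 127.0.0.1 while dnssec-trigger was active, NOERROR with "ad" after the change) can be told apart from the dig header alone. The script below is an added example, not code from the thread or from NLnet Labs; the function names and the sample dig headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a resolver from `dig ... +dnssec` header lines.
# classify_dig reads dig output on stdin and prints one verdict:
#   validating      status NOERROR and the "ad" (authenticated data) flag set
#   not-validating  status NOERROR but no "ad" flag
#   servfail        resolver returned SERVFAIL (validation or upstream failure)
#   unknown         no dig header found in the input
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
            line = $0
            sub(/^;; flags:/, "", line)   # drop the label
            sub(/;.*/, "", line)          # drop the counters after the flags
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "")                  print "unknown"
            else if (status == "SERVFAIL")     print "servfail"
            else if (status == "NOERROR" && ad) print "validating"
            else if (status == "NOERROR")      print "not-validating"
            else                               print "other:" status
        }'
}

# Live check (needs dig and network access); server and name are arguments.
check_resolver() { dig @"$1" "$2" A +dnssec | classify_dig; }

# Constructed sample headers, one per situation described in the thread.
sample_router() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_broken() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_fixed() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

for s in sample_router sample_broken sample_fixed; do
    printf '%-14s %s\n' "$s" "$($s | classify_dig)"
done
```

On a machine with dig, `check_resolver 127.0.0.1 statdns.net` runs the same classification live. The "ad" flag is only as trustworthy as the path to the resolver, which is why the loopback address is the case that matters here.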