[Dnssec-trigger] Dnssec-Trigger and MacOSX 10.8.3

Bry8 Star bry8star at inventati.org
Thu Sep 19 02:03:06 UTC 2013


Another test on another Apple-Mac OSX 10.6.8 (Snow Leopard):

(I have intentionally described some steps/stages in detail, so that
it's easier for those users who are new or comparatively new to
MacOSX or these types of enhancements).

Initially, Firefox (FF) already has these addons/extensions: (1)
DNSSEC Validator (2) Extended DNSSEC Validator.
FF ext (1) is configured to use "Without Resolver" (default). And
no DNS server IP address is specified inside FF ext (2) settings, so
it's using its own internal pre-settings.
The Wi-Fi network adapter (connected to router/internet) shows DNS
192.168.0.1.

With the above settings, when a site like www.StatDNS.net is
visited using the HTTPS scheme in Firefox, then Firefox's URL bar's
right side icon (from DNSSEC Validator, the icon which shows different
colored 'key' shapes) shows a green colored 'key', and when the icon is
clicked on it shows "Site is Secured by DNSSEC". DNSSEC Validator
uses a separate Firefox Plugin Process. I think it runs libunbound
based own dns-resolving functions inside that plugin process.
Firefox's URL bar's left side icon (from Extended DNSSEC Validator,
which shows either a 'World' or 'Lock' image/picture) shows a 'Lock'
shape and, when clicked on, shows info that "Site is secured by
DNSSEC and SSL cert is verified by (both) DNSSEC (TLSA) and CA." or
it shows "Your connection to this website is encrypted to prevent
eavesdropping" and "Verified by StartCom Ltd". Other apps like "App
Store" can retrieve content from the Apple website and show it. In
Terminal: ping statdns.net <- works; dig @192.168.0.1 -t any
statdns.net. and dig any statdns.net. <- work.

dig @192.168.0.1 -t any statdns.net. +dnssec <- does not show the "ad"
flag, as 192.168.0.1 is not a DNSSEC-validating DNS resolver.


- - - - - - -

PROBLEMS WHICH I FACED:

After installing DnssecTrigger 0.11 in MacOSX:

DNS in the WiFi adapter is changed to 127.0.0.1.

When the icon of DnssecTrigger in the top menu bar is clicked on and the
"Probe Results" option is selected, then it shows info such as: http
fedoraproject.org (140.211.169.197): OK. cache 192.168.0.1: OK.
DNSSEC results fetched from (DHCP) cache(s).

Apps like "App Store" can retrieve content from the Apple website and
show it; ping to statdns.net works. dig @127.0.0.1 any statdns.net.
+dnssec shows SERVFAIL.

Firefox's two DNSSEC related icons stop working properly.

I can indeed see OSX process named "unbound" and "dnssec-triggerd"
running.

- - - - - - -


(Temporary) SOLUTION PROCESS/STEPS:

So this is what I did on that MacOSX 10.6.8:
(In brief: only Unbound will run, the DnssecTrigger portion will be
disabled, and all apps will always use the local 127.0.0.1 unbound as a
local validating DNS resolver/server. But by doing this, I (or whoever
follows, he/she/they) will lose the ability to use DnssecTrigger,
which has advanced features to switch between different regular and
encrypted DNS servers in different scenarios. I'm doing this now
because the DNSSEC-trigger portion is causing Unbound to not work properly).

Enabled viewing all hidden files & folders by running the command
line below inside Terminal:

defaults write com.apple.Finder AppleShowAllFiles TRUE

Then restarted OSX machine once.

List of TextEditor type of software:
http://technologytosoftware.com/best-free-mac-os-text-editors-for-web-developers-2.html

Edited the /etc/unbound/unbound.conf file to have these lines only; all
other lines have the # symbol at the left-most side (later I added other
lines for tuning unbound further):

 server:
     verbosity: 1
     do-udp: yes
     do-tcp: yes
     do-daemonize: yes
     # use-syslog: yes
     hide-identity: yes
     hide-version: yes
     # validator must be in module-config for DNSSEC validation
     module-config: "validator iterator"
     # trust anchor path must be a closed quoted string
     auto-trust-anchor-file: "/etc/unbound/root.key"
 python:
 remote-control:
     control-enable: yes
     control-interface: 127.0.0.1
     control-port: 8953


Edited the /etc/dnssec-trigger/dnssec-trigger.conf file, and made sure
all lines are disabled, that is, all lines have the "#" symbol at the
left-most side.

Then went into the /Library/LaunchDaemons folder and first made a backup
copy of the two files below into the
/Users/[my-user-name]/Documents/bkup/Lib/LaunchDaemons folder:
nl.nlnetlabs.dnsec-trigger-hook.plist
nl.nlnetlabs.dnsec-triggerd.plist
And then trashed/deleted those two from the /Library/LaunchDaemons folder.

(You may use software like Lingon for this step. And if you use a
different OSX then you may need to also look for the above two files
inside any one of these folders/directories:
/Library/LaunchDaemons, /Library/LaunchAgents,
/System/Library/LaunchAgents, /System/Library/LaunchDaemons,
~/Library/LaunchDaemons, ~/Library/LaunchAgents,
~/Library/StartupItems, and /Library/StartupItems).

Similarly to the above, made a backup copy and removed the file below:
/Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist

And made sure the /etc/resolv.conf file shows the following line in it:
nameserver 127.0.0.1

And made sure the two extensions/addons related to DNSSEC in Firefox are
using 127.0.0.1 specifically.

By the way, can someone please let us/users know what this file
contains by default? Thanks.

The OSX machine must be restarted.

- - - - - - - - - -

RESULT:

Finally now, Firefox URL bar's two icons related to DNSSEC are working and
displaying properly. Pre-known DNSSEC signed sites and known DANE
based sites showed a fairer and better icon than before. Those two
addons definitely need more improvements.
Other/system apps are also able to access the internet and are working.
ping statdns.net etc. working.
dig @127.0.0.1 -t any statdns.net. +dnssec (working, showed
"NOERROR" and "ad")
:)

- - - - - - - - - -

I'm sure I can now apply this process on that 10.8.3 machine and
there should be NO reason for that local Unbound to not work.

And when a new dnssec-trigger will for sure work, then I can get
that new dnssectrigger pkg from the NLnetLabs website and install that
over the older one.

I'm now happy with at least a working DNSSEC based validating
DNS resolver/DNS server. :)

Thanks,
-- Bright Star.




Received from Bry8 Star, on 2013-09-18 2:50 AM:
> Hi Wouter,
> 
> THANKS.
> 
> (Yes, the uninstall script was there, sorry for adding request on
> that too quickly).
> 
> Earlier I used unbound from homebrew, on another Apple-Mac, that
> worked fine as expected.
> 
> But if I could disable the DnssecTrigger portion, and keep Unbound
> running, then that would have been better.
> 
> I will request the user to let me have access to it for a few more
> days, and will enable debugging.
> 
> (Direct IP-address based connections are working fine).
> 
> Brand new Apple-Mac, just taken out of the box. DnssecTrigger was
> installed as 6th, right after: (1) system update, (2) Firefox, (3)
> Firefox extensions, (4) Microsoft Office, (5) Office update.
> 
> I think I also noticed such a few times: after restart, in Firefox a few
> selected sites worked/resolved for the first few minutes, then they
> stopped working. Could it be that DnssecTrigger first starts to use
> the dns result from some cache, and then DnssecTrigger may be switching
> to another cache or another dns resolver, and that 2nd cache is
> empty or that other dns resolver is inaccessible? None of the
> other/system apps were able to resolve dns after installing
> DnssecTrigger.
> 
> Anyway needs more debugging.
> 
> Thanks again,
> -- Bright Star.
> 
> 
> 
> 
> Received from W.C.A. Wijngaards, on 2013-09-18 1:06 AM:
>> Hi Bright Star,
>>
>> In the file you downloaded to install, the dmg, there is an uninstall
>> script.  You can download the dmg again if you removed it.
>> Doubleclick on the uninstall script and it uninstalls dnssec-trigger.
>>
>> If you want to use unbound without dnssec-trigger, perhaps you can use
>> unbound from macports?
>>
>>
>> On 09/18/2013 08:47 AM, Bry8 Star wrote:
>>> Hi, dnssectrigger-0.11.dmg was installed on (a user's) MacOSX
>>> 10.8.3. This Mac has Firefox. Firefox has two extensions: (1)
>>> DNSSEC Validator, (2) Extended DNSSEC Validator. (1) is configured
>>> to use CZ.NIC's/OARC's remote DNSSEC servers. (2) is configured to
>>> use the extension's own internal default DNSSEC server (that is, I did
>>> not specify any custom DNS server in its DNS configuration box).
>>
>>> DnssecTrigger has changed the system's default DNS settings and placed
>>> 127.0.0.1 inside it, so the Network Adapter's DNS settings now show
>>> 127.0.0.1 as DNS server.
>>
>>> Apps which use the system's DNS settings are not able to access
>>> internet sites.
>>
>> It should have worked, I wonder why; this would need debugging with
>> setting verbosity in the dnssec-trigger.conf and unbound.conf higher
>> and looking in the system logs. But if you do not want to use it,
>> then the easiest is to manually compile and install unbound.
>>
>> Best regards,
>>    Wouter
>>
>>
>>> Visiting any websites via Firefox has also stopped working.
>>
>>> I changed FF extension (1) and (2) settings both, and specified
>>> 127.0.0.1 inside them, but it did not work (could not visit
>>> websites, dns resolving did not work).
>>
>>> When I changed the system's DNS settings to the local router's
>>> IP address, for example 192.168.0.1, then all started to work
>>> again.
>>
>>> I want to disable the DnssecTrigger portion only, and enable/use only
>>> the "Unbound" resolver portion in Mac OSX; how do I do that? Since I
>>> want to disable the DnssecTrigger portion, I also want to remove the
>>> DnssecTrigger icon from the top bar.
>>
>>> And I also want to know how do I uninstall the full dnssectrigger
>>> package?
>>
>>> Thanks in advance, -- Bright Star.
>>
>>
>>
>>> _______________________________________________ dnssec-trigger
>>> mailing list dnssec-trigger at NLnetLabs.nl 
>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>>
>>
>>
> 
> 
> 
> 
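The post decides whether a resolver is validating by looking at dig's status and "ad" flag (the router answered NOERROR without "ad", the broken local unbound answered SERVFAIL, the fixed one NOERROR with "ad"). The following is an added example, not from the post or from NLnet Labs, that parses those two header lines from `dig ... +dnssec` output and classifies the result; the three dig outputs are constructed samples.

```python
"""Classify a resolver from the header of a `dig ... +dnssec` reply."""
import re

# Constructed sample dig outputs (header lines only, not real captures).
DIG_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_UNVALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

_STATUS = re.compile(r"^;; ->>HEADER<<- .*status: (\w+)", re.M)
_FLAGS = re.compile(r"^;; flags: ([^;]*);", re.M)


def parse_dig_header(text):
    """Return (status, set_of_flags) from dig's text output."""
    status = _STATUS.search(text)
    flags = _FLAGS.search(text)
    if not status or not flags:
        raise ValueError("no dig header found in output")
    return status.group(1), set(flags.group(1).split())


def classify_response(text):
    """'validated'   : NOERROR with the AD bit (resolver validated the data)
    'unvalidated' : NOERROR without AD (e.g. a plain router forwarder)
    'failed'      : SERVFAIL (validation failure or broken resolver)
    otherwise the lowercased rcode."""
    status, flags = parse_dig_header(text)
    if status == "NOERROR":
        return "validated" if "ad" in flags else "unvalidated"
    if status == "SERVFAIL":
        return "failed"
    return status.lower()


if __name__ == "__main__":
    for name, sample in (("router", DIG_UNVALIDATED),
                         ("broken local", DIG_SERVFAIL),
                         ("fixed local", DIG_VALIDATED)):
        print(name, "->", classify_response(sample))
```

Feed it real output with `dig @127.0.0.1 -t any statdns.net. +dnssec | python3 thisfile.py` after changing the `__main__` block to read `sys.stdin`; an "ad" flag only means something when the client trusts the resolver on 127.0.0.1.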


