From psimerda at redhat.com Tue Jun 3 17:08:55 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Tue, 3 Jun 2014 13:08:55 -0400 (EDT) Subject: [Dnssec-trigger] a couple of patches for dnssec-trigger-script In-Reply-To: <2121921567.8097380.1401815301759.JavaMail.zimbra@redhat.com> Message-ID: <356762229.8097530.1401815335086.JavaMail.zimbra@redhat.com> Hi, I'm sending a couple of post release fixes for dnssec-trigger-scripts. Cheers, Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-handle-dns-none-and-dns-unbound-properly.patch Type: text/x-patch Size: 1021 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-avoid-FileNotFoundError-not-available-in-Python-2.patch Type: text/x-patch Size: 1250 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-fix-unbound-output-parser.patch Type: text/x-patch Size: 917 bytes Desc: not available URL: From wouter at nlnetlabs.nl Wed Jun 4 14:16:30 2014 From: wouter at nlnetlabs.nl (W.C.A. Wijngaards) Date: Wed, 04 Jun 2014 16:16:30 +0200 Subject: [Dnssec-trigger] a couple of patches for dnssec-trigger-script In-Reply-To: <356762229.8097530.1401815335086.JavaMail.zimbra@redhat.com> References: <356762229.8097530.1401815335086.JavaMail.zimbra@redhat.com> Message-ID: <538F2A3E.90703@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Pavel, Committed, thanks, Wouter On 06/03/2014 07:08 PM, Pavel Simerda wrote: > Hi, > > I'm sending a couple of post release fixes for > dnssec-trigger-scripts. > > Cheers, > > Pavel > > > > _______________________________________________ dnssec-trigger > mailing list dnssec-trigger at NLnetLabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTjyo+AAoJEJ9vHC1+BF+N0ksQAIgnTsL2e2peUXOhbWaVL95y R5ImvyrM/prGX20sq8vLmKuWczDxgJis1jypxz4Zyp+pfBXzWif5COOhT2dAJnGe +WYdJN10SN7siNIczSfxbMxvm8qOBRgUfUnbmkthHEUwsGOO4QldMhJ1j/PWabJG E7E0xofNut/ChC5FATMWO2kbhYFpyWhL8yMgMaKbIuCQKVL2awSBNIXTF/anPYuo 7X3ISwuVqTPv29y0QySEvDTw2Oe21oOBEK6Ey5Qc9z7evNWHGYLv9s/gljn2Un4R FoXjhSOMH6Nw2tkbKLJ/MYGfgymk84VVRuv06FCeyFfGeePQMg9CV2Ph6hWkbEVq Nsivh4Vq1ywHom0VbNFc5StjMm4R9h5g/VRh0RK7PCj5bMLuySKYOqQWM/HC60Cw NbbwUD+5mbT9LLhyUftGB+rUMnRNsIHRA3MKINliF65kKPB03z94QSqlPsJDT7cO 5T/5KFeFDxpgkIsIZ8QyGQCsnUXR10fxuLkHFTFG+fXIEn3mtB06h0XIVofQly9E B07WUKp6HpX6jLfnwsRpCWmDuVkGkpO8aBD5pMbRvxcA3hvYdJdmbLanYH9j4yj7 ebvubMS1oYuUsk3FF0Zk7Ro0EHzpESA2ecCnTqEGwZ2SnktBQIZT1GvRZ1XNVnQu yA8+qJxzzIqBrGonIB25 =1sMs -----END PGP SIGNATURE----- From ondrej at caletka.cz Wed Jun 11 07:37:06 2014 From: ondrej at caletka.cz (=?UTF-8?B?T25kxZllaiBDYWxldGth?=) Date: Wed, 11 Jun 2014 09:37:06 +0200 Subject: [Dnssec-trigger] Detecting and configuring DNS64 by DNSSEC-Trigger Message-ID: <53980722.6040701@caletka.cz> Hello list, I think it would be nice if DNSSEC-Trigger would be able to do a discovery of NAT64 device in connected network by method described in RFC 7050. It should then set up DNS64 in local unbound to do the AAAA synthesis after DNSSEC validation. The only problem is that unbound still don't support DNS64. However, patches exist in Ecdysis project [1]. Discovery of NAT64 prefix can be done in the same way it works for clatd[2]. [1]: http://ecdysis.viagenie.ca/download.html [2]: https://github.com/toreanderson/clatd Cheers, Ond?ej Caletka -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4287 bytes Desc: Elektronicky podpis S/MIME URL: From thozza at redhat.com Fri Jun 13 06:24:48 2014 From: thozza at redhat.com (Tomas Hozza) Date: Fri, 13 Jun 2014 02:24:48 -0400 (EDT) Subject: [Dnssec-trigger] c-ares + DANE In-Reply-To: <5399C3ED.3020307@redhat.com> References: <1402496189.2305.16.camel@dhcp-2-127.brq.redhat.com> <1402563751.27931.29.camel@dhcp-2-127.brq.redhat.com> <5399902F.4080501@redhat.com> <1402575573.27931.39.camel@dhcp-2-127.brq.redhat.com> <53999D0D.8090805@redhat.com> <1402577035.27931.41.camel@dhcp-2-127.brq.redhat.com> <1402578450.22737.31.camel@willson.usersys.redhat.com> <5399C3ED.3020307@redhat.com> Message-ID: <1926698659.11112895.1402640688399.JavaMail.zimbra@redhat.com> ----- Original Message ----- > On 12.6.2014 15:07, Simo Sorce wrote: > > On Thu, 2014-06-12 at 14:43 +0200, Nikos Mavrogiannopoulos wrote: > >> On Thu, 2014-06-12 at 14:29 +0200, Petr Spacek wrote: > >> > >>> Short answer: "containers" > >>> Long answer: I certain cases (Docker et al.) we want to have one > >>> system-wide > >>> validating resolver running on host and use it from all running docker > >>> containers. > >>> It is not desirable to have hundred instances of validating resolver > >>> (unbound) > >>> for hundred of containers just because glibc/random other library cannot > >>> be > >>> configured to trust AD bits from address different than 127.0.0.1. > >> > >> Ok. I've sent the e-mail. > >> > >>> Also, dnsmasq and similar crap cannot be reasonably trusted for DNSSEC > >>> validation even if it is running on 127.0.0.1 so in some cases you may > >>> want to > >>> let the list empty. > >> > >> Why dnsmasq cannot be trusted for validation? I guess its dnssec > >> implementation is new, but is there something inherently wrong there? > > Thozza can tell you horribly stories about dnsmasq ... Well, to make the long story short, dnsmasq used to reuse the client query packet for the answer, before it implemented DNSSEC. So if the AD bit was set in the client query, it was also set in the reply, even though dnsmasq did not do any validation. It just blindly copied all flags from the query to the answer. > AFAIK it is light years from being good-enough for any crypto-related > operation. Also, old versions handled AD bit in a very funky (i.e. > non-standard and insecure) way. I would say that it is not well tested enough, not that it is broken. For example, the 2.69 (2014-04-09) version already supported DNSSEC. However there were so many issues, that a new version 2.70 (2014-04-24) was released, which included also some issues that needed to be fixed ASAP (it segfaulted in some situations, etc.) so the last version was released 2.71 (2014-05-20). The last version seems to be "stable enough" to be used with DNSSEC. > Local library cannot know if local resolver is new (hopefully fixed) dnsmasq > or old one (insecure). That is another reason why local resolver cannot be > trusted implicitly. So exactly because of that the administrator should be given the chance to configure if he trusts the locally running resolver enough to do the DNSSEC validation and consider its result as trustworthy. The library can not know which version of dnsmasq is running on the system. > -- > Petr^2 Spacek > Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com From thozza at redhat.com Fri Jun 13 07:23:16 2014 From: thozza at redhat.com (Tomas Hozza) Date: Fri, 13 Jun 2014 03:23:16 -0400 (EDT) Subject: [Dnssec-trigger] c-ares + DANE In-Reply-To: <1926698659.11112895.1402640688399.JavaMail.zimbra@redhat.com> References: <1402496189.2305.16.camel@dhcp-2-127.brq.redhat.com> <5399902F.4080501@redhat.com> <1402575573.27931.39.camel@dhcp-2-127.brq.redhat.com> <53999D0D.8090805@redhat.com> <1402577035.27931.41.camel@dhcp-2-127.brq.redhat.com> <1402578450.22737.31.camel@willson.usersys.redhat.com> <5399C3ED.3020307@redhat.com> <1926698659.11112895.1402640688399.JavaMail.zimbra@redhat.com> Message-ID: <459398781.11122015.1402644196760.JavaMail.zimbra@redhat.com> Sorry for my email. I sent it to the wrong mailing list. Regards, Tomas From psimerda at redhat.com Wed Jun 18 18:42:05 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Wed, 18 Jun 2014 14:42:05 -0400 (EDT) Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <1449335857.12571371.1403116772138.JavaMail.zimbra@redhat.com> Message-ID: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> Patches for dnssec-trigger-script: - fix bug https://bugzilla.redhat.com/show_bug.cgi?id=1105896 - avoid depedency on pidof - avoid a traceback -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-bug-that-prevents-calling-dnssec-trigger-control.patch Type: text/x-patch Size: 1089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-avoid-dependency-on-pidof.patch Type: text/x-patch Size: 2958 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-handle-missing-resolv.conf-backup-gracefully.patch Type: text/x-patch Size: 1992 bytes Desc: not available URL: From regnauld at nsrc.org Wed Jun 18 20:39:46 2014 From: regnauld at nsrc.org (Phil Regnauld) Date: Wed, 18 Jun 2014 22:39:46 +0200 Subject: [Dnssec-trigger] Timer/timeout for hotspot mode and reprobe Message-ID: <20140618203946.GR96484@macbook.bluepipe.net> Running the latest and greatest version on OX X 10.9 Occasionnally, I have to disable dnssec validation by going into Hotspot Signon mode. But I realized that I hadn't reenabled it in a few weeks ! Question (before I dig into the source): - do I remember wrongly or didn't dnssec-trigger use to attempt to reprobe when changing networks ? - if not, shouldn't it ? - somewhat related, wouldn't it be smart to have some kind of configurable timer (or option when selecting Hotspot Signon), for instance: Remind me in 1 hour / 1 day / Until I say so. Cheers, Phil From paul at nohats.ca Wed Jun 18 20:55:26 2014 From: paul at nohats.ca (Paul Wouters) Date: Wed, 18 Jun 2014 16:55:26 -0400 (EDT) Subject: [Dnssec-trigger] Timer/timeout for hotspot mode and reprobe In-Reply-To: <20140618203946.GR96484@macbook.bluepipe.net> References: <20140618203946.GR96484@macbook.bluepipe.net> Message-ID: On Wed, 18 Jun 2014, Phil Regnauld wrote: > - do I remember wrongly or didn't dnssec-trigger use to attempt to > reprobe when changing networks ? It does, but not if you have manually disabled it. I agree that a network change should reset it. I run into this problem myself too when it is left on, and I bring up my VPN that installs a few forwards into unbound - but unbound is still bypassed by having gotten left in "insecure mode" > - somewhat related, wouldn't it be smart to have some kind of > configurable timer (or option when selecting Hotspot Signon), > for instance: > > Remind me in 1 hour / 1 day / Until I say so. I don't think a timer makes much sense. A network change or network reconnect event should cause a reprobe. Paul From regnauld at nsrc.org Thu Jun 19 09:54:36 2014 From: regnauld at nsrc.org (Phil Regnauld) Date: Thu, 19 Jun 2014 11:54:36 +0200 Subject: [Dnssec-trigger] Timer/timeout for hotspot mode and reprobe In-Reply-To: References: <20140618203946.GR96484@macbook.bluepipe.net> Message-ID: <20140619095436.GK96484@macbook.bluepipe.net> Paul Wouters (paul) writes: > >- do I remember wrongly or didn't dnssec-trigger use to attempt to > > reprobe when changing networks ? > > It does, but not if you have manually disabled it. What's "manually disabled it" ? Hotspot Signon ? Maybe it should remind the user that it will be off even across network changes. > I agree that a network change should reset it. Ok, we're on the same page :) > > Remind me in 1 hour / 1 day / Until I say so. > > I don't think a timer makes much sense. A network change or network > reconnect event should cause a reprobe. I think that's a good compromise. Should I submit a bug report somewhere ? From wouter at nlnetlabs.nl Thu Jun 19 09:58:01 2014 From: wouter at nlnetlabs.nl (W.C.A. Wijngaards) Date: Thu, 19 Jun 2014 11:58:01 +0200 Subject: [Dnssec-trigger] Timer/timeout for hotspot mode and reprobe In-Reply-To: <20140619095436.GK96484@macbook.bluepipe.net> References: <20140618203946.GR96484@macbook.bluepipe.net> <20140619095436.GK96484@macbook.bluepipe.net> Message-ID: <53A2B429.8050005@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, On 06/19/2014 11:54 AM, Phil Regnauld wrote: > Paul Wouters (paul) writes: >>> - do I remember wrongly or didn't dnssec-trigger use to attempt >>> to reprobe when changing networks ? >> >> It does, but not if you have manually disabled it. > > What's "manually disabled it" ? Hotspot Signon ? > > Maybe it should remind the user that it will be off even across > network changes. > >> I agree that a network change should reset it. > > Ok, we're on the same page :) Are you sure? That could get annoying. Network changes happen very often. For example on sleep/lidclose and lid-open. Every DHCP-renewal. Wifi-reassociations. Network changes may happen a lot more often that the user's idea of network-location change. Reset on a network-location change sounds reasonable. I mean, network location like NetworkManager has this defined, i.e. this known network. Best regards, Wouter >>> Remind me in 1 hour / 1 day / Until I say so. >> >> I don't think a timer makes much sense. A network change or >> network reconnect event should cause a reprobe. > > I think that's a good compromise. Should I submit a bug report > somewhere ? > > _______________________________________________ dnssec-trigger > mailing list dnssec-trigger at NLnetLabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTorQpAAoJEJ9vHC1+BF+NaCMP/3OWplpPuGFBy67BS2IuFrbL ar/wFwQrGnXQVvTQA9efAB1I9zaLDp3L/5XZ8BF/i8Zv+IEDGgaJUt/XuC1OMGz3 JEZRxnaizj7PUnCPahkv3CCmucauoK83UFkgMl/ra7ktkK+CdZl80Hh8KK7tnNRU OA04wKXyT42DxpWgoKVD7dTQEYvYaaoBw4+hyZv7phQhqZAbpyKnzdrM0t6MUGKk E+uDIKuC/VK15LzvLxoVUZzsC+gyEAe1WGyHVmSAg+Xfbad7+Jls5ZUUjPZ8B6K2 VY7aDcUf+oyPecRRAhVjgQeLNY70tWUiDspO720n4iq/g58pEN6CxhlxfQPOq52k 1489qEA8YIvjdwfwWDMnaaY30+x+DAXVDxzaF7JwzSqeO+8pqRncwmyDC/7ucPv8 YSi3BZnIup1y2ZhYHr5uka6cVLa2EeC4+Qu13ZJ+6wIFY48g3UgAIzj9VGLn6ZGM 1fk+//wirKOUAP/ee/Wx0JHoZcoFNk4QqMqtwLqnnk2xT5JRbyDsaoSKX+Zq++/b C7PKRa/u+9qQiHTbAerYXvyRvIngsQK/WgHVOI39H52nSHEQuRhqCPQa6f1VCNjg 95YwnLPoJUdElCjZ7M4Flyw45YFLyZCywwp3WIx2g4v+Tjoh/Kkpek6bzVDy6WTv C2iabO7WHe6W5+k6Ivgm =NRr4 -----END PGP SIGNATURE----- From regnauld at nsrc.org Thu Jun 19 11:35:11 2014 From: regnauld at nsrc.org (Phil Regnauld) Date: Thu, 19 Jun 2014 13:35:11 +0200 Subject: [Dnssec-trigger] Timer/timeout for hotspot mode and reprobe In-Reply-To: <53A2B429.8050005@nlnetlabs.nl> References: <20140618203946.GR96484@macbook.bluepipe.net> <20140619095436.GK96484@macbook.bluepipe.net> <53A2B429.8050005@nlnetlabs.nl> Message-ID: <20140619113511.GP96484@macbook.bluepipe.net> W.C.A. Wijngaards (wouter) writes: > >> I agree that a network change should reset it. > > > > Ok, we're on the same page :) > > Are you sure? That could get annoying. Network changes happen very > often. For example on sleep/lidclose and lid-open. Every > DHCP-renewal. Wifi-reassociations. Network changes may happen a lot > more often that the user's idea of network-location change. Thanks for the clarification. > Reset on a network-location change sounds reasonable. Yes, and that's closer to what I was thinking. > I mean, network > location like NetworkManager has this defined, i.e. this known network. That would definitely work. Cheers, Phil From wouter at nlnetlabs.nl Thu Jun 19 11:38:23 2014 From: wouter at nlnetlabs.nl (W.C.A. Wijngaards) Date: Thu, 19 Jun 2014 13:38:23 +0200 Subject: [Dnssec-trigger] Timer/timeout for hotspot mode and reprobe In-Reply-To: <20140619113511.GP96484@macbook.bluepipe.net> References: <20140618203946.GR96484@macbook.bluepipe.net> <20140619095436.GK96484@macbook.bluepipe.net> <53A2B429.8050005@nlnetlabs.nl> <20140619113511.GP96484@macbook.bluepipe.net> Message-ID: <53A2CBAF.5080100@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Phil, On 06/19/2014 01:35 PM, Phil Regnauld wrote: > W.C.A. Wijngaards (wouter) writes: >>>> I agree that a network change should reset it. >>> >>> Ok, we're on the same page :) >> >> Are you sure? That could get annoying. Network changes happen >> very often. For example on sleep/lidclose and lid-open. Every >> DHCP-renewal. Wifi-reassociations. Network changes may happen >> a lot more often that the user's idea of network-location >> change. > > Thanks for the clarification. > >> Reset on a network-location change sounds reasonable. > > Yes, and that's closer to what I was thinking. >> I mean, network location like NetworkManager has this defined, >> i.e. this known network. > > That would definitely work. Yes but I do not know how to implement that. NetworkManager may have such a concept, but dnssec-trigger does not have it. Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTosuvAAoJEJ9vHC1+BF+NibEQAJzHzpHrvu0b+8N5cvCdI58p 6/cbHTu/0grD12DPnDmRP7B3BZDM/UxXoRbj93mj4CXkvQgvDe6OE0Mbj7Ufbdhs PVxSROAlxxB6Tt2OqtP0pC8zuHzjd8oh/I/M2BocEHZ13ES18D2NN06aGK5wDFGu 7Xgkd1xTnWA1Ou7KrtuNJ8pmJeg1ujzSK/M1nPcBvUIfBpArLuESny/exYK74DpU r2FTuIfXRwkpsBImh31T4K1JcWQIZHcCx6/oLf38atAaJHfxRplEnyV+TcjCajjL 1oVnwGEXaZ+CYshsjoWXvgLxw3G0UEGxaYw4ER0i7W6iSJE0lwxpBBKl3Un8SVvY JIVdh32tDNwTloHUPLnpEZ0ws7WLzt8GoZCEmHof38mQ08QUn5512kzXyPfnSlxV XMoFgOw8IVYbKT/ccv3AWDU0EdV4au0M6ynXAIJ8qO2Idbf0zeirnMI9Mg02Zj8w 0ag6g1pY6Fdx9pGBYRMldJPHJ7ct9FozXvmGEU60vikRUH95aP8Wc9KLJ9rbwrXh WPiq+i3cNaNhiuE2k8AOkeWpEo9b3tf/smTAvBBHm1DTIubmDFQNAC8lj8vpRs2Q V2b1iGCQP8LztVYo8wxTXIcrKJ9ypnNNa08+jIXT2pKhensYilC3B/wNp4FaHrkr cDFgSNUxlivuz8ZibrwX =Cp91 -----END PGP SIGNATURE----- From psimerda at redhat.com Thu Jun 19 15:06:38 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Thu, 19 Jun 2014 11:06:38 -0400 (EDT) Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> Message-ID: <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> Two more patches to the bundle (sending all at once). Cheers, Pavel ----- Original Message ----- > From: "Pavel Simerda" > To: dnssec-trigger at NLnetLabs.nl > Sent: Wednesday, June 18, 2014 8:42:05 PM > Subject: [Dnssec-trigger] dnssec-trigger-script patches > > Patches for dnssec-trigger-script: > > - fix bug https://bugzilla.redhat.com/show_bug.cgi?id=1105896 > - avoid depedency on pidof > - avoid a traceback > _______________________________________________ > dnssec-trigger mailing list > dnssec-trigger at NLnetLabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-bug-that-prevents-calling-dnssec-trigger-control.patch Type: text/x-patch Size: 1089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-avoid-dependency-on-pidof.patch Type: text/x-patch Size: 2958 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-handle-missing-resolv.conf-backup-gracefully.patch Type: text/x-patch Size: 1992 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-upgrade-zone-cache-format-at-startup.patch Type: text/x-patch Size: 1521 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0005-always-log-to-stderr.patch Type: text/x-patch Size: 898 bytes Desc: not available URL: From wouter at nlnetlabs.nl Fri Jun 20 13:57:18 2014 From: wouter at nlnetlabs.nl (W.C.A. Wijngaards) Date: Fri, 20 Jun 2014 15:57:18 +0200 Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> Message-ID: <53A43DBE.5060401@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Pavel, Thank you for the patches, included. Best regards, Wouter On 06/19/2014 05:06 PM, Pavel Simerda wrote: > Two more patches to the bundle (sending all at once). > > Cheers, > > Pavel > > ----- Original Message ----- >> From: "Pavel Simerda" To: >> dnssec-trigger at NLnetLabs.nl Sent: Wednesday, June 18, 2014 >> 8:42:05 PM Subject: [Dnssec-trigger] dnssec-trigger-script >> patches >> >> Patches for dnssec-trigger-script: >> >> - fix bug https://bugzilla.redhat.com/show_bug.cgi?id=1105896 - >> avoid depedency on pidof - avoid a traceback >> _______________________________________________ dnssec-trigger >> mailing list dnssec-trigger at NLnetLabs.nl >> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >> >> >> >> _______________________________________________ dnssec-trigger >> mailing list dnssec-trigger at NLnetLabs.nl >> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTpD2+AAoJEJ9vHC1+BF+NbUMP/jEQWJ5JbI1oaRUjUlGHwMlG 5GHnhlGtNoJLwFceQyqnTsw+rR87LBMcDl77EjpNzsDIBc1RHutUL0tI1CDcVYN0 cKK5rO0cO8HuZDq3V7Cbk/wVqmOdKIwOTRPcHQMu4FueHalLEpD3RPXuObfSiZ9o H3doduRMMblmaCDlpoXmWexhoOqLD4bWtAwXqi7LK5RZg4KhizB+H3ztEuCC5wHV 1i6gvlcFPwf/rwiayrYwqryMbTTQDILsmqAZHe78AsSBKJlYl9F0Uu+lMGt8vtyV fJ79t8aI3ol4BBpL+oR9RRY4RmlEPKf9ERU9VYkrLCwI3UcgoEOiw+OfE9ev1dco NkTy4xpuXNBTrhfDRN3miIcfs/ulg8RA+Tf3n0g8F/f9cqb6EHbJeMqUU2jNyUq1 BZnBn8VbVU/jJQbdz6MnVK/lVOSx8Yw9CaJPEi7jT4FQnG4mLvOv4Z1EqiulTHbU q04rGDjbpWTkuI5QcK+pvHQ5NVnjHPyNuTqHfZC2Fiqc60DIhG76eXwViQpWu01t P7Vkj7R7S6TWDB2RCokwMYIm5I48GoT4ekWC5SPILf3ePyF0QRrfkGr+JljJ2d7z yO6IswGHvq5ShcR5KxsG9DKbyI1Vni+x//0aXYf5zExYMxvwDBLaK+qhRJFQ1qF0 3FL11lp8Nr04WE1KBRCa =XRiN -----END PGP SIGNATURE----- From psimerda at redhat.com Fri Jun 20 14:44:56 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Fri, 20 Jun 2014 10:44:56 -0400 (EDT) Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <53A43DBE.5060401@nlnetlabs.nl> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> <53A43DBE.5060401@nlnetlabs.nl> Message-ID: <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> Hi Wouter, sending a fixup for a bug introduced in the previous patches. Pavel ----- Original Message ----- > From: "W.C.A. Wijngaards" > To: dnssec-trigger at NLnetLabs.nl > Sent: Friday, June 20, 2014 3:57:18 PM > Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi Pavel, > > Thank you for the patches, included. > > Best regards, Wouter > > On 06/19/2014 05:06 PM, Pavel Simerda wrote: > > Two more patches to the bundle (sending all at once). > > > > Cheers, > > > > Pavel > > > > ----- Original Message ----- > >> From: "Pavel Simerda" To: > >> dnssec-trigger at NLnetLabs.nl Sent: Wednesday, June 18, 2014 > >> 8:42:05 PM Subject: [Dnssec-trigger] dnssec-trigger-script > >> patches > >> > >> Patches for dnssec-trigger-script: > >> > >> - fix bug https://bugzilla.redhat.com/show_bug.cgi?id=1105896 - > >> avoid depedency on pidof - avoid a traceback > >> _______________________________________________ dnssec-trigger > >> mailing list dnssec-trigger at NLnetLabs.nl > >> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >> > >> > >> > >> _______________________________________________ dnssec-trigger > >> mailing list dnssec-trigger at NLnetLabs.nl > >> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBAgAGBQJTpD2+AAoJEJ9vHC1+BF+NbUMP/jEQWJ5JbI1oaRUjUlGHwMlG > 5GHnhlGtNoJLwFceQyqnTsw+rR87LBMcDl77EjpNzsDIBc1RHutUL0tI1CDcVYN0 > cKK5rO0cO8HuZDq3V7Cbk/wVqmOdKIwOTRPcHQMu4FueHalLEpD3RPXuObfSiZ9o > H3doduRMMblmaCDlpoXmWexhoOqLD4bWtAwXqi7LK5RZg4KhizB+H3ztEuCC5wHV > 1i6gvlcFPwf/rwiayrYwqryMbTTQDILsmqAZHe78AsSBKJlYl9F0Uu+lMGt8vtyV > fJ79t8aI3ol4BBpL+oR9RRY4RmlEPKf9ERU9VYkrLCwI3UcgoEOiw+OfE9ev1dco > NkTy4xpuXNBTrhfDRN3miIcfs/ulg8RA+Tf3n0g8F/f9cqb6EHbJeMqUU2jNyUq1 > BZnBn8VbVU/jJQbdz6MnVK/lVOSx8Yw9CaJPEi7jT4FQnG4mLvOv4Z1EqiulTHbU > q04rGDjbpWTkuI5QcK+pvHQ5NVnjHPyNuTqHfZC2Fiqc60DIhG76eXwViQpWu01t > P7Vkj7R7S6TWDB2RCokwMYIm5I48GoT4ekWC5SPILf3ePyF0QRrfkGr+JljJ2d7z > yO6IswGHvq5ShcR5KxsG9DKbyI1Vni+x//0aXYf5zExYMxvwDBLaK+qhRJFQ1qF0 > 3FL11lp8Nr04WE1KBRCa > =XRiN > -----END PGP SIGNATURE----- > _______________________________________________ > dnssec-trigger mailing list > dnssec-trigger at NLnetLabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0006-fix-for-python2.patch Type: text/x-patch Size: 785 bytes Desc: not available URL: From wouter at nlnetlabs.nl Mon Jun 23 06:58:39 2014 From: wouter at nlnetlabs.nl (W.C.A. Wijngaards) Date: Mon, 23 Jun 2014 08:58:39 +0200 Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> <53A43DBE.5060401@nlnetlabs.nl> <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> Message-ID: <53A7D01F.3010002@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Pavel, Got it too. Best regards, Wouter On 06/20/2014 04:44 PM, Pavel Simerda wrote: > Hi Wouter, > > sending a fixup for a bug introduced in the previous patches. > > Pavel > > ----- Original Message ----- >> From: "W.C.A. Wijngaards" To: >> dnssec-trigger at NLnetLabs.nl Sent: Friday, June 20, 2014 3:57:18 >> PM Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches >> > Hi Pavel, > > Thank you for the patches, included. > > Best regards, Wouter > > On 06/19/2014 05:06 PM, Pavel Simerda wrote: >>>> Two more patches to the bundle (sending all at once). >>>> >>>> Cheers, >>>> >>>> Pavel >>>> >>>> ----- Original Message ----- >>>>> From: "Pavel Simerda" To: >>>>> dnssec-trigger at NLnetLabs.nl Sent: Wednesday, June 18, 2014 >>>>> 8:42:05 PM Subject: [Dnssec-trigger] dnssec-trigger-script >>>>> patches >>>>> >>>>> Patches for dnssec-trigger-script: >>>>> >>>>> - fix bug >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1105896 - avoid >>>>> depedency on pidof - avoid a traceback >>>>> _______________________________________________ >>>>> dnssec-trigger mailing list dnssec-trigger at NLnetLabs.nl >>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> dnssec-trigger mailing list dnssec-trigger at NLnetLabs.nl >>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >> _______________________________________________ dnssec-trigger >> mailing list dnssec-trigger at NLnetLabs.nl >> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTp9AfAAoJEJ9vHC1+BF+NqyEP/jFfiOYrJ71lDiMu9gqNGs0Y OBwHKE27ck6L8rQEsQqr8U9y8ToVaApnUi06iRs7oxDZkQDbxgLRQgTF0uaUxZbq vDsLY3BnXE6Yx221vaQigI7aZIbPBcElQdDoiIJ2nxUGEmIfjUbbyjJZh38b+Xmb GY1nfJQx4PmgbC1Oub54dH+9gps3sBsrkplWKlJCmJ58CoK/SvJmKXDbzzFo3ehr kH88qIyEni6mNik+BFaqvGGqK1dqJ0SB14/LEeBUquaw3L5nYojk/nDigxXaWyQv YbTlp61rkkAihdKcNnqXviDkf8l0HaGV/x+kwn+ix+KhBQG/ViaL1skBUaskdes8 dR1IOEf4m0jsQLadt4DFHL2GjSy2WkxVQfYOM2u0dg1JzVuWs7I1ucoUVVtimBXm MxrVekGb+lGBPnsuEl6LCgXlANoGSElTqxaPfyIrpfW7i5lIryn69DA7R0CTH4sP HJWg5wG5fO52gQYBREgyGLUNQaD7L9ehLpRpAaaubJkS4CVQZSEWqhtSxVIeYIe1 rquyK6cZIhSeQQWxOCKKkPYOFxITcfXPvKBZOZtJ+ukYN0LvumEZjEFVvJlpRXIT 8Kle9JibEwYEDCzK1ui4CxOUnYBDlaAhv3gZOYtVZJeOIOXlIYMqkY3JJfO4w9Eu vWvFlo//q4LexFz1x8HN =XMU5 -----END PGP SIGNATURE----- From psimerda at redhat.com Mon Jun 23 12:19:10 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Mon, 23 Jun 2014 08:19:10 -0400 (EDT) Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <53A7D01F.3010002@nlnetlabs.nl> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> <53A43DBE.5060401@nlnetlabs.nl> <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> <53A7D01F.3010002@nlnetlabs.nl> Message-ID: <1158025864.13381693.1403525950265.JavaMail.zimbra@redhat.com> Thanks, two more fixups here, hopefully we're heading towards a stable state. Pavel ----- Original Message ----- > From: "W.C.A. Wijngaards" > To: "Pavel Simerda" > Cc: dnssec-trigger at nlnetlabs.nl > Sent: Monday, June 23, 2014 8:58:39 AM > Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi Pavel, > > Got it too. > > Best regards, Wouter > > On 06/20/2014 04:44 PM, Pavel Simerda wrote: > > Hi Wouter, > > > > sending a fixup for a bug introduced in the previous patches. > > > > Pavel > > > > ----- Original Message ----- > >> From: "W.C.A. Wijngaards" To: > >> dnssec-trigger at NLnetLabs.nl Sent: Friday, June 20, 2014 3:57:18 > >> PM Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches > >> > > Hi Pavel, > > > > Thank you for the patches, included. > > > > Best regards, Wouter > > > > On 06/19/2014 05:06 PM, Pavel Simerda wrote: > >>>> Two more patches to the bundle (sending all at once). > >>>> > >>>> Cheers, > >>>> > >>>> Pavel > >>>> > >>>> ----- Original Message ----- > >>>>> From: "Pavel Simerda" To: > >>>>> dnssec-trigger at NLnetLabs.nl Sent: Wednesday, June 18, 2014 > >>>>> 8:42:05 PM Subject: [Dnssec-trigger] dnssec-trigger-script > >>>>> patches > >>>>> > >>>>> Patches for dnssec-trigger-script: > >>>>> > >>>>> - fix bug > >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1105896 - avoid > >>>>> depedency on pidof - avoid a traceback > >>>>> _______________________________________________ > >>>>> dnssec-trigger mailing list dnssec-trigger at NLnetLabs.nl > >>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >>>>> > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> dnssec-trigger mailing list dnssec-trigger at NLnetLabs.nl > >>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > > > >> _______________________________________________ dnssec-trigger > >> mailing list dnssec-trigger at NLnetLabs.nl > >> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBAgAGBQJTp9AfAAoJEJ9vHC1+BF+NqyEP/jFfiOYrJ71lDiMu9gqNGs0Y > OBwHKE27ck6L8rQEsQqr8U9y8ToVaApnUi06iRs7oxDZkQDbxgLRQgTF0uaUxZbq > vDsLY3BnXE6Yx221vaQigI7aZIbPBcElQdDoiIJ2nxUGEmIfjUbbyjJZh38b+Xmb > GY1nfJQx4PmgbC1Oub54dH+9gps3sBsrkplWKlJCmJ58CoK/SvJmKXDbzzFo3ehr > kH88qIyEni6mNik+BFaqvGGqK1dqJ0SB14/LEeBUquaw3L5nYojk/nDigxXaWyQv > YbTlp61rkkAihdKcNnqXviDkf8l0HaGV/x+kwn+ix+KhBQG/ViaL1skBUaskdes8 > dR1IOEf4m0jsQLadt4DFHL2GjSy2WkxVQfYOM2u0dg1JzVuWs7I1ucoUVVtimBXm > MxrVekGb+lGBPnsuEl6LCgXlANoGSElTqxaPfyIrpfW7i5lIryn69DA7R0CTH4sP > HJWg5wG5fO52gQYBREgyGLUNQaD7L9ehLpRpAaaubJkS4CVQZSEWqhtSxVIeYIe1 > rquyK6cZIhSeQQWxOCKKkPYOFxITcfXPvKBZOZtJ+ukYN0LvumEZjEFVvJlpRXIT > 8Kle9JibEwYEDCzK1ui4CxOUnYBDlaAhv3gZOYtVZJeOIOXlIYMqkY3JJfO4w9Eu > vWvFlo//q4LexFz1x8HN > =XMU5 > -----END PGP SIGNATURE----- > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-a-race-condition-with-NetworkManager-restart.patch Type: text/x-patch Size: 783 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-don-t-fail-on-empty-connection-list.patch Type: text/x-patch Size: 1238 bytes Desc: not available URL: From wouter at nlnetlabs.nl Mon Jun 23 12:22:09 2014 From: wouter at nlnetlabs.nl (W.C.A. Wijngaards) Date: Mon, 23 Jun 2014 14:22:09 +0200 Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <1158025864.13381693.1403525950265.JavaMail.zimbra@redhat.com> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> <53A43DBE.5060401@nlnetlabs.nl> <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> <53A7D01F.3010002@nlnetlabs.nl> <1158025864.13381693.1403525950265.JavaMail.zimbra@redhat.com> Message-ID: <53A81BF1.5020005@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Pavel, Okay, we'll get there. Committed. Best regards, Wouter On 06/23/2014 02:19 PM, Pavel Simerda wrote: > Thanks, > > two more fixups here, hopefully we're heading towards a stable > state. > > Pavel > > ----- Original Message ----- >> From: "W.C.A. Wijngaards" To: "Pavel >> Simerda" Cc: dnssec-trigger at nlnetlabs.nl >> Sent: Monday, June 23, 2014 8:58:39 AM Subject: Re: >> [Dnssec-trigger] dnssec-trigger-script patches >> > Hi Pavel, > > Got it too. > > Best regards, Wouter > > On 06/20/2014 04:44 PM, Pavel Simerda wrote: >>>> Hi Wouter, >>>> >>>> sending a fixup for a bug introduced in the previous >>>> patches. >>>> >>>> Pavel >>>> >>>> ----- Original Message ----- >>>>> From: "W.C.A. Wijngaards" To: >>>>> dnssec-trigger at NLnetLabs.nl Sent: Friday, June 20, 2014 >>>>> 3:57:18 PM Subject: Re: [Dnssec-trigger] >>>>> dnssec-trigger-script patches >>>>> >>>> Hi Pavel, >>>> >>>> Thank you for the patches, included. >>>> >>>> Best regards, Wouter >>>> >>>> On 06/19/2014 05:06 PM, Pavel Simerda wrote: >>>>>>> Two more patches to the bundle (sending all at once). >>>>>>> >>>>>>> Cheers, >>>>>>> >>>>>>> Pavel >>>>>>> >>>>>>> ----- Original Message ----- >>>>>>>> From: "Pavel Simerda" To: >>>>>>>> dnssec-trigger at NLnetLabs.nl Sent: Wednesday, June 18, >>>>>>>> 2014 8:42:05 PM Subject: [Dnssec-trigger] >>>>>>>> dnssec-trigger-script patches >>>>>>>> >>>>>>>> Patches for dnssec-trigger-script: >>>>>>>> >>>>>>>> - fix bug >>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1105896 - >>>>>>>> avoid depedency on pidof - avoid a traceback >>>>>>>> _______________________________________________ >>>>>>>> dnssec-trigger mailing list >>>>>>>> dnssec-trigger at NLnetLabs.nl >>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> dnssec-trigger mailing list >>>>>>>> dnssec-trigger at NLnetLabs.nl >>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >>>> >>>>> >>>>>>>> _______________________________________________ dnssec-trigger >>>>> mailing list dnssec-trigger at NLnetLabs.nl >>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >>>>> > >> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTqBvxAAoJEJ9vHC1+BF+Ni7UP/R7rWVkldk5UUtLlgE+iatQi mQuvg8z15LZz/8LBg8H7FWaD4/QFd7g7InOuZFJLJ3ib6RpAfoJQSrSA4v9RINth UHu7N5Ii0vdKGi2P/tQs3eepOQkU9KQ0NZWRL161JBpt7adWpZdmV1WdrIq3waET Y81xHDM8Hj9knmeqbrA6rhuF+rRC5HdAGJOyzj0vTphhT9m63C/f3NPymLAuJ0xl v4oIsKKHabTGHCX5uq+8qmFXGEncAIbORGvXrL5FPVL0YMPmvjxb92GGjQF0Arz1 JnRUMVk449VIFUeNoG6uq9pdrCY3FNp9XO095graVEzK9LMYzUkmeXVZrtwWXs7E 6Hu381dnO3IIOtA4nbwkEI1cXaleRixAD88u48zpFMxF+JyyXH8UuNYMzJ1qtWUw rDTfw2Onp/J9Wxzui8NWJyKhqORJsJLHN4AtRpxoa61enw3Sx6Losb+f+17K9B9p MiGeh8L0zDxjoo1wB1U74Ky9gQrodFI7A8taQmGcuJCCXC0USyNQxu8FWGSh0QNV YDgUoS5NPqadwtga8AtCbtvdbLaHcxX1A3UyqZvOafjepdkB5kS8idszqfSRFYzn iFWFeCdx4taz3kgHN4sBXE2QP2pyHDeTDpNKXLSBckEZglcAa7RhOwTd6n5ZMPEQ 4xRgHWXsnk2tGEXiG5TC =sBJk -----END PGP SIGNATURE----- From psimerda at redhat.com Mon Jun 23 14:09:51 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Mon, 23 Jun 2014 10:09:51 -0400 (EDT) Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <53A81BF1.5020005@nlnetlabs.nl> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> <53A43DBE.5060401@nlnetlabs.nl> <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> <53A7D01F.3010002@nlnetlabs.nl> <1158025864.13381693.1403525950265.JavaMail.zimbra@redhat.com> <53A81BF1.5020005@nlnetlabs.nl> Message-ID: <1562887291.13422360.1403532591396.JavaMail.zimbra@redhat.com> Another two patches. Cheers, Pavel ----- Original Message ----- > From: "W.C.A. Wijngaards" > To: "Pavel Simerda" > Cc: dnssec-trigger at nlnetlabs.nl > Sent: Monday, June 23, 2014 2:22:09 PM > Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi Pavel, > > Okay, we'll get there. Committed. > > Best regards, Wouter > > On 06/23/2014 02:19 PM, Pavel Simerda wrote: > > Thanks, > > > > two more fixups here, hopefully we're heading towards a stable > > state. > > > > Pavel > > > > ----- Original Message ----- > >> From: "W.C.A. Wijngaards" To: "Pavel > >> Simerda" Cc: dnssec-trigger at nlnetlabs.nl > >> Sent: Monday, June 23, 2014 8:58:39 AM Subject: Re: > >> [Dnssec-trigger] dnssec-trigger-script patches > >> > > Hi Pavel, > > > > Got it too. > > > > Best regards, Wouter > > > > On 06/20/2014 04:44 PM, Pavel Simerda wrote: > >>>> Hi Wouter, > >>>> > >>>> sending a fixup for a bug introduced in the previous > >>>> patches. > >>>> > >>>> Pavel > >>>> > >>>> ----- Original Message ----- > >>>>> From: "W.C.A. Wijngaards" To: > >>>>> dnssec-trigger at NLnetLabs.nl Sent: Friday, June 20, 2014 > >>>>> 3:57:18 PM Subject: Re: [Dnssec-trigger] > >>>>> dnssec-trigger-script patches > >>>>> > >>>> Hi Pavel, > >>>> > >>>> Thank you for the patches, included. > >>>> > >>>> Best regards, Wouter > >>>> > >>>> On 06/19/2014 05:06 PM, Pavel Simerda wrote: > >>>>>>> Two more patches to the bundle (sending all at once). > >>>>>>> > >>>>>>> Cheers, > >>>>>>> > >>>>>>> Pavel > >>>>>>> > >>>>>>> ----- Original Message ----- > >>>>>>>> From: "Pavel Simerda" To: > >>>>>>>> dnssec-trigger at NLnetLabs.nl Sent: Wednesday, June 18, > >>>>>>>> 2014 8:42:05 PM Subject: [Dnssec-trigger] > >>>>>>>> dnssec-trigger-script patches > >>>>>>>> > >>>>>>>> Patches for dnssec-trigger-script: > >>>>>>>> > >>>>>>>> - fix bug > >>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1105896 - > >>>>>>>> avoid depedency on pidof - avoid a traceback > >>>>>>>> _______________________________________________ > >>>>>>>> dnssec-trigger mailing list > >>>>>>>> dnssec-trigger at NLnetLabs.nl > >>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > _______________________________________________ > >>>>>>>> dnssec-trigger mailing list > >>>>>>>> dnssec-trigger at NLnetLabs.nl > >>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >>>> > >>>>> > >>>>>>>> > _______________________________________________ dnssec-trigger > >>>>> mailing list dnssec-trigger at NLnetLabs.nl > >>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >>>>> > > > >> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBAgAGBQJTqBvxAAoJEJ9vHC1+BF+Ni7UP/R7rWVkldk5UUtLlgE+iatQi > mQuvg8z15LZz/8LBg8H7FWaD4/QFd7g7InOuZFJLJ3ib6RpAfoJQSrSA4v9RINth > UHu7N5Ii0vdKGi2P/tQs3eepOQkU9KQ0NZWRL161JBpt7adWpZdmV1WdrIq3waET > Y81xHDM8Hj9knmeqbrA6rhuF+rRC5HdAGJOyzj0vTphhT9m63C/f3NPymLAuJ0xl > v4oIsKKHabTGHCX5uq+8qmFXGEncAIbORGvXrL5FPVL0YMPmvjxb92GGjQF0Arz1 > JnRUMVk449VIFUeNoG6uq9pdrCY3FNp9XO095graVEzK9LMYzUkmeXVZrtwWXs7E > 6Hu381dnO3IIOtA4nbwkEI1cXaleRixAD88u48zpFMxF+JyyXH8UuNYMzJ1qtWUw > rDTfw2Onp/J9Wxzui8NWJyKhqORJsJLHN4AtRpxoa61enw3Sx6Losb+f+17K9B9p > MiGeh8L0zDxjoo1wB1U74Ky9gQrodFI7A8taQmGcuJCCXC0USyNQxu8FWGSh0QNV > YDgUoS5NPqadwtga8AtCbtvdbLaHcxX1A3UyqZvOafjepdkB5kS8idszqfSRFYzn > iFWFeCdx4taz3kgHN4sBXE2QP2pyHDeTDpNKXLSBckEZglcAa7RhOwTd6n5ZMPEQ > 4xRgHWXsnk2tGEXiG5TC > =sBJk > -----END PGP SIGNATURE----- > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-move-legacy-connection-handling-to-the-cleanup-phase.patch Type: text/x-patch Size: 2467 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-don-t-block-on-systemctl-restart-NetworkManager.patch Type: text/x-patch Size: 1071 bytes Desc: not available URL: From wouter at nlnetlabs.nl Mon Jun 23 14:16:05 2014 From: wouter at nlnetlabs.nl (W.C.A. Wijngaards) Date: Mon, 23 Jun 2014 16:16:05 +0200 Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <1562887291.13422360.1403532591396.JavaMail.zimbra@redhat.com> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <416934838.12881602.1403190398349.JavaMail.zimbra@redhat.com> <53A43DBE.5060401@nlnetlabs.nl> <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> <53A7D01F.3010002@nlnetlabs.nl> <1158025864.13381693.1403525950265.JavaMail.zimbra@redhat.com> <53A81BF1.5020005@nlnetlabs.nl> <1562887291.13422360.1403532591396.JavaMail.zimbra@redhat.com> Message-ID: <53A836A5.8070608@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Pavel, Committed. I note from __future_ import statement that was just added a patch or two ago has been removed in these patches, I hope it doesn't undo the python2 compatibility patch. Best regards, Wouter On 06/23/2014 04:09 PM, Pavel Simerda wrote: > Another two patches. > > Cheers, > > Pavel > > ----- Original Message ----- >> From: "W.C.A. Wijngaards" To: "Pavel >> Simerda" Cc: dnssec-trigger at nlnetlabs.nl >> Sent: Monday, June 23, 2014 2:22:09 PM Subject: Re: >> [Dnssec-trigger] dnssec-trigger-script patches >> > Hi Pavel, > > Okay, we'll get there. Committed. > > Best regards, Wouter > > On 06/23/2014 02:19 PM, Pavel Simerda wrote: >>>> Thanks, >>>> >>>> two more fixups here, hopefully we're heading towards a >>>> stable state. >>>> >>>> Pavel >>>> >>>> ----- Original Message ----- >>>>> From: "W.C.A. Wijngaards" To: "Pavel >>>>> Simerda" Cc: >>>>> dnssec-trigger at nlnetlabs.nl Sent: Monday, June 23, 2014 >>>>> 8:58:39 AM Subject: Re: [Dnssec-trigger] >>>>> dnssec-trigger-script patches >>>>> >>>> Hi Pavel, >>>> >>>> Got it too. >>>> >>>> Best regards, Wouter >>>> >>>> On 06/20/2014 04:44 PM, Pavel Simerda wrote: >>>>>>> Hi Wouter, >>>>>>> >>>>>>> sending a fixup for a bug introduced in the previous >>>>>>> patches. >>>>>>> >>>>>>> Pavel >>>>>>> >>>>>>> ----- Original Message ----- >>>>>>>> From: "W.C.A. Wijngaards" To: >>>>>>>> dnssec-trigger at NLnetLabs.nl Sent: Friday, June 20, >>>>>>>> 2014 3:57:18 PM Subject: Re: [Dnssec-trigger] >>>>>>>> dnssec-trigger-script patches >>>>>>>> >>>>>>> Hi Pavel, >>>>>>> >>>>>>> Thank you for the patches, included. >>>>>>> >>>>>>> Best regards, Wouter >>>>>>> >>>>>>> On 06/19/2014 05:06 PM, Pavel Simerda wrote: >>>>>>>>>> Two more patches to the bundle (sending all at >>>>>>>>>> once). >>>>>>>>>> >>>>>>>>>> Cheers, >>>>>>>>>> >>>>>>>>>> Pavel >>>>>>>>>> >>>>>>>>>> ----- Original Message ----- >>>>>>>>>>> From: "Pavel Simerda" >>>>>>>>>>> To: dnssec-trigger at NLnetLabs.nl Sent: >>>>>>>>>>> Wednesday, June 18, 2014 8:42:05 PM Subject: >>>>>>>>>>> [Dnssec-trigger] dnssec-trigger-script patches >>>>>>>>>>> >>>>>>>>>>> Patches for dnssec-trigger-script: >>>>>>>>>>> >>>>>>>>>>> - fix bug >>>>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1105896 >>>>>>>>>>> - avoid depedency on pidof - avoid a traceback >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> >>>>>>>>>>> dnssec-trigger mailing list >>>>>>>>>>> dnssec-trigger at NLnetLabs.nl >>>>>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> > >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> dnssec-trigger mailing list >>>>>>>>>>> dnssec-trigger at NLnetLabs.nl >>>>>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >>>>>>> >>>>>>>> >>>>>>>>>>> > >>>>>>>>>>> _______________________________________________ dnssec-trigger >>>>>>>> mailing list dnssec-trigger at NLnetLabs.nl >>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger >>>>>>>> >>>> >>>>> > >>>>>>>> >> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTqDalAAoJEJ9vHC1+BF+N1fQQAKZFVRmrQyAuo1fCsEOFKrPY UCdMe8SwbDGIM3wmIzTnRWSG98eqJdLgnuVY+FPlrsz5qevVBPNjUQgZ4HkvF1kk 5a5FShXCDY78BnXrHTOKNFKo39br94d28k2kLeD87HbUgBCm+lDt3BKL8QfpKLbF bxk1HBSnU6/ytIUjbZQQwLWUWDPmB6d9rX2AH4UEoVYL5PRE1jtmvVY+uOGbr/kT xWHy78eTYKhjiafQBBfq2I+AXR3feYQobYPhH+Q8hKH7VQd/EUevIFPEijhFoG7B eNGu7IURgHd8IuOXqpet/p/3PJK5YuEJodI/c4HaaK7e5nBvihUQfbfrpQDsd8DN B/3gT/aK+1lYMN4xf2KT2ht1qh0Hd1IXS2B1LxDuauXZF9lh1DLmTINrlTTYrvPM nL/svfsM8voqhiBGnJCiCwbkuIyiA2brYcQn1JqTv2cmhg5MIuyRF0UkhC0L3968 j+3bjgKBDGSeIDAa+3bFFWqBpoHI61aEvzB9kWoWXAtJBm/iGBitoCA2vFZK0IvN L3Y3I9ecEMwHNqBvBBTuqOml/2Fwj36zf9WC5LYHQbI72SuZgHrXIOQaNRHgsPqf zNBsFZAvblQiDJTP6aNRN5EcET9NbJo8ODQj2SEbcFKNe3yAyiylpd7zxGZUy0Er CYllKUmtar/L6K2QT1TB =mxXD -----END PGP SIGNATURE----- From psimerda at redhat.com Mon Jun 23 14:22:20 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Mon, 23 Jun 2014 10:22:20 -0400 (EDT) Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <53A836A5.8070608@nlnetlabs.nl> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <53A43DBE.5060401@nlnetlabs.nl> <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> <53A7D01F.3010002@nlnetlabs.nl> <1158025864.13381693.1403525950265.JavaMail.zimbra@redhat.com> <53A81BF1.5020005@nlnetlabs.nl> <1562887291.13422360.1403532591396.JavaMail.zimbra@redhat.com> <53A836A5.8070608@nlnetlabs.nl> Message-ID: <599502611.13426283.1403533340128.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "W.C.A. Wijngaards" > To: "Pavel Simerda" > Cc: dnssec-trigger at nlnetlabs.nl > Sent: Monday, June 23, 2014 4:16:05 PM > Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi Pavel, > > Committed. I note from __future_ import statement that was just added > a patch or two ago has been removed in these patches, I hope it > doesn't undo the python2 compatibility patch. That is because also the print statement was removed and I don't expect to add any other. Thanks > Best regards, > Wouter > > On 06/23/2014 04:09 PM, Pavel Simerda wrote: > > Another two patches. > > > > Cheers, > > > > Pavel > > > > ----- Original Message ----- > >> From: "W.C.A. Wijngaards" To: "Pavel > >> Simerda" Cc: dnssec-trigger at nlnetlabs.nl > >> Sent: Monday, June 23, 2014 2:22:09 PM Subject: Re: > >> [Dnssec-trigger] dnssec-trigger-script patches > >> > > Hi Pavel, > > > > Okay, we'll get there. Committed. > > > > Best regards, Wouter > > > > On 06/23/2014 02:19 PM, Pavel Simerda wrote: > >>>> Thanks, > >>>> > >>>> two more fixups here, hopefully we're heading towards a > >>>> stable state. > >>>> > >>>> Pavel > >>>> > >>>> ----- Original Message ----- > >>>>> From: "W.C.A. Wijngaards" To: "Pavel > >>>>> Simerda" Cc: > >>>>> dnssec-trigger at nlnetlabs.nl Sent: Monday, June 23, 2014 > >>>>> 8:58:39 AM Subject: Re: [Dnssec-trigger] > >>>>> dnssec-trigger-script patches > >>>>> > >>>> Hi Pavel, > >>>> > >>>> Got it too. > >>>> > >>>> Best regards, Wouter > >>>> > >>>> On 06/20/2014 04:44 PM, Pavel Simerda wrote: > >>>>>>> Hi Wouter, > >>>>>>> > >>>>>>> sending a fixup for a bug introduced in the previous > >>>>>>> patches. > >>>>>>> > >>>>>>> Pavel > >>>>>>> > >>>>>>> ----- Original Message ----- > >>>>>>>> From: "W.C.A. Wijngaards" To: > >>>>>>>> dnssec-trigger at NLnetLabs.nl Sent: Friday, June 20, > >>>>>>>> 2014 3:57:18 PM Subject: Re: [Dnssec-trigger] > >>>>>>>> dnssec-trigger-script patches > >>>>>>>> > >>>>>>> Hi Pavel, > >>>>>>> > >>>>>>> Thank you for the patches, included. > >>>>>>> > >>>>>>> Best regards, Wouter > >>>>>>> > >>>>>>> On 06/19/2014 05:06 PM, Pavel Simerda wrote: > >>>>>>>>>> Two more patches to the bundle (sending all at > >>>>>>>>>> once). > >>>>>>>>>> > >>>>>>>>>> Cheers, > >>>>>>>>>> > >>>>>>>>>> Pavel > >>>>>>>>>> > >>>>>>>>>> ----- Original Message ----- > >>>>>>>>>>> From: "Pavel Simerda" > >>>>>>>>>>> To: dnssec-trigger at NLnetLabs.nl Sent: > >>>>>>>>>>> Wednesday, June 18, 2014 8:42:05 PM Subject: > >>>>>>>>>>> [Dnssec-trigger] dnssec-trigger-script patches > >>>>>>>>>>> > >>>>>>>>>>> Patches for dnssec-trigger-script: > >>>>>>>>>>> > >>>>>>>>>>> - fix bug > >>>>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1105896 > >>>>>>>>>>> - avoid depedency on pidof - avoid a traceback > >>>>>>>>>>> _______________________________________________ > >>>>>>>>>>> > >>>>>>>>>>> > dnssec-trigger mailing list > >>>>>>>>>>> dnssec-trigger at NLnetLabs.nl > >>>>>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > > > >>>>>>>>>>> > _______________________________________________ > >>>>>>>>>>> dnssec-trigger mailing list > >>>>>>>>>>> dnssec-trigger at NLnetLabs.nl > >>>>>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >>>>>>> > >>>>>>>> > >>>>>>>>>>> > > > >>>>>>>>>>> > _______________________________________________ dnssec-trigger > >>>>>>>> mailing list dnssec-trigger at NLnetLabs.nl > >>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger > >>>>>>>> > >>>> > >>>>> > > > >>>>>>>> > >> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBAgAGBQJTqDalAAoJEJ9vHC1+BF+N1fQQAKZFVRmrQyAuo1fCsEOFKrPY > UCdMe8SwbDGIM3wmIzTnRWSG98eqJdLgnuVY+FPlrsz5qevVBPNjUQgZ4HkvF1kk > 5a5FShXCDY78BnXrHTOKNFKo39br94d28k2kLeD87HbUgBCm+lDt3BKL8QfpKLbF > bxk1HBSnU6/ytIUjbZQQwLWUWDPmB6d9rX2AH4UEoVYL5PRE1jtmvVY+uOGbr/kT > xWHy78eTYKhjiafQBBfq2I+AXR3feYQobYPhH+Q8hKH7VQd/EUevIFPEijhFoG7B > eNGu7IURgHd8IuOXqpet/p/3PJK5YuEJodI/c4HaaK7e5nBvihUQfbfrpQDsd8DN > B/3gT/aK+1lYMN4xf2KT2ht1qh0Hd1IXS2B1LxDuauXZF9lh1DLmTINrlTTYrvPM > nL/svfsM8voqhiBGnJCiCwbkuIyiA2brYcQn1JqTv2cmhg5MIuyRF0UkhC0L3968 > j+3bjgKBDGSeIDAa+3bFFWqBpoHI61aEvzB9kWoWXAtJBm/iGBitoCA2vFZK0IvN > L3Y3I9ecEMwHNqBvBBTuqOml/2Fwj36zf9WC5LYHQbI72SuZgHrXIOQaNRHgsPqf > zNBsFZAvblQiDJTP6aNRN5EcET9NbJo8ODQj2SEbcFKNe3yAyiylpd7zxGZUy0Er > CYllKUmtar/L6K2QT1TB > =mxXD > -----END PGP SIGNATURE----- > From psimerda at redhat.com Mon Jun 23 15:01:06 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Mon, 23 Jun 2014 11:01:06 -0400 (EDT) Subject: [Dnssec-trigger] status of dnssec-trigger and NetworkManager in upstream and Fedora In-Reply-To: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> Message-ID: <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> Hi, a number of patches have been accepted to dnssec-trigger upstream to support seamless integration with NetworkManager. We're not done yet and but at least we have something to test. The target release is Fedora 22: https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver I'm using Fedora rawhide for testing, always using the latest f21 koji build: http://koji.fedoraproject.org/koji/packageinfo?packageID=13240 We hope to release an update for Fedora 20 as soon as possible. Upstream SVN trunk can be used for testing as well ? I'm using it on Gentoo using a live ebuild: https://github.com/okias/ixit/blob/master/net-misc/dnssec-trigger/dnssec-trigger-9999.ebuild During the testing I found out that the fallback mechanisms don't work for me at all. This is covered by the following Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1109292 Another issue is that full recursion is treated as a fallback that always works and the user doesn't get the chance to use a non-DNSSEC configuration as he doesn't even know why DNS resolution fails: https://bugzilla.redhat.com/show_bug.cgi?id=1112310 While there are other issues to be considered, the former issue linked here seems to spoil the whole user experience of dnssec-trigger. I don't currently have any more information to identify the version where the issue appeared. I'm just notifying you that about its existence for now. Cheers, Pavel From pjp at fedoraproject.org Tue Jun 24 06:11:02 2014 From: pjp at fedoraproject.org (P J P) Date: Tue, 24 Jun 2014 14:11:02 +0800 Subject: [Dnssec-trigger] status of dnssec-trigger and NetworkManager in upstream and Fedora In-Reply-To: <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> References: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> Message-ID: <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> ? ?Hello Pavel, Thank you so much for the update! :) > On Tuesday, 24 June 2014 1:19 AM, Pavel Simerda wrote: > I'm using Fedora rawhide for testing, always using the latest f21 koji? > build: >? > http://koji.fedoraproject.org/koji/packageinfo?packageID=13240 >? > We hope to release an update for Fedora 20 as soon as possible. I did some testing of the previous -5 build, on a local F20 machine. While it could resolve the public domains over ethernet, internal domains were still amiss. ? ? ? $?unbound-control list_forwards did not show any output.? ?-> http://fpaste.org/112146/03519995/ And over wi-fi, even internet domains could not be resolved. I'll continue testing with the latest build above. Thank you. --- Regards ?? -Prasad http://feedmug.com From psimerda at redhat.com Tue Jun 24 18:21:55 2014 From: psimerda at redhat.com (Pavel Simerda) Date: Tue, 24 Jun 2014 14:21:55 -0400 (EDT) Subject: [Dnssec-trigger] dnssec-trigger-script patches In-Reply-To: <53A836A5.8070608@nlnetlabs.nl> References: <879364627.12571852.1403116925412.JavaMail.zimbra@redhat.com> <53A43DBE.5060401@nlnetlabs.nl> <1262129410.13120797.1403275496542.JavaMail.zimbra@redhat.com> <53A7D01F.3010002@nlnetlabs.nl> <1158025864.13381693.1403525950265.JavaMail.zimbra@redhat.com> <53A81BF1.5020005@nlnetlabs.nl> <1562887291.13422360.1403532591396.JavaMail.zimbra@redhat.com> <53A836A5.8070608@nlnetlabs.nl> Message-ID: <1107524365.13868224.1403634115060.JavaMail.zimbra@redhat.com> Two new patches. Right now I don't see any serious problems in dnssec-trigger-script but instead in dnssec-trigger itself (as described in the other mail) and in NetworkManager (described in the bug report linked from the patches). Cheers, Pavel -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-improve-systemctl-call.patch Type: text/x-patch Size: 1071 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-serialize-script-instances.patch Type: text/x-patch Size: 1286 bytes Desc: not available URL: From thozza at redhat.com Fri Jun 27 07:11:32 2014 From: thozza at redhat.com (Tomas Hozza) Date: Fri, 27 Jun 2014 03:11:32 -0400 (EDT) Subject: [Dnssec-trigger] status of dnssec-trigger and NetworkManager in upstream and Fedora In-Reply-To: <1403852299.27502.YahooMailNeo@web192405.mail.sg3.yahoo.com> References: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> <1403852299.27502.YahooMailNeo@web192405.mail.sg3.yahoo.com> Message-ID: <823678426.14698322.1403853092562.JavaMail.zimbra@redhat.com> ----- Original Message ----- > ? ?Hello Pavel, > > > On Tuesday, 24 June 2014 11:41 AM, P J P wrote: > > And over wi-fi, even internet domains could not be resolved. I'll continue > > testing with the latest build above. > > Please see -> http://fpaste.org/113693/51627140/ > > I'm testing the latest build of dnssec-trigger-0.12.11.f20.x86_64. It seems > to work quite well so far. It received the local forwarders list via DHCP > and uses the same to resolve domains. It's able to resolve internal domains > and it seems to work seamlessly across ethernet and wi-fi networks too. > > One glithc though, if I set chroot="/var/lib/unbound" in > /etc/unbound/unbound.conf, the unbound service fails to start citing missing > configuration files error. IMO, it'd be better to start unbound service > under chroot(2) jail by default. I think this is expected since the configuration is not present in the chroot. Although we could provide a new systemd service file unbound-chroot.service, like we do for BIND. It would prepare the chroot before starting (bind-mount all necessary configuration files into the chroot), start unbound in chroot and when stopping, unmount all files from the chroot. It would be better for this purpose if unbound could take the chroot dir as a command line argument. But we can drop a config file into /etc/unbound/conf.d/ when starting unbound and then remove it when stopping unbound. What do you think? > > I'll continue to use/test it and let you know if anything fails. Thank you! > :) > --- > > Regards > ?? -Prasad > http://feedmug.com > Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com From pjp at fedoraproject.org Fri Jun 27 06:58:19 2014 From: pjp at fedoraproject.org (P J P) Date: Fri, 27 Jun 2014 14:58:19 +0800 Subject: [Dnssec-trigger] status of dnssec-trigger and NetworkManager in upstream and Fedora In-Reply-To: <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> References: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> Message-ID: <1403852299.27502.YahooMailNeo@web192405.mail.sg3.yahoo.com> ? ?Hello Pavel, > On Tuesday, 24 June 2014 11:41 AM, P J P wrote: > And over wi-fi, even internet domains could not be resolved. I'll continue? > testing with the latest build above. Please see -> http://fpaste.org/113693/51627140/ I'm testing the latest build of dnssec-trigger-0.12.11.f20.x86_64. It seems to work quite well so far. It received the local forwarders list via DHCP and uses the same to resolve domains. It's able to resolve internal domains and it seems to work seamlessly across ethernet and wi-fi networks too. One glithc though, if I set chroot="/var/lib/unbound" in /etc/unbound/unbound.conf, the unbound service fails to start citing missing configuration files error. IMO, it'd be better to start unbound service under chroot(2) jail by default. I'll continue to use/test it and let you know if anything fails. Thank you! :) --- Regards ?? -Prasad http://feedmug.com From pspacek at redhat.com Fri Jun 27 07:28:24 2014 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 27 Jun 2014 09:28:24 +0200 Subject: [Dnssec-trigger] unbound in chroot In-Reply-To: <823678426.14698322.1403853092562.JavaMail.zimbra@redhat.com> References: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> <1403852299.27502.YahooMailNeo@web192405.mail.sg3.yahoo.com> <823678426.14698322.1403853092562.JavaMail.zimbra@redhat.com> Message-ID: <53AD1D18.7040100@redhat.com> On 27.6.2014 09:11, Tomas Hozza wrote: > ----- Original Message ----- >> Hello Pavel, >> >>> On Tuesday, 24 June 2014 11:41 AM, P J P wrote: >>> And over wi-fi, even internet domains could not be resolved. I'll continue >>> testing with the latest build above. >> >> Please see -> http://fpaste.org/113693/51627140/ >> >> I'm testing the latest build of dnssec-trigger-0.12.11.f20.x86_64. It seems >> to work quite well so far. It received the local forwarders list via DHCP >> and uses the same to resolve domains. It's able to resolve internal domains >> and it seems to work seamlessly across ethernet and wi-fi networks too. >> >> One glithc though, if I set chroot="/var/lib/unbound" in >> /etc/unbound/unbound.conf, the unbound service fails to start citing missing >> configuration files error. IMO, it'd be better to start unbound service >> under chroot(2) jail by default. > > I think this is expected since the configuration is not present in the chroot. > Although we could provide a new systemd service file unbound-chroot.service, > like we do for BIND. It would prepare the chroot before starting (bind-mount > all necessary configuration files into the chroot), start unbound in chroot > and when stopping, unmount all files from the chroot. > > It would be better for this purpose if unbound could take the chroot dir as > a command line argument. But we can drop a config file into /etc/unbound/conf.d/ > when starting unbound and then remove it when stopping unbound. > > What do you think? Is it worth? Chroot on Linux is notoriously broken/leaky. I'm not entirely sure that it adds more than false sense of security... -- Petr^2 Spacek From pjp at fedoraproject.org Fri Jun 27 08:35:27 2014 From: pjp at fedoraproject.org (P J P) Date: Fri, 27 Jun 2014 16:35:27 +0800 Subject: [Dnssec-trigger] status of dnssec-trigger and NetworkManager in upstream and Fedora In-Reply-To: <823678426.14698322.1403853092562.JavaMail.zimbra@redhat.com> References: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> <1403852299.27502.YahooMailNeo@web192405.mail.sg3.yahoo.com> <823678426.14698322.1403853092562.JavaMail.zimbra@redhat.com> Message-ID: <1403858127.26976.YahooMailNeo@web192403.mail.sg3.yahoo.com> ? Hello Tomas, > On Friday, 27 June 2014 12:41 PM, Tomas Hozza wrote: > I think this is expected since the configuration is not present in the chroot. > Although we could provide a new systemd service file unbound-chroot.service, > like we do for BIND. It would prepare the chroot before starting (bind-mount > all necessary configuration files into the chroot), start unbound in chroot > and when stopping, unmount all files from the chroot. >? > It would be better for this purpose if unbound could take the chroot dir as > a command line argument. But we can drop a config file into /etc/unbound/conf.d/ > when starting unbound and then remove it when stopping unbound. ? Yes, that'd be great. Thank you. --- Regards ?? -Prasad http://feedmug.com From pjp at fedoraproject.org Fri Jun 27 08:36:43 2014 From: pjp at fedoraproject.org (P J P) Date: Fri, 27 Jun 2014 16:36:43 +0800 Subject: [Dnssec-trigger] unbound in chroot In-Reply-To: <53AD1D18.7040100@redhat.com> References: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> <1403852299.27502.YahooMailNeo@web192405.mail.sg3.yahoo.com> <823678426.14698322.1403853092562.JavaMail.zimbra@redhat.com> <53AD1D18.7040100@redhat.com> Message-ID: <1403858203.65874.YahooMailNeo@web192401.mail.sg3.yahoo.com> ? ?Hi, > On Friday, 27 June 2014 1:04 PM, Petr Spacek wrote: > Is it worth? Chroot on Linux is notoriously broken/leaky. I'm not entirely? > sure that it adds more than false sense of security... Broken/leaky, how so? --- Regards ?? -Prasad http://feedmug.com From ssorce at redhat.com Fri Jun 27 13:03:12 2014 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 27 Jun 2014 09:03:12 -0400 Subject: [Dnssec-trigger] unbound in chroot In-Reply-To: <1403858203.65874.YahooMailNeo@web192401.mail.sg3.yahoo.com> References: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> <1403852299.27502.YahooMailNeo@web192405.mail.sg3.yahoo.com> <823678426.14698322.1403853092562.JavaMail.zimbra@redhat.com> <53AD1D18.7040100@redhat.com> <1403858203.65874.YahooMailNeo@web192401.mail.sg3.yahoo.com> Message-ID: <1403874192.3551.5.camel@willson.usersys.redhat.com> On Fri, 2014-06-27 at 16:36 +0800, P J P wrote: > Hi, > > > On Friday, 27 June 2014 1:04 PM, Petr Spacek wrote: > > Is it worth? Chroot on Linux is notoriously broken/leaky. I'm not entirely > > sure that it adds more than false sense of security... > > Broken/leaky, how so? chroots are not security measures. It is easy to escape a chroot, so we need to carefully asses if the additional burden it imposes is worth it. If the main reason to use a chroot is to make unbound "more secure", well I would drop it, it's not really worth it. If you want to make unbound more secure then we should use a container (which is also not completely secure, but it is much harder to attack if namespaces and selinux are used correctly), but I think this is excessive for most setups too. Simo. From pwouters at redhat.com Fri Jun 27 16:10:17 2014 From: pwouters at redhat.com (Paul Wouters) Date: Fri, 27 Jun 2014 12:10:17 -0400 Subject: [Dnssec-trigger] unbound in chroot In-Reply-To: <53AD1D18.7040100@redhat.com> References: <1134881611.13427360.1403533548957.JavaMail.zimbra@redhat.com> <1002797025.13442649.1403535666732.JavaMail.zimbra@redhat.com> <1403590262.70646.YahooMailNeo@web192403.mail.sg3.yahoo.com> <1403852299.27502.YahooMailNeo@web192405.mail.sg3.yahoo.com> <823678426.14698322.1403853092562.JavaMail.zimbra@redhat.com> <53AD1D18.7040100@redhat.com> Message-ID: <53AD9769.6020802@redhat.com> On 06/27/2014 03:28 AM, Petr Spacek wrote: >>> One glithc though, if I set chroot="/var/lib/unbound" in >>> /etc/unbound/unbound.conf, the unbound service fails to start citing >>> missing >>> configuration files error. IMO, it'd be better to start unbound service >>> under chroot(2) jail by default. >> >> I think this is expected since the configuration is not present in the >> chroot. >> Although we could provide a new systemd service file >> unbound-chroot.service, >> like we do for BIND. It would prepare the chroot before starting >> (bind-mount >> all necessary configuration files into the chroot), start unbound in >> chroot >> and when stopping, unmount all files from the chroot. >> >> It would be better for this purpose if unbound could take the chroot >> dir as >> a command line argument. But we can drop a config file into >> /etc/unbound/conf.d/ >> when starting unbound and then remove it when stopping unbound. >> >> What do you think? > > Is it worth? Chroot on Linux is notoriously broken/leaky. I'm not > entirely sure that it adds more than false sense of security... When I started packaging unbound, there were lots of chroot() issues and it just made sense to rely on selinux and not chroot. I don't think chroot offers anything over selinux, but it comes with a set of problems dealing with reloading, signaling and maintaining a chroot. Paul