From psimerda at redhat.com Mon May 5 15:05:31 2014
From: psimerda at redhat.com (Pavel Simerda)
Date: Mon, 5 May 2014 11:05:31 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger-script patches
In-Reply-To: <1343256592.351273.1399302078758.JavaMail.zimbra@redhat.com>
Message-ID: <714991433.352358.1399302331579.JavaMail.zimbra@redhat.com>

Hi,

I'm sending two patches for dnssec-trigger. The former adds support to distinguish secure and insecure zones, while the latter flushes the unbound cache on DNS server list changes. Especially the latter isn't perfect but I believe it should be applied now as is and improved later.

Cheers,

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-read-insecure-flag-from-unbound-control-list_forward.patch
Type: text/x-patch
Size: 5839 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-flush-global-zone-on-configuration-change.patch
Type: text/x-patch
Size: 4309 bytes
Desc: not available
URL:

From wouter at nlnetlabs.nl Wed May 7 06:46:23 2014
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Wed, 07 May 2014 08:46:23 +0200
Subject: [Dnssec-trigger] dnssec-trigger-script patches
In-Reply-To: <714991433.352358.1399302331579.JavaMail.zimbra@redhat.com>
References: <714991433.352358.1399302331579.JavaMail.zimbra@redhat.com>
Message-ID: <5369D6BF.5090202@nlnetlabs.nl>

Hi Pavel,

Thanks, applied. Does this finish up the items you wanted to do, or are you still working your way through the bugzilla list?

Best regards,
Wouter

On 05/05/2014 05:05 PM, Pavel Simerda wrote:
> Hi,
>
> I'm sending two patches for dnssec-trigger. The former adds support
> to distinguish secure and insecure zones, while the latter flushes
> the unbound cache on DNS server list changes. Especially the latter
> isn't perfect but I believe it should be applied now as is and
> improved later.
>
> Cheers,
>
> Pavel
>
>
>
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>

From psimerda at redhat.com Wed May 7 06:58:03 2014
From: psimerda at redhat.com (Pavel Simerda)
Date: Wed, 7 May 2014 02:58:03 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger-script patches
In-Reply-To: <5369D6BF.5090202@nlnetlabs.nl>
References: <714991433.352358.1399302331579.JavaMail.zimbra@redhat.com> <5369D6BF.5090202@nlnetlabs.nl>
Message-ID: <303635734.976328.1399445883462.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "W.C.A. Wijngaards"
> To: "Pavel Simerda" , dnssec-trigger at nlnetlabs.nl
> Cc: "Petr Spacek" , "Paul Wouters"
> Sent: Wednesday, May 7, 2014 8:46:23 AM
> Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches
>
> Hi Pavel,
>
> Thanks, applied. Does this finish up the items you wanted to do, or
> are you still working your way through the bugzilla list?
Hi Wouter,

There's one item that I would like to solve soon and that's basically described in bugzilla comment:

https://bugzilla.redhat.com/show_bug.cgi?id=1089910#c6

It could look like:

flush_global_zone=yes|negative-only|no

Any suggestions regarding the name of the option and of negative-only value? That would be the last thing for the release. Or, if we are in a hurry, we can leave it for the next release.

Cheers,

Pavel

> Best regards,
> Wouter
>
> On 05/05/2014 05:05 PM, Pavel Simerda wrote:
> > Hi,
> >
> > I'm sending two patches for dnssec-trigger. The former adds support
> > to distinguish secure and insecure zones, while the latter flushes
> > the unbound cache on DNS server list changes. Especially the latter
> > isn't perfect but I believe it should be applied now as is and
> > improved later.
> >
> > Cheers,
> >
> > Pavel
> >
>

From psimerda at redhat.com Wed May 7 10:13:07 2014
From: psimerda at redhat.com (Pavel Simerda)
Date: Wed, 7 May 2014 06:13:07 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger-script patches
In-Reply-To: <303635734.976328.1399445883462.JavaMail.zimbra@redhat.com>
References: <714991433.352358.1399302331579.JavaMail.zimbra@redhat.com> <5369D6BF.5090202@nlnetlabs.nl> <303635734.976328.1399445883462.JavaMail.zimbra@redhat.com>
Message-ID: <459912909.1009298.1399457587518.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Pavel Simerda"
> To: "W.C.A. Wijngaards"
> Cc: dnssec-trigger at nlnetlabs.nl, "Petr Spacek" , "Paul Wouters" , "Tomas Hozza"
> Sent: Wednesday, May 7, 2014 8:58:03 AM
> Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches
>
> ----- Original Message -----
> > From: "W.C.A. Wijngaards"
> > To: "Pavel Simerda" , dnssec-trigger at nlnetlabs.nl
> > Cc: "Petr Spacek" , "Paul Wouters"
> > Sent: Wednesday, May 7, 2014 8:46:23 AM
> > Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches
> >
> > Hi Pavel,
> >
> > Thanks, applied. Does this finish up the items you wanted to do, or
> > are you still working your way through the bugzilla list?
>
> Hi Wouter,
>
> There's one item that I would like to solve soon and that's basically
> described in bugzilla comment:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1089910#c6
>
> It could look like:
>
> flush_global_zone=yes|negative-only|no
>
> Any suggestions regarding the name of the option and of negative-only value?
> That would be the last thing for the release. Or, if we are in a hurry, we can
> leave it for the next release.

There's no consensus on this, yet, so we can keep the current implementation for now.

I've a new ticket for the NM unbound plugin interoperability but there's time for it...

https://bugzilla.redhat.com/show_bug.cgi?id=1095214

I think we're ok for now and can start working on changes for the next release.
Pavel

> Cheers,
>
> Pavel
>
> > Best regards,
> > Wouter
> >
> > On 05/05/2014 05:05 PM, Pavel Simerda wrote:
> > > Hi,
> > >
> > > I'm sending two patches for dnssec-trigger. The former adds support
> > > to distinguish secure and insecure zones, while the latter flushes
> > > the unbound cache on DNS server list changes. Especially the latter
> > > isn't perfect but I believe it should be applied now as is and
> > > improved later.
> > >
> > > Cheers,
> > >
> > > Pavel
> > >
> >

From paul at nohats.ca Wed May 7 15:25:38 2014
From: paul at nohats.ca (Paul Wouters)
Date: Wed, 7 May 2014 11:25:38 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger-script patches
In-Reply-To: <459912909.1009298.1399457587518.JavaMail.zimbra@redhat.com>
References: <714991433.352358.1399302331579.JavaMail.zimbra@redhat.com> <5369D6BF.5090202@nlnetlabs.nl> <303635734.976328.1399445883462.JavaMail.zimbra@redhat.com> <459912909.1009298.1399457587518.JavaMail.zimbra@redhat.com>
Message-ID:

On Wed, 7 May 2014, Pavel Simerda wrote:

>>> Thanks, applied. Does this finish up the items you wanted to do, or
>>> are you still working your way through the bugzilla list?
>>
>> Hi Wouter,
>>
>> There's one item that I would like to solve soon and that's basically
>> described in bugzilla comment:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1089910#c6
>>
>> It could look like:
>>
>> flush_global_zone=yes|negative-only|no
>>
>> Any suggestions regarding the name of the option and of negative-only value?
>> That would be the last thing for the release. Or, if we are in a hurry, we can
>> leave it for the next release.
>
> There's no consensus on this, yet, so we can keep the current implementation for
> now.

While not everyone might want to use the feature, I think there is consensus that it does no harm for those who want it? There are clear privacy advantages to not flushing your entire cache upon every network switch.

Paul

From psimerda at redhat.com Wed May 7 15:48:25 2014
From: psimerda at redhat.com (Pavel Simerda)
Date: Wed, 7 May 2014 11:48:25 -0400 (EDT)
Subject: [Dnssec-trigger] dnssec-trigger-script patches
In-Reply-To:
References: <714991433.352358.1399302331579.JavaMail.zimbra@redhat.com> <5369D6BF.5090202@nlnetlabs.nl> <303635734.976328.1399445883462.JavaMail.zimbra@redhat.com> <459912909.1009298.1399457587518.JavaMail.zimbra@redhat.com>
Message-ID: <1412748960.1131052.1399477705013.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Paul Wouters"
> To: "Pavel Simerda"
> Cc: "W.C.A. Wijngaards" , "Petr Spacek" , dnssec-trigger at NLnetLabs.nl
> Sent: Wednesday, May 7, 2014 5:25:38 PM
> Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches
>
> On Wed, 7 May 2014, Pavel Simerda wrote:
>
> >>> Thanks, applied. Does this finish up the items you wanted to do, or
> >>> are you still working your way through the bugzilla list?
> >>
> >> Hi Wouter,
> >>
> >> There's one item that I would like to solve soon and that's basically
> >> described in bugzilla comment:
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1089910#c6
> >>
> >> It could look like:
> >>
> >> flush_global_zone=yes|negative-only|no
> >>
> >> Any suggestions regarding the name of the option and of negative-only
> >> value? That would be the last thing for the release. Or, if we are in
> >> a hurry, we can leave it for the next release.
> >
> > There's no consensus on this, yet, so we can keep the current
> > implementation for now.
>
> While not everyone might want to use the feature, I think there is
> consensus that it does no harm for those who want it? There are clear
> privacy advantages to not flushing your entire cache upon every network
> switch.

Hi Paul,

See https://bugzilla.redhat.com/show_bug.cgi?id=1089910

According to the above Fedora bug report, there is a privacy leak as well, and our colleagues are also calling for keeping the dnssec.conf as simple as possible. Those are the reasons why I'm not posting a last-minute fix to the upcoming release. I also think the patch will be fairly simple compared to the patches I wanted to get there in time.

I think we can use that bugzilla to discuss the balance between the two possible privacy issues, one caused by not flushing non-negative items, the other by doing it.

Cheers,

Pavel

From thozza at redhat.com Wed May 14 12:55:34 2014
From: thozza at redhat.com (Tomas Hozza)
Date: Wed, 14 May 2014 08:55:34 -0400 (EDT)
Subject: [Dnssec-trigger] Extracting hot-spot detection and servers probing code into a library
In-Reply-To: <1017466473.2890712.1400071782790.JavaMail.zimbra@redhat.com>
Message-ID: <1412685414.2892448.1400072134064.JavaMail.zimbra@redhat.com>

Hi.
Since we plan to implement NetworkManager DNS plugin for unbound that would in the end replace dnssec-trigger, it will have to do the same set of tests as dnssec-trigger daemon does right now.

We are thinking about extracting the necessary code dnssec-trigger uses into a separate library. The library could be then used by the unbound NM plugin. We are also interested in possibly extending the set of nameservers tests based on [1].

We are interested in your opinion on this. Would you be OK with the extraction of the code into a library? The library could be then distributed as a part of dnssec-trigger.

[1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-roadblock-avoidance/

Thanks.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc.
http://cz.redhat.com

From thozza at redhat.com Wed May 14 14:14:09 2014
From: thozza at redhat.com (Tomas Hozza)
Date: Wed, 14 May 2014 10:14:09 -0400 (EDT)
Subject: [Dnssec-trigger] Extracting hot-spot detection and servers probing code into a library
In-Reply-To: <53737932.8000509@redhat.com>
References: <1412685414.2892448.1400072134064.JavaMail.zimbra@redhat.com> <53737596.8060601@redhat.com> <53737932.8000509@redhat.com>
Message-ID: <486802359.2930310.1400076849707.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On 14.5.2014 15:54, Paul Wouters wrote:
> > On 05/14/2014 08:55 AM, Tomas Hozza wrote:
> >
> >> Since we plan to implement NetworkManager DNS plugin for
> >> unbound that would in the end replace dnssec-trigger, it
> >> will have to do the same set of tests as dnssec-trigger
> >> daemon does right now.
> >>
> >> We are thinking about extracting the necessary code
> >> dnssec-trigger uses into a separate library. The library
> >> could be then used by the unbound NM plugin. We are also
> >> interested in possibly extending the set of nameservers
> >> tests based on [1].
> >
> > That would be great!
> >
> >> We are interested in your opinion on this. Would you be
> >> OK with the extraction of the code into a library?
> >> The library could be then distributed as a part of
> >> dnssec-trigger.
> >>
> >> [1]
> >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-roadblock-avoidance/
> >
> >
> > Note that I asked a few ccTLD operators for a stable wildcard record for
> > testing the forwarder for the "bad old bind cname/wildcard bug" and
> > CentralNic assisted
> > us and put a stable record in at:
> >
> > *._probe.uk.com. IN CNAME fedoraproject.org.
> > *._probe.us.com. IN CNAME fedoraproject.org.
> > *._probe.cn.com. IN CNAME fedoraproject.org.
> >
> >
> > This can be used for a new test for
> > https://bugzilla.redhat.com/show_bug.cgi?id=1096240
>
> I think we should:
> - Make test names/records configurable in the library.
> - Deploy own Fedora-sub-tree dedicated to DNS-tests. It can be something like
> dnstest.fedoraproject.org. and put all necessary records there.
>
> This allows every distributor to build the library with its own set of
> names.
> This avoids single point of failure (from the perspective of all library
> users) and removes dependency on external entity.

I totally agree. We should not hardcode anything in the library if possible!

--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc.
http://cz.redhat.com

From pwouters at redhat.com Wed May 14 13:54:30 2014
From: pwouters at redhat.com (Paul Wouters)
Date: Wed, 14 May 2014 09:54:30 -0400
Subject: [Dnssec-trigger] Extracting hot-spot detection and servers probing code into a library
In-Reply-To: <1412685414.2892448.1400072134064.JavaMail.zimbra@redhat.com>
References: <1412685414.2892448.1400072134064.JavaMail.zimbra@redhat.com>
Message-ID: <53737596.8060601@redhat.com>

On 05/14/2014 08:55 AM, Tomas Hozza wrote:

> Since we plan to implement NetworkManager DNS plugin for
> unbound that would in the end replace dnssec-trigger, it
> will have to do the same set of tests as dnssec-trigger
> daemon does right now.
>
> We are thinking about extracting the necessary code
> dnssec-trigger uses into a separate library. The library
> could be then used by the unbound NM plugin. We are also
> interested in possibly extending the set of nameservers
> tests based on [1].

That would be great!

> We are interested in your opinion on this. Would you be
> OK with the extraction of the code into a library?
> The library could be then distributed as a part of
> dnssec-trigger.
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-roadblock-avoidance/

Note that I asked a few ccTLD operators for a stable wildcard record for testing the forwarder for the "bad old bind cname/wildcard bug" and CentralNic assisted us and put a stable record in at:

*._probe.uk.com. IN CNAME fedoraproject.org.
*._probe.us.com. IN CNAME fedoraproject.org.
*._probe.cn.com. IN CNAME fedoraproject.org.

This can be used for a new test for https://bugzilla.redhat.com/show_bug.cgi?id=1096240

Paul

From pwouters at redhat.com Wed May 14 14:19:57 2014
From: pwouters at redhat.com (Paul Wouters)
Date: Wed, 14 May 2014 10:19:57 -0400
Subject: [Dnssec-trigger] Extracting hot-spot detection and servers probing code into a library
In-Reply-To: <53737932.8000509@redhat.com>
References: <1412685414.2892448.1400072134064.JavaMail.zimbra@redhat.com> <53737596.8060601@redhat.com> <53737932.8000509@redhat.com>
Message-ID: <53737B8D.4040001@redhat.com>

On 05/14/2014 10:09 AM, Petr Spacek wrote:

>> This can be used for a new test for https://bugzilla.redhat.com/show_bug.cgi?id=1096240
>
> I think we should:
> - Make test names/records configurable in the library.
> - Deploy own Fedora-sub-tree dedicated to DNS-tests. It can be something like dnstest.fedoraproject.org. and put all necessary records there.
>
> This allows every distributor to build the library with its own set of names. This avoids single point of failure (from the perspective of all library users)
> and removes dependency on external entity.

I do not agree. The tests are carefully selected to

1) be run against very stable zones (hence TLD sized zones)

2) not have a privacy impact (hence TLD sized zones)

3) not have all eggs in one basket

fedoraproject.org has already proven to be too unstable when they changed CA provider without updating their TLSA record after heartbleed.

Having different tests also means all different library users have their own bugs, their own false positives, and no one gets the advantage of new test cases found in the wild, some of which might be difficult to reproduce in other zones.
Paul

From pspacek at redhat.com Wed May 14 14:09:54 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 14 May 2014 16:09:54 +0200
Subject: [Dnssec-trigger] Extracting hot-spot detection and servers probing code into a library
In-Reply-To: <53737596.8060601@redhat.com>
References: <1412685414.2892448.1400072134064.JavaMail.zimbra@redhat.com> <53737596.8060601@redhat.com>
Message-ID: <53737932.8000509@redhat.com>

On 14.5.2014 15:54, Paul Wouters wrote:
> On 05/14/2014 08:55 AM, Tomas Hozza wrote:
>
>> Since we plan to implement NetworkManager DNS plugin for
>> unbound that would in the end replace dnssec-trigger, it
>> will have to do the same set of tests as dnssec-trigger
>> daemon does right now.
>>
>> We are thinking about extracting the necessary code
>> dnssec-trigger uses into a separate library. The library
>> could be then used by the unbound NM plugin. We are also
>> interested in possibly extending the set of nameservers
>> tests based on [1].
>
> That would be great!
>
>> We are interested in your opinion on this. Would you be
>> OK with the extraction of the code into a library?
>> The library could be then distributed as a part of
>> dnssec-trigger.
>>
>> [1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-roadblock-avoidance/
>
>
> Note that I asked a few ccTLD operators for a stable wildcard record for testing the forwarder for the "bad old bind cname/wildcard bug" and CentralNic assisted
> us and put a stable record in at:
>
> *._probe.uk.com. IN CNAME fedoraproject.org.
> *._probe.us.com. IN CNAME fedoraproject.org.
> *._probe.cn.com. IN CNAME fedoraproject.org.
>
>
> This can be used for a new test for https://bugzilla.redhat.com/show_bug.cgi?id=1096240

I think we should:
- Make test names/records configurable in the library.
- Deploy own Fedora-sub-tree dedicated to DNS-tests. It can be something like dnstest.fedoraproject.org. and put all necessary records there.

This allows every distributor to build the library with its own set of names. This avoids single point of failure (from the perspective of all library users) and removes dependency on external entity.

--
Petr^2 Spacek

From wouter at nlnetlabs.nl Fri May 16 07:51:30 2014
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Fri, 16 May 2014 09:51:30 +0200
Subject: [Dnssec-trigger] Extracting hot-spot detection and servers probing code into a library
In-Reply-To: <53737B8D.4040001@redhat.com>
References: <1412685414.2892448.1400072134064.JavaMail.zimbra@redhat.com> <53737596.8060601@redhat.com> <53737932.8000509@redhat.com> <53737B8D.4040001@redhat.com>
Message-ID: <5375C382.3040301@nlnetlabs.nl>

Hi,

I think that the library idea is great, and I would like that.

Best regards,
Wouter

On 05/14/2014 04:19 PM, Paul Wouters wrote:
> On 05/14/2014 10:09 AM, Petr Spacek wrote:
>
>>> This can be used for a new test for
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1096240
>>
>> I think we should: - Make test names/records configurable in the
>> library. - Deploy own Fedora-sub-tree dedicated to DNS-tests. It
>> can be something like dnstest.fedoraproject.org. and put all
>> necessary records there.
>>
>> This allows every distributor to build the library with its own
>> set of names. This avoids single point of failure (from the
>> perspective of all library users) and removes dependency on
>> external entity.
>
> I do not agree. The tests are carefully selected to
>
> 1) be run against very stable zones (hence TLD sized zones)
>
> 2) not have a privacy impact (hence TLD sized zones)
>
> 3) not have all eggs in one basket
>
> fedoraproject.org has already proven to be too unstable when they
> changed CA provider without updating their TLSA record after
> heartbleed.
>
> Having different tests also means all different library users have
> their own bugs, their own false positives, and no one gets the
> advantage of new test cases found in the wild, some of which might
> be difficult to reproduce in other zones.
>
> Paul
>

From wouter at nlnetlabs.nl Thu May 22 08:03:28 2014
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Thu, 22 May 2014 10:03:28 +0200
Subject: [Dnssec-trigger] dnssec-trigger 0.12 release
Message-ID: <537DAF50.1010402@nlnetlabs.nl>

Hi,

The dnssec-trigger 0.12 release is available. For Mac and Windows, dnssec-trigger asks the user for update permission in the next day.

For users with custom set-up: please note that the auto updater will try to sed-edit the config file because some default IP addresses have changed (NLnet Labs is changing network prefix).
http://www.nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.12.tar.gz
sha1 5fcc642d8dae63524aa769f7129cf4454bdb42e5
sha256 1cafd9ec296edc1d17b9ed2a98e06c7057c80ef1dbd6d45dbfa11991d3703535

Changes
- log correct type in timeout for TXT.
- restart panels on install on OSX.
- Fix OSX user panel stop and start in reinstall, also fix for double popups during reinstall.
- Fix crash on read of ssl443 entry without a hash.
- Squelch address family not supported errors (on low verbosity).
- Fix networkmanager hook to detect if it has to use the new commandline syntax of networkmanager 0.9.4.
- Fixup uniqueid for Mountain Lion OSX 10.8 release, you have to run the installer again (upgrade or uninstall-reinstall).
- bug 489: removed Application deprecated keyword from .desktop file.
- OSX wake listener implementation.
- patch for OSX that passes all domains from search to the OS (from Phil Pennock).
- Fixup snprintf return value usage.
- Fixup OSX backquote backslashes. Removed wrong OSX version from its installer text.
- Let system dealloc feed and feed_lock on OSX and Linux/BSD.
- Fixup new glib deprecated calls.
- Patch from Tomas Hozza to improve the networkmanager connect script for VPN connections. It adds forward zones for the VPN over the VPN connection.
- Fix #522: Errors found by static analysis of source from Tomas Hozza.
- Fix NM dispatcher script to work with NM >= 0.9.9.0 (Thanks Tomas Hozza).
- Patch from Tomas Hozza that improves text in dialogs (on linux).
- Added fedora/dnssec-trigger-resolvconf-handle.sh from Tomas Hozza, that will backup and restore resolv.conf for use in systemd.service scripts and networkmanager scripts.
- Added contrib networkmanager dispatcher script from Tomas Hozza.
- Added patch to networkmanager dispatcher script and also an example dnssec.conf file from Tomas Hozza.
- Fix #551: Change Regents to Copyright holder in License.
- Patches from Tomas Hozza; Explicitly-use-Python2-interpreter, Fix-situation-when-connection-is-going-down, resolv.conf-backup-script-restart-NM-to-handle-resolv.conf, Update-systemd-service-files-to-latest-version-used.
- Patch from Pavel Simerda: better integration with NetworkManager and distributions, added in contrib.
- Removed files obsoleted by patch from Pavel Simerda:
  contrib/01-dnssec-trigger-hook-new_nm (replaced with dnssec-trigger-script and 01-dnssec-trigger)
  fedora/dnssec-triggerd.service (new version in contrib)
  fedora/dnssec-triggerd-resolvconf-handle.service (handled by dnssec-triggerd.service directly)
  fedora/dnssec-trigger.spec (spec files are maintained separately)
  fedora/dnssec-triggerd-keygen.service (new version in contrib)
  fedora/dnssec-triggerd-resolvconf-handle.sh (handled by dnssec-trigger-script directly)
  fedora/dnssec-triggerd.init (only used in epel6 which hasn't been updated for ages)
- Renamed 01-dnssec-trigger-hook to 01-dnssec-trigger with the networkmanager naming scheme. (From Pavel Simerda).
- Patch from Pavel Simerda that incorporates contrib items into the build install system. Systemd scripts, dnssec-trigger-script, dnssec.conf.
- Patch for dnssec-trigger-script.in --async flag from Pavel Simerda, stops dnssec-trigger-script to block on networkmanager, which is good in cases when networkmanager blocks on the script.
- Change the ip-address of tcp and ssl service from broer.nlnetlabs.nl to zus.nlnetlabs.nl (we changed netblocks). The new ip address and new certificate fingerprint (because of ssl heartbleed vuln) are in the example.conf file. The cert was only used for transport and not for authentication, so its change was low priority.
- Updated dnssec-trigger-script.in to distinguish secure and insecure zones, and to flush the unbound cache on DNS server list changes. (from Pavel Simerda).
Best regards,
Wouter
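The last changelog item and the "dnssec-trigger-script patches" thread above describe two behaviours: reading the insecure flag from `unbound-control list_forwards` and flushing the unbound cache when the DNS server list changes, with Pavel's proposed `flush_global_zone=yes|negative-only|no` deciding how much to flush. The block below is an added example, not dnssec-trigger-script's code nor either patch; it assumes list_forwards prints one `<zone> IN forward [+i] <server>...` line per zone, that `.` is the global forward, and that `+i` on `forward_add`/`forward_remove` adds/removes the matching domain-insecure. The sample output is constructed.

```python
"""Parse `unbound-control list_forwards`, keep the insecure (+i) flag per
zone, and compute the unbound-control calls for a changed server list.

Assumption (not from the list posts): list_forwards prints one line per
zone as "<zone> IN forward [+i] <server>...", "+i" marking a zone that was
added with a domain-insecure. Flush modes are the values proposed on the list.
"""
from typing import Dict, List, NamedTuple, Tuple


class ForwardZone(NamedTuple):
    name: str
    servers: Tuple[str, ...]
    insecure: bool  # True when unbound listed the zone with "+i"


def parse_list_forwards(text: str) -> Dict[str, ForwardZone]:
    """Turn list_forwards output into a zone-name -> ForwardZone map."""
    zones: Dict[str, ForwardZone] = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and anything that is not a forward entry.
        if len(fields) < 3 or fields[1] != "IN" or fields[2] != "forward":
            continue
        rest = fields[3:]
        insecure = bool(rest) and rest[0] == "+i"
        if insecure:
            rest = rest[1:]
        zones[fields[0]] = ForwardZone(fields[0], tuple(rest), insecure)
    return zones


FLUSH_MODES = ("yes", "negative-only", "no")


def flush_command(mode: str) -> List[str]:
    """Map a flush_global_zone value to the unbound-control call it implies.

    yes           -> drop everything at and below the root ("flush_zone .")
    negative-only -> drop only cached NXDOMAIN/NODATA answers ("flush_negative")
    no            -> keep the cache across the change
    """
    if mode not in FLUSH_MODES:
        raise ValueError("flush_global_zone must be one of %r" % (FLUSH_MODES,))
    if mode == "yes":
        return ["flush_zone", "."]
    if mode == "negative-only":
        return ["flush_negative"]
    return []


def reconcile(current: Dict[str, ForwardZone],
              wanted: Dict[str, ForwardZone],
              mode: str = "yes") -> List[List[str]]:
    """Return the unbound-control argument lists that move the running
    forwards from `current` to `wanted`.  The flush selected by `mode` is
    appended only when at least one zone actually changed, so an unchanged
    network does not cost the cache anything."""
    commands: List[List[str]] = []
    for name in sorted(set(current) | set(wanted)):
        old, new = current.get(name), wanted.get(name)
        if old == new:
            continue
        if old is not None:
            # "+i" on forward_remove also drops the matching domain-insecure.
            commands.append(["forward_remove"] + (["+i"] if old.insecure else []) + [name])
        if new is not None:
            # "+i" on forward_add marks the zone insecure (no validation).
            commands.append(["forward_add"] + (["+i"] if new.insecure else [])
                            + [name] + list(new.servers))
    if commands:
        flush = flush_command(mode)
        if flush:
            commands.append(flush)
    return commands


# Constructed sample shaped like list_forwards output while a VPN is up:
# the global forward plus an insecure forward for the VPN's private zone.
SAMPLE_LIST_FORWARDS = """\
. IN forward 192.0.2.53 2001:db8::53
corp.example. IN forward +i 10.0.0.1
"""

if __name__ == "__main__":
    # After a network switch: new global servers, VPN zone gone.
    current = parse_list_forwards(SAMPLE_LIST_FORWARDS)
    wanted = {".": ForwardZone(".", ("198.51.100.1",), False)}
    for argv in reconcile(current, wanted, mode="negative-only"):
        print("unbound-control " + " ".join(argv))
```

Each returned argument list is meant to be passed to `unbound-control` via `subprocess`; the mode switch shows where the privacy trade-off Paul and Pavel discuss (full flush versus negative-only) would be decided.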