From psimerda at redhat.com Fri Jan 9 16:09:02 2015
From: psimerda at redhat.com (Pavel Simerda)
Date: Fri, 9 Jan 2015 11:09:02 -0500 (EST)
Subject: [Dnssec-trigger] dnssec-trigger patches
In-Reply-To: <2023813875.3439754.1420819541271.JavaMail.zimbra@redhat.com>
Message-ID: <705250979.3441076.1420819742792.JavaMail.zimbra@redhat.com>

Hi,

new patchset for dnssec-trigger SVN.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dnssec-trigger-script-read-var-run-NetworkManager-re.patch
Type: text/x-patch
Size: 1146 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-dnssec-trigger-script-don-t-leak-var-run-dnssec-trig.patch
Type: text/x-patch
Size: 1294 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-dnssec-trigger-script-install-etc-resolv-secure.conf.patch
Type: text/x-patch
Size: 3177 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-dnssec-trigger-panel-fix-desktop-file-paths.patch
Type: text/x-patch
Size: 869 bytes
Desc: not available
URL:

From wouter at nlnetlabs.nl Tue Jan 13 14:52:17 2015
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Tue, 13 Jan 2015 15:52:17 +0100
Subject: [Dnssec-trigger] dnssec-trigger patches
In-Reply-To: <705250979.3441076.1420819742792.JavaMail.zimbra@redhat.com>
References: <705250979.3441076.1420819742792.JavaMail.zimbra@redhat.com>
Message-ID: <54B53121.6070300@nlnetlabs.nl>

Hi Pavel,

On 09/01/15 17:09, Pavel Simerda wrote:
> Hi,
>
> new patchset for dnssec-trigger SVN.

Thanks, committed. Also committed a fix for newer OSX to flush its
cache properly from dnssec-trigger.
Best regards,
Wouter

From psimerda at redhat.com Mon Jan 19 12:47:07 2015
From: psimerda at redhat.com (Pavel Simerda)
Date: Mon, 19 Jan 2015 07:47:07 -0500 (EST)
Subject: [Dnssec-trigger] dnssec-trigger patches
In-Reply-To: <54B53121.6070300@nlnetlabs.nl>
References: <705250979.3441076.1420819742792.JavaMail.zimbra@redhat.com>
 <54B53121.6070300@nlnetlabs.nl>
Message-ID: <546929670.7740280.1421671627855.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "W.C.A. Wijngaards"
> To: "Pavel Simerda"
> Cc: dnssec-trigger at nlnetlabs.nl, "Tomas Hozza", "Ondřej Surý"
> Sent: Tuesday, January 13, 2015 3:52:17 PM
> Subject: Re: dnssec-trigger patches
>
> Hi Pavel,
>
> On 09/01/15 17:09, Pavel Simerda wrote:
> > Hi,
> >
> > new patchset for dnssec-trigger SVN.
>
> Thanks, committed. Also committed a fix for newer OSX to flush its
> cache properly from dnssec-trigger.

Thanks!

I have two other related patches.
Cheers,

Pavel

> Best regards,
> Wouter

From psimerda at redhat.com Mon Jan 19 12:47:41 2015
From: psimerda at redhat.com (Pavel Simerda)
Date: Mon, 19 Jan 2015 07:47:41 -0500 (EST)
Subject: [Dnssec-trigger] dnssec-trigger patches
In-Reply-To: <546929670.7740280.1421671627855.JavaMail.zimbra@redhat.com>
References: <705250979.3441076.1420819742792.JavaMail.zimbra@redhat.com>
 <54B53121.6070300@nlnetlabs.nl>
 <546929670.7740280.1421671627855.JavaMail.zimbra@redhat.com>
Message-ID: <46526698.7740360.1421671661757.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Pavel Simerda"
> To: "W.C.A. Wijngaards"
> Cc: dnssec-trigger at nlnetlabs.nl, "Tomas Hozza", "Ondřej Surý"
> Sent: Monday, January 19, 2015 1:47:07 PM
> Subject: Re: dnssec-trigger patches
>
> ----- Original Message -----
> > From: "W.C.A. Wijngaards"
> > To: "Pavel Simerda"
> > Cc: dnssec-trigger at nlnetlabs.nl, "Tomas Hozza", "Ondřej Surý"
> > Sent: Tuesday, January 13, 2015 3:52:17 PM
> > Subject: Re: dnssec-trigger patches
> >
> > Hi Pavel,
> >
> > On 09/01/15 17:09, Pavel Simerda wrote:
> > > Hi,
> > >
> > > new patchset for dnssec-trigger SVN.
> >
> > Thanks, committed. Also committed a fix for newer OSX to flush its
> > cache properly from dnssec-trigger.
>
> Thanks!
>
> I have two other related patches.
>
> Cheers,
>
> Pavel
>
> > Best regards,
> > Wouter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dnssec-trigger-script-clean-up-servers-as-well.patch
Type: text/x-patch
Size: 1282 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-dnssec-trigger-script-prefer-VPN-nameservers-over-de.patch
Type: text/x-patch
Size: 3197 bytes
Desc: not available
URL:

From wouter at nlnetlabs.nl Wed Jan 21 12:07:43 2015
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Wed, 21 Jan 2015 13:07:43 +0100
Subject: [Dnssec-trigger] dnssec-trigger patches
In-Reply-To: <46526698.7740360.1421671661757.JavaMail.zimbra@redhat.com>
References: <705250979.3441076.1420819742792.JavaMail.zimbra@redhat.com>
 <54B53121.6070300@nlnetlabs.nl>
 <546929670.7740280.1421671627855.JavaMail.zimbra@redhat.com>
 <46526698.7740360.1421671661757.JavaMail.zimbra@redhat.com>
Message-ID: <54BF968F.2080507@nlnetlabs.nl>

Hi Pavel,

On 01/19/2015 01:47 PM, Pavel Simerda wrote:
> ----- Original Message -----
>> From: "Pavel Simerda"
>> To: "W.C.A. Wijngaards"
>> Cc: dnssec-trigger at nlnetlabs.nl, "Tomas Hozza", "Ondřej Surý"
>> Sent: Monday, January 19, 2015 1:47:07 PM
>> Subject: Re: dnssec-trigger patches
>>
>> ----- Original Message -----
>>> From: "W.C.A. Wijngaards"
>>> To: "Pavel Simerda"
>>> Cc: dnssec-trigger at nlnetlabs.nl, "Tomas Hozza", "Ondřej Surý"
>>> Sent: Tuesday, January 13, 2015 3:52:17 PM
>>> Subject: Re: dnssec-trigger patches
>>>
> Hi Pavel,
>
> On 09/01/15 17:09, Pavel Simerda wrote:
>>>>> Hi,
>>>>>
>>>>> new patchset for dnssec-trigger SVN.
>
> Thanks, committed. Also committed a fix for newer OSX to flush
> its cache properly from dnssec-trigger.
>>>
>>> Thanks!
>>>
>>> I have two other related patches.

Committed them both. I assume the VPN preference is very nice for VPN
users.
:-)

Best regards,
Wouter

From psimerda at redhat.com Wed Jan 21 14:30:21 2015
From: psimerda at redhat.com (Pavel Simerda)
Date: Wed, 21 Jan 2015 09:30:21 -0500 (EST)
Subject: [Dnssec-trigger] dnssec-trigger patches
In-Reply-To: <54BF968F.2080507@nlnetlabs.nl>
References: <705250979.3441076.1420819742792.JavaMail.zimbra@redhat.com>
 <54B53121.6070300@nlnetlabs.nl>
 <546929670.7740280.1421671627855.JavaMail.zimbra@redhat.com>
 <46526698.7740360.1421671661757.JavaMail.zimbra@redhat.com>
 <54BF968F.2080507@nlnetlabs.nl>
Message-ID: <671836867.8456657.1421850621354.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "W.C.A. Wijngaards"
> To: "Pavel Simerda"
> Cc: dnssec-trigger at nlnetlabs.nl, "Tomas Hozza", "Ondřej Surý"
> Sent: Wednesday, January 21, 2015 1:07:43 PM
> Subject: Re: dnssec-trigger patches
>
> Hi Pavel,
>
> On 01/19/2015 01:47 PM, Pavel Simerda wrote:
> > ----- Original Message -----
> >> From: "Pavel Simerda"
> >> To: "W.C.A. Wijngaards"
> >> Cc: dnssec-trigger at nlnetlabs.nl, "Tomas Hozza", "Ondřej Surý"
> >> Sent: Monday, January 19, 2015 1:47:07 PM
> >> Subject: Re: dnssec-trigger patches
> >>
> >> ----- Original Message -----
> >>> From: "W.C.A. Wijngaards"
> >>> To: "Pavel Simerda"
> >>> Cc: dnssec-trigger at nlnetlabs.nl, "Tomas Hozza", "Ondřej Surý"
> >>> Sent: Tuesday, January 13, 2015 3:52:17 PM
> >>> Subject: Re: dnssec-trigger patches
> >>>
> > Hi Pavel,
> >
> > On 09/01/15 17:09, Pavel Simerda wrote:
> >>>>> Hi,
> >>>>>
> >>>>> new patchset for dnssec-trigger SVN.
> >
> > Thanks, committed. Also committed a fix for newer OSX to flush
> > its cache properly from dnssec-trigger.
> >>>
> >>> Thanks!
> >>>
> >>> I have two other related patches.
>
> Committed them both. I assume the VPN preference is very nice for VPN
> users. :-)

It may be quite a rare use case, though. Most VPN users are happy to choose
between all access through VPN and access only to services under VPN domains
and IP addresses.

I think the main reason people want this feature is that they are used to it
from classic NetworkManager /etc/resolv.conf setup. It also doesn't help much
if the VPN nameserver is not DNSSEC ready as then it's replaced by full
recursion or a DNSSEC ready infrastructure nameserver.

We are examining a couple of more issues and features in Fedora and we are
trying to prepare for getting dnssec-trigger and unbound by default in Fedora
workstation. When we get some more testing, it might be nice to issue a new
release of dnssec-trigger to offer our work to other distributions among
other things.
Cheers,

Pavel

> Best regards,
> Wouter

From paul at nohats.ca Wed Jan 21 14:47:06 2015
From: paul at nohats.ca (Paul Wouters)
Date: Wed, 21 Jan 2015 09:47:06 -0500 (EST)
Subject: [Dnssec-trigger] split dns, was Re: dnssec-trigger patches
In-Reply-To: <671836867.8456657.1421850621354.JavaMail.zimbra@redhat.com>
References: <705250979.3441076.1420819742792.JavaMail.zimbra@redhat.com>
 <54B53121.6070300@nlnetlabs.nl>
 <546929670.7740280.1421671627855.JavaMail.zimbra@redhat.com>
 <46526698.7740360.1421671661757.JavaMail.zimbra@redhat.com>
 <54BF968F.2080507@nlnetlabs.nl>
 <671836867.8456657.1421850621354.JavaMail.zimbra@redhat.com>
Message-ID:

On Wed, 21 Jan 2015, Pavel Simerda wrote:

>> Committed them both. I assume the VPN preference is very nice for VPN
>> users. :-)
>
> It may be quite a rare use case, though. Most VPN users are happy to choose
> between all access through VPN and access only to services under VPN domains
> and IP addresses.

Indeed. Wouter, don't be tempted to make the new patch the default.
The problem of dnssec-trigger+unbound is that people depend on split view
DNS and in some cases that involves dozens or more domains, so not just
the one you are informed about via DHCP or a VPN.

So, on the one hand, I want my non-VPN queries to not go over the VPN, as
my personal queries are none of my employer's business. I run a split VPN
and only *.redhat.com queries go to the internal DNS servers.

On the other hand, large campuses tend to have dozens of internal-only
domains, so you are kind of forced to throw all DNS at the campus DNS
server, even if you VPN in. Because you simply have no list of domains
to forward to the campus VPN server.

Some of the recent flush vs no-flush on network changes also come into
play here. The simple case with VPN and 1 domain (eg redhat.com) already
works. When I (dis)connect the VPN the received domain from VPN gets
flushed from cache. But that does not help the "campus case", where you
need to flush all cache once you move between campus/non-campus.

While "always flushing everything" solves the campus issue, it is really
bad for two reasons. I find myself often on flaky wifi, and if I get my
cache cleared when my wifi stutters, then I'll never have any working DNS
on those networks. Additionally, when my laptop opens, I'm sure my
launched programs create a nice fingerprint of DNS requests, which would
leak into the world if my cache was empty, allowing pervasive monitors to
track me.

From an ideology point of view, I want to tell the campus networks to
migrate away from split view DNS (which are terrible with DNSSEC and
validating stubs) or at the very least use very low TTLs so their campus
only DNS data doesn't survive in my cache. The campus deployments want
us to "not break things".
The sad end result is probably more DNS options for the clueless enduser :(

Paul

From psimerda at redhat.com Mon Jan 26 11:17:12 2015
From: psimerda at redhat.com (Pavel Simerda)
Date: Mon, 26 Jan 2015 06:17:12 -0500 (EST)
Subject: [Dnssec-trigger] bugfixes and new features
In-Reply-To: <1826905880.170892.1422270941021.JavaMail.zimbra@redhat.com>
Message-ID: <47005922.171786.1422271032945.JavaMail.zimbra@redhat.com>

Hi,

I have new patches for dnssec-trigger: two bugfixes, three cleanups,
three features.

Cheers,

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dnssec-trigger-script-check-for-paths-not-files.patch
Type: text/x-patch
Size: 1327 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-dnssec-trigger-script-fix-secure-insecure-forward-zo.patch
Type: text/x-patch
Size: 2583 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-clean-up-the-dnssec.conf-comments.patch
Type: text/x-patch
Size: 7075 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-dnssec-trigger-script-log-dnssec-trigger-control-and.patch
Type: text/x-patch
Size: 2499 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-dnssec-trigger-script-use-a-global-config-object.patch
Type: text/x-patch
Size: 3245 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-dnssec-trigger-script-add-option-to-set-search-domai.patch
Type: text/x-patch
Size: 2638 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-dnssec-trigger-script-add-undocumented-option-to-avo.patch
Type: text/x-patch
Size: 2055 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-dnssec-trigger-script-use-private-address-ranges.patch
Type: text/x-patch
Size: 6969 bytes
Desc: not available
URL:

From wouter at nlnetlabs.nl Mon Jan 26 15:20:47 2015
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Mon, 26 Jan 2015 16:20:47 +0100
Subject: [Dnssec-trigger] bugfixes and new features
In-Reply-To: <47005922.171786.1422271032945.JavaMail.zimbra@redhat.com>
References: <47005922.171786.1422271032945.JavaMail.zimbra@redhat.com>
Message-ID: <54C65B4F.2050407@nlnetlabs.nl>

Hi Pavel,

On 26/01/15 12:17, Pavel Simerda wrote:
> Hi,
>
> I have new patches for dnssec-trigger: two bugfixes, three
> cleanups, three features.

Thanks. Are you sure that reverse 1918 entries do not get stuck in
this set up, because I see the script leaves them as-is when they are
encountered, this does not make them 'once entered never go away'?
Committed.
Best regards,
Wouter

From psimerda at redhat.com Mon Jan 26 20:29:42 2015
From: psimerda at redhat.com (Pavel Simerda)
Date: Mon, 26 Jan 2015 15:29:42 -0500 (EST)
Subject: [Dnssec-trigger] bugfixes and new features
In-Reply-To: <54C65B4F.2050407@nlnetlabs.nl>
References: <47005922.171786.1422271032945.JavaMail.zimbra@redhat.com>
 <54C65B4F.2050407@nlnetlabs.nl>
Message-ID: <197165814.385654.1422304182401.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "W.C.A. Wijngaards"
> To: "Pavel Simerda", dnssec-trigger at nlnetlabs.nl
> Cc: "Tomas Hozza", "P J P"
> Sent: Monday, January 26, 2015 4:20:47 PM
> Subject: Re: bugfixes and new features
>
> Hi Pavel,
>
> On 26/01/15 12:17, Pavel Simerda wrote:
> > Hi,
> >
> > I have new patches for dnssec-trigger: two bugfixes, three
> > cleanups, three features.
>
> Thanks. Are you sure that reverse 1918 entries do not get stuck in
> this set up, because I see the script leaves them as-is when they are
> encountered, this does not make them 'once entered never go away'?
> Committed.

Hi Wouter,

as far as I know, it adds them to the list of installed zones.
They are installed and they are kept as long as dnssec-triggerd.service is
running but they should be cleaned up as soon as dnssec-triggerd.service is
stopped and dnssec-trigger-script --cleanup is run.

Also if they are already configured before dnssec-triggerd.service is
started, dnssec-trigger-script leaves them alone and never touches them.
That is consistent with its behavior towards all other forward zones that
are configured by other means than from dnssec-trigger-script. It follows
the principle that custom unbound configuration takes precedence over the
dynamic one, so dnssec-trigger doesn't step in the administrator's way.

Does that answer your question?

Cheers,

Pavel

>
> Best regards,
> Wouter

From cra at WPI.EDU Sat Jan 31 23:58:00 2015
From: cra at WPI.EDU (Chuck Anderson)
Date: Sat, 31 Jan 2015 18:58:00 -0500
Subject: [Dnssec-trigger] persistent cache needed?
Message-ID: <20150131235759.GD4025@angus.ind.WPI.EDU>

After booting up and re-opening Firefox, restoring 50-100 tabs causes
so much DNS traffic that unbound goes unresponsive, and queries
repeatedly time out for many minutes until things finally settle down.
I thought Firefox's behavior was to not reload every tab until you
activate the tab, but maybe it is still doing DNS pre-fetches for the
inactive tabs? I don't know.

I think we need a persistent cache, saved across restarts/reboots.
What else can we do to solve this problem? Or is the verbosity the
cause of the problem:

#journalctl -b -u unbound | wc -l
24581

unbound.conf:

server:
    # verbosity number, 0 is least verbose. 1 is default.
    verbosity: 3