From cra at WPI.EDU Wed Mar 11 19:21:54 2015
From: cra at WPI.EDU (Chuck Anderson)
Date: Wed, 11 Mar 2015 15:21:54 -0400
Subject: [Dnssec-trigger] current status?
Message-ID: <20150311192154.GJ13261@angus.ind.WPI.EDU>

What is the current status of dnssec-trigger? Does anyone here run
this daily on Fedora 21?

Every day after resuming from suspend, I have crash messages pop up on
Fedora 21 from dnssec-trigger (even after I fixed rhbz#1187371 myself
over a month ago).

Now, I have SELinux problems with dnssec-trigger writing to /etc. The
current selinux policy apparently doesn't allow this, so I end up with
no /etc/resolv.conf at all.

I'm very concerned about this:

https://fedoraproject.org//wiki/Changes/Default_Local_DNS_Resolver

when it seems that even trivial-to-fix bugs like this one go unfixed
for weeks:

https://bugzilla.redhat.com/show_bug.cgi?id=1187371

Other bugs also not fixed:

https://bugzilla.redhat.com/show_bug.cgi?id=1187183

and a new one I just filed today for more SELinux issues:

https://bugzilla.redhat.com/show_bug.cgi?id=1200996

From carsten at strotmann.de Thu Mar 12 07:09:04 2015
From: carsten at strotmann.de (Carsten Strotmann)
Date: Thu, 12 Mar 2015 08:09:04 +0100
Subject: [Dnssec-trigger] current status?
In-Reply-To: <20150311192154.GJ13261@angus.ind.WPI.EDU>
References: <20150311192154.GJ13261@angus.ind.WPI.EDU>
Message-ID: <87fv9avgj3.fsf@csmobile4.home.strotmann.de>

Hello Chuck,

Chuck Anderson writes:

> What is the current status of dnssec-trigger? Does anyone here run
> this daily on Fedora 21?

I'm running dnssec-trigger (0.12) on my Thinkpad with Fedora 21 every
day, without major issues. I'm not seeing any of the issues you
describe.

My Fedora is not a fresh install, but has been upgraded up from 16 or
17 all the way. Maybe that makes a difference.
Carsten

--
Sent with my mu4e

From thozza at redhat.com Thu Mar 12 08:20:28 2015
From: thozza at redhat.com (Tomas Hozza)
Date: Thu, 12 Mar 2015 09:20:28 +0100
Subject: [Dnssec-trigger] current status?
In-Reply-To: <20150311192154.GJ13261@angus.ind.WPI.EDU>
References: <20150311192154.GJ13261@angus.ind.WPI.EDU>
Message-ID: <55014C4C.8050305@redhat.com>

On 03/11/2015 08:21 PM, Chuck Anderson wrote:
> What is the current status of dnssec-trigger? Does anyone here run
> this daily on Fedora 21?
>
> Every day after resuming from suspend, I have crash messages pop up on
> Fedora 21 from dnssec-trigger (even after I fixed rhbz#1187371 myself
> over a month ago).
>
> Now, I have SELinux problems with dnssec-trigger writing to /etc. The
> current selinux policy apparently doesn't allow this, so I end up with
> no /etc/resolv.conf at all.
>
> I'm very concerned about this:
>
> https://fedoraproject.org//wiki/Changes/Default_Local_DNS_Resolver
>
> when it seems that even trivial-to-fix bugs like this one go unfixed
> for weeks:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1187371
>
> Other bugs also not fixed:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1187183
>
> and a new one I just filed today for more SELinux issues:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1200996

Hi Chuck.

I'm also using dnssec-trigger on Fedora 21 every day, with VPN and
SELinux in enforcing mode. But my Fedora is also upgraded from older
ones.

Sometimes my system also ends up without resolv.conf due to
https://bugzilla.redhat.com/show_bug.cgi?id=1195752 . But other
than that, the experience is pretty seamless.

We deferred the Fedora Change to Fedora 23, to sort out these issues.
Lately we had some higher priority issues to deal with, but we are
aware of the status in Fedora and are planning to address all the
user's issues.

Thank you for filing bugs and for adding them to the tracker bug.

Feel free to reach out to us directly by email, here on the mailing
list or via Bugzilla.
Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com

From cra at WPI.EDU Thu Mar 12 13:31:49 2015
From: cra at WPI.EDU (Chuck Anderson)
Date: Thu, 12 Mar 2015 09:31:49 -0400
Subject: [Dnssec-trigger] current status?
In-Reply-To: <55014C4C.8050305@redhat.com>
References: <20150311192154.GJ13261@angus.ind.WPI.EDU> <55014C4C.8050305@redhat.com>
Message-ID: <20150312133148.GN13261@angus.ind.WPI.EDU>

On Thu, Mar 12, 2015 at 09:20:28AM +0100, Tomas Hozza wrote:
> On 03/11/2015 08:21 PM, Chuck Anderson wrote:
> > Every day after resuming from suspend, I have crash messages pop up on
> > Fedora 21 from dnssec-trigger (even after I fixed rhbz#1187371 myself
> > over a month ago).
> >
> > I'm very concerned about this:
> >
> > https://fedoraproject.org//wiki/Changes/Default_Local_DNS_Resolver
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1187371
> > https://bugzilla.redhat.com/show_bug.cgi?id=1187183
> > https://bugzilla.redhat.com/show_bug.cgi?id=1200996
>
> Hi Chuck.
>
> I'm also using dnssec-trigger on Fedora 21 every day, with VPN and
> SELinux in enforcing mode. But my Fedora is also upgraded from older
> ones.

My systems are almost always fresh installs, but I do update them with
"dnf update" and reboot every once in a while, maybe every week or two.
I started seeing this crash only on my home laptop I use every day.
It started in January and hasn't gone away. My earlier attempt to
file this bug with ABRT local core dump analysis failed, so I just
filed this one using the retrace server:

https://bugzilla.redhat.com/show_bug.cgi?id=1201283

> Sometimes my system also ends up without resolv.conf due to
> https://bugzilla.redhat.com/show_bug.cgi?id=1195752 . But other
> than that, the experience is pretty seamless.

My experience is also mostly seamless, at least until this
disappearing /etc/resolv.conf just started happening.
My earlier report about DNS resolution timeouts after re-opening
Firefox with many tabs open I believe is related to the NAT table
filling up on my old Netgear stock-firmware router when unbound gets
flooded with DNS resolution requests from Firefox. I do not have that
problem anymore after moving to a newer Netgear router running Cerowrt
(Openwrt fork).

> We deferred the Fedora Change to Fedora 23, to sort out these issues.
> Lately we had some higher priority issues to deal with, but we are
> aware of the status in Fedora and are planning to address all the
> user's issues.

Thank you, that is good to hear. I see the wiki page shows Fedora 23
as the targeted release, but the "Last Update" date wasn't changed and
still says 2014-04-11.

> Thank you for filing bugs and for adding them to the tracker bug.

I'll finish going through the bugs and add more I think should be
blockers.

> Feel free to reach out to us directly by email, here on the mailing
> list or via Bugzilla.

Thanks. I was worried since there seemed to be a long silence. I am
also a Fedora packager and could volunteer to help, but my time is
also limited. But if it would help for me to push out updates for
trivial fixes like rhbz#1187371, I can do that.

From thozza at redhat.com Thu Mar 12 14:05:12 2015
From: thozza at redhat.com (Tomas Hozza)
Date: Thu, 12 Mar 2015 15:05:12 +0100
Subject: [Dnssec-trigger] Fixes for dnssec-trigger-script, new configure option for python interpreter; generate longer keys
Message-ID: <55019D18.10002@redhat.com>

Hi.

I'm sending a couple of patches, mostly fixes for dnssec-trigger-script.
I also added a new option to configure script --with-python, so one is
able to configure which Python interpreter to use (e.g. in Fedora we
are switching to use Python3 by default). I also changed the key length
dnssec-trigger-control-setup script, to the advised length.
Tomas Hozza (7):
  dnssec-trigger-script: Fix wrong default value in configuration
  dnssec-trigger-script: Fix formatting errors
  dnssec-trigger-script: Remove unused class
  Allow to select the default Python interpretter during build
  Fix 01-dnssec-trigger NOT to hardcode shell path
  dnssec-trigger-script: Fix typo when adding search domains
  dnssec-trigger-control-setup: Use 3072 bit keys

 01-dnssec-trigger.in               |  2 +-
 Makefile.in                        |  3 +++
 config.h.in                        |  3 +++
 configure                          | 25 +++++++++++++++++++++++++
 configure.ac                       | 10 ++++++++++
 dnssec-trigger-control-setup.sh.in |  4 +++-
 dnssec-trigger-script.in           | 21 +++++----------------
 7 files changed, 50 insertions(+), 18 deletions(-)

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dnssec-trigger-script-Fix-wrong-default-value-in-con.patch
Type: text/x-patch
Size: 880 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-dnssec-trigger-script-Fix-formatting-errors.patch
Type: text/x-patch
Size: 1121 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-dnssec-trigger-script-Remove-unused-class.patch
Type: text/x-patch
Size: 1042 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Allow-to-select-the-default-Python-interpretter-duri.patch
Type: text/x-patch
Size: 4402 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Fix-01-dnssec-trigger-NOT-to-hardcode-shell-path.patch
Type: text/x-patch
Size: 640 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-dnssec-trigger-script-Fix-typo-when-adding-search-do.patch
Type: text/x-patch
Size: 951 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-dnssec-trigger-control-setup-Use-3072-bit-keys.patch
Type: text/x-patch
Size: 901 bytes
Desc: not available
URL:

From cra at WPI.EDU Thu Mar 12 14:06:01 2015
From: cra at WPI.EDU (Chuck Anderson)
Date: Thu, 12 Mar 2015 10:06:01 -0400
Subject: [Dnssec-trigger] current status?
In-Reply-To:
References: <20150311192154.GJ13261@angus.ind.WPI.EDU> <55014C4C.8050305@redhat.com> <20150312133148.GN13261@angus.ind.WPI.EDU>
Message-ID: <20150312140600.GO13261@angus.ind.WPI.EDU>

On Thu, Mar 12, 2015 at 10:03:42AM -0400, Paul Wouters wrote:
> On Thu, 12 Mar 2015, Chuck Anderson wrote:
>
> >My experience is also mostly seamless, at least until this
> >disappearing /etc/resolv.conf
>
> There is a long standing bug that triggers in certain situations with
> hotspots where somehow dnssec-triggerd rewrites resolv.conf but actually
> has no (DHCP obtained) DNS server to put in, it then writes a file
> without any nameserver entry and expects the user to successfully browse
> through the captive portal. I haven't managed to reproduce it at will
> though. But I do wish that dnssec-triggerd would first check if it has
> any DNS server before it overwrites resolv.conf.

This particular "disappearing /etc/resolv.conf" APPEARS to be
SELinux-related. When I "setenforce 0" and restart dnssec-triggerd,
resolv.conf gets generated properly. It may be a new SELinux thing
since I just took a new version of selinux-policy-targeted.

From paul at nohats.ca Thu Mar 12 14:03:42 2015
From: paul at nohats.ca (Paul Wouters)
Date: Thu, 12 Mar 2015 10:03:42 -0400 (EDT)
Subject: [Dnssec-trigger] current status?
In-Reply-To: <20150312133148.GN13261@angus.ind.WPI.EDU>
References: <20150311192154.GJ13261@angus.ind.WPI.EDU> <55014C4C.8050305@redhat.com> <20150312133148.GN13261@angus.ind.WPI.EDU>
Message-ID:

On Thu, 12 Mar 2015, Chuck Anderson wrote:

> My experience is also mostly seamless, at least until this
> disappearing /etc/resolv.conf

There is a long standing bug that triggers in certain situations with
hotspots where somehow dnssec-triggerd rewrites resolv.conf but actually
has no (DHCP obtained) DNS server to put in, it then writes a file
without any nameserver entry and expects the user to successfully browse
through the captive portal. I haven't managed to reproduce it at will
though. But I do wish that dnssec-triggerd would first check if it has
any DNS server before it overwrites resolv.conf.

Paul

From paul at nohats.ca Thu Mar 12 14:08:26 2015
From: paul at nohats.ca (Paul Wouters)
Date: Thu, 12 Mar 2015 10:08:26 -0400 (EDT)
Subject: [Dnssec-trigger] current status?
In-Reply-To: <20150312140600.GO13261@angus.ind.WPI.EDU>
References: <20150311192154.GJ13261@angus.ind.WPI.EDU> <55014C4C.8050305@redhat.com> <20150312133148.GN13261@angus.ind.WPI.EDU> <20150312140600.GO13261@angus.ind.WPI.EDU>
Message-ID:

On Thu, 12 Mar 2015, Chuck Anderson wrote:

>> There is a long standing bug that triggers in certain situations with
>> hotspots where somehow dnssec-triggerd rewrites resolv.conf but actually
>> has no (DHCP obtained) DNS server to put in, it then writes a file
>> without any nameserver entry and expects the user to successfully browse
>> through the captive portal. I haven't managed to reproduce it at will
>> though. But I do wish that dnssec-triggerd would first check if it has
>> any DNS server before it overwrites resolv.conf.
>
> This particular "disappearing /etc/resolv.conf" APPEARS to be
> SELinux-related. When I "setenforce 0" and restart dnssec-triggerd,
> resolv.conf gets generated properly.
> It may be a new SELinux thing
> since I just took a new version of selinux-policy-targeted.

Not for me. I (sadly) do not run with selinux enabled on my laptop.

Paul

From thozza at redhat.com Thu Mar 12 15:14:55 2015
From: thozza at redhat.com (Tomas Hozza)
Date: Thu, 12 Mar 2015 16:14:55 +0100
Subject: [Dnssec-trigger] current status?
In-Reply-To: <20150312133148.GN13261@angus.ind.WPI.EDU>
References: <20150311192154.GJ13261@angus.ind.WPI.EDU> <55014C4C.8050305@redhat.com> <20150312133148.GN13261@angus.ind.WPI.EDU>
Message-ID: <5501AD6F.9010705@redhat.com>

On 03/12/2015 02:31 PM, Chuck Anderson wrote:
> On Thu, Mar 12, 2015 at 09:20:28AM +0100, Tomas Hozza wrote:
>> On 03/11/2015 08:21 PM, Chuck Anderson wrote:
>>> Every day after resuming from suspend, I have crash messages pop up on
>>> Fedora 21 from dnssec-trigger (even after I fixed rhbz#1187371 myself
>>> over a month ago).
>>>
>>> I'm very concerned about this:
>>>
>>> https://fedoraproject.org//wiki/Changes/Default_Local_DNS_Resolver
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1187371
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1187183
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1200996
>>
>> Hi Chuck.
>>
>> I'm also using dnssec-trigger on Fedora 21 every day, with VPN and
>> SELinux in enforcing mode. But my Fedora is also upgraded from older
>> ones.
>
> My systems are almost always fresh installs, but I do update them with
> "dnf update" and reboot every once in a while, maybe every week or two.
> I started seeing this crash only on my home laptop I use every day.
> It started in January and hasn't gone away. My earlier attempt to
> file this bug with ABRT local core dump analysis failed, so I just
> filed this one using the retrace server:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1201283
>
>> Sometimes my system also ends up without resolv.conf due to
>> https://bugzilla.redhat.com/show_bug.cgi?id=1195752 . But other
>> than that, the experience is pretty seamless.
>
> My experience is also mostly seamless, at least until this
> disappearing /etc/resolv.conf just started happening. My earlier
> report about DNS resolution timeouts after re-opening Firefox with
> many tabs open I believe is related to the NAT table filling up on my
> old Netgear stock-firmware router when unbound gets flooded with DNS
> resolution requests from Firefox. I do not have that problem anymore
> after moving to a newer Netgear router running Cerowrt (Openwrt fork).
>
>> We deferred the Fedora Change to Fedora 23, to sort out these issues.
>> Lately we had some higher priority issues to deal with, but we are
>> aware of the status in Fedora and are planning to address all the
>> user's issues.
>
> Thank you, that is good to hear. I see the wiki page shows Fedora 23
> as the targeted release, but the "Last Update" date wasn't changed and
> still says 2014-04-11.
>
>> Thank you for filing bugs and for adding them to the tracker bug.
>
> I'll finish going through the bugs and add more I think should be
> blockers.
>
>> Feel free to reach out to us directly by email, here on the mailing
>> list or via Bugzilla.
>
> Thanks. I was worried since there seemed to be a long silence. I am
> also a Fedora packager and could volunteer to help, but my time is
> also limited. But if it would help for me to push out updates for
> trivial fixes like rhbz#1187371, I can do that.

I just sent some patches to the mailing list and will fix those in
Fedora once I get some response for them. So I'll cover also
rhbz#1187371.

Anyway thank you for your offer. I think we would appreciate any help,
so feel free to request permission in the fedora package-db.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com

From wouter at nlnetlabs.nl Thu Mar 12 15:39:06 2015
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Thu, 12 Mar 2015 16:39:06 +0100
Subject: [Dnssec-trigger] Fixes for dnssec-trigger-script, new configure option for python interpreter; generate longer keys
In-Reply-To: <55019D18.10002@redhat.com>
References: <55019D18.10002@redhat.com>
Message-ID: <5501B31A.7@nlnetlabs.nl>

Hi Tomas,

A veritable list of fixes. Applied. Interesting to see the
dnssec-trigger-control 3k key advice. I have also fixed
unbound-control-setup and nsd-control-setup for this same issue.

Thanks!

Best regards, Wouter

On 12/03/15 15:05, Tomas Hozza wrote:
> Hi.
>
> I'm sending a couple of patches, mostly fixes for
> dnssec-trigger-script. I also added a new option to configure
> script --with-python, so one is able to configure which Python
> interpreter to use (e.g. in Fedora we are switching to use Python3
> by default). I also changed the key length
> dnssec-trigger-control-setup script, to the advised length.
>
> Tomas Hozza (7): dnssec-trigger-script: Fix wrong default value in
> configuration dnssec-trigger-script: Fix formatting errors
> dnssec-trigger-script: Remove unused class Allow to select the
> default Python interpretter during build Fix 01-dnssec-trigger NOT
> to hardcode shell path dnssec-trigger-script: Fix typo when adding
> search domains dnssec-trigger-control-setup: Use 3072 bit keys
>
> 01-dnssec-trigger.in | 2 +- Makefile.in
> | 3 +++ config.h.in | 3 +++ configure
> | 25 +++++++++++++++++++++++++ configure.ac |
> 10 ++++++++++ dnssec-trigger-control-setup.sh.in | 4 +++-
> dnssec-trigger-script.in | 21 +++++---------------- 7
> files changed, 50 insertions(+), 18 deletions(-)
>
> Regards,
>
>
>
> _______________________________________________ dnssec-trigger
> mailing list dnssec-trigger at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
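
Added example, not part of the thread and not dnssec-trigger code: Paul Wouters' message above wishes that dnssec-triggerd would first check that it has a DNS server before it overwrites resolv.conf. The Python below shows one such guard: it keeps the existing file when the replacement names no valid nameserver, and otherwise swaps the new file in atomically. The function names and sample contents are assumptions constructed for illustration.

```python
import ipaddress
import os
import tempfile

# Constructed sample contents, not taken from a real system.
WITH_RESOLVER = "# constructed sample\nnameserver 127.0.0.1\n"
WITHOUT_RESOLVER = "# constructed sample\nsearch example.com\n"


def nameservers(text):
    """Return the syntactically valid nameserver addresses in resolv.conf text."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        # Comment lines start with '#' or ';' and never match "nameserver".
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            # Drop an IPv6 zone id (fe80::1%eth0) before validating.
            ipaddress.ip_address(fields[1].split("%", 1)[0])
        except ValueError:
            continue
        found.append(fields[1])
    return found


def replace_resolv_conf(path, new_text):
    """Install new_text at path only if it names at least one resolver.

    Returns True if the file was replaced, False if the old one was kept.
    """
    if not nameservers(new_text):
        return False  # keep the previous file instead of writing an empty one
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".resolv.conf.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(new_text)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # atomic rename: readers see old or new content
    except BaseException:
        os.unlink(tmp)
        raise
    return True


if __name__ == "__main__":
    # Runs against a scratch directory, never the real /etc/resolv.conf.
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "resolv.conf")
        with open(target, "w") as handle:
            handle.write("nameserver 192.0.2.53\n")
        print(replace_resolv_conf(target, WITHOUT_RESOLVER))
        print(replace_resolv_conf(target, WITH_RESOLVER))
```

The temporary file is created in the same directory as the target so that the final rename stays on one filesystem.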