[Dnssec-trigger] [PATCH] Automatic fallback to insecure mode

Wed Nov 25 15:23:17 UTC 2015

Hi.

In Fedora we had a discussions with GNOME and NetworkManager
developers about how to seamlessly integrate dnssec-trigger
and Unbound by default to the Workstation Product of Fedora.

The bottom line was that we should not use the panel applet
and rather do some better integration with NM and let GNOME
do some work.

Also some important decisions had been made, like automatic
switch to insecure mode when all attempts to use DNSSEC have
failed. This is mainly to NOT to break user experience and
rather fall back to the current state in which DNSSEC validation
is not done by default in Fedora.

Not having panel installed is the easy part, we split it into
separate sub-package which is not installed by default.

NM already implements the Captive Portal detection, GNOME
checks the connectivity state in NM and is able to
launch a browser window. Therefore we disabled the Captive
Portal detection in dnssec-trigger and also disabled the
login-action when installed on Workstation. Now such situation
need to be handled properly anyway in dnssec-trigger. By
properly I mean that for the time of hotspot login dnssec-trigger
should be switched to the hotspot signon mode. NM devels
will add the notifications on Connectivity state changes into
nm-dispatcher. This would allow us to call dnssec-trigger-control
from the dnssec-trigger Python script we use and switch
dnssec-trigger to the hotspot signon mode. The switch back
should be done also by calling dnssec-trigger-control to
reprobe. However my ideas how to do it may change once I start
testing it.

Some parts are still missing, but we are working on it.
We are restarting the effort to have Unbound and dnssec-trigger
installed and used by default from next Fedora (24), so you'll
see more emails from us :)

I started by implementing the automatic switch to insecure mode.

I added two new options:
1. auto-insecure - which takes yes/no and makes dnssec-trigger to
switch to insecure mode in case DNSSEC can not be used on the
network. This is done without any user interaction.

2. on-insecure-command - which takes string that will be run as
a command on switch to insecure mode. This seemed to be handy for
the future e.g. for triggering a notification to the user.

I'm also attaching two changes for dnssec-trigger-script,
which are more of a cosmetic changes to not scare users with
unnecessary warnings and errors.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc.                 http://cz.redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-auto-insecure-option.patch
Type: text/x-patch
Size: 4722 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20151125/0fe73033/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-on-insecure-command-option.patch
Type: text/x-patch
Size: 3966 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20151125/0fe73033/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-dnssec-trigger-script-Use-ducktaping-when-restarting.patch
Type: text/x-patch
Size: 1458 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20151125/0fe73033/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-dnssec-trigger-script-Silence-the-calls-to-chattr.patch
Type: text/x-patch
Size: 1175 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20151125/0fe73033/attachment-0003.bin>