From bortzmeyer at nic.fr Sun Dec 4 16:42:48 2016
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Sun, 4 Dec 2016 17:42:48 +0100
Subject: [Dnssec-trigger] Problems on Ubuntu 16.04
In-Reply-To: <74dfc392-0b02-2e5d-80ff-61581267eb72@redhat.com>
References: <20160717101044.GA3072@laperouse.bortzmeyer.org> <74dfc392-0b02-2e5d-80ff-61581267eb72@redhat.com>
Message-ID: <20161204164248.GA2983@laperouse.bortzmeyer.org>

[Resuming the work on this bug, to celebrate the publication of RFC 8027.]

On Mon, Jul 18, 2016 at 08:26:20AM +0200, Tomas Hozza wrote a message of 88 lines which said:

> Do you see anything in syslog from NetworkManager or NM dispatcher?

At the end.

> Could you please provide the content of your NetworkManager.conf?

Here it is (it's the default Ubuntu one):

[main]
plugins=ifupdown,keyfile,ofono
dns=dnsmasq

[ifupdown]
managed=false

Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.2705] device (eno1): disconnecting connection 'Wired connection 1' for new activation request.
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.2705] device (eno1): state change: activated -> deactivating (reason 'new-activation') [100 110 60]
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.2709] manager: NetworkManager state is now DISCONNECTING
Dec 4 17:40:14 godin whoopsie[925]: [17:40:14] offline
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.2784] device (eno1): disconnecting for new activation request.
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.2785] audit: op="connection-activate" uuid="d599f7e7-e500-33e0-be81-34a5ad202127" name="Wired connection 1" pid=2108 uid=1000 result="success"
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.2791] device (eno1): state change: deactivating -> disconnected (reason 'new-activation') [110 30 60]
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3123] dhcp4 (eno1): canceled DHCP transaction, DHCP client pid 1350
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3123] dhcp4 (eno1): state changed bound -> done
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3128] dhcp6 (eno1): canceled DHCP transaction, DHCP client pid 1460
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3129] dhcp6 (eno1): state changed bound -> done
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3141] manager: NetworkManager state is now DISCONNECTED
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3142] device (eno1): Activation: starting connection 'Wired connection 1' (d599f7e7-e500-33e0-be81-34a5ad202127)
Dec 4 17:40:14 godin dbus[929]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3163] device (eno1): state change: disconnected -> prepare (reason 'none') [30 40 0]
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3165] manager: NetworkManager state is now CONNECTING
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3180] device (eno1): state change: prepare -> config (reason 'none') [40 50 0]
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3184] device (eno1): state change: config -> ip-config (reason 'none') [50 70 0]
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3186] dhcp4 (eno1): activation: beginning transaction (timeout in 45 seconds)
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3218] dhcp4 (eno1): dhclient started with pid 3039
Dec 4 17:40:14 godin systemd[1]: Starting Network Manager Script Dispatcher Service...
Dec 4 17:40:14 godin dhclient[3039]: DHCPREQUEST of 192.168.2.11 on eno1 to 255.255.255.255 port 67 (xid=0x5c8a156c)
Dec 4 17:40:14 godin dbus[929]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Dec 4 17:40:14 godin systemd[1]: Started Network Manager Script Dispatcher Service.
Dec 4 17:40:14 godin nm-dispatcher: req:1 'down' [eno1]: new request (2 scripts)
Dec 4 17:40:14 godin nm-dispatcher: req:1 'down' [eno1]: start running ordered scripts...
Dec 4 17:40:14 godin dhclient[3039]: DHCPACK of 192.168.2.11 from 192.168.2.254
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] address 192.168.2.11
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] plen 24 (255.255.255.0)
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] gateway 192.168.2.254
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] server identifier 192.168.2.254
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] lease time 43200
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] hostname 'godin'
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] nameserver '192.168.2.254'
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] domain name 'dyn.sources.org'
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3542] dhcp4 (eno1): state changed unknown -> bound
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3572] device (eno1): state change: ip-config -> ip-check (reason 'none') [70 80 0]
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3582] device (eno1): state change: ip-check -> secondaries (reason 'none') [80 90 0]
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3585] device (eno1): state change: secondaries -> activated (reason 'none') [90 100 0]
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3586] manager: NetworkManager state is now CONNECTED_LOCAL
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3621] manager: NetworkManager state is now CONNECTED_GLOBAL
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3622] policy: set 'Wired connection 1' (eno1) as default for IPv4 routing and DNS
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.3624] device (eno1): Activation: successful, device activated.
Dec 4 17:40:14 godin nm-dispatcher: req:2 'up' [eno1]: new request (2 scripts)
Dec 4 17:40:14 godin dhclient[3039]: bound to 192.168.2.11 -- renewal in 17071 seconds.
Dec 4 17:40:14 godin nm-dispatcher[3038]: /usr/lib/dnssec-trigger/dnssec-trigger-script:8: PyGIWarning: NMClient was imported without specifying a version first. Use gi.require_version('NMClient', '1.0') before import to ensure that the right version gets loaded.
Dec 4 17:40:14 godin nm-dispatcher[3038]: from gi.repository import NMClient
Dec 4 17:40:14 godin nm-dispatcher[3038]: NetworkManager is not running.
Dec 4 17:40:14 godin nm-dispatcher: req:1 'down' [eno1], "/etc/NetworkManager/dispatcher.d/01-dnssec-trigger": complete: failed with Script '/etc/NetworkManager/dispatcher.d/01-dnssec-trigger' exited with error status 1.
Dec 4 17:40:14 godin nm-dispatcher[3038]: grep: /etc/resolv.conf: No such file or directory
Dec 4 17:40:14 godin nm-dispatcher: req:2 'up' [eno1]: start running ordered scripts...
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.4644] dispatcher: (6) 01-dnssec-trigger failed (failed): Script '/etc/NetworkManager/dispatcher.d/01-dnssec-trigger' exited with error status 1.
Dec 4 17:40:14 godin nm-dispatcher[3038]: /usr/lib/dnssec-trigger/dnssec-trigger-script:8: PyGIWarning: NMClient was imported without specifying a version first. Use gi.require_version('NMClient', '1.0') before import to ensure that the right version gets loaded.
Dec 4 17:40:14 godin nm-dispatcher[3038]: from gi.repository import NMClient
Dec 4 17:40:14 godin nm-dispatcher[3038]: NetworkManager is not running.
Dec 4 17:40:14 godin nm-dispatcher: req:2 'up' [eno1], "/etc/NetworkManager/dispatcher.d/01-dnssec-trigger": complete: failed with Script '/etc/NetworkManager/dispatcher.d/01-dnssec-trigger' exited with error status 1.
Dec 4 17:40:14 godin nm-dispatcher[3038]: grep: /etc/resolv.conf: No such file or directory
Dec 4 17:40:14 godin systemd[1]: Reloading OpenBSD Secure Shell server.
Dec 4 17:40:14 godin systemd[1]: Reloaded OpenBSD Secure Shell server.
Dec 4 17:40:14 godin nm-dispatcher[3038]: grep: /etc/resolv.conf: No such file or directory
Dec 4 17:40:14 godin systemd[1]: Reloading OpenBSD Secure Shell server.
Dec 4 17:40:14 godin systemd[1]: Reloaded OpenBSD Secure Shell server.
Dec 4 17:40:14 godin NetworkManager[971]: [1480869614.6780] dispatcher: (8) 01-dnssec-trigger failed (failed): Script '/etc/NetworkManager/dispatcher.d/01-dnssec-trigger' exited with error status 1.
Dec 4 17:40:15 godin NetworkManager[971]: [1480869615.7879] dhcp6 (eno1): activation: beginning transaction (timeout in 45 seconds)
Dec 4 17:40:15 godin NetworkManager[971]: [1480869615.7890] dhcp6 (eno1): dhclient started with pid 3163
Dec 4 17:40:15 godin NetworkManager[971]: [1480869615.7901] policy: set 'Wired connection 1' (eno1) as default for IPv6 routing and DNS
Dec 4 17:40:16 godin dhclient[3163]: XMT: Confirm on eno1, interval 910ms.
Dec 4 17:40:17 godin dhclient[3163]: XMT: Confirm on eno1, interval 1880ms.
Dec 4 17:40:19 godin dhclient[3163]: XMT: Confirm on eno1, interval 3860ms.

From wouter at nlnetlabs.nl Thu Dec 15 09:42:57 2016
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Thu, 15 Dec 2016 10:42:57 +0100
Subject: [Dnssec-trigger] dnssec-trigger 0.13
Message-ID: <816ba201-dc9b-a73e-fece-10f70d2a6df8@nlnetlabs.nl>

Hi,

There are new versions of the installers available on the website, for
0.13. This includes new unbound, 1.6.0. They can be installed by
manually downloading and installing the installer.
They are found here:
https://nlnetlabs.nl/projects/dnssec-trigger

The source code tarball:
https://nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.13.tar.gz
sha1 11f3d28a57dcc8df63d9c35b5e32b8f76f413e73
sha256 d8418e6456263229acebdd7d32d43b1e8571f599fdff2f71a023dcad6882b631

The code has not changed a lot, this release mostly brings new included
libraries for the binary downloaders.

0.13 2016-12-15
- Updated acx_nlnetlabs.m4 for openssl-1.1.0 compatibility.
- Patch for openssl-1.1.0 compilation.
- Tomas Hozza (3):
  dnssec-trigger-script: Use duct-taping when restarting NM, instead of checking the sysfs
  dnssec-trigger-script: Silence the calls to chattr
  Improved text in the panel GUI when insecure mode is forced
- Remove kickstarts of daemons because daemon died for test user.
- Fixup compile on OSX with static SSL for makedist mac build.
- OSX hide unbound user from login screen.
- Attempt to stop panels and kickstart daemons on OSX.
- Remove stuff from osx installer that logs out the user.
- Fixup osx gui panel start code for new osx. Installer talks about new
  locations and sets permissions on key files and adds the /usr/local/sbin
  directory to the path during install. Do not link RiggerStatusItem to
  /usr/local/opt/openssl/lib.
- chmod key files for unbound, dnssec-trigger control and ldns in /usr/local. For OSX.
- Fixup installer for creation of missing keys, and also start panel in osx userspace.
- Fix Makefile for use of /Library, which seems okay for new OSX.
- makedist prints checksums on OSX.
- new acx_nlnetlabs.m4 version and it has the libdl fix.
- Fix lint warnings about int and size_t conversion.
- Fixes to make the installer work on OSX-ElCapitan.
- Patch for preliminary Mac OSX 10.11 support (from Philip Paeps).
- Move plists into uidir on OSX (/usr/local/share), and set usr/local in makedist for OSX.
- default keysize for control is 3072 on windows.
- Changed windows setup compression to be more transparent.
- Patches from Tomas Hozza for systemd service files:
  Set PIDFile in the dnssec-triggerd.service file.
  Remove restorecon call in dnssec-triggerd-keygen.service.
- Patches from Tomas Hozza for dnssec-trigger-script:
  Use one import on one line as defined by PEP8.
  Use path to DEVNULL from os module.
  Move the main functionality into main() function to enable testing.
  Use existing API in NM for distinguishing VPN connections.
  Construct NMClient as advised by the documentation.
  Forbid Python from searching local dirs and using env variables.
  Set low max negative cache TTL to prevent possible user issues.
  Send SIGHUP to NM if it is new enough instead of restarting it.
  Set the required version in GI before importing NMClient.
- Fix #618: create sha1 and sha256 hashes for created binaries, fixed in makedist.sh.
- Renamed 'open resolvers' to 'relay resolvers' in the explanatory text
  about what dnssec-trigger is doing. Resolvers from DHCP can also be
  public resolvers, so the term relay resolver is used for an open
  resolver that performs transport layer adjustment.
- Patches from Tomas Hozza for dnssec-trigger-script:
  Add newlines between classes to conform with PEP-8 and increase readability.
  Add/remove local zones in Unbound when configuring reverse addr forward zones.
- Patch from Tomas Hozza: dnssec-trigger-script: Don't configure RFC1918
  zones if there are no global forwarders.
- Patches from Tomas Hozza (7):
  dnssec-trigger-script: Fix wrong default value in configuration
  dnssec-trigger-script: Fix formatting errors
  dnssec-trigger-script: Remove unused class
  Allow to select the default Python interpreter during build
  Fix 01-dnssec-trigger NOT to hardcode shell path
  dnssec-trigger-script: Fix typo when adding search domains
  dnssec-trigger-control-setup: Use 3072 bit keys
- Patches from Pavel Simerda:
  dnssec-trigger-script: check for paths, not files
    https://bugzilla.redhat.com/show_bug.cgi?id=1183975
  dnssec-trigger-script: fix secure/insecure forward zone switching
    https://bugzilla.redhat.com/show_bug.cgi?id=1185796
  dnssec.conf: clean up the dnssec.conf comments
  dnssec-trigger-script: log dnssec-trigger-control and unbound-control calls
  dnssec-trigger-script: use a global config object
  dnssec-trigger-script: add option to set search domains in /etc/resolv.conf
    https://bugzilla.redhat.com/show_bug.cgi?id=1130502
  dnssec-trigger-script: add (undocumented) option to avoid flushing positive answers
    https://bugzilla.redhat.com/show_bug.cgi?id=1105685
  dnssec-trigger-script: use private address ranges
    https://bugzilla.redhat.com/show_bug.cgi?id=1128310
- Patches from Pavel Simerda:
  dnssec-trigger-script: clean up servers as well, for restart
  dnssec-trigger-script: prefer VPN nameservers over default ones
- Update OSX resolvehook to flush dns caches for new OSX release with
  "discoveryutil udnsflushcaches" and "discoveryutil mdnsflushcache".
- Patches from Pavel Simerda:
  dnssec-trigger-script: The accepted version of NetworkManager patch uses
    `resolv.conf` instead of `resolv.conf.default`,
    https://bugzilla.gnome.org/show_bug.cgi?id=732941
  dnssec-trigger-script: Leaking file descriptors is bad, especially when
    selinux or similar tool is used.
    https://bugzilla.redhat.com/show_bug.cgi?id=1147705
  dnssec-trigger-script: Use a regular file unless
    use_resolv_secure_conf_symlink is set. Always install
    /var/run/dnssec-trigger/resolv.conf for comparison. Guard all of those
    regular files using immutable attribute.
    https://bugzilla.redhat.com/show_bug.cgi?id=1165126
  dnssec-trigger-script: fix desktop file paths.
- Patches from Pavel Simerda:
  dnssec-trigger-script: lock --update-* methods only
    The original locking was a bit too broad for future development.
  dnssec-trigger-script: improve /etc/dnssec.conf handling
    Minor changes that make future /etc/dnssec.conf extensions easier.
  dnssec-trigger-script: support 'debug' option in /etc/dnssec.conf
    With that you can get the debugging output even for instances run by
    systemd, dnssec-triggerd and NetworkManager dispatcher.
  dnssec-trigger-script: clean up resolv.conf backup and restore
    Clean up the code a bit so that later additions don't turn it into a mess.
  dnssec-trigger-script: use /var/run/NetworkManager/resolv.conf.default
    Avoid restarting NetworkManager just to restore /etc/resolv.conf when a
    simple symlink would do. This is only done when the NetworkManager's
    private resolv.conf actually exists.
  allow the resolv.conf hooks to be handled by dnssec-trigger-script
  dnssec-trigger-script: handle resolv.conf events from the daemon
    The new implementation doesn't write directly to /etc/resolv.conf and
    instead it writes a temporary file and then replaces the
    /etc/resolv.conf using POSIX `rename()`.
  dnssec-trigger-script: support /etc/resolv.conf and /etc/resolv-secure.conf symlinks
    This is an experimental feature and is turned off by default. You need
    to put the following in /etc/dnssec.conf to activate it:
    use_resolv_conf_symlink=yes
  probe: use wildcard probing domains
    This change might need to be revisited to see whether we need to check
    both known wildcard and known non-wildcard domains.
- Fix #629: bad if test in net_help for ctx_load_verify_locations.
- Patch from Pavel Simerda: improve dnssec-trigger-script locking and avoid a dependency.
- Fix NetworkManager script fails to parse nmcli version as of 0.9.10.0,
  patch from Gerald Turner.
- Patches from Ondrej Sury (from the Debian package):
  Remove some ugly bashisms from the script.
  Fixes static paths that might be mismatched (f.e. on multiarch system).
  Fix IndexError in dnssec-trigger-script, when there are fewer than 4
    resolvers since you use 3xfields.pop(0) before that.
  Fix release date in makedist manpage to be more stable.
  Do substitutions in makefile, more autoconf'y
  Fixup dnssec-triggerd.service from Makefile.in
- Better fix for pidof that sets PATH for networkmanager dispatcher script
  (from Ondrej Sury).
- Add --with-pidof=/usr/sbin/pidof where you can set the location of the
  pidof command to use in the Networkmanager script, /usr/bin/pidof or
  /usr/sbin/pidof (depending on your distribution).
- Patches from Pavel Simerda:
  improve systemctl call.
  serialize script instances.
- Patches from Pavel Simerda:
  Fixup for python2.
  fix a race condition with NetworkManager restart.
  don't fail on empty connection list.
  move legacy connection handling to the cleanup phase.
  don't block on systemctl restart NetworkManager.
- Patches from Pavel Simerda:
  fix bug that prevents calling dnssec-trigger-control submit
    (https://bugzilla.redhat.com/show_bug.cgi?id=1105896)
  avoid dependency on pidof
  handle missing resolv.conf backup gracefully
  upgrade zone cache format at startup
    (https://bugzilla.redhat.com/show_bug.cgi?id=1111143)
  always log to stderr
- Patch from Pavel Simerda. This, among other things, allows to restart
  unbound and/or dnssec-trigger without restarting NetworkManager when it's
  configured not to touch the DNS. And, avoid FileNotFoundError not
  available in python 2, https://bugzilla.redhat.com/show_bug.cgi?id=1100794
  And fix unbound output parser https://bugzilla.redhat.com/show_bug.cgi?id=1100796
- updated authority server addresses builtin to dnssec-trigger for d root
  server (ipv4) and c root server (ipv6) for its tests.

Best regards, Wouter
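Two entries in the 0.13 changelog above describe how dnssec-trigger-script now handles the resolver file: it writes a temporary file and replaces /etc/resolv.conf with POSIX rename(), guards the regular file with the immutable attribute, keeps a copy under /var/run/dnssec-trigger/resolv.conf for comparison, and handles a missing resolv.conf backup gracefully. Stephane's Ubuntu 16.04 syslog earlier in the thread shows the failure mode that last point avoids: a dispatcher script ran grep on a non-existent /etc/resolv.conf and the whole script exited 1. The Python 3 below is an added example written for this page, not dnssec-trigger-script's own code; the file names, the sample resolv.conf content, the demo() helper and the use_chattr switch are assumptions, and the chattr calls are off by default so the example runs unprivileged inside a temporary directory.

```python
import os
import subprocess
import tempfile

# Constructed sample: a resolv.conf that points at the local validating
# resolver. The real dnssec-trigger-script generates its own content.
LOCAL_RESOLV_CONF = (
    "# generated for the example, not by dnssec-trigger-script\n"
    "nameserver 127.0.0.1\n"
    "options edns0\n"
)


def read_nameservers(path):
    """Return the nameserver addresses listed in a resolv.conf file.

    A missing file yields an empty list instead of an exception: the
    Ubuntu 16.04 report in this thread failed because `grep /etc/resolv.conf`
    hit ENOENT and the dispatcher script exited with status 1.
    (FileNotFoundError is Python 3 only, as the changelog also notes.)
    """
    try:
        with open(path) as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        return []
    servers = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def set_immutable(path, immutable, use_chattr=False):
    """Toggle the ext* immutable attribute with chattr +i / -i.

    Off by default (assumption for this example) so it runs unprivileged and
    on any filesystem; failures are silenced, matching the changelog entry
    "Silence the calls to chattr".
    """
    if not use_chattr:
        return
    flag = "+i" if immutable else "-i"
    subprocess.call(["chattr", flag, path],
                    stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def write_resolv_conf(path, content, use_chattr=False):
    """Atomically replace `path` with `content`; returns the nameservers now in effect.

    The content goes into a temporary file in the same directory (rename()
    only works within one filesystem), is fsync'ed, then moved over the
    target with os.replace(), which is POSIX rename(): readers see either
    the old file or the complete new one, never a half-written file. The
    immutable attribute guarding the old file is lifted just before the
    rename and put back afterwards.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".resolv.conf.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; resolv.conf must be world-readable
        set_immutable(path, False, use_chattr)
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)  # never leave a stray temp file behind
        except OSError:
            pass
        raise
    set_immutable(path, True, use_chattr)
    return read_nameservers(path)


def resolv_conf_matches(path, reference_path):
    """True if `path` lists the same nameservers as the reference copy
    (dnssec-trigger keeps one at /var/run/dnssec-trigger/resolv.conf for
    exactly this comparison). Either file missing simply means "no match"."""
    current = read_nameservers(path)
    return bool(current) and current == read_nameservers(reference_path)


def demo(directory=None):
    """Run the whole flow inside `directory` (a fresh temporary directory if
    none is given); returns (nameservers before, nameservers after, matches)."""
    if directory is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    target = os.path.join(directory, "resolv.conf")
    reference = os.path.join(directory, "resolv.conf.reference")
    before = read_nameservers(target)  # [] while the file does not exist yet
    write_resolv_conf(reference, LOCAL_RESOLV_CONF)
    after = write_resolv_conf(target, LOCAL_RESOLV_CONF)
    return before, after, resolv_conf_matches(target, reference)


if __name__ == "__main__":
    print(demo())  # ([], ['127.0.0.1'], True)
```

Against a real system you would call write_resolv_conf("/etc/resolv.conf", ..., use_chattr=True) as root; the temporary file must live in /etc rather than /tmp because rename() cannot cross filesystems, and the immutable attribute is what keeps other tools (NetworkManager, resolvconf, dhclient hooks) from silently overwriting the file between updates.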
From regnauld at nsrc.org Thu Dec 15 10:14:37 2016
From: regnauld at nsrc.org (Phil Regnauld)
Date: Thu, 15 Dec 2016 11:14:37 +0100
Subject: [Dnssec-trigger] dnssec-trigger 0.13
In-Reply-To: <816ba201-dc9b-a73e-fece-10f70d2a6df8@nlnetlabs.nl>
References: <816ba201-dc9b-a73e-fece-10f70d2a6df8@nlnetlabs.nl>
Message-ID: <20161215101437.GD14974@macbook.x0.dk>

W.C.A. Wijngaards (wouter) writes:
> Hi,
>
> There are new versions of the installers available on the website, for
> 0.13. This includes new unbound, 1.6.0. They can be installed by
> manually downloading and installing the installer.

Awesome!

Just installed it - working fine, but not seeing the anchor icon in the
menu bar... I can see dnssec-triggerd and unbound are running (this is
on OSX Sierra).

Great work!

Cheers,
Phil

From wouter at nlnetlabs.nl Thu Dec 15 10:26:45 2016
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Thu, 15 Dec 2016 11:26:45 +0100
Subject: [Dnssec-trigger] dnssec-trigger 0.13
In-Reply-To: <20161215101437.GD14974@macbook.x0.dk>
References: <816ba201-dc9b-a73e-fece-10f70d2a6df8@nlnetlabs.nl> <20161215101437.GD14974@macbook.x0.dk>
Message-ID:

Hi Phil,

On 15/12/16 11:14, Phil Regnauld wrote:
> W.C.A. Wijngaards (wouter) writes:
>> Hi,
>>
>> There are new versions of the installers available on the website, for
>> 0.13. This includes new unbound, 1.6.0. They can be installed by
>> manually downloading and installing the installer.
>
> Awesome!
>
> Just installed it - working fine, but not seeing the anchor
> icon in the menu bar... I can see dnssec-triggerd and unbound
> are running (this is on OSX Sierra).
A reboot should fix that, or you can use this commandline, if you do not
want to reboot,
launchctl load -w /Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist

I've also found the likely culprit in the install script that checked
for swvers 10.11, but sierra is 10.12 ... (it now has != 10.10).

Best regards, Wouter

>
> Great work!
>
> Cheers,
> Phil
>

From regnauld at nsrc.org Thu Dec 15 10:48:51 2016
From: regnauld at nsrc.org (Phil Regnauld)
Date: Thu, 15 Dec 2016 11:48:51 +0100
Subject: [Dnssec-trigger] dnssec-trigger 0.13
In-Reply-To:
References: <816ba201-dc9b-a73e-fece-10f70d2a6df8@nlnetlabs.nl> <20161215101437.GD14974@macbook.x0.dk>
Message-ID: <20161215104851.GE14974@macbook.x0.dk>

W.C.A. Wijngaards (wouter) writes:
>
> A reboot should fix that, or you can use this commandline, if you do not
> want to reboot,
> launchctl load -w
> /Library/LaunchAgents/nl.nlnetlabs.dnssec-trigger-panel.plist

Thanks, the only thing I hadn't tried (had to sudo that).

> I've also found the likely culprit in the install script that checked
> for swvers 10.11, but sierra is 10.12 ... (it now has != 10.10).

Ack.

Cheers,
Phil

From jaap at NLnetLabs.nl Thu Dec 22 14:32:32 2016
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Thu, 22 Dec 2016 15:32:32 +0100
Subject: [Dnssec-trigger] [NLnet Labs Maintainers] dnssec-trigger 0.13
In-Reply-To: <1482404213.1896454.826821249.31E1E5A7@webmail.messagingengine.com>
References: <816ba201-dc9b-a73e-fece-10f70d2a6df8@nlnetlabs.nl> <1482404213.1896454.826821249.31E1E5A7@webmail.messagingengine.com>
Message-ID: <201612221432.uBMEWWZp028398@bela.nlnetlabs.nl>

Note it is vacation time and Wouter is taking some. But for your
information, there has been some work in updating dnssec-trigger lately,
including openssl-1.1.0 support...
	jaap

From ondrej at sury.org Thu Dec 22 10:56:53 2016
From: ondrej at sury.org (Ondřej Surý)
Date: Thu, 22 Dec 2016 11:56:53 +0100
Subject: [Dnssec-trigger] [NLnet Labs Maintainers] dnssec-trigger 0.13
In-Reply-To: <816ba201-dc9b-a73e-fece-10f70d2a6df8@nlnetlabs.nl>
References: <816ba201-dc9b-a73e-fece-10f70d2a6df8@nlnetlabs.nl>
Message-ID: <1482404213.1896454.826821249.31E1E5A7@webmail.messagingengine.com>

Wouter,

dnssec-trigger 0.13 still tries to use SSL_OP_NO_SSLv2, so I made a PR on
github dnssec-trigger together with other patches that I have in Debian
(reworking those to be universally useful).

And I have just noticed that dnssec-trigger github copy is out of date.

So please:

1) update it to latest svn copy
2) setup a trigger to push the svn automatically (or for the love of all
   pagan gods, just switch to git already :)
3) ping me, and I'll update the PR to latest master

Or you can cherry-pick individual patches (apart from the HMAC_CTX_* stuff
I guess they all should apply) and then push the up-to-date git copy.

Thanks,
--
Ondřej Surý
Knot DNS (https://www.knot-dns.cz/) - a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) - secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) - flours from the mill and supplies for baking bread of all kinds

On Thu, Dec 15, 2016, at 10:42, W.C.A. Wijngaards wrote:
> Hi,
>
> There are new versions of the installers available on the website, for
> 0.13. This includes new unbound, 1.6.0. They can be installed by
> manually downloading and installing the installer.
>
> Best regards, Wouter
>
> _______________________________________________
> maintainers mailing list
> maintainers at nlnetlabs.nl
> https://nlnetlabs.nl/mailman/listinfo/maintainers