[Dnssec-trigger] dnssec-trigger 0.13

W.C.A. Wijngaards wouter at nlnetlabs.nl
Thu Dec 15 09:42:57 UTC 2016


There are new versions of the installers available on the website, for
0.13.  This includes new unbound, 1.6.0.  They can be installed by
manually downloading and installing the installer.

They are found here:

The source code tarball:
sha1 11f3d28a57dcc8df63d9c35b5e32b8f76f413e73
sha256 d8418e6456263229acebdd7d32d43b1e8571f599fdff2f71a023dcad6882b631

The code has not changed a lot, this release mostly brings new included
libraries for the binary downloaders.

0.13	2016-12-15
-   Updated acx_nlnetlabs.m4 for openssl-1.1.0 compatibility.
-   Patch for openssl-1.1.0 compilation.
-   Tomas Hozza (3):
    -   dnssec-trigger-script: Use ducktaping when restarting NM,
        instead of checking the sysfs
    -   dnssec-trigger-script: Silence the calls to chattr
    -   Improved text in the panel GUI when insecure mode is forced
-   Remove kickstarts of daemons because daemon died for test user.
-   Fixup compile on OSX with static SSL for makedist mac build.
-   OSX hide unbound user from login screen.
-   Attempt to stop panels and kickstart daemons on OSX.
-   Remove stuff from osx installer that logs out the user.
-   Fixup osx gui panel start code for new osx. installer talks about
new locations and set permissions on key files and add to the path the
/usr/local/sbin directory during install. Do not link RiggerStatusItem
to /usr/local/opt/openssl/lib.
-   chmod key files for unbound, dnssec-trigger control and ldns in
/usr/local. For OSX.
-   Fixup installer for creation of missing keys, and also start panel
in osx userspace.
-   Fix Makefile for use of /Library, which seems okay for new OSX.
-   makedist prints checksums on OSX.
-   new acx_nlnetlabs.m4 version and it has the libdl fix.
-   Fix lint warnings about int and size_t conversion.
-   Fixes to make the installer work on OSX-ElCapitan.
-   Patch for preliminary Mac OSX 10.11 support (from Philip Paeps).
-   Move plists into uidir on OSX (/usr/local/share), and set usr/local
in makedist for OSX.
-   default keysize for control is 3072 on windows.
-   Changed windows setup compression to be more transparent.
-   Patches from Tomas Hozza for systemd service files: Set PIDFile in
the dnssec-triggerd.service file. Remove restorecon call in
-   Patches from Tomas Hozza for dnssec-trigger-script: Use one import
on one line as defined by PEP8. Use path to DEVNULL from os module. Move
the main functionality into main() function to enable testing. Use
existing API in NM for distinguishing VPN connections. Construct
NMClient as advised by the documentation. Forbid Python from searching
local dirs and using env variables. Set low max negative cache TTL to
prevent possible user issues. Send SIGHUP to NM if it is new enough
instead of restarting it. Set the required version in GI before
importing NMClient.
-   Fix #618: create sha1 and sha256 hashes for created binaries, fixed
in makedist.sh.
-   Renamed 'open resolvers' to 'relay resolvers' in the explanatory
text what dnssec-trigger is doing. Resolvers from DHCP can also be
public resolvers, so the term relay resolver is used for an open
resolver that performs transport layer adjustment.
-   Patches from Tomas Hozza for dnssec-trigger-script: Add newlines
between classes to conform with PEP-8 and increase readability.
Add/remove local zones in Unbound when configuring reverse addr forward
-   Patch from Tomas Hozza: dnssec-trigger-script: Don't configure
RFC1918 zones if there are no global forwarders.
-   Patches from Tomas Hozza (7):
    -   dnssec-trigger-script: Fix wrong default value in configuration
    -   dnssec-trigger-script: Fix formatting errors
    -   dnssec-trigger-script: Remove unused class
    -   Allow to select the default Python interpreter during build
    -   Fix 01-dnssec-trigger NOT to hardcode shell path
    -   dnssec-trigger-script: Fix typo when adding search domains
    -   dnssec-trigger-control-setup: Use 3072 bit keys
-   Patches from Pavel Simerda:
    -   dnssec-trigger-script: check for paths, not files
        https://bugzilla.redhat.com/show_bug.cgi?id=1183975
    -   dnssec-trigger-script: fix secure/insecure forward zone switching
        https://bugzilla.redhat.com/show_bug.cgi?id=1185796
    -   dnssec.conf: clean up the dnssec.conf comments
    -   dnssec-trigger-script: log dnssec-trigger-control and
        unbound-control calls
    -   dnssec-trigger-script: use a global config object
    -   dnssec-trigger-script: add option to set search domains in
        /etc/resolv.conf
    -   dnssec-trigger-script: add (undocumented) option to avoid flushing
        positive answers https://bugzilla.redhat.com/show_bug.cgi?id=1105685
    -   dnssec-trigger-script: use private address ranges
-   Patches from Pavel Simerda: dnssec-trigger-script: clean up servers
as well, for restart dnssec-trigger-script: prefer VPN nameservers over
default ones
-   Update OSX resolvehook to flush dns caches for new OSX release with
"discoveryutil udnsflushcaches" and "discoveryutil mdnsflushcache".
-   Patches from Pavel Simerda:
    -   dnssec-trigger-script: The accepted version of NetworkManager
        patch uses `resolv.conf` instead of `resolv.conf.default`,
        https://bugzilla.gnome.org/show_bug.cgi?id=732941
    -   dnssec-trigger-script: Leaking file descriptors is bad,
        especially when selinux or similar tool is used.
    -   dnssec-trigger-script: Use a regular file unless
        use_resolv_secure_conf_symlink is set. Always install
        /var/run/dnssec-trigger/resolv.conf for comparison. Guard all of
        those regular files using immutable attribute.
    -   dnssec-trigger-script: fix desktop file paths.
-   Patches from Pavel Simerda:
    -   dnssec-trigger-script: lock --update-* methods only. The original
        locking was a bit too broad for future development.
    -   dnssec-trigger-script: improve /etc/dnssec.conf handling. Minor
        changes that make future /etc/dnssec.conf extensions easier.
    -   dnssec-trigger-script: support 'debug' option in /etc/dnssec.conf.
        With that you can get the debugging output even for instances run
        by systemd, dnssec-triggerd and NetworkManager dispatcher.
    -   dnssec-trigger-script: clean up resolv.conf backup and restore.
        Clean up the code a bit so that later additions don't turn it into
        a mess.
    -   dnssec-trigger-script: use
        /var/run/NetworkManager/resolv.conf.default. Avoid restarting
        NetworkManager just to restore /etc/resolv.conf when a simple
        symlink would do. This is only done when the NetworkManager's
        private resolv.conf actually exists.
    -   allow the resolv.conf hooks be handled by dnssec-trigger-script
    -   dnssec-trigger-script: handle resolv.conf events from the daemon.
        The new implementation doesn't write directly to /etc/resolv.conf
        and instead it writes a temporary file and then replaces the
        /etc/resolv.conf using POSIX `rename()`.
    -   dnssec-trigger-script: support /etc/resolv.conf and
        /etc/resolv-secure.conf symlinks. This is an experimental feature
        and is turned off by default. You need to put the following to
        /etc/dnssec.conf to activate it: use_resolv_conf_symlink=yes
    -   probe: use wildcard probing domains. This change might need to be
        revisited to see whether we need to check both known wildcard and
        known non-wildcard domains.
-   Fix #629: bad if test in net_help for ctx_load_verify_locations.
-   Patch from Pavel Simerda: improve dnssec-trigger-script locking and
avoid a dependency.
-   Fix NetworkManager script fails to parse nmcli version as of, patch from Gerald Turner.
-   Patches from Ondrej Sury (from the Debian package): Remove some ugly
bashisms from the script. Fixes static paths that might be mismatched
(f.e. on multiarch system). Fix IndexError in dnssec-trigger-script,
when there are less than 4 resolvers since you use 3xfields.pop(0) before
that. Fix release date in makedist manpage to be more stable. Do
substitutions in makefile, more autoconf'y. Fixup dnssec-triggerd.service
from Makefile.in.
-   Better fix for pidof that sets PATH for networkmanager dispatcher
script (from Ondrej Sury).
-   Add --with-pidof=/usr/sbin/pidof where you can set the location of
the pidof command to use in the Networkmanager script, /usr/bin/pidof or
/usr/sbin/pidof (depending on your distribution).
-   Patches from Pavel Simerda: improve systemctl call. serialize script
-   Patches from Pavel Simerda: Fixup for python2. fix a race condition
with NetworkManager restart. don't fail on empty connection list. move
legacy connection handling to the cleanup phase. don't block on
systemctl restart NetworkManager.
-   Patches from Pavel Simerda:
    -   fix bug that prevents calling dnssec-trigger-control submit
        (https://bugzilla.redhat.com/show_bug.cgi?id=1105896)
    -   avoid dependency on pidof
    -   handle missing resolv.conf backup gracefully
    -   upgrade zone cache format at startup
        (https://bugzilla.redhat.com/show_bug.cgi?id=1111143)
    -   always log to stderr
-   Patch from Pavel Simerda. This, among other things, allows to
restart unbound and/or dnssec-trigger without restarting NetworkManager
when it's configured not to touch the DNS. And, avoid Filenotfounderror
not available in python 2,
https://bugzilla.redhat.com/show_bug.cgi?id=1100794 And fix unbound
output parser https://bugzilla.redhat.com/show_bug.cgi?id=1100796
-   updated authority server addresses builtin to dnssec-trigger for d
root server (ipv4) and c root server (ipv6) for its tests.

Best regards, Wouter
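
The changelog entry about replacing /etc/resolv.conf through a temporary file and POSIX `rename()`, and the one about not leaking file descriptors, describe a pattern sketched below. This is an added example, not part of the original post and not code from dnssec-trigger-script; the function names, the temp-file prefix and the input validation are assumptions made for illustration.

```python
import os
import tempfile


def render_resolv_conf(nameservers, search=()):
    """Build resolv.conf text; reject values that could inject extra lines."""
    for value in list(nameservers) + list(search):
        if not value or any(c.isspace() for c in value):
            raise ValueError("invalid resolv.conf value: %r" % (value,))
    lines = ["# Generated file (constructed example)"]
    if search:
        lines.append("search " + " ".join(search))
    lines.extend("nameserver " + ns for ns in nameservers)
    return "\n".join(lines) + "\n"


def atomic_write(path, text, mode=0o644):
    """Replace path so readers see the old or the new file, never a partial one."""
    directory = os.path.dirname(os.path.abspath(path))
    # The temp file lives in the target directory: rename() is only atomic
    # within a single filesystem.
    fd, tmp = tempfile.mkstemp(prefix=".resolv.conf.", dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:    # fd is closed on every path
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())         # data on disk before the rename
            # mkstemp creates the file 0600; resolvers run as any user.
            os.fchmod(handle.fileno(), mode)
        os.rename(tmp, path)                  # POSIX rename(): atomic replace
    except BaseException:
        try:
            os.unlink(tmp)                    # leave no stray temp file behind
        except FileNotFoundError:
            pass
        raise


def update_resolv_conf(path, nameservers, search=()):
    # Render first so a bad value fails before anything touches the disk.
    atomic_write(path, render_resolv_conf(nameservers, search))
    return path
```

A file guarded with the immutable attribute, as another entry describes, would need that attribute cleared before the rename and set again afterwards; that step is not shown here.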
