[Dnssec-trigger] [NLnet Labs Maintainers] dnssec-trigger 0.13

Ondřej Surý ondrej at sury.org
Thu Dec 22 10:56:53 UTC 2016


dnssec-trigger 0.13 still tries to use SSL_OP_NO_SSLv2, so I made a PR
on github dnssec-trigger together with other patches that I have in
Debian (reworking those to be universally useful).

And I have just noticed that dnssec-trigger github copy is out of date.
So please:

1) update it to latest svn copy
2) set up a trigger to push the svn automatically (or for the love of all
pagan gods, just switch to git already :)
3) ping me, and I'll update the PR to latest master

Or you can cherry-pick individual patches (apart from the HMAC_CTX_*
stuff I guess they all should apply) and then push the up-to-date git

Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for
baking bread of all kinds

On Thu, Dec 15, 2016, at 10:42, W.C.A. Wijngaards wrote:
> Hi,
> There are new versions of the installers available on the website, for
> 0.13.  This includes new unbound, 1.6.0.  They can be installed by
> manually downloading and installing the installer.
> They are found here:
> https://nlnetlabs.nl/projects/dnssec-trigger
> The source code tarball:
> https://nlnetlabs.nl/downloads/dnssec-trigger/dnssec-trigger-0.13.tar.gz
> sha1 11f3d28a57dcc8df63d9c35b5e32b8f76f413e73
> sha256 d8418e6456263229acebdd7d32d43b1e8571f599fdff2f71a023dcad6882b631
> The code has not changed a lot, this release mostly brings new included
> libraries for the binary downloaders.
> 0.13    2016-12-15
> -   Updated acx_nlnetlabs.m4 for openssl-1.1.0 compatibility.
> -   Patch for openssl-1.1.0 compilation.
> -   Tomas Hozza (3):
>     - dnssec-trigger-script: Use ducktaping when restarting NM, instead of
>       checking the sysfs
>     - dnssec-trigger-script: Silence the calls to chattr
>     - Improved text in the panel GUI when insecure mode is forced
> -   Remove kickstarts of daemons because daemon died for test user.
> -   Fixup compile on OSX with static SSL for makedist mac build.
> -   OSX hide unbound user from login screen.
> -   Attempt to stop panels and kickstart daemons on OSX.
> -   Remove stuff from osx installer that logs out the user.
> -   Fixup osx gui panel start code for new osx. installer talks about
> new locations and set permissions on key files and add to the path the
> /usr/local/sbin directory during install. Do not link RiggerStatusItem
> to /usr/local/opt/openssl/lib.
> -   chmod key files for unbound, dnssec-trigger control and ldns in
> /usr/local. For OSX.
> -   Fixup installer for creation of missing keys, and also start panel
> in osx userspace.
> -   Fix Makefile for use of /Library, which seems okay for new OSX.
> -   makedist prints checksums on OSX.
> -   new acx_nlnetlabs.m4 version and it has the libdl fix.
> -   Fix lint warnings about int and size_t conversion.
> -   Fixes to make the installer work on OSX-ElCapitan.
> -   Patch for preliminary Mac OSX 10.11 support (from Philip Paeps).
> -   Move plists into uidir on OSX (/usr/local/share), and set usr/local
> in makedist for OSX.
> -   default keysize for control is 3072 on windows.
> -   Changed windows setup compression to be more transparent.
> -   Patches from Tomas Hozza for systemd service files: Set PIDFile in
> the dnssec-triggerd.service file. Remove restorecon call in
> dnssec-triggerd-keygen.service.
> -   Patches from Tomas Hozza for dnssec-trigger-script: Use one import
> on one line as defined by PEP8. Use path to DEVNULL from os module. Move
> the main functionality into main() function to enable testing. Use
> existing API in NM for distinguishing VPN connections. Construct
> NMClient as advised by the documentation. Forbid Python from searching
> local dirs and using env variables. Set low max negative cache TTL to
> prevent possible user issues. Send SIGHUP to NM if it is new enough
> instead of restarting it. Set the required version in GI before
> importing NMClient.
> -   Fix #618: create sha1 and sha256 hashes for created binaries, fixed
> in makedist.sh.
> -   Renamed 'open resolvers' to 'relay resolvers' in the explanatory
> text what dnssec-trigger is doing. Resolvers from DHCP can also be
> public resolvers, so the term relay resolver is used for an open
> resolver that performs transport layer adjustment.
> -   Patches from Tomas Hozza for dnssec-trigger-script: Add newlines
> between classes to conform with PEP-8 and increase readability.
> Add/remove local zones in Unbound when configuring reverse addr forward
> zones.
> -   Patch from Tomas Hozza: dnssec-trigger-script: Don't configure
> RFC1918 zones if there are no global forwarders.
> -   Patches from Tomas Hozza (7):
>     - dnssec-trigger-script: Fix wrong default value in configuration
>     - dnssec-trigger-script: Fix formatting errors
>     - dnssec-trigger-script: Remove unused class
>     - Allow to select the default Python interpreter during build
>     - Fix 01-dnssec-trigger NOT to hardcode shell path
>     - dnssec-trigger-script: Fix typo when adding search domains
>     - dnssec-trigger-control-setup: Use 3072 bit keys
> -   Patches from Pavel Simerda:
>     - dnssec-trigger-script: check for paths, not files
>       https://bugzilla.redhat.com/show_bug.cgi?id=1183975
>     - dnssec-trigger-script: fix secure/insecure forward zone switching
>       https://bugzilla.redhat.com/show_bug.cgi?id=1185796
>     - dnssec.conf: clean up the dnssec.conf comments
>     - dnssec-trigger-script: log dnssec-trigger-control and unbound-control
>       calls
>     - dnssec-trigger-script: use a global config object
>     - dnssec-trigger-script: add option to set search domains in
>       /etc/resolv.conf https://bugzilla.redhat.com/show_bug.cgi?id=1130502
>     - dnssec-trigger-script: add (undocumented) option to avoid flushing
>       positive answers https://bugzilla.redhat.com/show_bug.cgi?id=1105685
>     - dnssec-trigger-script: use private address ranges
>       https://bugzilla.redhat.com/show_bug.cgi?id=1128310
> -   Patches from Pavel Simerda:
>     - dnssec-trigger-script: clean up servers as well, for restart
>     - dnssec-trigger-script: prefer VPN nameservers over default ones
> -   Update OSX resolvehook to flush dns caches for new OSX release with
> "discoveryutil udnsflushcaches" and "discoveryutil mdnsflushcache".
> -   Patches from Pavel Simerda:
>     - dnssec-trigger-script: The accepted version of NetworkManager patch
>       uses `resolv.conf` instead of `resolv.conf.default`,
>       https://bugzilla.gnome.org/show_bug.cgi?id=732941
>     - dnssec-trigger-script: Leaking file descriptors is bad, especially
>       when selinux or similar tool is used.
>       https://bugzilla.redhat.com/show_bug.cgi?id=1147705
>     - dnssec-trigger-script: Use a regular file unless
>       use_resolv_secure_conf_symlink is set. Always install
>       /var/run/dnssec-trigger/resolv.conf for comparison. Guard all of
>       those regular files using immutable attribute.
>       https://bugzilla.redhat.com/show_bug.cgi?id=1165126
>     - dnssec-trigger-script: fix desktop file paths.
> -   Patches from Pavel Simerda:
>     - dnssec-trigger-script: lock --update-* methods only. The original
>       locking was a bit too broad for future development.
>     - dnssec-trigger-script: improve /etc/dnssec.conf handling. Minor
>       changes that make future /etc/dnssec.conf extensions easier.
>     - dnssec-trigger-script: support 'debug' option in /etc/dnssec.conf.
>       With that you can get the debugging output even for instances run by
>       systemd, dnssec-triggerd and NetworkManager dispatcher.
>     - dnssec-trigger-script: clean up resolv.conf backup and restore. Clean
>       up the code a bit so that later additions don't turn it into a mess.
>     - dnssec-trigger-script: use /var/run/NetworkManager/resolv.conf.default.
>       Avoid restarting NetworkManager just to restore /etc/resolv.conf when
>       a simple symlink would do. This is only done when the NetworkManager's
>       private resolv.conf actually exists.
>     - allow the resolv.conf hooks be handled by dnssec-trigger-script
>     - dnssec-trigger-script: handle resolv.conf events from the daemon. The
>       new implementation doesn't write directly to /etc/resolv.conf and
>       instead it writes a temporary file and then replaces the
>       /etc/resolv.conf using POSIX `rename()`.
>     - dnssec-trigger-script: support /etc/resolv.conf and
>       /etc/resolv-secure.conf symlinks. This is an experimental feature and
>       is turned off by default. You need to put the following to
>       /etc/dnssec.conf to activate it: use_resolv_conf_symlink=yes
>     - probe: use wildcard probing domains. This change might need to be
>       revisited to see whether we need to check both known wildcard and
>       known non-wildcard domains.
> -   Fix #629: bad if test in net_help for ctx_load_verify_locations.
> -   Patch from Pavel Simerda: improve dnssec-trigger-script locking and
> avoid a dependency.
> -   Fix NetworkManager script fails to parse nmcli version as of
>, patch from Gerald Turner.
> -   Patches from Ondrej Sury (from the Debian package):
>     - Remove some ugly bashisms from the script.
>     - Fixes static paths that might be mismatched (f.e. on multiarch
>       system).
>     - Fix IndexError in dnssec-trigger-script, when there are less than 4
>       resolvers since you use 3xfields.pop(0) before that.
>     - Fix release date in makedist manpage to be more stable.
>     - Do substitutions in makefile, more autoconf'y
>     - Fixup dnssec-triggerd.service from Makefile.in
> -   Better fix for pidof that sets PATH for networkmanager dispatcher
> script (from Ondrej Sury).
> -   Add --with-pidof=/usr/sbin/pidof where you can set the location of
> the pidof command to use in the Networkmanager script, /usr/bin/pidof or
> /usr/sbin/pidof (depending on your distribution).
> -   Patches from Pavel Simerda: improve systemctl call. serialize script
> instances.
> -   Patches from Pavel Simerda: Fixup for python2. fix a race condition
> with NetworkManager restart. don't fail on empty connection list. move
> legacy connection handling to the cleanup phase. don't block on
> systemctl restart NetworkManager.
> -   Patches from Pavel Simerda:
>     - fix bug that prevents calling dnssec-trigger-control submit
>       (https://bugzilla.redhat.com/show_bug.cgi?id=1105896)
>     - avoid dependency on pidof
>     - handle missing resolv.conf backup gracefully
>     - upgrade zone cache format at startup
>       (https://bugzilla.redhat.com/show_bug.cgi?id=1111143)
>     - always log to stderr
> -   Patch from Pavel Simerda. This, among other things, allows to
> restart unbound and/or dnssec-trigger without restarting NetworkManager
> when it's configured not to touch the DNS. And, avoid FileNotFoundError
> not available in python 2,
> https://bugzilla.redhat.com/show_bug.cgi?id=1100794 And fix unbound
> output parser https://bugzilla.redhat.com/show_bug.cgi?id=1100796
> -   updated authority server addresses builtin to dnssec-trigger for d
> root server (ipv4) and c root server (ipv6) for its tests.
> Best regards, Wouter
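The two resolv.conf changes in the quoted changelog, the write-a-temporary-file-then-`rename()` replacement of /etc/resolv.conf and the IndexError fix for hosts with fewer than four resolvers, as an added Python illustration; this is not dnssec-trigger-script's own code. It renders a resolv.conf, writes it to a temporary file in the target's directory, fsyncs and renames it over the target (so readers never see a half-written file and an existing symlink is replaced rather than followed), and parses nameserver lines by field count instead of popping fields blindly. Every function name, the scratch directory and the addresses are constructed for the example.

```python
import os
import tempfile


def render_resolv_conf(nameservers, search_domains=()):
    """Build resolv.conf text; nameserver order is preserved."""
    lines = ["# written atomically by the updater; manual edits will be overwritten"]
    if search_domains:
        lines.append("search " + " ".join(search_domains))
    lines.extend("nameserver " + ns for ns in nameservers)
    return "\n".join(lines) + "\n"


def parse_nameservers(text):
    """Return nameserver addresses in file order. Each line is checked for
    its field count rather than popped blindly, so a short or malformed
    line (or fewer entries than expected) cannot raise IndexError."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def atomic_write(path, content, mode=0o644):
    """Write content to a temporary file in the same directory, fsync it,
    then rename() it over path. Readers see either the complete old file or
    the complete new one, never a partial write. rename() does not follow a
    symlink at path, so a symlinked resolv.conf becomes a regular file and
    its old target is left alone."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".resolv.conf.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)      # mkstemp creates 0600; resolvers need world-readable
        os.replace(tmp, path)    # atomic rename(2) on POSIX
    except BaseException:
        # e.g. target guarded with chattr +i, or disk full: leave no stray temp file
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise
    dfd = os.open(directory, os.O_RDONLY)   # persist the directory entry as well
    try:
        os.fsync(dfd)
    finally:
        os.close(dfd)


def update_resolv_conf(path, nameservers, search_domains=()):
    """Render, install atomically, and read back what is now at path."""
    atomic_write(path, render_resolv_conf(nameservers, search_domains))
    with open(path) as f:
        return parse_nameservers(f.read())


def run_demo():
    """Exercise the pattern in a constructed scratch directory (never /etc):
    install over a pre-existing symlink and report whether the symlink was
    replaced by a regular file while its old target stayed untouched."""
    scratch = tempfile.mkdtemp()
    old_target = os.path.join(scratch, "resolv.conf.backup")
    with open(old_target, "w") as f:
        f.write("nameserver 192.0.2.1\n")     # constructed RFC 5737 test address
    path = os.path.join(scratch, "resolv.conf")
    os.symlink(old_target, path)
    installed = update_resolv_conf(path, ["127.0.0.1", "::1"], ["example.test"])
    with open(old_target) as f:
        untouched = parse_nameservers(f.read())
    return {"installed": installed,
            "still_symlink": os.path.islink(path),
            "old_target": untouched}


if __name__ == "__main__":
    print(run_demo())
```

If the target has been made immutable with chattr +i, as the changelog says the script does for the regular-file variant, `os.replace` raises PermissionError and the temporary file is removed before the error propagates; the attribute has to be cleared before the update and set again afterwards.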
