From bortzmeyer at nic.fr Sun Jul 17 10:10:44 2016
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Sun, 17 Jul 2016 12:10:44 +0200
Subject: [Dnssec-trigger] Problems on Ubuntu 16.04
Message-ID: <20160717101044.GA3072@laperouse.bortzmeyer.org>

I run the official Ubuntu package 0.13~svn685-4 on Ubuntu 16.04 LTS.

At startup, it fails to configure the resolver:

% dnssec-trigger-control status
at (no probe performed)
no cache: no DNS servers have been supplied via DHCP
state: auth secure

If, after logging in, I run reprobe, it works:

% dnssec-trigger-control reprobe

% dnssec-trigger-control status
at 2016-07-17 11:53:43
authority 192.5.5.241: OK
no cache: no DNS servers have been supplied via DHCP
state: auth secure

I'm also puzzled by the message "no DNS servers have been supplied via
DHCP" (without dnssec-trigger, the network does give me resolvers)

Also, the icon does not show in the Unity panel. But the daemon runs:

stephane 1923 0.0 0.3 635268 25052 ? Sl 11:53 0:00 /usr/bin/dnssec-trigger-panel

% lsb-info
Ubuntu 16.04 (xenial)

% dpkg -s dnssec-trigger
Package: dnssec-trigger
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 405
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 0.13~svn685-4
Depends: libc6 (>= 2.15), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.31.8), libgtk2.0-0 (>= 2.18.0), libldns1 (>= 1.6.5), libssl1.0.0 (>= 1.0.0), init-system-helpers (>= 1.18~), python, python-gi, python-lockfile, gir1.2-networkmanager-1.0, unbound
Breaks: resolvconf
Conffiles:
 /etc/NetworkManager/dispatcher.d/01-dnssec-trigger f5a1b1f0b18984659ed145f0b39564f0
 /etc/default/dnssec-triggerd 7b7de8d185ea3a37ae9f19c5561af18a
 /etc/dnssec-trigger/dnssec-trigger.conf 6e1df81a721bd50d2b882798d4a17fb5
 /etc/dnssec-trigger/dnssec.conf 725d746bd60cfe638a1c1ed5655d86f2
 /etc/init.d/dnssec-triggerd 60a1fd0d19b8bd148ce607f774b7df68
 /etc/xdg/autostart/dnssec-trigger-panel.desktop dfcb054de101b36ce113818b4516bbe9
Description: reconfiguration tool to make DNSSEC work
 Dnssec-trigger reconfigures the local unbound DNS server. This unbound
 DNS server performs DNSSEC validation, but dnssec-trigger will signal
 it to use the DHCP obtained forwarders if possible, and fallback to
 doing its own AUTH queries if that fails, and if that fails prompt the
 user via dnssec-trigger-applet the option to go with insecure DNS
 only.
Original-Maintainer: Ondřej Surý
Homepage: http://www.nlnetlabs.nl/projects/dnssec-trigger/

From thozza at redhat.com Mon Jul 18 06:26:20 2016
From: thozza at redhat.com (Tomas Hozza)
Date: Mon, 18 Jul 2016 08:26:20 +0200
Subject: [Dnssec-trigger] Problems on Ubuntu 16.04
In-Reply-To: <20160717101044.GA3072@laperouse.bortzmeyer.org>
References: <20160717101044.GA3072@laperouse.bortzmeyer.org>
Message-ID: <74dfc392-0b02-2e5d-80ff-61581267eb72@redhat.com>

Hi Stephane.

Do you see anything in syslog from NetworkManager or NM dispatcher?

Could you please provide the content of your NetworkManager.conf?

Thanks.
Tomas

On 07/17/2016 12:10 PM, Stephane Bortzmeyer wrote:
> I run the official Ubuntu package 0.13~svn685-4 on Ubuntu 16.04 LTS.
>
> At startup, it fails to configure the resolver:
>
> % dnssec-trigger-control status
> at (no probe performed)
> no cache: no DNS servers have been supplied via DHCP
> state: auth secure
>
> If, after logging in, I run reprobe, it works:
>
> % dnssec-trigger-control reprobe
>
> % dnssec-trigger-control status
> at 2016-07-17 11:53:43
> authority 192.5.5.241: OK
> no cache: no DNS servers have been supplied via DHCP
> state: auth secure
>
> I'm also puzzled by the message "no DNS servers have been supplied via
> DHCP" (without dnssec-trigger, the network does give me resolvers)
>
> Also, the icon does not show in the Unity panel. But the daemon runs:
>
> stephane 1923 0.0 0.3 635268 25052 ? Sl 11:53 0:00 /usr/bin/dnssec-trigger-panel
>
> % lsb-info
> Ubuntu 16.04 (xenial)
>
> % dpkg -s dnssec-trigger
> Package: dnssec-trigger
> Status: install ok installed
> Priority: optional
> Section: net
> Installed-Size: 405
> Maintainer: Ubuntu Developers
> Architecture: amd64
> Version: 0.13~svn685-4
> Depends: libc6 (>= 2.15), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.31.8), libgtk2.0-0 (>= 2.18.0), libldns1 (>= 1.6.5), libssl1.0.0 (>= 1.0.0), init-system-helpers (>= 1.18~), python, python-gi, python-lockfile, gir1.2-networkmanager-1.0, unbound
> Breaks: resolvconf
> Conffiles:
>  /etc/NetworkManager/dispatcher.d/01-dnssec-trigger f5a1b1f0b18984659ed145f0b39564f0
>  /etc/default/dnssec-triggerd 7b7de8d185ea3a37ae9f19c5561af18a
>  /etc/dnssec-trigger/dnssec-trigger.conf 6e1df81a721bd50d2b882798d4a17fb5
>  /etc/dnssec-trigger/dnssec.conf 725d746bd60cfe638a1c1ed5655d86f2
>  /etc/init.d/dnssec-triggerd 60a1fd0d19b8bd148ce607f774b7df68
>  /etc/xdg/autostart/dnssec-trigger-panel.desktop dfcb054de101b36ce113818b4516bbe9
> Description: reconfiguration tool to make DNSSEC work
>  Dnssec-trigger reconfigures the local unbound DNS server. This unbound
>  DNS server performs DNSSEC validation, but dnssec-trigger will signal
>  it to use the DHCP obtained forwarders if possible, and fallback to
>  doing its own AUTH queries if that fails, and if that fails prompt the
>  user via dnssec-trigger-applet the option to go with insecure DNS
>  only.
> Original-Maintainer: Ondřej Surý
> Homepage: http://www.nlnetlabs.nl/projects/dnssec-trigger/
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
>

--
Tomas Hozza
Associate Manager, Software Engineering - EMEA ENG Mainstream RHEL

PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc. http://cz.redhat.com

From 44fa2cff at opayq.com Fri Jul 22 06:50:56 2016
From: 44fa2cff at opayq.com (Bob)
Date: Fri, 22 Jul 2016 06:50:56 +0000 (UTC)
Subject: [Dnssec-trigger] Dnssec trigger 0.13 for OSX 10.11 (El Capitan)
References: <5666F8F7.3080306@nlnetlabs.nl>
Message-ID:

Any HOW-TO guide for setting up & using this app?

This hotel changed their ISP, now DNSCrypt won't connect. Someone on
GitHub suggested dnssec-trigger. I installed it but since it has no
front-end it was useless to me. I uninstalled it tonight using the
included uninstaller (it still left a folder behind -
/private/etc/dnssec-trigger).

I'm no networking genius and I don't write scripts. I'm just looking
for SIMPLE DNS privacy/security. DNSCrypt fits the bill but stopped
working at this location; it's useless now. I also tried to use pdnsd
with DNSCrypt but couldn't get that working either. It would be useful
to have a local cache along with the DNS protection.

OS X 10.11.6

PS: What's up with the 80 character line limit here?

"The following errors were found. Fix them, and submit again:
You have lines longer than 80 characters. Fix that."