Download

Source: dnssec-trigger-0.10.tar.gz (411K)
Windows: dnssec_trigger_setup_0.10.exe (includes unbound, 1.3M)
MacOSX: dnssectrigger-0.10.dmg (includes unbound, 866K)

Source tarball hashes:
sha1:   92d09fa5fff490feadbd3b927478d51e0001a6e1
sha256: 2d4e95413dbc8249f152f9cc1d1d1449f2c9d0e8d64839d8b7686d0250f54fde


Dnssec-Trigger

Dnssec-trigger reconfigures the local unbound DNS server. This unbound DNS server performs DNSSEC validation; dnssec-trigger signals it to use the DHCP-obtained forwarders if possible, to fall back to querying the authoritative servers itself if that fails, and, if that fails too, prompts the user via dnssec-trigger-applet with the option to go on with insecure DNS only.

This software is experimental at this time.

The software is open source and uses the BSD license; the license text is included in the tarball.

Subscribe to the mailing list.

Manpage for dnssec-trigger. The windows manual.

The development version can be seen in the subversion repository trunk.

It is of interest to see whether DNSSEC validation can be deployed on end hosts today, and how that must be done. DNSSEC validation can benefit from better network management, better OS integration (with network connection management), and better application support.

Feature list

  • DNSSEC,
  • IPv4 and IPv6 support,
  • Uses Unbound for validation,
  • OSX, Windows (XP, Vista, 7), Linux support,
  • small size,
  • Tries to lessen the load on DNS infrastructure (prefers the DHCP-provided caches),
  • Fallbacks and a last resort for DNSSEC,
  • Manual page and online documentation.

Known issues

On some internet hotspots the current version (0.10) requires that the user presses the 'HotSpot Signon' menu button before signing on, and presses 'Reprobe' when done, because the DNSSEC fallback performed by dnssec-trigger disrupts the captive-portal sign-on process.

There used to be a race condition between dnssec-trigger and the system, but this was fixed in 0.6 with a 'system preferences' override on OSX and Windows, chattr immutable on Linux, and chflags immutable on BSD.

Install

For Linux, try your package manager first (there are RPMs, and the source includes a specfile to build packages from); you also need to install unbound. If you compile from source, it can support the NetworkManager and Netconfig hooks. For OSX, use the dmg download (download, doubleclick to open the disk image, doubleclick the installer). For Windows, run the installer. The software compiles on BSD and Solaris, but the DHCP and wifi hooks there are not something we can test.

See the INSTALL file in the source.

How does it work

It uses unbound, running on localhost (127.0.0.1), as a validating (caching) local resolver. Often unbound is pointed at another cache and forwards all queries there, but it performs the DNSSEC validation itself. The dnssec-triggerd daemon catches changes in the network and DHCP events, and probes to determine what unbound should do to get DNSSEC.

Probe sequence

The probe sequence uses normal DNSSEC queries, and checks if the answer contains RRSIGs and proper DNSSEC information. The probe:

  1. Check the DHCP-provided DNS caches. If they work they have a hot cache, lessen the load on the infrastructure, and provide fast answers.
  2. Check the authority servers directly. If that works, full resolver mode is used to get DNSSEC.
  3. Check an open resolver on TCP port 80 (the www port). If that works, unbound is told to use (plain) DNS over TCP to port 80 of an open (DNSSEC-capable) resolver.
  4. Check an open resolver over SSL on port 443 (the https port). If that works, unbound is told to use SSL-encapsulated DNS over port 443 to an open (DNSSEC-capable) resolver.

The list is tried in order to lessen network load on servers down the list.
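As an added illustration of what such a probe checks (this is example code written for this page, not dnssec-trigger's own probe), the Python below builds a query with the EDNS0 DO bit set, parses a wire-format reply, decides whether it carries RRSIGs, and applies the same four-rung ladder to pick a mode. The reply bytes are constructed by hand with dummy record contents so the example runs offline; the real probe additionally checks NSEC3 for nodata answers and the SSL fingerprint of the port-443 server, which this omits. The probe_udp function needs a network and a resolver address of your choosing.

```python
import socket
import struct

# Constants and helpers are this example's own, not dnssec-trigger's.
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_AD = 0x8000, 0x0020
EDNS_DO = 0x8000          # DO bit in the OPT flags: "send me RRSIGs"
QUERY_ID = 0x1234


def encode_name(name):
    """Dotted name -> DNS wire-format labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split(".") if lab)
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=QUERY_ID):
    """Plain query (RD=1) plus an EDNS0 OPT pseudo-RR with DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, class = UDP size, ttl = ext-rcode/version/flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Header flags plus (owner, type) of every RR in answer/authority/additional."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                        # qtype + qclass
    rrs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrs.append((name, rtype))
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0xF, "rrs": rrs}


def looks_dnssec_capable(msg, expect_txid=QUERY_ID):
    """Probe verdict: a genuine NOERROR reply to our query that carries RRSIGs.
    Packets without QR set are ignored, like the query echoes noted in the changelog."""
    r = parse_response(msg)
    if r["txid"] != expect_txid or not r["qr"] or r["rcode"] != 0:
        return False
    return any(rtype == TYPE_RRSIG for _, rtype in r["rrs"])


def probe_udp(server, qname, timeout=2.0):
    """Send the DO query to a resolver on UDP/53 and judge the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(4096)
    return looks_dnssec_capable(data)


def choose_mode(cache_ok, auth_ok, tcp80_ok, ssl443_ok):
    """The fallback ladder from the probe sequence, cheapest option first."""
    for ok, mode in ((cache_ok, "cache"), (auth_ok, "auth"),
                     (tcp80_ok, "tcp80"), (ssl443_ok, "ssl443")):
        if ok:
            return mode
    return "nodnssec"


def constructed_response(with_rrsig=True, ad=True):
    """Hand-built reply for www.example (constructed data, not captured traffic)."""
    flags = 0x8180 | (FLAG_AD if ad else 0)             # QR, RD, RA (+AD), NOERROR
    msg = struct.pack("!HHHHHH", QUERY_ID, flags, 1, 2 if with_rrsig else 1, 0, 1)
    msg += encode_name("www.example.") + struct.pack("!HH", TYPE_A, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:
        rdata = b"\x00" * 18 + encode_name("example.") + b"\x00" * 8   # dummy signature
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return msg


if __name__ == "__main__":
    ok = looks_dnssec_capable(constructed_response())
    print("cache probe:", "OK" if ok else "no DNSSEC", "->", choose_mode(ok, False, False, False))
```

A positive verdict here only means the upstream returned signatures; validation of those signatures is still unbound's job, which is why the daemon only ever points unbound at such a server rather than trusting the probe reply itself.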

If no servers work then the user is informed, and can select to disconnect (DNS is blackholed) or connect insecurely (the DHCP provided DNS servers are used). In this case, timer-based reprobes are attempted.

The SSL-port-443 attempt comes last because, if https is going to work on this internet hotspot, traffic over port 443 works, and then SSL-encapsulated DNS over port 443 works as well. If something bad happens to that traffic, neither DNSSEC nor https can work.

The dnssec-trigger.conf config file is shipped by default with an open resolver at NLnet Labs that serves port 80 and 443 (it runs unbound). You can disable it or add others if you want.

Commandline test

It is possible to test the software from the commandline. The dnssec-trigger-control utility can be used to test and connect to the daemon.

With dnssec-trigger-control status you can see the probe results from the commandline.

With dnssec-trigger-control reprobe you trigger a reprobe (just like the item from the tray icon menu).

With dnssec-trigger-control hotspot_signon go to insecure so you can enter a captive portal (just like the item from the tray icon menu). Use reprobe when signed on to resume dnssec protection efforts.

With dnssec-trigger-control submit 192.0.2.1 you can pretend that DHCP supplied 192.0.2.1 as the DNS server (multiple IPv4 and IPv6 addresses are separated by spaces).

With dnssec-trigger-control unsafe you can pretend that DNSSEC does not work. It takes a couple of seconds while it probes useless 127.0.0.x IPs. Note that if you press insecure on the dialog, an automated reprobe after 10 seconds in the background is likely to enable DNSSEC again and stop the insecure test. You have to be fast to see resolv.conf change to the insecure DNS servers (or the fake ones used in this test).

With dnssec-trigger-control test_tcp you can pretend that the DHCP caches and direct authority queries do not work, so that it attempts to use TCP port 80/443. This requires unbound 1.4.13 or later. The test_ssl command is similar.

Screenshots

With this software most happens automatically in the background. It tries to not interact with the user when not necessary, so the user can get on.

When it all goes wrong, DNSSEC fails and the user is prompted.

If the user selects insecure, the tray icon gets a red ! (exclamation mark). When the situation becomes secure again, the tray icon silently changes back.

The normal state is this user menu. Geeks can click and see the detailed technical results (and complain to the network operator).

Support

There is a mailing list for the dnssec-trigger discussion, click the link to subscribe or view archives.

Changelog

0.10

2012-02-17
  • truncate pidfile (just like NSD fix, in case directory not owned).
  • If hotspot-signon, set override servers right away on a network change, so the user does not have to wait for 10 seconds after a change of the wifi.
  • Attempt to add DHCPv6 support for windows.
  • Use Processes.dll code (can be freely used, source provided) for kill process in windows NSIS installer. Compiled to 6kb (not 50kb). Processes.dll was made by Andrei Ciubotaru.
  • show version number in add-removeprograms configpanel (windows).
  • install script removes leftover trayicons using direct windows API.
  • dnssec-trigger-control uses registry config location (for windows).
  • fix dnssec-trigger-control error printout if SSL files fail.
  • show package version in probe results dialog.
  • updated acx.nlnetlabs.m4 for gcc 4.6 compat for portability tests.
  • Do not show the insecure and hotspot windows at the same time.
  • Fix for OSX to show the popups on top of the other windows.
  • alert icon easier to read.

0.9

2011-12-19
  • unbound in binary packages is upgraded to 1.4.14.
  • Set hook throttleinterval to 1 second, this reduces the osx wakeup and bootup wrong probes because the hook was throttled for 10 seconds.
  • stoppanels waits for the connection of the panel to close, this may remove re-install race conditions.
  • detailprints in windows installer and uninstaller.
  • attempt to fix endless loop on windows (reported by Alan Clegg).
  • windows installer waits for services to come to a full stop.

0.8

2011-12-13
  • macinstall, launch unbound-anchor at boot (update if offline months)
  • echo in Makefile and newline if no probe performed.
  • do not log errors for unclean ssl close.
  • probe ssl servers (nlnetlabs default server configured).
  • check ssl fingerprint of servers.
  • remove error dialog at end of osx install.
  • on OSX update config if old (no ssl443)
  • more detailed logging at verbosity 4 (prints wire and dig output)
  • fixed the OSX installer problem, launchd does not load userspace agents without hacks, and has side-effects that enables boot-start.
  • config for new open resolver (port 80 TCP, port 443 SSL). No more probe plain tcp on port 443.
  • the test_tcp and test_ssl command do not have the 20-sec tcpretry once timer, so that the test can try unbound.
  • Fix that if network down (nothing pings) then it picks disconnect, for slow bootup where the machine has the previous network settings.
  • control unsafe shows the dialog popup again.
  • Fix bug where no IPv6 causes wrong test results, notably SSL, due to the error report code.
  • Fix where race condition could cause blacklist of open resolver.
  • Fix to flush_infra and flush_requestlist when we use open resolver, the proxy that causes this to be used as fallback has polluted those entries (possibly).
  • sigHUP reloads config and reopens logfile for log rotation support.
  • Fix apple OS failure by installer, because of tarfile inclusion of extended attributes that overwrote system dir extended attributes.

0.7

2011-10-28
  • fix that setup hint is not printed on a reinstall.
  • stop executables before re-install of dnssec-trigger.
  • tested to work on winXP (thanks Jan-Piet Mens).
  • fix printout of 1970 date, instead that no probe was performed.
  • fix unknown options for dnssec-trigger-panel, prints version too.
  • dmg installer for MacOS X, donated by Carsten Strotmann.
  • for caches, also test if NSEC3 is present for QTYPE=NULL nodata.

0.6

2011-10-21
  • detect transparent proxies and avoid them.
  • Fix insecure mode after dnstcp443 has been probed.
  • Fix race condition between system and dnssec-trigger where briefly the DHCP insecure response was dominant. On OSX and Windows a system preference (like from the control panel) is created. On Linux chattr immutable, on BSD chflag immutable. On exit, it enters 127.0.0.1 even if in insecure mode, so that a later reboot will be secure. The override is removed on uninstall.
  • windows package work, tested Vista.
  • the dnssec-trigger-panel (gtk2 without libappindicator) works on the XFCE desktop.
  • libappindicator support, for Ubuntu Unity desktop GUI. Just install libappindicator-dev and build and a Unity GUI tray icon is produced.
  • can build outside of sourcedir.
  • Manpage fixes
  • Add @ to echo in Makefile.
  • print error on control unknown command, and exit status 1.

0.5

2011-09-29
  • The windows installer includes unbound and is much improved. untested.
  • There is a GUI for Hotspot Signon (menu item). Use it to go without DNSSEC to sign into the hotel hotspot.
  • windows README is a proper .txt file for dos
  • windows loop bug is fixed.
  • new IP6 address for the open resolver service at nlnetlabs. ip4 is .42 and ip6 has ::42.

0.4

2011-09-23
  • dnssec-trigger-control reprobe command from the commandline.
  • dnssec-trigger-control hotspot_signon, forces insecure mode for a sign-on. The reprobe command can be used to stop forced_insecure.
  • added probe tcp80 and tcp443 as last resort.
  • retry for insecure and disconnect cases with exponential backoff, start 10 seconds, max 24h.
  • tcp retry after 20 seconds, in case more opens up or it was slow.
  • ignore UDP without QR flag: some DNS caches send echoes of the query back initially. If we ignore them we catch a (100 msec later) correct answer later. (or timeout if no answer comes).
  • if probe is in progress it prints that in status.
  • if no DNS servers via DHCP it prints that in status.
  • antialiased fonts in windows native gui.
  • fix configure --with-gui, it did not change the gui but hooks.
  • refactor GUI panel SSL feed to be more portable.
  • fix stop command.
  • status 'dark' is now called 'nodnssec'.
  • fix so that if it cannot bind socket the server fails to start.
  • fix so that on OSX no zombie process remains.
  • kill -HUP performs a reload on UNIX. It only reloads the strings and that config; it keeps the running probe results and the open sockets to panels and certificates.
  • added fedora spec and init script.
  • fix OSX get of DHCP options to use ipconfig API instead of faulty awk parse.

0.3

2011-09-15
  • Fixes makefile dependencies.
  • stoppanels control command for installers to update that panel exe.

0.2

2011-09-14
  • pick up SSID (for windows, OSX) to filter trigger with, so an SSID change from the wlan triggers a reprobe.
  • set windres resource files, icons, log-format, useradmpermission and setup.exe script with NSIS, it includes dlls.
  • fix fd leaked every second by panel if the daemon was down.
  • print time of probe with results.
  • windows and osx probe and hooks.
  • gtk and cocoa GUI

0.1

2011-08-18
  • First version. networkmanager hooks. GTK gui.

About

Dnssec trigger enables the end-host (laptop or desktop computer) to use DNSSEC protection for the DNS traffic. DNS translates names of computers into IP-addresses used to contact them.

It probes for DNSSEC capable servers and instructs a validator on localhost to use that. If it fails, the user can opt to go insecure.

This means a browser can (often) get DNSSEC-capable results. It may trust results from 127.0.0.1 that carry the AD flag, or it can do DNSSEC validation itself. This can enable DANE (IETF wg).

One of the last resorts of dnssec-trigger is to use SSL port 443 for DNSSEC. If that fails, it is unlikely that DANE (https, also SSL port 443) can work. Thus, logically, this service is very likely to provide DNSSEC when DANE must have it.

This software is Open Source licensed and it works on a variety of platforms.


Fri Feb 17 2012

© NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.