source tarball hash
setup exe hash
Dnssec-trigger reconfigures the local unbound DNS server. This unbound DNS
server performs DNSSEC validation, but dnssec-trigger will signal it to
to use the DHCP obtained forwarders if possible, and fallback to doing its
own AUTH queries if that fails, and if that fails prompt the user via
dnssec-trigger-applet the option to go with insecure DNS only.
This software is experimental at this time.
The software is open source, and uses the BSD license, it is in the tarball.
Subscribe to the
The development version can be seen in the subversion
The software is experimental. It is of interest to see if DNSSEC
validation can be deployed currently, and how that must be done. DNSSEC
validation can benefit from better network-management, better OS-integration
(with network connection management), and better application support.
- IP4 and IP6 support,
- Uses Unbound for validation,
- OSX, Windows (XP, Vista, 7), Linux support,
- small size,
- Tries to assist infrastructure,
- Fallbacks and last resort for DNSSEC,
- Software update is prompted
- Manual page and online documentation.
There used to be a race condition between dnssec-trigger and the system
but this was fixed in 0.6, with a 'system preferences' override on OSX and
Windows, and chattr immutable on Linux and BSD.
In case of trouble it is possible to manually override. With the command
'hotspot signon' from the menu, insecure mode can be entered. It is left
when you select 'reprobe' later (and it detects a secure network).
For Linux, try using your package manager (there are RPMs, there is a specfile
to build packages from), you need to also install unbound. If you compile from
source, it can support NetworkManager and Netconfig. For OSX, use the
dmg download (download, doubleclick to open diskimage, doubleclick installer).
For Windows, run installer. The software compiles on BSD and Solaris, but
DHCP and wifi hooks are not something we can test.
See the INSTALL file in the source.
How does it work
It uses unbound which is running on localhost (127.0.0.1) as a validating
(caching) local resolver. Often unbound is pointed at another cache, and
forwards all queries there (but performs DNSSEC validation itself). There
is a dnssec-triggerd daemon running that catches changes in the network,
DHCP events, and probes what unbound should do to get DNSSEC.
The probe sequence uses normal DNSSEC queries, and checks if the answer
contains RRSIGs and proper DNSSEC information. The probe:
- Check the DHCP provided DNS caches. If they work they have a hot
cache, and lessen load on infrastructure, and provide fast answers.
- Check authority servers directly. If that works, full resolver mode
is used to get DNSSEC.
- Check open resolver on TCP port 80(www port). If that works,
unbound is told to use (plain) DNS over TCP to port 80 to an open
(DNSSEC capable) resolver.
- Check open resolver over SSL port 443(https port). If that works,
unbound is told to use SSL encapsulated DNS over port 443 to an open
(DNSSEC capable) resolver.
The list is tried in order to lessen network load on servers down the list.
If no servers work then the user is informed, and can select to disconnect
(DNS is blackholed) or connect insecurely (the DHCP provided DNS servers
are used). In this case, timer-based reprobes are attempted.
The last SSL-port-443 attempt is because, if https is going to work then
traffic over port-443 works on this internet-hotspot. And then SSL
encapsulated DNS over SSL-port-443 also works. If something bad happens to
that traffic then neither DNSSEC nor https can work.
The dnssec-trigger.conf config file is shipped by default with an open
resolver at NLnet Labs that serves port 80 and 443 (it runs unbound).
You can disable it or add others if you want.
During the probe sequence, also a potential active hotspot is
detected. These are those devices that require a user to interact
with some webpage before you can enter the network. They are
detected by trying to download a known, fixed webpage, and checking
if the result is correct. If the result is correct, then the
connection to the internet is open and nothing needs to be done.
If the result is not correct, a hotspot is likely needed, and the
user is prompted if this is the case, a webbrowser is opened to a
random web page (this page) which should then show the hotspot-page.
Meanwhile, every 10 seconds it retries to enable DNSSEC.
It picks a random server from a number of configured servers, and for IPv4
and IPv6 attempts to access the page. Only one needs to work. It cycles
through addresses provided, that it looks up via the cache-DNS (because that
may be intercepted by the hotspot).
It is possible to test the software from the commandline. The
dnssec-trigger-control utility can be used to test and connect to the daemon.
With dnssec-trigger-control status you can see the probe results from
With dnssec-trigger-control reprobe trigger a reprobe (just like the
item from the tray icon menu).
With dnssec-trigger-control hotspot_signon go to insecure, forced. Use reprobe when signed on to resume dnssec protection efforts.
With dnssec-trigger-control submit 192.0.2.1 you can pretend that
DHCP gave the 192.0.2.1 DNS server IPs (IP4 and IP6 separated by spaces).
With dnssec-trigger-control skip_http you can skip the
http hotspot test, it'll assume the network is accessible and continue to
set up DNSSEC for you.
With dnssec-trigger-control unsafe you can pretend that
DNSSEC does not work. It takes a couple seconds while it probes useless
127.0.0.x IPs. Note that if you press insecure on the dialog an automated
reprobe after 10 seconds in the background is likely to enable DNSSEC again
and stop the insecure test. You have to be fast to see resolv.conf change
to the insecure DNS servers (or the fake ones used in this test).
With dnssec-trigger-control test_tcp you can pretend that DHCP cache
and authority direct does not work, and it attempts to use TCP-port-80/443.
This requires unbound 1.4.13 or later. The test_ssl command
With dnssec-trigger-control test_http you can pretend that
the http probe fails to fetch the correct contents (as if there is a hotspot).
With this software most happens automatically in the background. It tries
to not interact with the user when not necessary, so the user can get on.
If a hotspot is detected it asks the user if this is really a hotspot, if
so, a browser window is opened, otherwise, we disconnect.
When a software update is detected, it is asked if the user wants to update.
For windows and OSX, on unix this is disabled by default (use package manager
or ports tree).
When it all goes wrong, DNSSEC fails and the user is prompted.
If the user selects insecure, the tray icon gets a red ! (exclamation mark).
When the situation becomes secure again, the tray icon silently changes back.
The normal state is this user menu. Geeks can click and see the detailed
technical results (and complain to the network operator).
There is a
for the dnssec-trigger discussion, click the link to subscribe or view
- log correct type in timeout for TXT.
- restart panels on install on OSX.
- Fix OSX user panel stop and start in reinstall, also fix for double
popups during reinstall.
- Fix crash on read of ssl443 entry without a hash.
- Squelch address family not supported errors (on low verbosity).
- Fix networkmanager hook to detect if it has to use the new
commandline syntax of networkmanager 0.9.4.
- Fixup uniqueid for Mountain Lion OSX 10.8 release, you have to
run the installer again (upgrade or uninstall-reinstall).
- bug 489: removed Application deprecated keyword from .desktop file.
- OSX wake listener implementation.
- patch for OSX that passes all domains from search to the OS (from
- Fixup snprintf return value usage.
- Fixup OSX backquote backslashes. Removed wrong OSX version from
its installer text.
- Let system dealloc feed and feed_lock on OSX and Linux/BSD.
- Fixup new glib deprecated calls.
- Patch from Tomas Hozza to improve the networkmanager connect
script for VPN connections. It adds forward zones for the VPN
over the VPN connection.
- Fix#522: Errors found by static analysis of source from Tomas Hozza.
- Fix NM dispatcher script to work with NM >= 0.9.9.0 (Thanks Tomas
- Patch from Tomas Hozza that improves text in dialogs (on linux).
- Added fedora/dnssec-trigger-resolvconf-handle.sh from Tomas
Hozza, that will backup and restore resolv.conf for use in
systemd.service scripts and networkmanager scripts.
- Added contrib networkmanager dispatcher script from Tomas Hozza.
- Added patch to networkmanager dispatcher script and also
an example dnssec.conf file from Tomas Hozza.
- Fix #551: Change Regents to Copyright holder in License.
- Patches from Tomass Hozza; Explicitly-use-Python2-interpreter,
- Patch from Pavel Simerda: better integration with NetworkManager and
distributions, added in contrib.
- Removed files obsoleted by patch from Pavel Simerda:
(replaced with dnssec-trigger-script and 01-dnssec-trigger)
(new version in contrib)
(handled by dnssec-triggerd.service directly)
(spec files are maintained separately)
(new version in contrib)
(handled by dnssec-trigger-script directly)
(only used in epel6 which hasn't been updated for ages)
- Renamed 01-dnssec-trigger-hook to 01-dnssec-trigger with the
networkmanager naming scheme. (From Pavel Simerda).
- Patch from Pavel Simerda that incorporates contrib items into
the build install system. Systemd scripts, dnssec-trigger-script,
- Patch for dnssec-trigger-script.in --async flag from Pavel Simerda,
stops dnssec-trigger-script to block on networkmanager, which is
good in cases when networkmanager blocks on the script.
- Change the ip-address of tcp and ssl service from broer.nlnetlabs.nl
to zus.nlnetlabs.nl (we changed netblocks). The new ip address
and new certificate fingerprint (because of ssl heartbleed vuln)
are in the example.conf file. The cert was only used for transport
and not for authentication, so its change was low priority.
- Updated dnssec-trigger-script.in to distinguish secure and
insecure zones, and to flush the unbound cache on DNS server
list changes. (from Pavel Simerda).
- This release has selfupdate enabled for Windows and OSX. There is no implementation for Unix (it downloads the tarball to /tmp for you if enabled).
- This release detects hotspots and shows a login prompt, opens a web browser for you and in the background retries to enable dnssec every 10 seconds.
- Fix Fedora bug with no DNS servers in resolv.conf with absolute path in networkmanager hook script.
- The .desktop entry name without 'panel'.
- fedora package files updated.
- http check is performed, nonblocking. Lookup of addres(es), A, AAAA
to the (up to 5) DHCP DNS resolvers. 3 urls are checked, until one
connects, then it checks content. IP4 and IP6, until first works.
- url for ster.nlnetlabs.nl and fedoraproject.org added in default config.
- absolute sbindir in netconfig hooks.
- ssl can list multiple hashes (for certificate rollover).
- probe logic that keeps track of http_insecure mode.
- skip_http control command.
- raise dialog to top on GTK.
- gui for hot spot sign on. opens web browser if user wants to sign on.
- OSX update dnssec-trigger.conf with new url settings.
- OSX fix the double-window shown bug, bug in NSWindow deminiaturize func.
- configure windows detects GetAdaptersAdresses (XP and later).
- Fix compatibility with VirtualBox on Windows, that messes with the
network adapters. Solution works on windows XP and later (detected
- Fix trayicon on windows high DPI settings to look better.
- silence connect() http errors, unless verbosity 2.
- stop other download if one succeeds (happy eyeballs) on selfupdate.
- fix exit of panel and threads
- fix read multiple persist actions in one SSL packet frame.
- Fix FIONBIO error on windows.
- improved printout of SSL_ERROR_SYSCALL errors.
- do not print interface-unknown and conn-reset errors upon system
restart for windows, only printed on high verbosity.
- windows dnssectrigger depends on unbound for boot invocation,
this fixes an error where it cannot tell unbound what to do.
- linebuffer for dnssec-trigger-control stdout, for results printout.
- Fix windows upgrade to preserve config files and to preserve the
installed (or not-installed) startmenu links.
- fix osx comma in multiple DNS servers.
- fix OSX unbound to be able to write root.key from the chroot.
- truncate pidfile (just like NSD fix, in case directory not owned).
- If hotspot-signon, set override servers right away on a network
change, so the user does not have to wait for 10 seconds after a
change of the wifi.
- Attempt to add DHCPv6 support for windows.
- Use Processes.dll code (can be freely used, source provided) for
kill process in windows NSIS installer. Compiled to 6kb (not 50kb).
Processes.dll was made by Andrei Ciubotaru.
- show version number in add-removeprograms configpanel (windows).
- install script removes leftover trayicons using direct windows API.
- dnssec-trigger-control uses registry config location (for windows).
- fix dnssec-trigger-control error printout if SSL files fail.
- show package version in probe results dialog.
- updated acx.nlnetlabs.m4 for gcc 4.6 compat for portability tests.
- Do not show the insecure and hotspot windows at the same time.
- Fix for OSX to show the popups on top of the other windows.
- alert icon easier to read.
- unbound in binary packages is upgraded to 1.4.14.
- Set hook throttleinterval to 1 second, this reduces the osx wakeup
and bootup wrong probes because the hook was throttled for 10 seconds.
- stoppanels waits for the connection of the panel to close, this
may remove re-install race conditions.
- detailprints in windows installer and uninstaller.
- attempt to fix endless loop on windows (reported by Alan Clegg).
- windows installer waits for services to come to a full stop.
- macinstall, launch unbound-anchor at boot (update if offline months)
- echo in Makefile and newline if no probe performed.
- do not log errors for unclean ssl close.
- probe ssl servers (nlnetlabs default server configured).
- check ssl fingerprint of servers.
- remove error dialog at end of osx install.
- on OSX update config if old (no ssl443)
- more detailed logging at verbosity 4 (prints wire and dig output)
- fixed the OSX installer problem, launchd does not load userspace agents without hacks, and has side-effects that enables boot-start.
- config for new open resolver (port 80 TCP, port 443 SSL).
No more probe plain tcp on port 443.
- the test_tcp and test_ssl command do not have the 20-sec tcpretry once timer, so that the test can try unbound.
- Fix that if network down (nothing pings) then it picks disconnect,
for slow bootup where the machine has the previous network settings.
- control unsafe shows the dialog popup again.
- Fix bug where no IPv6 causes wrong test results, notably SSL, due
to the error report code.
- Fix where race condition could cause blacklist of open resolver.
- Fix to flush_infra and flush_requestlist when we use open resolver,
the proxy that causes this to be used as fallback has polluted those
- sigHUP reloads config and reopens logfile for log rotation support.
- Fix apple OS failure by installer, because of tarfile inclusion of
extended attributes that overwrote system dir extended attributes.
- fix that setup hint is not printed on a reinstall.
- stop executables before re-install of dnssec-trigger.
- tested to work on winXP (thanks Jan-Piet Mens).
- fix printout of 1970 date, instead that no probe was performed.
- fix unknown options for dnssec-trigger-panel, prints version too.
- dmg installer for MacOS X, donated by Carsten Strotmann.
- for caches, also test if NSEC3 is present for QTYPE=NULL nodata.
- detect transparent proxies and avoid them.
- Fix insecure mode after dnstcp443 has been probed.
- Fix race condition between system and dnssec-trigger where briefly the
DHCP insecure response was dominant. On OSX and Windows a system preference
(like from the control panel) is created. On Linux chattr immutable, on BSD
chflag immutable. On exit, it enters 127.0.0.1 even if in insecure mode, so
that a later reboot will be secure. The override is removed on uninstall.
- windows package work, tested Vista.
- the dnssec-trigger-panel (gtk2 without libappindicator) works on the XFCE desktop.
- libappindicator support, for Ubuntu Unity desktop GUI. Just install
libappindicator-dev and build and a Unity GUI tray icon is produced.
- can build outside of sourcedir.
- Manpage fixes
- Add @ to echo in Makefile.
- print error on control unknown command, and exit status 1.
- The windows installer includes unbound and is much improved. untested.
- There is a GUI for Hotspot Signon (menu item). Use it to go without
DNSSEC to sign into the hotel hotspot.
- windows README is a proper .txt files for dos
- windows loop bug is fixed.
- new IP6 address for the open resolver service at nlnetlabs. ip4 is .42
and ip6 has ::42.
- dnssec-trigger-control reprobe command from the commandline.
- dnssec-trigger-control hotspot_signon, forces insecure mode for
a sign-on. The reprobe command can be used to stop forced_insecure.
- added probe tcp80 and tcp443 as last resort.
- retry for insecure and disconnect cases with exponential backoff,
start 10 seconds, max 24h.
- tcp retry after 20 seconds, in case more opens up or it was slow.
- ignore UDP without QR flag: some DNS caches send echoes of the query
back initially. If we ignore them we catch a (100 msec later)
correct answer later. (or timeout if no answer comes).
- if probe is in progress it prints that in status.
- if no DNS servers via DHCP it prints that in status.
- antialiased fonts in windows native gui.
- fix configure --with-gui, it did not change the gui but hooks.
- refactor GUI panel SSL feed to be more portable.
- fix stop command.
- status 'dark' is now called 'nodnssec'.
- fix so that if it cannot bind socket the server fails to start.
- fix so that on OSX no zombie process remains.
- kill -HUP performs a reload on UNIX. It only reload the strings
and that config, it keeps the running probe results and open
sockets to panels and certificates.
- added fedora spec and init script.
- fix OSX get of DHCP options to use ipconfig API instead of faulty awk
- Fixes makefile dependencies.
- stoppanels control command for installers to update that panel exe.
- pick up SSID (for windows, OSX) to filter trigger with, so an SSID
change from the wlan triggers a reprobe.
- set windres resource files, icons, log-format, useradmpermission
and setup.exe script with NSIS, it includes dlls.
- fix fd leaked every second by panel if the daemon was down.
- print time of probe with results.
- windows and osx probe and hooks.
- gtk and cocoa GUI
- First version. networkmanager hooks. GTK gui.