(includes unbound) 1.4M

This updated version is for OSX: dnssectrigger-0.13_20160906.dmg (4.6M)

source tarball hash
sha1: 5fcc642d8dae63524aa769f7129cf4454bdb42e5
sha256: 1cafd9ec296edc1d17b9ed2a98e06c7057c80ef1dbd6d45dbfa11991d3703535
setup exe hash
sha1: 28f81c91270f9fc75cdab8d808ed59f9bd118f9d
sha256: 64fafc9cb964ad71848cc8f8036d08d3a5869da01c92c90aeb3670912e11ada8

->commandline, ->screenshots, ->changelog.


Dnssec-trigger reconfigures the local unbound DNS server. This unbound DNS server performs DNSSEC validation, but dnssec-trigger will signal it to to use the DHCP obtained forwarders if possible, and fallback to doing its own AUTH queries if that fails, and if that fails prompt the user via dnssec-trigger-applet the option to go with insecure DNS only.

This software is experimental at this time.

The software is open source, and uses the BSD license, it is in the tarball.

Subscribe to the mailing list.

Manpage for dnssec-trigger. The windows manual.

The development version can be seen in the subversion repository trunk.

The software is experimental. It is of interest to see if DNSSEC validation can be deployed currently, and how that must be done. DNSSEC validation can benefit from better network-management, better OS-integration (with network connection management), and better application support.

Feature list

  • IP4 and IP6 support,
  • Uses Unbound for validation,
  • OSX, Windows (XP, Vista, 7), Linux support,
  • small size,
  • Tries to assist infrastructure,
  • Fallbacks and last resort for DNSSEC,
  • Software update is prompted
  • Manual page and online documentation.

Known issues

There used to be a race condition between dnssec-trigger and the system but this was fixed in 0.6, with a 'system preferences' override on OSX and Windows, and chattr immutable on Linux and BSD.

In case of trouble it is possible to manually override. With the command 'hotspot signon' from the menu, insecure mode can be entered. It is left when you select 'reprobe' later (and it detects a secure network).


For Linux, try using your package manager (there are RPMs, there is a specfile to build packages from), you need to also install unbound. If you compile from source, it can support NetworkManager and Netconfig. For OSX, use the dmg download (download, doubleclick to open diskimage, doubleclick installer). For Windows, run installer. The software compiles on BSD and Solaris, but DHCP and wifi hooks are not something we can test.

See the INSTALL file in the source.

How does it work

It uses unbound which is running on localhost ( as a validating (caching) local resolver. Often unbound is pointed at another cache, and forwards all queries there (but performs DNSSEC validation itself). There is a dnssec-triggerd daemon running that catches changes in the network, DHCP events, and probes what unbound should do to get DNSSEC.

Probe sequence

The probe sequence uses normal DNSSEC queries, and checks if the answer contains RRSIGs and proper DNSSEC information. The probe:

  1. Check the DHCP provided DNS caches. If they work they have a hot cache, and lessen load on infrastructure, and provide fast answers.
  2. Check authority servers directly. If that works, full resolver mode is used to get DNSSEC.
  3. Check open resolver on TCP port 80(www port). If that works, unbound is told to use (plain) DNS over TCP to port 80 to an open (DNSSEC capable) resolver.
  4. Check open resolver over SSL port 443(https port). If that works, unbound is told to use SSL encapsulated DNS over port 443 to an open (DNSSEC capable) resolver.

The list is tried in order to lessen network load on servers down the list.

If no servers work then the user is informed, and can select to disconnect (DNS is blackholed) or connect insecurely (the DHCP provided DNS servers are used). In this case, timer-based reprobes are attempted.

The last SSL-port-443 attempt is because, if https is going to work then traffic over port-443 works on this internet-hotspot. And then SSL encapsulated DNS over SSL-port-443 also works. If something bad happens to that traffic then neither DNSSEC nor https can work.

The dnssec-trigger.conf config file is shipped by default with an open resolver at NLnet Labs that serves port 80 and 443 (it runs unbound). You can disable it or add others if you want.

Hotspot detection

During the probe sequence, also a potential active hotspot is detected. These are those devices that require a user to interact with some webpage before you can enter the network. They are detected by trying to download a known, fixed webpage, and checking if the result is correct. If the result is correct, then the connection to the internet is open and nothing needs to be done. If the result is not correct, a hotspot is likely needed, and the user is prompted if this is the case, a webbrowser is opened to a random web page (this page) which should then show the hotspot-page. Meanwhile, every 10 seconds it retries to enable DNSSEC.

It picks a random server from a number of configured servers, and for IPv4 and IPv6 attempts to access the page. Only one needs to work. It cycles through addresses provided, that it looks up via the cache-DNS (because that may be intercepted by the hotspot).

Commandline test

It is possible to test the software from the commandline. The dnssec-trigger-control utility can be used to test and connect to the daemon.

With dnssec-trigger-control status you can see the probe results from the commandline.

With dnssec-trigger-control reprobe trigger a reprobe (just like the item from the tray icon menu).

With dnssec-trigger-control hotspot_signon go to insecure, forced. Use reprobe when signed on to resume dnssec protection efforts.

With dnssec-trigger-control submit you can pretend that DHCP gave the DNS server IPs (IP4 and IP6 separated by spaces).

With dnssec-trigger-control skip_http you can skip the http hotspot test, it'll assume the network is accessible and continue to set up DNSSEC for you.

With dnssec-trigger-control unsafe you can pretend that DNSSEC does not work. It takes a couple seconds while it probes useless 127.0.0.x IPs. Note that if you press insecure on the dialog an automated reprobe after 10 seconds in the background is likely to enable DNSSEC again and stop the insecure test. You have to be fast to see resolv.conf change to the insecure DNS servers (or the fake ones used in this test).

With dnssec-trigger-control test_tcp you can pretend that DHCP cache and authority direct does not work, and it attempts to use TCP-port-80/443. This requires unbound 1.4.13 or later. The test_ssl command is similar.

With dnssec-trigger-control test_http you can pretend that the http probe fails to fetch the correct contents (as if there is a hotspot).


With this software most happens automatically in the background. It tries to not interact with the user when not necessary, so the user can get on.

If a hotspot is detected it asks the user if this is really a hotspot, if so, a browser window is opened, otherwise, we disconnect.

When a software update is detected, it is asked if the user wants to update. For windows and OSX, on unix this is disabled by default (use package manager or ports tree).

When it all goes wrong, DNSSEC fails and the user is prompted.

If the user selects insecure, the tray icon gets a red ! (exclamation mark). When the situation becomes secure again, the tray icon silently changes back.

The normal state is this user menu. Geeks can click and see the detailed technical results (and complain to the network operator).


There is a mailing list for the dnssec-trigger discussion, click the link to subscribe or view archives.



  • log correct type in timeout for TXT.
  • restart panels on install on OSX.
  • Fix OSX user panel stop and start in reinstall, also fix for double popups during reinstall.
  • Fix crash on read of ssl443 entry without a hash.
  • Squelch address family not supported errors (on low verbosity).
  • Fix networkmanager hook to detect if it has to use the new commandline syntax of networkmanager 0.9.4.
  • Fixup uniqueid for Mountain Lion OSX 10.8 release, you have to run the installer again (upgrade or uninstall-reinstall).
  • bug 489: removed Application deprecated keyword from .desktop file.
  • OSX wake listener implementation.
  • patch for OSX that passes all domains from search to the OS (from Phil Pennock).
  • Fixup snprintf return value usage.
  • Fixup OSX backquote backslashes. Removed wrong OSX version from its installer text.
  • Let system dealloc feed and feed_lock on OSX and Linux/BSD.
  • Fixup new glib deprecated calls.
  • Patch from Tomas Hozza to improve the networkmanager connect script for VPN connections. It adds forward zones for the VPN over the VPN connection.
  • Fix#522: Errors found by static analysis of source from Tomas Hozza.
  • Fix NM dispatcher script to work with NM >= (Thanks Tomas Hozza).
  • Patch from Tomas Hozza that improves text in dialogs (on linux).
  • Added fedora/ from Tomas Hozza, that will backup and restore resolv.conf for use in systemd.service scripts and networkmanager scripts.
  • Added contrib networkmanager dispatcher script from Tomas Hozza.
  • Added patch to networkmanager dispatcher script and also an example dnssec.conf file from Tomas Hozza.
  • Fix #551: Change Regents to Copyright holder in License.
  • Patches from Tomass Hozza; Explicitly-use-Python2-interpreter, Fix-situation-when-connection-is-going-down, resolv.conf-backup-script-restart-NM-to-handle-resolv.conf, Update-systemd-service-files-to-latest-version-used.
  • Patch from Pavel Simerda: better integration with NetworkManager and distributions, added in contrib.
  • Removed files obsoleted by patch from Pavel Simerda: contrib/01-dnssec-trigger-hook-new_nm (replaced with dnssec-trigger-script and 01-dnssec-trigger) fedora/dnssec-triggerd.service (new version in contrib) fedora/dnssec-triggerd-resolvconf-handle.service (handled by dnssec-triggerd.service directly) fedora/dnssec-trigger.spec (spec files are maintained separately) fedora/dnssec-triggerd-keygen.service (new version in contrib) fedora/ (handled by dnssec-trigger-script directly) fedora/dnssec-triggerd.init (only used in epel6 which hasn't been updated for ages)
  • Renamed 01-dnssec-trigger-hook to 01-dnssec-trigger with the networkmanager naming scheme. (From Pavel Simerda).
  • Patch from Pavel Simerda that incorporates contrib items into the build install system. Systemd scripts, dnssec-trigger-script, dnssec.conf.
  • Patch for --async flag from Pavel Simerda, stops dnssec-trigger-script to block on networkmanager, which is good in cases when networkmanager blocks on the script.
  • Change the ip-address of tcp and ssl service from to (we changed netblocks). The new ip address and new certificate fingerprint (because of ssl heartbleed vuln) are in the example.conf file. The cert was only used for transport and not for authentication, so its change was low priority.
  • Updated to distinguish secure and insecure zones, and to flush the unbound cache on DNS server list changes. (from Pavel Simerda).


  • This release has selfupdate enabled for Windows and OSX. There is no implementation for Unix (it downloads the tarball to /tmp for you if enabled).
  • This release detects hotspots and shows a login prompt, opens a web browser for you and in the background retries to enable dnssec every 10 seconds.
  • Fix Fedora bug with no DNS servers in resolv.conf with absolute path in networkmanager hook script.
  • The .desktop entry name without 'panel'.
  • fedora package files updated.
  • http check is performed, nonblocking. Lookup of addres(es), A, AAAA to the (up to 5) DHCP DNS resolvers. 3 urls are checked, until one connects, then it checks content. IP4 and IP6, until first works.
  • url for and added in default config.
  • absolute sbindir in netconfig hooks.
  • ssl can list multiple hashes (for certificate rollover).
  • probe logic that keeps track of http_insecure mode.
  • skip_http control command.
  • raise dialog to top on GTK.
  • gui for hot spot sign on. opens web browser if user wants to sign on.
  • OSX update dnssec-trigger.conf with new url settings.
  • OSX fix the double-window shown bug, bug in NSWindow deminiaturize func.
  • configure windows detects GetAdaptersAdresses (XP and later).
  • Fix compatibility with VirtualBox on Windows, that messes with the network adapters. Solution works on windows XP and later (detected by configure).
  • Fix trayicon on windows high DPI settings to look better.
  • silence connect() http errors, unless verbosity 2.
  • stop other download if one succeeds (happy eyeballs) on selfupdate.
  • fix exit of panel and threads
  • fix read multiple persist actions in one SSL packet frame.
  • Fix FIONBIO error on windows.
  • improved printout of SSL_ERROR_SYSCALL errors.
  • do not print interface-unknown and conn-reset errors upon system restart for windows, only printed on high verbosity.
  • windows dnssectrigger depends on unbound for boot invocation, this fixes an error where it cannot tell unbound what to do.
  • linebuffer for dnssec-trigger-control stdout, for results printout.
  • Fix windows upgrade to preserve config files and to preserve the installed (or not-installed) startmenu links.
  • fix osx comma in multiple DNS servers.
  • fix OSX unbound to be able to write root.key from the chroot.


  • truncate pidfile (just like NSD fix, in case directory not owned).
  • If hotspot-signon, set override servers right away on a network change, so the user does not have to wait for 10 seconds after a change of the wifi.
  • Attempt to add DHCPv6 support for windows.
  • Use Processes.dll code (can be freely used, source provided) for kill process in windows NSIS installer. Compiled to 6kb (not 50kb). Processes.dll was made by Andrei Ciubotaru.
  • show version number in add-removeprograms configpanel (windows).
  • install script removes leftover trayicons using direct windows API.
  • dnssec-trigger-control uses registry config location (for windows).
  • fix dnssec-trigger-control error printout if SSL files fail.
  • show package version in probe results dialog.
  • updated acx.nlnetlabs.m4 for gcc 4.6 compat for portability tests.
  • Do not show the insecure and hotspot windows at the same time.
  • Fix for OSX to show the popups on top of the other windows.
  • alert icon easier to read.


  • unbound in binary packages is upgraded to 1.4.14.
  • Set hook throttleinterval to 1 second, this reduces the osx wakeup and bootup wrong probes because the hook was throttled for 10 seconds.
  • stoppanels waits for the connection of the panel to close, this may remove re-install race conditions.
  • detailprints in windows installer and uninstaller.
  • attempt to fix endless loop on windows (reported by Alan Clegg).
  • windows installer waits for services to come to a full stop.


  • macinstall, launch unbound-anchor at boot (update if offline months)
  • echo in Makefile and newline if no probe performed.
  • do not log errors for unclean ssl close.
  • probe ssl servers (nlnetlabs default server configured).
  • check ssl fingerprint of servers.
  • remove error dialog at end of osx install.
  • on OSX update config if old (no ssl443)
  • more detailed logging at verbosity 4 (prints wire and dig output)
  • fixed the OSX installer problem, launchd does not load userspace agents without hacks, and has side-effects that enables boot-start.
  • config for new open resolver (port 80 TCP, port 443 SSL). No more probe plain tcp on port 443.
  • the test_tcp and test_ssl command do not have the 20-sec tcpretry once timer, so that the test can try unbound.
  • Fix that if network down (nothing pings) then it picks disconnect, for slow bootup where the machine has the previous network settings.
  • control unsafe shows the dialog popup again.
  • Fix bug where no IPv6 causes wrong test results, notably SSL, due to the error report code.
  • Fix where race condition could cause blacklist of open resolver.
  • Fix to flush_infra and flush_requestlist when we use open resolver, the proxy that causes this to be used as fallback has polluted those entries (possibly).
  • sigHUP reloads config and reopens logfile for log rotation support.
  • Fix apple OS failure by installer, because of tarfile inclusion of extended attributes that overwrote system dir extended attributes.


  • fix that setup hint is not printed on a reinstall.
  • stop executables before re-install of dnssec-trigger.
  • tested to work on winXP (thanks Jan-Piet Mens).
  • fix printout of 1970 date, instead that no probe was performed.
  • fix unknown options for dnssec-trigger-panel, prints version too.
  • dmg installer for MacOS X, donated by Carsten Strotmann.
  • for caches, also test if NSEC3 is present for QTYPE=NULL nodata.


  • detect transparent proxies and avoid them.
  • Fix insecure mode after dnstcp443 has been probed.
  • Fix race condition between system and dnssec-trigger where briefly the DHCP insecure response was dominant. On OSX and Windows a system preference (like from the control panel) is created. On Linux chattr immutable, on BSD chflag immutable. On exit, it enters even if in insecure mode, so that a later reboot will be secure. The override is removed on uninstall.
  • windows package work, tested Vista.
  • the dnssec-trigger-panel (gtk2 without libappindicator) works on the XFCE desktop.
  • libappindicator support, for Ubuntu Unity desktop GUI. Just install libappindicator-dev and build and a Unity GUI tray icon is produced.
  • can build outside of sourcedir.
  • Manpage fixes
  • Add @ to echo in Makefile.
  • print error on control unknown command, and exit status 1.


  • The windows installer includes unbound and is much improved. untested.
  • There is a GUI for Hotspot Signon (menu item). Use it to go without DNSSEC to sign into the hotel hotspot.
  • windows README is a proper .txt files for dos
  • windows loop bug is fixed.
  • new IP6 address for the open resolver service at nlnetlabs. ip4 is .42 and ip6 has ::42.


  • dnssec-trigger-control reprobe command from the commandline.
  • dnssec-trigger-control hotspot_signon, forces insecure mode for a sign-on. The reprobe command can be used to stop forced_insecure.
  • added probe tcp80 and tcp443 as last resort.
  • retry for insecure and disconnect cases with exponential backoff, start 10 seconds, max 24h.
  • tcp retry after 20 seconds, in case more opens up or it was slow.
  • ignore UDP without QR flag: some DNS caches send echoes of the query back initially. If we ignore them we catch a (100 msec later) correct answer later. (or timeout if no answer comes).
  • if probe is in progress it prints that in status.
  • if no DNS servers via DHCP it prints that in status.
  • antialiased fonts in windows native gui.
  • fix configure --with-gui, it did not change the gui but hooks.
  • refactor GUI panel SSL feed to be more portable.
  • fix stop command.
  • status 'dark' is now called 'nodnssec'.
  • fix so that if it cannot bind socket the server fails to start.
  • fix so that on OSX no zombie process remains.
  • kill -HUP performs a reload on UNIX. It only reload the strings and that config, it keeps the running probe results and open sockets to panels and certificates.
  • added fedora spec and init script.
  • fix OSX get of DHCP options to use ipconfig API instead of faulty awk parse.


  • Fixes makefile dependencies.
  • stoppanels control command for installers to update that panel exe.


  • pick up SSID (for windows, OSX) to filter trigger with, so an SSID change from the wlan triggers a reprobe.
  • set windres resource files, icons, log-format, useradmpermission and setup.exe script with NSIS, it includes dlls.
  • fix fd leaked every second by panel if the daemon was down.
  • print time of probe with results.
  • windows and osx probe and hooks.
  • gtk and cocoa GUI


  • First version. networkmanager hooks. GTK gui.


Dnssec trigger enables the end-host (laptop or desktop computer) to use DNSSEC protection for the DNS traffic. DNS translates names of computers into IP-addresses used to contact them.

It probes for DNSSEC capable servers and instructs a validator on localhost to use that. If it fails, the user can opt to go insecure.

This means a browser can (often) get DNSSEC capable results. It may trust results from with the ADflag. Or it can do DNSSEC validation itself. This can enable DANE (IETF wg).

One of the last resorts of dnssec-trigger is to use SSL port 443 for DNSSEC. If that fails, it is unlikely that DANE (https, also SSL port 443) can work. Thus, logically, this service is very likely to provide DNSSEC when DANE must have it.

This software is Open Source licensed and it works on a variety of platforms.


mailing list
dnssec-trigger manpage
windows manual

Tue Sep 6 2016

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands, subsidised by NLnet and SIDN.