Hi developers of NM and Fedora,

We are trying to get DNSSEC validation on the end nodes. One way of doing that is to run a caching resolver on every host, but that strains the DNS infrastructure because all DNS caches would be circumvented. Since DNSSEC data is signed, you can obtain it via "insecure channels" and then validate it. So we want to try and use the DHCP-obtained DNS caches as much as possible.

However, there are many networks out there that mess with DNS, and sometimes we have to accept fake DNS to get past hotspot/login pages. Sometimes the DNS proxies are broken for DNSSEC and we would prefer to run the queries ourselves to the authoritative nameservers without using the broken caching middle layer.

This is where "dnssec-trigger" comes in. Users run a local validating resolver with DNSSEC support (unbound) that can be dynamically reconfigured to use different forwarders. dnssec-triggerd checks the DNS path by sending a query to a root name server (via the caching resolver or directly) and determines if the DHCP-obtained DNS servers can be used, or if unbound should attempt it directly. Or, in the worst case, if DNS should be disabled completely because it is proven untrusted.

dnssec-trigger consists of NetworkManager hooks, a daemon that rewrites resolv.conf and signals unbound, and a GNOME applet to show the user the DNSSEC status and to warn the user if the network is (too?) unsafe to use.

We'd love to hear from Fedora people how well this integrates and works in various hotspot scenarios. We'd love to hear from NM developers to see if the hooking has all been done in proper ways.

You can find source and package pre-releases at:

ftp://ftp.xelerance.com/dnssec-trigger/

Install dnssec-trigger, which should drag in the unbound DNS server. Enable the unbound and dnssec-triggerd services to start. The panel can be manually started with "dnssec-trigger-panel".
Cheers,
Paul
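
The three-way decision described in the message (use the DHCP caches, query directly, or disable DNS), as an added sketch that is not part of the original post and is not dnssec-trigger's code. It assumes the probe asks for the root DNSKEY set with the DNSSEC OK bit set and treats a reply as usable only if the answer carries the RRSIG alongside the data; the mode names and the constructed_reply helper are hypothetical, and signature validation itself is left to unbound.

```python
import struct

TYPE_RRSIG, TYPE_DNSKEY = 46, 48

def skip_name(msg, off):
    # Return the offset just past a name (labels or a compression pointer).
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def answer_types(msg):
    # List the RR types present in the answer section of a response.
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def passes_dnssec(msg):
    # Assumed criterion: the data must arrive together with its RRSIG.
    try:
        found = answer_types(msg)
    except (struct.error, IndexError):
        return False  # truncated or mangled reply
    return TYPE_DNSKEY in found and TYPE_RRSIG in found

def choose_mode(cache_replies, direct_reply):
    # Prefer the DHCP caches, fall back to direct queries, else disable DNS.
    if any(r is not None and passes_dnssec(r) for r in cache_replies):
        return "use-dhcp-caches"
    if direct_reply is not None and passes_dnssec(direct_reply):
        return "direct-to-authoritative"
    return "dns-disabled"

def constructed_reply(rr_types):
    # Constructed sample: root-owned answer RRs with one byte of dummy RDATA.
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rr_types), 0, 0)
    msg += b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)
    for t in rr_types:
        msg += b"\x00" + struct.pack("!HHIH", t, 1, 3600, 1) + b"\x00"
    return msg
```

A reply of None stands for a probe that timed out, so a hotspot that strips signatures from its cache and also blocks direct queries ends in "dns-disabled".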