2011-09-17 18:00:04 UTC
We are trying to get DNSSEC validation on the end nodes. One way of doing
that is to run a caching resolver on every host, but that strains the
DNS infrastructure because all DNS caches would be circumvented. Since
DNSSEC data is signed, you can obtain it via "insecure channels" and then
validate it. So we want to try and use the DHCP obtained DNS caches as much
However, there are many networks out there that mess with DNS, and sometimes
we have to accept fake DNS to get past hotspot/login pages. Sometimes the
DNS proxies are broken for DNSSEC and we would prefer to run the queries
ourselves to the authoritative nameservers without using the broken caching
This is where "dnssec-trigger" comes in. Users run a local validating
resolver with DNSSEC support (unbound) that can be dynamically reconfigured
to use different forwarders. dnssec-triggerd checks the DNS path by sending
a query to a root name server (via the caching resolver or directly) and
determines if the DHCP-obtained DNS servers can be used, or if unbound should
attempt it directly. Or in the worst case, if DNS should be disabled completely
because it is proven untrusted.
dnssec-trigger consists of NetworkManager hooks, a daemon that rewrites
resolv.conf and signals unbound, and a gnome applet to show the user the
DNSSEC status and to warn the user if the network is (too?) unsafe to use.
We'd love to hear from Fedora people how well this integrates and works in
various hotspot scenarios. We'd love to hear from NM developers to see if
the hooking has all been done in proper ways.
You can find source and package pre-releases at:
Install dnssec-trigger, which should drag in the unbound DNS server. Enable
the unbound and dnssec-triggerd services to start. The panel can be manually
started with "dnssec-trigger-panel".
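The probe-and-decide step described in this message, as an added example in Python that is not dnssec-trigger's own code: it builds the root query with the EDNS0 DO bit, checks whether a reply still carries RRSIG records, and picks between the DHCP cache, direct resolution by unbound, and marking DNS untrusted. The reply bytes are constructed here for illustration, and the RRSIG rdata is a placeholder, not a real signature.

```python
import struct

# Constructed example, not dnssec-trigger's own code: a simplified DNS-path probe.
# Build a '. IN NS' query with the EDNS0 DO bit, then classify replies by whether
# the upstream let DNSSEC records (RRSIGs) through.
NS, OPT, RRSIG = 2, 41, 46

def build_root_probe(txid=0x1234):
    """Query for the root NS set; DO bit set so a DNSSEC-aware server adds RRSIGs."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    question = b"\x00" + struct.pack(">HH", NS, 1)             # name '.', type NS, class IN
    # OPT pseudo-RR: name '.', type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length

def inspect_reply(msg):
    """Return (rcode, set of RR types seen in the answer/authority/additional sections)."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, types = 12, set()
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.add(rtype)
        off += 10 + rdlen
    return flags & 0xF, types

def choose_mode(cache_reply, direct_reply):
    """Simplified dnssec-triggerd decision: DHCP cache if it passes RRSIGs, else
    unbound queries the authoritative servers itself, else DNS is marked untrusted."""
    for mode, reply in (("cache", cache_reply), ("direct", direct_reply)):
        if reply is not None:
            rcode, types = inspect_reply(reply)
            if rcode == 0 and RRSIG in types:
                return mode
    return "insecure"

def _rr(rtype, rdata):  # resource record owned by the root name
    return b"\x00" + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata
# Constructed replies: a clean cache that passes the RRSIG, and a proxy that strips it.
_Q = b"\x00" + struct.pack(">HH", NS, 1)
_NS_RDATA = b"\x01a\x0croot-servers\x03net\x00"
CLEAN_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _Q + _rr(NS, _NS_RDATA) + _rr(RRSIG, b"\x00" * 20)
STRIPPED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _rr(NS, _NS_RDATA)
```

In the real daemon the reply from the cache is additionally validated by unbound; this block only checks that DNSSEC records survive the path, which is the part a broken proxy typically breaks.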