Paul Wouters wrote:

> On Tue, 13 Jan 2015, Neal Becker wrote:
>> How will this impact the following (common) situation?
>> I carry my linux laptop between home and work.  When at work, I need to use
>> my employer's dns to lookup names of (non-public) local machines.
> When connecting to work, dnssec-trigger will probe the DHCP obtained
> resolver and use it when it works (well enough to support DNSSEC)
> If your work's public DNS view is unsigned, then your
> corporate DNS server can lie all it want and we'll believe it.
> If your work's public DNS view is signed, then your internal view better
> be signed with that key too, or else we'll mis-detect it as an attack.
> If you connect via VPN to your work, the VPN client should receive the
> domain and nameservers via the VPN options, and configure a forward
> inside your resolver. (libreswan IPsec supports this and I use it daily
> when connecting to the RedHat VPN :)
> NetworkManager should allow for a connection property based on network
> identification where you can configure overrides.
> DNSSEC in general will make split view DNS much harder to maintain. We
> are not introducing this problem - we just have to try and cope with it.
> Paul

Just tried it on f21.  Did:
sudo systemctl enable dnssec-triggerd.service
sudo systemctl start dnssec-triggerd.service

[ works fine ]

Now a local machine:

host nbecker7
Host nbecker7 not found: 3(NXDOMAIN)
[nbecker@nbecker1 ~]$ tail /var/log/messages
Jan 13 10:32:55 nbecker1 dnssec-trigger-script: ok removed 0 rrsets, 0 messages and 0 key entries
Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Global forwarders:
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not send queries for probe
Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Connection provided zone '' (insecure):
Jan 13 10:32:56 nbecker1 dnssec-triggerd: ok

but if I unplug the enet cable and replug it, it seems to no longer be working for local:

Host not found: 3(NXDOMAIN)

I'm guessing I need to manually configure /etc/unbound/unbound.conf?

No clue why the behavior changed after unplugging/replugging the enet cable.

I did NOT try logout/login or reboot.

-- Those who don't understand recursion are doomed to repeat it
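As an added illustration that is not part of the thread, this is what the per-domain forward Paul describes looks like in unbound's own configuration, shown in its weak and corrected forms; the zone name corp.example, the resolver address 10.0.0.53 and the drop-in location are made-up assumptions, and the point of the corrected form is the domain-insecure line, which is what keeps an unsigned internal view from being judged bogus under a signed public parent:

```conf
# Added example, not taken from the thread or from dnssec-trigger itself.
# "corp.example" and 10.0.0.53 are constructed placeholders for the
# employer's internal zone and internal resolver. Assumed to live in a
# file that unbound.conf includes (e.g. a conf.d drop-in).

# Weak form: a forward-zone on its own. If corp.example's public parent
# is signed with a DS for it but the internal view is served unsigned,
# unbound's validator sees a DS with no RRSIGs, marks the answers bogus
# (Paul's "mis-detect it as an attack" case) and returns SERVFAIL.
#forward-zone:
#    name: "corp.example"
#    forward-addr: 10.0.0.53

# Corrected form: declare the internal zone deliberately unsigned so the
# validator treats it as insecure instead of bogus, allow RFC 1918
# answers under it if private-address filtering is in effect, then
# forward only that zone to the internal resolver. Public names keep
# going through whatever global forwarders dnssec-trigger has probed.
server:
    domain-insecure: "corp.example"
    private-domain: "corp.example"

forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53
```

Reload unbound after adding it; because dnssec-trigger's runtime changes only touch the global "." forwarders and the zones it added itself, a static forward-zone like this should survive a cable unplug/replug.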
