NAME
dnssec-trigger, dnssec-triggerd, dnssec-trigger-panel, dnssec-trigger-control, dnssec-trigger-control-setup, dnssec-trigger.conf - check DNS servers for DNSSEC support and adjust to compensate.
SYNOPSIS
dnssec-triggerd [-d] [-v] [-u] [-c file]
dnssec-trigger-control [-c file] [-s ip[@port]] command [arguments]
dnssec-trigger-panel [-d] [-c file]
DESCRIPTION
The dnssec-trigger programs steer unbound(8) towards DNSSEC capable DNS servers. A DHCP hook installed on the system calls dnssec-trigger-control, which contacts the daemon dnssec-triggerd, which in turn probes the list of servers. The daemon then adjusts a running unbound through unbound-control(8) and notifies the user applet dnssec-trigger-panel for GUI display.
The dnssec-trigger-panel runs after user login and displays notifications and status to the user. It may pop up a warning if no DNSSEC capable servers are available, with options to disconnect or to connect insecurely.
The dnssec-trigger-control tool is used in the background
by scripts to notify the daemon of new (DHCP) DNS servers. It can be used to
test the system by providing a (fake) list of DNS server IP addresses.
The dnssec-trigger-control-setup tool is used to set up the SSL keys that the daemon and user panel use to communicate securely. It must be run once after installation.
THE DNSSEC-TRIGGERD DAEMON
The dnssec-triggerd daemon runs continuously and is started after boot. It receives a list of IP addresses, probes them, and adjusts unbound and resolv.conf. Unbound acts as the validating local resolver, running on 127.0.0.1, and resolv.conf is modified to point to 127.0.0.1.
- -c cfgfile
- Set the config file with settings for the dnssec-triggerd to read instead
of reading the file at the default location,
/etc/dnssec-trigger/dnssec-trigger.conf. The syntax is described
below.
- -d
- Debug flag, do not fork into the background, but stay attached to the
console.
- -u
- Uninstall the DNS override: makes resolv.conf mutable again, or performs the equivalent OS-specific action.
- -v
- Increase verbosity. If given multiple times, more information is logged.
This is in addition to the verbosity (if any) from the config file.
THE DNSSEC-TRIGGER.CONF FILE
The config file contains options in a simple key: value format. Comments start with '#' and empty lines are allowed. The parser is simple and expects one statement per line.
- verbosity: <num>
- Amount of logging, 1 is the default. 0 logs only errors, 2 gives more detail, 4 is for debugging.
- pidfile: "<file>"
- The filename where the pid of the dnssec-triggerd is stored. Default is /run/dnssec-triggerd.pid.
- logfile: "<file>"
- Log to a file instead of syslog; the default is to log to syslog.
- use-syslog: <yes or no>
- Log to syslog, default is yes. If set to no, logging goes to stderr (if no logfile is configured) or to the configured logfile.
- unbound-control: "<command>"
- The string gives the command to execute. It can be "unbound-control" to search the runtime PATH, or a full pathname. Arguments for the command can be given after it, separated by a space, e.g. "/usr/local/bin/unbound-control -c my.conf".
- resolvconf: "/etc/resolv.conf"
- The resolv.conf file to edit (on POSIX systems). The daemon keeps the file read-only and only makes it writable briefly while changing it itself, to keep other software from interfering. On OSX (if compiled in) the DNS settings are also changed in the network configuration machinery (visible in the network settings control panel). On Windows (if compiled in) it sets registry settings for network configuration (which may be visible in the control panel tab for network devices) and does not write a resolv.conf file.
- domain: "example.com"
- The domain to set in resolv.conf. See resolv.conf(5). Picked up once during installation, and not from DHCP, since a DHCP-supplied domain could direct traffic elsewhere.
- search: "example.com"
- The domain name search path to set in resolv.conf. See resolv.conf(5). Picked up once during installation, and not from DHCP, since a DHCP-supplied search path could direct traffic elsewhere.
- noaction: <yes or no>
- Default is no. If yes, no action is taken to change unbound (via unbound-control) or resolv.conf. The software can be tested with this; probe results are still available.
- port: <8955>
- Port number to use for communication with dnssec-triggerd. Communication uses 127.0.0.1 (the loopback interface). SSL is used to secure it, and the keys are stored on disk (see below). The other tools read this config file to find the port number and key locations.
- login-command: "sensible-browser"
- The command that is run when the user clicks Login on the "no web access" dialog. This is expected to be a web browser, which opens a URL so that the hot-spot network login can intercept the request and show its login page. The default is a detected generic web browser. The empty string "" turns off this feature and no command is run.
- login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
- The URL that is opened with the web browser. It is passed as a command line argument.
- server-key-file:
"/etc/dnssec-trigger/dnssec_trigger_server.key"
- server-cert-file:
"/etc/dnssec-trigger/dnssec_trigger_server.pem"
- control-key-file:
"/etc/dnssec-trigger/dnssec_trigger_control.key"
- control-cert-file:
"/etc/dnssec-trigger/dnssec_trigger_control.pem"
- The files used for SSL secured communication with dnssec-triggerd. These
files can be created with dnssec-trigger-control-setup (run as root).
- check-updates: <yes or no>
- Check for software updates; if one is available, download it and present the user with a dialog that allows them to run the installer to upgrade the software. A SHA256 checksum of the download is verified; the checksum is published in a TXT record and signed with DNSSEC. On Windows and OSX the default is yes. On other systems the default is no (if enabled, it downloads the source tarball).
- url: "http://example.com OK"
- This statement adds a URL to probe via HTTP (port 80). The first word, before the space, is the URL to fetch. The remainder is the string expected as the page contents (which may be prefixed or suffixed with whitespace). The URL's host name is resolved and an HTTP/1.1 request is sent. The reply must have a 2xx status and contain the expected page contents. If this is not the case, dnssec-trigger knows that a 'hot spot' of some sort is interfering with traffic. If you do not configure any urls, no HTTP probes are done. If you configure multiple urls, it probes a random selection of 3 of them, trying all of their IP addresses in turn, with IPv4 and IPv6 simultaneously. At most 5 of the DHCP DNS servers are used (in parallel) to resolve them. If an answer is received and it fails the probe, probing stops; probing continues if there is no connection or the response is a 404.
- tcp80: <ip>
- Add an IPv4 or IPv6 address to the list of fallback open DNSSEC resolvers that are used on TCP port 80. These relay traffic from port 80 to regular DNS.
- tcp443: <ip>
- Add an IPv4 or IPv6 address to the list of fallback open DNSSEC resolvers that are used on TCP port 443. These relay traffic from port 443 to regular DNS.
- tcp443: <ip> or <ip> { <hash> }
- Add an IPv4 or IPv6 address to the list of fallback SSL open DNSSEC resolvers. They serve plain DNS (TCP style) over port 443, encapsulated in SSL. The SSL certificate presented by the server is checked against the fingerprint (if configured here). You may configure multiple hashes (separated by one space); if any one of them matches the certificate is accepted, so that pre-publish rollover of the certificates is possible.
- use-vpn-forwarders: <yes or no>
- Use the DNS servers from the VPN for all hosts, default is no. By default only the domains configured for the VPN connection are forwarded to the VPN resolvers. If set to yes, all DNS queries are resolved on the servers supplied by the VPN.
- use-private-addresses: <yes or no>
- Forward the reverse zones of RFC 1918 private addresses to the global forwarders, default is yes. If set to no, private addresses are resolved only on this host, and addresses not configured locally return NXDOMAIN.
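The parsing rules described for this file (one statement per line, '#' comments, statements such as url: and tcp443: that may repeat, the optional { hash } list on tcp443:) and the verdict rule given for a url: probe reply, worked through in Python as an added example. This is not code from the dnssec-trigger project: SAMPLE_CONF, the function names and the HTTP replies fed to the verdict are constructed for the example.

```python
# Added example, not code from the dnssec-trigger project: a parser for the
# one-statement-per-line "key: value" syntax of dnssec-trigger.conf and the
# decision rule the url: description gives for an HTTP probe reply.
# SAMPLE_CONF, the function names and the sample replies are constructed here.
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONF = """\
# constructed sample dnssec-trigger.conf (not a real deployment's file)
verbosity: 1
use-syslog: yes
url: "http://example.com OK"
url: "http://example.net/probe this is the probe page"
tcp80: 192.0.2.10
tcp443: 192.0.2.11
# two fingerprints: pre-publish rollover, either one matching is accepted
tcp443: 2001:db8::1 { aaaa bbbb }
use-vpn-forwarders: no
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """One statement per line; '#' starts a comment; surrounding quotes are
    stripped. Keys that may repeat (url:, tcp80:, tcp443:) accumulate, so
    every key maps to a list of values in file order."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simple parser: no '#' inside values
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"expected key: value, got {raw!r}")
        key, value = line.split(":", 1)        # first ':' only, IPv6 values keep theirs
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf.setdefault(key.strip(), []).append(value)
    return conf


def parse_url_entry(entry: str) -> Tuple[str, str]:
    """'http://example.com OK' -> ('http://example.com', 'OK'): the first word
    is the URL, the rest is the expected page contents."""
    url, _, expected = entry.partition(" ")
    return url, expected.strip()


def parse_tcp443_entry(entry: str) -> Tuple[str, List[str]]:
    """'<ip>' or '<ip> { <hash> <hash> }' -> (ip, [hashes])."""
    m = re.fullmatch(r"(\S+)(?:\s*\{\s*([^}]*)\})?", entry.strip())
    if not m:
        raise ValueError(f"bad tcp443 entry {entry!r}")
    return m.group(1), (m.group(2) or "").split()


def fingerprint_ok(configured: List[str], observed: str) -> bool:
    """No pinned fingerprint means no check; otherwise any one must match."""
    return not configured or observed in configured


def http_probe_verdict(status: Optional[int], body: str, expected: str) -> str:
    """'ok'       : 2xx reply whose contents (surrounding whitespace allowed)
                    are the expected string, so no hot spot is in the way
       'continue' : no connection or a 404, keep probing other addresses/urls
       'hotspot'  : any other answer, something is interfering with traffic"""
    if status is None or status == 404:
        return "continue"
    if 200 <= status < 300 and body.strip() == expected:
        return "ok"
    return "hotspot"


def probe_sample() -> Dict[str, str]:
    """Run the verdict over constructed replies for the first url: entry."""
    conf = parse_conf(SAMPLE_CONF)
    _url, expected = parse_url_entry(conf["url"][0])
    return {
        "clean": http_probe_verdict(200, " OK\n", expected),
        "portal": http_probe_verdict(200, "<html>Please log in</html>", expected),
        "redirect": http_probe_verdict(302, "", expected),
        "missing": http_probe_verdict(404, "", expected),
        "down": http_probe_verdict(None, "", expected),
    }


if __name__ == "__main__":
    for name, verdict in probe_sample().items():
        print(f"{name:>8}: {verdict}")
```

The verdict function treats a 302 the same as a wrong page: a captive portal that redirects the probe to its login page is exactly the interference the url: statement exists to detect, so only a 404 or no connection at all keeps the probe going.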
THE DNSSEC-TRIGGER-PANEL
The dnssec-trigger-panel is an applet that runs in the system tray and shows the DNSSEC status. It can be invoked with -d to test it from the build directory. The -c cfgfile option sets a config file other than the default. The applet keeps an SSL connection to the daemon, displays the status, and can show dialogs to the user.
The applet has a small menu. The menu item Reprobe causes the daemon to probe the last seen DHCP DNS servers again, which may now work after a hotspot signon. The menu item Hotspot Signon goes into insecure mode, for hotspots where this is needed to sign on to the hot spot; use Reprobe when done to resume DNSSEC protection efforts. The Probe Result menu item shows the user the results of the previous probe, for technical help with network difficulties.
THE DNSSEC-TRIGGER-CONTROL TOOL
The dnssec-trigger-control tool can be used to test. It is also
used inside DHCP scripts (platform specific). It can send commands to the
daemon.
Options:
- -c cfgfile
- Set the config file to use, instead of the default.
- -s ip[@port]
- By default it connects to 127.0.0.1 with the port from the config file; this option overrides that with an IPv4 or IPv6 address and optionally a port.
- -v
- increase verbosity of dnssec-trigger-control.
Commands:
- submit <ips>
- Submit a list of space separated IP addresses (from DHCP) that are the DNS servers the daemon will probe. IPv4 and IPv6 addresses can be used.
- unsafe
- Test command that probes some 127/8 addresses in a way that makes the
daemon conclude that no DNSSEC works. Presents user with 'Insecure?'
dialog.
- status
- Shows the last probe results.
- reprobe
- Probe the last probe again. It also cancels forced insecure state from
hotspot signon, causing probes for dnssec to resume. This command acts as
the menu item with the same name.
- skip_http
- Skip the http probe step. Set up DNSSEC, as far as possible, without taking the result of the http probe into account. Once http works again, it stops skipping the http results. Useful if you want to have DNSSEC on a network where web access is not possible.
- hotspot_signon
- This command acts as the menu item with the same name. Use it to force insecure mode, in which you can interact with (unusual) hotspot setups. When you are done, run the reprobe command to resume DNSSEC protection efforts.
- results
- continuous feed of probe results.
- cmdtray
- Continuous input feed, used by the tray icon to send commands to the
daemon.
- stoppanels
- Makes connected tray icons quit. Useful for installers that need to update
their executable.
- stop
- stops the daemon.
THE DNSSEC-TRIGGER-CONTROL-SETUP TOOL
This tool aids the setup of the key files. Without arguments it creates the key files. If the key files already exist, it re-signs the certificates with the existing private keys. With -d dir the files are placed in the given directory.
With -i the tool changes configuration files. It tests whether unbound has remote-control: control-enable: yes and, if not, appends lines to unbound.conf that enable unbound-control, and it runs unbound-control-setup to generate the keys for unbound-control. It tests whether unbound has a trust anchor; if not, it enables the root.key as auto-trust-anchor-file and runs unbound-anchor(8) to initialize the key. It picks up the domain and search path from resolv.conf and configures dnssec-trigger.conf to use them.
Note that the tool trusts the domain and search path found at install time. You should review them or perform the configuration manually.
With -u it removes the options it enabled in unbound.conf(5).
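The checks that -i performs, as an added Python example that is not dnssec-trigger-control-setup's own code: it tests constructed unbound.conf text for control-enable: yes and for a trust anchor, appends the clauses when they are missing, and picks up domain and search from constructed resolv.conf text so the values can be reviewed before they reach dnssec-trigger.conf. The function names, the sample file contents and the root.key path are this example's assumptions; the unbound.conf option names are unbound's real ones.

```python
# Added example, not dnssec-trigger-control-setup's own code: the checks the
# text describes for -i, applied to constructed unbound.conf and resolv.conf
# text so they run offline. Function names and sample contents are this
# example's own; the unbound.conf option names are unbound's real ones.
from typing import Dict, List, Tuple

SAMPLE_UNBOUND_CONF = """\
# constructed unbound.conf
server:
\tinterface: 127.0.0.1
\tverbosity: 1
remote-control:
\tcontrol-enable: no
"""

SAMPLE_RESOLV_CONF = """\
# constructed resolv.conf, as a DHCP client would write it
domain example.com
search example.com corp.example.net
nameserver 192.0.2.53
"""

TRUST_ANCHOR_OPTIONS = ("auto-trust-anchor-file", "trust-anchor-file",
                        "trust-anchor", "trusted-keys-file")


def parse_unbound_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal clause parser: a line like 'server:' or 'remote-control:' opens
    a clause, 'key: value' lines belong to the open clause, '#' starts a
    comment. Repeated clauses merge, as unbound merges them. Enough for the
    options checked here, not a full unbound.conf parser."""
    clauses: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                       # clause header
            current = clauses.setdefault(key, {})
        else:
            current[key] = value.strip('"')
    return clauses


def control_enabled(text: str) -> bool:
    rc = parse_unbound_conf(text).get("remote-control", {})
    return rc.get("control-enable") == "yes"


def has_trust_anchor(text: str) -> bool:
    srv = parse_unbound_conf(text).get("server", {})
    return any(opt in srv for opt in TRUST_ANCHOR_OPTIONS)


def ensure_unbound_options(text: str, root_key: str = "/etc/unbound/root.key") -> str:
    """Return unbound.conf text with the clauses -i appends when they are
    missing: remote control on, and root.key as auto-trust-anchor-file.
    Idempotent, so running it twice changes nothing. root_key is an assumed
    location; the real tool uses the path of its own unbound installation."""
    out = text
    if not control_enabled(out):
        out += "\nremote-control:\n\tcontrol-enable: yes\n"
    if not has_trust_anchor(out):
        out += f'\nserver:\n\tauto-trust-anchor-file: "{root_key}"\n'
    return out


def resolvconf_domain_search(text: str) -> Tuple[str, List[str]]:
    """Pick up 'domain' and 'search' the way -i does. The man page warns that
    these are trusted at install time, so whoever runs this reviews them."""
    domain, search = "", []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "domain" and len(parts) > 1:
            domain = parts[1]
        elif parts[0] == "search":
            search = parts[1:]
    return domain, search


def dnssec_trigger_lines(domain: str, search: List[str]) -> List[str]:
    """domain:/search: statements for dnssec-trigger.conf in the quoted form
    shown above; joining several search names with spaces is an assumption."""
    lines = []
    if domain:
        lines.append(f'domain: "{domain}"')
    if search:
        lines.append(f'search: "{" ".join(search)}"')
    return lines


if __name__ == "__main__":
    print(ensure_unbound_options(SAMPLE_UNBOUND_CONF))
    print("\n".join(dnssec_trigger_lines(*resolvconf_domain_search(SAMPLE_RESOLV_CONF))))
```

Running the script prints the amended unbound.conf and the two dnssec-trigger.conf statements; the point of keeping resolvconf_domain_search separate from dnssec_trigger_lines is that the picked-up values can be shown to whoever installs the software before they are written, which is the review the note above asks for.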
FILES
- /etc/dnssec-trigger/dnssec-trigger.conf
- The default configuration file.
- /etc/dnssec-trigger
- Directory with the keys used for SSL connections to dnssec-triggerd.
- /run/dnssec-triggerd.pid
- Default pidfile with the pid of the running dnssec-triggerd.
AUTHORS
This program was developed by Wouter Wijngaards at NLnet Labs.