[Dnsmasq-discuss] dnssec and local caching dns in fedora and network manager

Dan Williams dcbw at redhat.com
Mon Apr 14 15:38:08 UTC 2014


On Mon, 2014-04-14 at 09:31 +0100, Simon Kelley wrote:
> On 13/04/14 21:24, Dave Taht wrote:
> > interesting long thread over at the fedora project this weekend:
> > 
> > https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
> > 
> 
> I'm quite a long way through it already. The main takehome seems to be
> that captive portals are even more broken in the era of DNSSEC than
> before. It's amazing that's even possible......

They are quite awful.  They were always awful.  But with 10+ years of
captive portal hackage, it's pretty much on the DNSSEC implementors to
either (a) change every captive portal to work, or (b) figure out how to
work around the problem.  A combination of the two is the right path,
but nobody is going to get all captive portals to follow a spec.

There is Hotspot 2.0 (and the older WISPr) that at least automates the
process so that you *know* you're connected to a captive portal and
sometimes you can automatically log in using the SIM card in your device
or other cached credentials.  Usually used by phones and providers to
automatically roam to WiFi networks your provider has affiliations with.

This is where the standardization work is going on for hotspot stuff.

Dan

> Maybe the IETF should create a sane spec for such things....
> 
> 
> 
> Simon.
> 
> > 
> > 
> > ---------- Forwarded message ----------
> > From: Chuck Anderson <cra at wpi.edu>
> > Date: Sun, Apr 13, 2014 at 10:59 AM
> > Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
> > To: cerowrt-devel at lists.bufferbloat.net
> > 
> > 
> > On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
> >>
> >>> Is there a "D"?
> >>
> >> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
> > 
> > How do these proposals compare with unbound+dnssec-trigger in the
> > Fedora world?  I stirred up a rat's nest:
> > 
> > https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
> > 
> > I realize these are slightly different use cases, but it may be
> > helpful to learn from the different implementations, if for no other
> > reason than to be sure they interoperate.  I'm going to turn on
> > unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> > turned on to see what happens...




