subject:"Re\: F23 System Wide Change\: Default Local DNS Resolver"

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Bastien Nocera



- Original Message -
 On 18.6.2015 13:14, Bastien Nocera wrote:
  
  
  - Original Message -
  On 12.06.2015 19:00, Matthew Miller wrote:
  On Fri, Jun 12, 2015 at 11:53:32AM -0500, Dan Williams wrote:
  Yeah, we did.  From my recollection, most of that focused on the unbound
  parts and how NM could add the dns=unbound stuff (which Pavel
  contributed) but less on the NM connectivity checking, becuase Fedora
  hadn't turned that on by default yet.  I'm all fine with dns=unbound,
  that's not the issue.  The issue is more around what happens with NM's
  connectivity checking, since that's used by quite a few clients,
  including GNOME Shell.
 
  I personally find the anchor icon very confusing. As a non-expert in
  this area, it doesn't represent anything which seems relevant to me,
  and all of the right click menu options, once I figured out to right
  click, are obscure to me.
 
  I plan to contact the GNOME folks about how they would be willing to
  better integrate the panel (most probably in a different form) into GNOME.
  
  I don't think we want to integrate one more panel applet. The information
  about
  the DNS security should be passed on from NetworkManager. Once that's
  figured
  out, we can discuss how to show that information.
  
  The code needs to integrate with various NetworkManager features, such as
 
 The code already integrates with VPNs.
 
  VPNs and connectivity checking. Adding any UI for network information
  provided
  via a side-channel would be premature.
 
 Could you elaborate how/why is the source of information tied to the UI?
 
 I suspect that networkd and others might not be very happy if the
 NetworkManager has to be available just to pass the information from whatever
 tool doing the actual job to the UI.

networkd isn't supported as a backend for WorkStation (no gnome-shell, or 
gnome-control-center
integration). And systemd doesn't like its internal services depending on 
third-party
services. So you'd most likely have to talk directly to your DNSSEC service to 
get the
information.

 Could you please explain how can we do that in environments without
 NetworkManager?

Front-ends would talk directly to your service.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Reindl Harald



Am 18.06.2015 um 15:29 schrieb Bastien Nocera:

I would love to see more will for cooperation from GNOME people, so we
can converge to the working and well integrated solution. Vague claims
that something is missing or something needs to be done, without clear
reasoning is not helping anyone.


It's a network feature, it needs to be integrated in NetworkManager for
WorkStation to be able to configure it, and get status from it


not all workstations are using NetworkManager and/or GNOME



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Bastien Nocera



- Original Message -
 
 
 On 18.06.2015 13:14, Bastien Nocera wrote:
  
  
  - Original Message -
  On 12.06.2015 19:00, Matthew Miller wrote:
  On Fri, Jun 12, 2015 at 11:53:32AM -0500, Dan Williams wrote:
  Yeah, we did.  From my recollection, most of that focused on the unbound
  parts and how NM could add the dns=unbound stuff (which Pavel
  contributed) but less on the NM connectivity checking, becuase Fedora
  hadn't turned that on by default yet.  I'm all fine with dns=unbound,
  that's not the issue.  The issue is more around what happens with NM's
  connectivity checking, since that's used by quite a few clients,
  including GNOME Shell.
 
  I personally find the anchor icon very confusing. As a non-expert in
  this area, it doesn't represent anything which seems relevant to me,
  and all of the right click menu options, once I figured out to right
  click, are obscure to me.
 
  I plan to contact the GNOME folks about how they would be willing to
  better integrate the panel (most probably in a different form) into GNOME.
  
  I don't think we want to integrate one more panel applet. The information
  about
  the DNS security should be passed on from NetworkManager. Once that's
  figured
  out, we can discuss how to show that information.
 
 I think you should discuss with us the approach before saying that you
 don't want to integrate with dnssec-trigger.

We wouldn't want to integrate with another network handler. 

 We don't see any reason why
 the information should be passed back to NM. The information can be
 passed or gathered from dnssec-trigger itself. We don't want to lock
 ourselves only to NetworkManager, since there are also other network
 configuration managers.

That's fine. But you'll need to do the integration in NM, so that gnome-shell,
gnome-control-center and others NM front-ends can get the feature without
needing to talk directly to dnssec-trigger in addition to talking to 
NetworkManager.

You don't need to lock yourselves into NetworkManager, but front-ends already
talking to NetworkManager should be getting the information through it, not
through another service and arbitrate themselves.

  The code needs to integrate with various NetworkManager features, such as
  VPNs and connectivity checking. Adding any UI for network information
  provided
  via a side-channel would be premature.
 
 VPNs... done like 2 years ago. From what we discussed the connectivity
 checking is not really perfect in NM, since it assumes that DHCP
 provided resolvers are in resolv.conf because NM obviously uses system's
 stub resolver.
 
 If there are any valid integration pieces, please be specific.

I don't want, in the Network panel, to be talking to 2 pieces of software that
I'll need to aggregate myself to get a complete picture.

I can imagine that gnome-shell developers will have a similar request.

 I would love to see more will for cooperation from GNOME people, so we
 can converge to the working and well integrated solution. Vague claims
 that something is missing or something needs to be done, without clear
 reasoning is not helping anyone.

It's a network feature, it needs to be integrated in NetworkManager for
WorkStation to be able to configure it, and get status from it.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Petr Spacek

On 18.6.2015 13:14, Bastien Nocera wrote:
 
 
 - Original Message -
 On 12.06.2015 19:00, Matthew Miller wrote:
 On Fri, Jun 12, 2015 at 11:53:32AM -0500, Dan Williams wrote:
 Yeah, we did.  From my recollection, most of that focused on the unbound
 parts and how NM could add the dns=unbound stuff (which Pavel
 contributed) but less on the NM connectivity checking, becuase Fedora
 hadn't turned that on by default yet.  I'm all fine with dns=unbound,
 that's not the issue.  The issue is more around what happens with NM's
 connectivity checking, since that's used by quite a few clients,
 including GNOME Shell.

 I personally find the anchor icon very confusing. As a non-expert in
 this area, it doesn't represent anything which seems relevant to me,
 and all of the right click menu options, once I figured out to right
 click, are obscure to me.

 I plan to contact the GNOME folks about how they would be willing to
 better integrate the panel (most probably in a different form) into GNOME.
 
 I don't think we want to integrate one more panel applet. The information 
 about
 the DNS security should be passed on from NetworkManager. Once that's figured
 out, we can discuss how to show that information.
 
 The code needs to integrate with various NetworkManager features, such as

The code already integrates with VPNs.

 VPNs and connectivity checking. Adding any UI for network information provided
 via a side-channel would be premature.

Could you elaborate how/why is the source of information tied to the UI?

I suspect that networkd and others might not be very happy if the
NetworkManager has to be available just to pass the information from whatever
tool doing the actual job to the UI.

Could you please explain how can we do that in environments without
NetworkManager?

-- 
Petr Spacek  @  Red Hat
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Tomas Hozza



On 18.06.2015 13:14, Bastien Nocera wrote:
 
 
 - Original Message -
 On 12.06.2015 19:00, Matthew Miller wrote:
 On Fri, Jun 12, 2015 at 11:53:32AM -0500, Dan Williams wrote:
 Yeah, we did.  From my recollection, most of that focused on the unbound
 parts and how NM could add the dns=unbound stuff (which Pavel
 contributed) but less on the NM connectivity checking, becuase Fedora
 hadn't turned that on by default yet.  I'm all fine with dns=unbound,
 that's not the issue.  The issue is more around what happens with NM's
 connectivity checking, since that's used by quite a few clients,
 including GNOME Shell.

 I personally find the anchor icon very confusing. As a non-expert in
 this area, it doesn't represent anything which seems relevant to me,
 and all of the right click menu options, once I figured out to right
 click, are obscure to me.

 I plan to contact the GNOME folks about how they would be willing to
 better integrate the panel (most probably in a different form) into GNOME.
 
 I don't think we want to integrate one more panel applet. The information 
 about
 the DNS security should be passed on from NetworkManager. Once that's figured
 out, we can discuss how to show that information.

I think you should discuss with us the approach before saying that you
don't want to integrate with dnssec-trigger. We don't see any reason why
the information should be passed back to NM. The information can be
passed or gathered from dnssec-trigger itself. We don't want to lock
ourselves only to NetworkManager, since there are also other network
configuration managers.

 The code needs to integrate with various NetworkManager features, such as
 VPNs and connectivity checking. Adding any UI for network information provided
 via a side-channel would be premature.

VPNs... done like 2 years ago. From what we discussed the connectivity
checking is not really perfect in NM, since it assumes that DHCP
provided resolvers are in resolv.conf because NM obviously uses system's
stub resolver.

If there are any valid integration pieces, please be specific.

I would love to see more will for cooperation from GNOME people, so we
can converge to the working and well integrated solution. Vague claims
that something is missing or something needs to be done, without clear
reasoning is not helping anyone.

Cheers
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Miloslav Trmač

  VPNs... done like 2 years ago. From what we discussed the connectivity
  checking is not really perfect in NM, since it assumes that DHCP
  provided resolvers are in resolv.conf because NM obviously uses system's
  stub resolver.
  
  If there are any valid integration pieces, please be specific.
 
 I don't want, in the Network panel, to be talking to 2 pieces of software that
 I'll need to aggregate myself to get a complete picture.

That’s kind of surprising; users should see a view that makes sense to them, 
not a reflection of the underlying implementation stack.  Isn’t it anyway a 
pretty common situation to talk to two or more services in one dialog? E.g. the 
sharing panel definitely talks to several services.

I agree that you don’t want to talk to two pieces of software which tell you 
different answers to the same question—but AFAICS that should be an argument in 
favor of integrating with dnssec-trigger directly instead of having 
NetworkManager proxy (and possibly modify) everything. (Well, assuming 
dnssec-trigger and NM talk to each other enough to keep in sync, but the 
dnssec-trigger-NM interface does not need to be the same as GUI-NM nor 
GUI-dnssec-trigger one.)
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Bastien Nocera



- Original Message -
 On 12.06.2015 19:00, Matthew Miller wrote:
  On Fri, Jun 12, 2015 at 11:53:32AM -0500, Dan Williams wrote:
  Yeah, we did.  From my recollection, most of that focused on the unbound
  parts and how NM could add the dns=unbound stuff (which Pavel
  contributed) but less on the NM connectivity checking, becuase Fedora
  hadn't turned that on by default yet.  I'm all fine with dns=unbound,
  that's not the issue.  The issue is more around what happens with NM's
  connectivity checking, since that's used by quite a few clients,
  including GNOME Shell.
  
  I personally find the anchor icon very confusing. As a non-expert in
  this area, it doesn't represent anything which seems relevant to me,
  and all of the right click menu options, once I figured out to right
  click, are obscure to me.
 
 I plan to contact the GNOME folks about how they would be willing to
 better integrate the panel (most probably in a different form) into GNOME.

I don't think we want to integrate one more panel applet. The information about
the DNS security should be passed on from NetworkManager. Once that's figured
out, we can discuss how to show that information.

The code needs to integrate with various NetworkManager features, such as
VPNs and connectivity checking. Adding any UI for network information provided
via a side-channel would be premature.

Cheers
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Bastien Nocera



- Original Message -
 
 Am 18.06.2015 um 15:29 schrieb Bastien Nocera:
  I would love to see more will for cooperation from GNOME people, so we
  can converge to the working and well integrated solution. Vague claims
  that something is missing or something needs to be done, without clear
  reasoning is not helping anyone.
 
  It's a network feature, it needs to be integrated in NetworkManager for
  WorkStation to be able to configure it, and get status from it
 
 not all workstations are using NetworkManager and/or GNOME

Workstation as in Fedora Workstation, which uses both by default.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Bastien Nocera



- Original Message -
   VPNs... done like 2 years ago. From what we discussed the connectivity
   checking is not really perfect in NM, since it assumes that DHCP
   provided resolvers are in resolv.conf because NM obviously uses system's
   stub resolver.
   
   If there are any valid integration pieces, please be specific.
  
  I don't want, in the Network panel, to be talking to 2 pieces of software
  that
  I'll need to aggregate myself to get a complete picture.
 
 That’s kind of surprising; users should see a view that makes sense to them,
 not a reflection of the underlying implementation stack.  Isn’t it anyway a
 pretty common situation to talk to two or more services in one dialog? E.g.
 the sharing panel definitely talks to several services.

Wrong example ;)

It talks to gnome-settings-daemon's sharing plugin which hides the
implementation details of how to start/stop services and the various networks.

 I agree that you don’t want to talk to two pieces of software which tell you
 different answers to the same question—but AFAICS that should be an argument
 in favor of integrating with dnssec-trigger directly instead of having
 NetworkManager proxy (and possibly modify) everything. (Well, assuming
 dnssec-trigger and NM talk to each other enough to keep in sync, but the
 dnssec-trigger-NM interface does not need to be the same as GUI-NM nor
 GUI-dnssec-trigger one.)

And use dnssec-trigger to configure VPNs or Wi-Fi? :)

We really want to talk to only one service here, and NetworkManager could 
provide
us with per-connection settings for whether to accept insecure DNSes, 
configuration
storage, system-wide settings, etc.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Reindl Harald



Am 18.06.2015 um 17:17 schrieb Bastien Nocera:

- Original Message -


Am 18.06.2015 um 15:29 schrieb Bastien Nocera:

I would love to see more will for cooperation from GNOME people, so we
can converge to the working and well integrated solution. Vague claims
that something is missing or something needs to be done, without clear
reasoning is not helping anyone.


It's a network feature, it needs to be integrated in NetworkManager for
WorkStation to be able to configure it, and get status from it


not all workstations are using NetworkManager and/or GNOME


Workstation as in Fedora Workstation, which uses both by default


but Fedora is still an operating system and not just a runtime for GNOME

BTW: fix your horrible quoting



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Bastien Nocera



- Original Message -
 
 Am 18.06.2015 um 17:17 schrieb Bastien Nocera:
  - Original Message -
 
  Am 18.06.2015 um 15:29 schrieb Bastien Nocera:
  I would love to see more will for cooperation from GNOME people, so we
  can converge to the working and well integrated solution. Vague claims
  that something is missing or something needs to be done, without clear
  reasoning is not helping anyone.
 
  It's a network feature, it needs to be integrated in NetworkManager for
  WorkStation to be able to configure it, and get status from it
 
  not all workstations are using NetworkManager and/or GNOME
 
  Workstation as in Fedora Workstation, which uses both by default
 
 but Fedora is still an operating system and not just a runtime for GNOME

Other spins can state their own requirements, that's the one from Fedora
Workstation and/or GNOME's side.

 BTW: fix your horrible quoting

My horrible MUA.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Dan Williams

On Mon, 2015-06-15 at 14:57 +0200, Petr Spacek wrote:
On 12.6.2015 18:53, Dan Williams wrote:
On Fri, 2015-06-12 at 17:10 +0200, Petr Spacek wrote:
On Tue, 2015-06-09 at 12:30 -0400, Matthew Miller wrote:
On Tue, Jun 09, 2015 at 11:34:39AM -0400, Paul Wouters wrote:
decision needs to then be made by the system. I believe that's been
mostly due to lack of time for the various parties to sit down and
plan and then program this further.

We should try to make that happen.

Okay, let's start once again from scratch.

All of this was already discussed and we even had a huge meeting around
DevConf and FLOCK 2014 about this, so following text will be just a short
refresher:

Yeah, we did. From my recollection, most of that focused on the unbound
parts and how NM could add the dns=unbound stuff (which Pavel
contributed) but less on the NM connectivity checking, becuase Fedora
hadn't turned that on by default yet. I'm all fine with dns=unbound,
that's not the issue. The issue is more around what happens with NM's
connectivity checking, since that's used by quite a few clients,
including GNOME Shell.

The ultimate goal
=
Make various man-in-the-middle attacks *automatically* detectable - without
any user interaction. Especially we want to get rid of dialogs like Site
www.gmail.com is using certificate issued for xxx.porn and certificate's
validity ended 10 years ago. Do you want to continue? [YES] [YES] [YES].

Tools
=
To achieve this goal we need to do DNSSEC validation on every client
machine
(ignoring Docker for a moment, see below) and allow applications to use
DNS as
trusted source of sensitive data (certificate fingerprints, SSH
fingerprints,
etc.).

DNSSEC allows all parties to publish their fingerprints in DNS and gives
us a
secure way to get the data and to detect that someone prevents us from
getting
the data.

Longer description
==
http://developerblog.redhat.com/2015/04/14/writing-an-application-that-supports-dnssec-in-rhel-and-fedora/

First step: DNSSEC validation
=
Contemporary networks are full of broken DNS proxies so we need to jump
through various hoops to get non-faked DNSSEC data for DNSSEC validation.

The goal of this step is to get *cryptographical* proof that the data we
received are the same as DNS zone owner published.

This includes two sub-problems:
a) Hot-spots:
Captive portal detection needs to allow user to disable all the security
so he
can log-in but this needs to be done in a secure and reliable way so an
attacker cannot misuse this.

b) Broken networks:
Some networks are so broken that even without captive portal they are not
able
to deliver DNSSEC data to the clients.

In that case will try tunnel to other DNS servers on the Internet (Fedora
Infra or public DNS root) and use them. Naturally, local/internal domains
need
to be available.

While I don't actually care, this might well be a sticking point for
many people since their DNS information is going to an untrusted (to
them) DNS server. Yeah, I tend to trust Fedora, but not everyone will.
Can the tunnel be turned off, or the broken servers whitelisted, or is
the answer here to just dnf remove dnssec-trigger?

All these sub-problems (including VPN handling an so on) are solved by
dnssec-trigger with tweaks by Tomas Hozza and Pavel Simerda.

HERE we need to coordinate with other parties who might want to write into
the
/etc/resolv.conf file. These include (but might not be limited to):
NetworkManager
initscripts
dhclient
libreswan ?
resolved
connman

pppd, vpnc, openvpn, etc. should get added to the list since they all
have scripts that can potentially write to /etc/resolv.conf.

Option is either to implement all the checks and workarounds in all the
projects over and over or to implement all the logic in one place -
dnssec-trigger might be such place.

Anyone who is going to write to resolv.conf needs to check for captive
portals, find a DNSSEC-enabled DNS server, and deal with VPN-provided DNS
servers and domains.

*Questions:*
Guys, what are your plans for handling the situations mentioned above?

Can we integrate on one place (e.g. by calling into dnssec-trigger) instead
overwriting /etc/resolv.conf independently?

This is the real issue. It sounds like What you're proposing is to make
dnssec-trigger into the DNS broker. The previous solutions
(resolvconf, NetworkManager, etc) have all failed for various reasons.
Touching/changing something so fundamental to the system, as you've
probably discovered, can be hard...

systemd-resolved might have a chance here, since it's small and pretty
simple, but they don't have an external API and don't seem interested in
creating one any time soon which

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Dan Williams

On Fri, 2015-06-12 at 14:32 -0400, Paul Wouters wrote:
 On Fri, 12 Jun 2015, Dan Williams wrote:
 
  That is why HTTP redirection and DNS failure have to be detected by
  whatever is the hot spot detector. Both items weigh in on triggering
  a hotspot logon window.
 
  Agreed.  But how does the DNS failure actually get relayed to the thing
  doing the HTTP request, when unbound + DNSSEC is involved?  That's one
  point I'm very unclear on.
 
 In hotspot mode (dnssec-trigger's version of hotspot mode)
 /etc/resolv.conf contains the DHCP supplied DNS servers. Those are used
 to determine both the DNS cleanliness state, and is also used to fetch
 the fedoraproject hot spot detection page. The unbound DNS server, while
 running, is not used at all for anything, as resolv.conf does not point
 to it. Unfortunately, because this is not isolated to dnssec-triggerd,
 all applications doing DNS during this time get crap/dangerous DNS
 resolves, leading to add the bad certificate warning popups. And why I
 was hoping to isolate that with either a network namespace, or other
 solution that prevents us from requiring to affect the whole system
 by changing resolv.conf.
 
 If selecting cache only, then resolv.conf points to 127.0.0.1 and
 unbound is configured with a DNS forwarder for everything set to
 127.0.0.127 so no DNS lookups ever leave the host.
 
  1. NM connects to a new network
  2. NM updates DNS information
 
  I don't know what 2) means. If it means rewriting /etc/resolv.conf or
  the unbound forwarder configuration, we have already lost if the DNS
  was malicious (and/or a hotspot DNS)
 
  It means whatever dns action was set in NM, either writing
  resolv.conf, not touching anything (dns=none), sending split DNS to
  unbound (dns=unbound), or to dnsmasq (dns=dnsmasq), etc.  In this case
  I'll presume dns=unbound.
 
 Ahh thanks.
 
  dnssec-trigger currently detects the difference by also checking for an
  http hotspot redirect using http://fedoraproject.org/static/hotspot.txt
  If no http redirect, then DNS is broken and it tries to work around it
  by becoming a full iterative resolver or doing DNS over TCP or DNS over
  TLS. and if it all fails, presents the insecure or cache only dialog.
 
  NM also checks for redirection.
 
  Though, what do you mean by if no HTTP redirect, then DNS is broken?
 
 Sorry I meant If no http redirect, and DNS is broken, then it tries to
 work around by  That is, when there is an http redirect, there is
 no point doing anything about DNS because after authenticating to the
 hotspot, DNS might turn out to be either fine or broken for other
 reasons.
 
  1) NM detects a new nework, but doesn't tell the applications that there
  is network connectivity yet. So firefox won't throw HTTPS warnings
  and pidgin/IM won't throw https warnings. Because as far as they know
  the network is still down.
 
  Agreed.  Right now we have connectivity states, but they are all
  determined after the interface is signaled as connected.  We can do
  some work here to indicate connectivity status on this interface before
  indicating to applications that the interface is fully connected.
 
 That would be awesome!
 
  2) NM/dnssec-trigger does the HTTP and DNS probing and prompting using
  a dedicated container and any DNS requests in that container are
  thrown away with the container once hotspot has been authenticated.
  This would allow us to never have resolv.conf on the host be
  different from 127.0.0.1. (currently, it needs to put in the hotspot
  DNS servers for the hotspot logon, exposing other applications to
  fake DNS)
 
  I'm not sure a container really needs to be involved as long as the DNS
  resolution can be done without hitting resolv.conf.  That's not hugely
  hard to do I think
 
 True. In fact with unbound it is pretty trivial to do. The equivalent
 unbound python code for that would be:
 
 import unbound
 
 ctx = unbound.ub_ctx()
 ctx.resolvconf(/this/networks/respresentation/of/resolv.conf)

Hmm, that doesn't really allow for split DNS though since it uses the
resolv.conf format?  Ideally we could just send unbound a list of server
+domain, and then a fallback of server+* for anything not matching
that list.

 any resolve calls made will use the non-system resolv.conf's nameserver
 addresses.
 
 So the hotspot check could be:
 
 ctx = unbound.ub_ctx()
 ctx.add_ta_file(rootanchor) # DNSSEC root key
 ctx.resolvconf(/this/networks/respresentation/of/resolv.conf)
 status, result = ctx.resolve(fedoraproject.org, unbound.RR_TYPE_A)
 if not result.havedata or not result.secure:
   # we're captive because fedoraproject.org is DNSSEC signed and
   # we got an error (forged) response
   # Redo query with a non-DNSSEC cache to get forged A record to
   # authenticate to the hotspot
   insecurectx = unbound.ub_ctx()
   insecurectx.resolvconf(/this/networks/respresentation/of/resolv.conf)
   status, result =

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Dan Williams

On Wed, 2015-06-17 at 13:17 +0200, Tomas Hozza wrote:
 On 12.06.2015 18:58, Dan Williams wrote:
  On Fri, 2015-06-12 at 10:58 +0200, Tomas Hozza wrote:
  On 11.06.2015 22:48, Dan Williams wrote:
  On Tue, 2015-06-09 at 12:30 -0400, Matthew Miller wrote:
  On Tue, Jun 09, 2015 at 11:34:39AM -0400, Paul Wouters wrote:
  decision needs to then be made by the system. I believe that's been
  mostly due to lack of time for the various parties to sit down and
  plan and then program this further.
 
  We should try to make that happen.
 
  Unfortunately the Proposal doesn't say anything about how this will
  actually work, which is something NetworkManager needs to know.  It also
  fails to address the failure cases where your local DNS doesn't support
  DNSSEC or is otherwise broken here out of no fault of your own.
 
  NetworkManager is pure network configuration manager in this scenario.
  We don't expect nor want NM to handle /etc/resolv.conf. We will only get
  the current network configuration from it and act upon it. NM
  configuration will contain dns=unbound.
  
  Correct, and I personally have no problem with this.  NM is quite happy
  to hand off DNS information wherever it has been told to do so.
  
  But this is separate from the connectivity detection/hotspot issue which
  I think we'll discuss more below.
  
  The cases when local (to the network you are connected to) DNS resolver
  does not support DNSSEC is handled by the logic in dnssec-trigger and
  dnssec-trigger script. Unbound is always configured in a way that it is
  able to do DNS resolution and DNSSEC validation. If this can not be
  done, the user is informed.
  
  Right, and that's where most of this discussion lies, I think.
  
  I see that there's a hotspot sign on option if you right click on the
  icon. How does this work with Network Manager and GNOME's captive
  portal detection?
  I have never seen those work except for when the backend was down and
  I got a stream of false positives. But possibly that is because I've 
  used
  dnssec-trigger for years now and it might win the captive portal
  detection race. There are some bugs once in a while but overal it works
  pretty reliably.
 
  I think that's probably it — the race. The hotspot signon thing works
  for me at coffeeshops. Or it did before I enabled this feature. We'll
  see now!
 
  So, if you're behind a portal then unbound could potentially fail all
  DNS lookups.  That means that NetworkManager's connectivity detection,
  which relies on retrieving a URL from a known website, will fail because
  the DNS lookup for it was blocked by unbound.  Thus GNOME Shell portal
  detection will also fail.  That kinda sucks.
 
  If there is such situation, that Unbound fails all DNS lookups, then it
  is a bug. This is pure theory until you have some real situation. The
  logic is designed in a way to prevent such situations from ever happen.
  Hotspot detection is done by dnssec-trigger. The hot-spot-signon is done
  by putting DHCP provided resolvers into resolv.conf. So in this
  situation Unbound it not used at all.
 
  While I'm sure the dnssec-trigger panel applet works great for some
  people, I think the GNOME team would rather have the portal
  functionality in the existing GNOME Shell indicator.  There is nothing
  wrong with having DNSSEC enabled and part of the portal detection
  scheme, but the UI handling portals is clearly a desktop-specific
  decision.  So whatever we need to do in NM to enable the workflow that
  desktops need is what we'll end up doing...  Ideally the process goes
  like this when unbound/dnssec-trigger are installed:
 
  1. NM connects to a new network
 
  1.1. Dispatch dispatcher with the network configuration change event.
 
  2. NM updates DNS information
 
  NM is not expected to touch resolv.conf in the intended default
  configuration.
  
  My #2 was intended to be the same as your #1.1.  I was assuming
  dns=unbound here.
  
  3. NM waits for some signal from unbound/dnssec-trigger about the
  trustability of the DNS server
 
  If you think NM needs to do some action (as I don't), we don't have
  problem with notifying NM (if you provide some API).
  
  NM may need to do some action for connectivity checking.
  
  3a. if the DNS server is trusted, NM continues with its connectivity
  check
  3b. if the DNS server is not trusted or DNSSEC is broken, then ???  How
  do we distinguish between portal and simply that your local DNS
  doesn't support DNSSEC or is otherwise broken, if we cannot resolve the
  address of the connectivity server?
 
  The only trusted DNS resolver is the local Unbound. The DNS resolver
  from the network you are connected to is never trusted. It is just used
  in case it can provide all the necessary information to do the DNSSEC
  validation. Since using such data we are able to build the chain of
  trust and verify that the Answer is correct, there is no point in
  distinguishing if network provided resolver is

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Paul Wouters


On Thu, 18 Jun 2015, Dan Williams wrote:


True. In fact with unbound it is pretty trivial to do. The equivalent
unbound python code for that would be:

import unbound

ctx = unbound.ub_ctx()
ctx.resolvconf(/this/networks/respresentation/of/resolv.conf)


Hmm, that doesn't really allow for split DNS though since it uses the
resolv.conf format?  Ideally we could just send unbound a list of server
+domain, and then a fallback of server+* for anything not matching
that list.


that's tricky. What you'd do with a bunch of intermediate work queries.
You are probably better of splitting the work:

import unbound
ctxgoogle = unbound.ub_ctx()
ctxgoogle.set_fwd(8.8.8.8)
ctxlocal = ctx = unbound.ub_ctx()
ctxlocal = ctx.resolvconf(/this/networks/respresentation/of/resolv.conf)

and you can query using google:

ctxgoogle.resolve(www.google.com, unbound.RR_TYPE_A)

or your local setup:

ctxlocal.resolve(www.google.com, unbound.RR_TYPE_A)

I'm pretty sure though there will be equivalent python code that causes
the same as:

unbound-control forward_add fedoraproject.org 1.2.3.4 5.6.7.8

or if there isn't, that upstream wouldn't mind making that available.



something like this:

0) resolve.conf/unbound/whatever DNS is unpopulated
1) NetworkManager looks up connectivity server IP address
2) NetworkManager does the connectivity check using that IP address
3) assuming either #1 or #2 fails, NM signals HOTSPOT connectivity state
and provides the DNS information via the API, including any DHCP/WISPR
information received from the network
4) Hotspot agent (GNOME Shell, KDE, whatever) sees the HOTSPOT state,
reads the DNS servers, and spawns a sandboxed web browser using the
preliminary DNS servers
5) User completes hotspot logon or rejection, user agent signals that
hotspot operations complete
6) NetworkManager re-does connectivity checks, and assuming the result
is success, indicates CONNECTED connectivity state

or something like that.


Yes.


 But these steps could be split out into a
small, single-purpose connectivityd that used information from NM/other
sources and was triggered by NM/other sources, and then NM wouldn't have
to do it.  NM could still proxy the state since NM would know when to
trigger connectivity checks anyway.  But I digress.


Sure.


pull your credit card out), it assumes you have successfully authenticated
to the hotspot. It re-tests the supplied DNS servers. If these are still
  determined to be too broken for using DNSSEC (eg too old bind,
dnsmasq) it tries to (silently) become a full itterative nameservers,
eg it will not use any forwards and do all the DNS work itself. If this
also fails, for example because the network blocks port 53 to all but
its own DNS servers,  dnssec-trigger tries the other modes of DNS over
TCP/SSL. If any of this works the user isn't even consulted. Only when
all of this fails do we need to contact the user and ask them to go
insecure or cache only


This is the part that I feel like unbound should do, or if not unbound
then whatever local caching nameserver we do have.  Perhaps that's
already built into unbound and only controlled by dnssec-trigger, but it
seems like something more integral to the resolver than outside of it?


No that is the core functionality of dnssec-trigger, not unbound. We
might be able to turn that into libdnssectrigger or something for
re-use. I don't think upstream wants to converge these two things into
one.

Paul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Paul Wouters


On Thu, 18 Jun 2015, Dan Williams wrote:


The drawbacks I see to dnssec-trigger here are:



2) provides only HTTPS IPC, perhaps because it works on all platforms.
But a Linux-only solution would typically use a unix socket or D-Bus and
be secured by Unix or D-Bus permissions instead of using certificates.


Recenyly unbound was patched to allow a local socket so we don't have to
go through HTTPS. This was merged upstream. A similar patch could be adopted
for dnssec-triggerd and I see now reason why (the same) upstream would
refuse it.

Paul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-17 Thread Tomas Hozza

On 17.06.2015 16:22, Paul Wouters wrote:
 On Wed, 17 Jun 2015, Tomas Hozza wrote:

  While I don't actually care, this might well be a sticking point for
  many people since their DNS information is going to an untrusted (to
  them) DNS server.  Yeah, I tend to trust Fedora, but not everyone will.

 If you don't trust fedora infrastructure, you have more issues
 though

  Can the tunnel be turned off, or the broken servers whitelisted, or is
  the answer here to just dnf remove dnssec-trigger?

 Yes. It is all configured in /etc/dnssec-trigger/dnssec-triggerd.conf

  The fallback infrastructure is used as the last resort of DNS data
  source. Full recursion is preferred over the fallback servers.

 And full recursion means your privacy might be in even more danger too
 until the IETF dprive comes up with DNS privacy protocols.

  If someone is trusting a DNS server without using DNSSEC, that that
  person is not really aware of the potential security implications of
  such name resolution. With DNSSEC validation done locally, it is
  irrelevant what DNS servers are uses, as long they can provide all the
  DNSSEC data.

 I think DNS privacy was the issue here, not security. Eg the fact that
 fedora servers see your DNS queries for evil.com. There are no logs kept
 of queries to these servers. I think we would discontinue the service
 before adding logging to them.

  It is not like Fedora infrastructure is collecting data about which user
  is resolving which name. Although ANY DNS service provider can do that!
 
  If user wants to use broken nameservers, they can switch the
  dnssec-trigger to hotspot sign-on mode. I agree that this is
  completely not intuitive and should be rather named insecure mode.
  Practically this means that the DHCP provided resolvers are placed into
  resolv.conf and the user is free to shoot themselves into the feet.

 And your VPN DNS forwards are no longer used, so if you have a VPN up,
 then going into insecure mode means your network behind the VPN
 becomes basically unreachable. The hotspot/insecure mode is not a dont
 trust fedora mode. People should not use that way.

Right, although it would be technically possible to also add VPN
resolvers to resolv.conf in hotspot signon mode it is not the goal of
the mode.

  Also turning off the dnssec-triggerd.service is a solution, since it
  will clean up after itself and return back the system to the original
  state. Of course you can remove it if you wish :)

 But that would affect all users. Granted, we are probably talking
 about private laptops here. But in theory one should disable
 dnssec-trigger-panel on a per-user basis, and not stop the system service.

Right, I meant it for the single-user machine. Disabling the panel will
not turn off the dnssec-trigger itself, so I don't think it would solve
anything other than getting rid of the UI popup windows.

  systemd-resolved plans to do just a kind of best effort DNSSEC, at
  least from what I asked on the Linux PLumbers Conference in Dusseldorf
  last year on the Tom Gundersen's presentation. This means they will do
  the validation, but only if they are able to. They don't plan and don't
  want to do any fallback to external infrastructure, but rather want to
  turn off the validation. I'm not sure if this is still the case, but it
  was. This is exactly what we don't want to do with dnssec-trigger and
  Unbound. We will try really hard to do DNSSEC validation.

 A design that will just turn it off DNSSEC, possibly even silenly,
 seems like the wrong approach. I assume we are misunderstanding the
 systemd-resolvd goals here, and will let the systemd people explain
 their design.

I hope, too. :)

  If this is indeed what you're proposing, then lets have a discussion
  about dnssec-trigger+unbound in that context, I do have some
 thoughts to
  contribute here.
 
  Good, we are open to thoughts and ideas ;)

 Indeed, I'm curious to what others have to say. Clearly, I have a
 somewhat strong bias toward DNSSEC :)

 Paul

Tomas
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-17 Thread Tomas Hozza

On 12.06.2015 19:17, Paul Wouters wrote:
On 06/12/2015 12:53 PM, Dan Williams wrote:
b) Broken networks:
Some networks are so broken that even without captive portal they are not
able
to deliver DNSSEC data to the clients.

In that case will try tunnel to other DNS servers on the Internet (Fedora
Infra or public DNS root) and use them. Naturally, local/internal domains
need
to be available.

The fallbacks are configured in /etc/dnssec-trigger/dnssec-triggerd.conf

# Provided by fedoraproject.org, #fedora-admin
# It is provided on a best effort basis, with no service guarantee.
ssl443: 140.211.169.201
A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 140.211.169.201
ssl443: 66.35.62.163
A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 66.35.62.163
ssl443: 152.19.134.150
A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 152.19.134.150
ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9
A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64
:AA:87:E6:F2
tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9

Can we integrate on one place (e.g. by calling into dnssec-trigger) instead
overwriting /etc/resolv.conf independently?

But it must be done for security reasons.

systemd-resolved might have a chance here, since it's small and pretty
simple, but they don't have an external API and don't seem interested in
creating one any time soon which severely limits it's usefulness.

And last I looked it did not support DNSSEC. I'm also weary about
systemd-resolved basically marshalling DNS via DBUS.

If this is indeed what you're proposing, then lets have a discussion
about dnssec-trigger+unbound in that context, I do have some thoughts to
contribute here.

I believe we selected dnssec-trigger because it was the UI/daemon that
worked. A better native integration into either
NM or Gnome would be preferred.

I had the same idea before, but given that there is not only NM, but
also other projects that intend to do the same thing as NM and even
replace it in some environments (e.g. systemd-networkd) I don't think
it makes sense to implement the same thing in each and every of these.

I changed my mind and think that having one component implementing the
functionality and communicating with the network configuration software
that is used on the specific platform is a better approach. Although
dnssec-trigger may not be ideal as final solution, it is a good for
start and as a proof of concept of how to do client side DNSSEC
validation properly.

Tomas

Paul

--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-17 Thread Tomas Hozza

On 12.06.2015 18:58, Dan Williams wrote:
 On Fri, 2015-06-12 at 10:58 +0200, Tomas Hozza wrote:
 On 11.06.2015 22:48, Dan Williams wrote:
 On Tue, 2015-06-09 at 12:30 -0400, Matthew Miller wrote:
 On Tue, Jun 09, 2015 at 11:34:39AM -0400, Paul Wouters wrote:
 decision needs to then be made by the system. I believe that's been
 mostly due to lack of time for the various parties to sit down and
 plan and then program this further.

 We should try to make that happen.

 Unfortunately the Proposal doesn't say anything about how this will
 actually work, which is something NetworkManager needs to know.  It also
 fails to address the failure cases where your local DNS doesn't support
 DNSSEC or is otherwise broken here out of no fault of your own.

 NetworkManager is pure network configuration manager in this scenario.
 We don't expect nor want NM to handle /etc/resolv.conf. We will only get
 the current network configuration from it and act upon it. NM
 configuration will contain dns=unbound.
 
 Correct, and I personally have no problem with this.  NM is quite happy
 to hand off DNS information wherever it has been told to do so.
 
 But this is separate from the connectivity detection/hotspot issue which
 I think we'll discuss more below.
 
 The cases when local (to the network you are connected to) DNS resolver
 does not support DNSSEC is handled by the logic in dnssec-trigger and
 dnssec-trigger script. Unbound is always configured in a way that it is
 able to do DNS resolution and DNSSEC validation. If this can not be
 done, the user is informed.
 
 Right, and that's where most of this discussion lies, I think.
 
 I see that there's a hotspot sign on option if you right click on the
 icon. How does this work with Network Manager and GNOME's captive
 portal detection?
 I have never seen those work except for when the backend was down and
 I got a stream of false positives. But possibly that is because I've used
 dnssec-trigger for years now and it might win the captive portal
 detection race. There are some bugs once in a while but overal it works
 pretty reliably.

 I think that's probably it — the race. The hotspot signon thing works
 for me at coffeeshops. Or it did before I enabled this feature. We'll
 see now!

 So, if you're behind a portal then unbound could potentially fail all
 DNS lookups.  That means that NetworkManager's connectivity detection,
 which relies on retrieving a URL from a known website, will fail because
 the DNS lookup for it was blocked by unbound.  Thus GNOME Shell portal
 detection will also fail.  That kinda sucks.

 If there is such situation, that Unbound fails all DNS lookups, then it
 is a bug. This is pure theory until you have some real situation. The
 logic is designed in a way to prevent such situations from ever happen.
 Hotspot detection is done by dnssec-trigger. The hot-spot-signon is done
 by putting DHCP provided resolvers into resolv.conf. So in this
 situation Unbound it not used at all.

 While I'm sure the dnssec-trigger panel applet works great for some
 people, I think the GNOME team would rather have the portal
 functionality in the existing GNOME Shell indicator.  There is nothing
 wrong with having DNSSEC enabled and part of the portal detection
 scheme, but the UI handling portals is clearly a desktop-specific
 decision.  So whatever we need to do in NM to enable the workflow that
 desktops need is what we'll end up doing...  Ideally the process goes
 like this when unbound/dnssec-trigger are installed:

 1. NM connects to a new network

 1.1. Dispatch dispatcher with the network configuration change event.

 2. NM updates DNS information

 NM is not expected to touch resolv.conf in the intended default
 configuration.
 
 My #2 was intended to be the same as your #1.1.  I was assuming
 dns=unbound here.
 
 3. NM waits for some signal from unbound/dnssec-trigger about the
 trustability of the DNS server

 If you think NM needs to do some action (as I don't), we don't have
 problem with notifying NM (if you provide some API).
 
 NM may need to do some action for connectivity checking.
 
 3a. if the DNS server is trusted, NM continues with its connectivity
 check
 3b. if the DNS server is not trusted or DNSSEC is broken, then ???  How
 do we distinguish between portal and simply that your local DNS
 doesn't support DNSSEC or is otherwise broken, if we cannot resolve the
 address of the connectivity server?

 The only trusted DNS resolver is the local Unbound. The DNS resolver
 from the network you are connected to is never trusted. It is just used
 in case it can provide all the necessary information to do the DNSSEC
 validation. Since using such data we are able to build the chain of
 trust and verify that the Answer is correct, there is no point in
 distinguishing if network provided resolver is trusted or not... it is
 not. This is the reason we do the validation locally.
 
 Ok, I should rephrase my question to be clearer.  NM's connectivity
 checking

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-17 Thread Tomas Hozza

On 12.06.2015 16:58, Paul Wouters wrote:
 On Fri, 12 Jun 2015, Matthew Miller wrote:
 
 Another integration concern: the network config GUI (and ifcfg files,
 for that matter) let me list specific DNS servers. With this
 feature, are those used (and if so, how)? If not, is my configuration
 just silently ignored?
 
 I do not know if it is supported currently, but support for that is
 very trivial. If unbound is found running, issue:
 
 unbound-control forward_add . 1.2.3.4 5.6.7.8
 
 I'm not sure whose job that would be.
 
 Paul

This should be ideally left to the network configuration software (e.g.
NM). Dnssec-trigger will not touch any forward zones that are already
configured in Unbound and it didn't configured them itself. While
technically this should not be a problem, and everything should work
properly (since forward zones are configured properly), this should be
ideally done only by the dnssec-trigger based on the information passed
by VPN to the NM.

Tomas
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-17 Thread Tomas Hozza

On 12.06.2015 18:53, Dan Williams wrote:
On Fri, 2015-06-12 at 17:10 +0200, Petr Spacek wrote:
On Tue, 2015-06-09 at 12:30 -0400, Matthew Miller wrote:
On Tue, Jun 09, 2015 at 11:34:39AM -0400, Paul Wouters wrote:
decision needs to then be made by the system. I believe that's been
mostly due to lack of time for the various parties to sit down and
plan and then program this further.

We should try to make that happen.

Okay, let's start once again from scratch.

All of this was already discussed and we even had a huge meeting around
DevConf and FLOCK 2014 about this, so following text will be just a short
refresher:

Tools
=
To achieve this goal we need to do DNSSEC validation on every client machine
(ignoring Docker for a moment, see below) and allow applications to use DNS
as
trusted source of sensitive data (certificate fingerprints, SSH fingerprints,
etc.).

DNSSEC allows all parties to publish their fingerprints in DNS and gives us a
secure way to get the data and to detect that someone prevents us from
getting
the data.

Longer description
==
http://developerblog.redhat.com/2015/04/14/writing-an-application-that-supports-dnssec-in-rhel-and-fedora/

First step: DNSSEC validation
=
Contemporary networks are full of broken DNS proxies so we need to jump
through various hoops to get non-faked DNSSEC data for DNSSEC validation.

The goal of this step is to get *cryptographical* proof that the data we
received are the same as DNS zone owner published.

This includes two sub-problems:
a) Hot-spots:
Captive portal detection needs to allow user to disable all the security so
he
can log-in but this needs to be done in a secure and reliable way so an
attacker cannot misuse this.

b) Broken networks:
Some networks are so broken that even without captive portal they are not
able
to deliver DNSSEC data to the clients.

In that case will try tunnel to other DNS servers on the Internet (Fedora
Infra or public DNS root) and use them. Naturally, local/internal domains
need
to be available.

The fallback infrastructure is used as the last resort of DNS data
source. Full recursion is preferred over the fallback servers.

If someone is trusting a DNS server without using DNSSEC, that that
person is not really aware of the potential security implications of
such name resolution. With DNSSEC validation done locally, it is
irrelevant what DNS servers are uses, as long they can provide all the
DNSSEC data.

It is not like Fedora infrastructure is collecting data about which user
is resolving which name. Although ANY DNS service provider can do that!

If user wants to use broken nameservers, they can switch the
dnssec-trigger to hotspot sign-on mode. I agree that this is
completely not intuitive and should be rather named insecure mode.
Practically this means that the DHCP provided resolvers are placed into
resolv.conf and the user is free to shoot themselves into the feet.

Also turning off the dnssec-triggerd.service is a solution, since it
will clean up after itself and return back the system to the original
state. Of course you can remove it if you wish :)

All these sub-problems (including VPN handling an so on) are solved by
dnssec-trigger with tweaks by Tomas Hozza and Pavel Simerda.

pppd, vpnc, openvpn, etc. should get added to the list since they all
have scripts that can potentially write to /etc/resolv.conf.

Option is either to implement all the checks and workarounds in all the
projects over and over or to implement all the logic in one place -
dnssec-trigger

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-17 Thread Tomas Hozza

On 12.06.2015 19:00, Matthew Miller wrote:
 On Fri, Jun 12, 2015 at 11:53:32AM -0500, Dan Williams wrote:
 Yeah, we did.  From my recollection, most of that focused on the unbound
 parts and how NM could add the dns=unbound stuff (which Pavel
 contributed) but less on the NM connectivity checking, becuase Fedora
 hadn't turned that on by default yet.  I'm all fine with dns=unbound,
 that's not the issue.  The issue is more around what happens with NM's
 connectivity checking, since that's used by quite a few clients,
 including GNOME Shell.
 
 I personally find the anchor icon very confusing. As a non-expert in
 this area, it doesn't represent anything which seems relevant to me,
 and all of the right click menu options, once I figured out to right
 click, are obscure to me.

I plan to contact the GNOME folks about how they would be willing to
better integrate the panel (most probably in a different form) into GNOME.

 I understand Hotspot sign-on and can go from there, but I can't see
 it not completely perplexing e.g. my dad.

I agree that something like insecure mode would be more self-explanatory.

 I don't know what Reprobe does (and especially not because there's no
 context other than the anchor), and Probe Results give some
 indication that it has to do with DNSSEC — but I think that if our
 users have to learn what that means and understand all that in order to
 be secure (or just to browse the web at _any_ level), we're not
 succeeding.
 
 I hope we can get a design for this which integrates better with GNOME
 Shell and the existing network icon there.

I hope too.

Regards,
Tomas

-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-17 Thread Paul Wouters


On Wed, 17 Jun 2015, Tomas Hozza wrote:


While I don't actually care, this might well be a sticking point for
many people since their DNS information is going to an untrusted (to
them) DNS server.  Yeah, I tend to trust Fedora, but not everyone will.


If you don't trust fedora infrastructure, you have more issues
though


Can the tunnel be turned off, or the broken servers whitelisted, or is
the answer here to just dnf remove dnssec-trigger?


Yes. It is all configured in /etc/dnssec-trigger/dnssec-triggerd.conf


The fallback infrastructure is used as the last resort of DNS data
source. Full recursion is preferred over the fallback servers.


And full recursion means your privacy might be in even more danger too
until the IETF dprive comes up with DNS privacy protocols.


If someone is trusting a DNS server without using DNSSEC, that that
person is not really aware of the potential security implications of
such name resolution. With DNSSEC validation done locally, it is
irrelevant what DNS servers are uses, as long they can provide all the
DNSSEC data.


I think DNS privacy was the issue here, not security. Eg the fact that
fedora servers see your DNS queries for evil.com. There are no logs kept
of queries to these servers. I think we would discontinue the service
before adding logging to them.


It is not like Fedora infrastructure is collecting data about which user
is resolving which name. Although ANY DNS service provider can do that!

If user wants to use broken nameservers, they can switch the
dnssec-trigger to hotspot sign-on mode. I agree that this is
completely not intuitive and should be rather named insecure mode.
Practically this means that the DHCP provided resolvers are placed into
resolv.conf and the user is free to shoot themselves into the feet.


And your VPN DNS forwards are no longer used, so if you have a VPN up,
then going into insecure mode means your network behind the VPN
becomes basically unreachable. The hotspot/insecure mode is not a dont
trust fedora mode. People should not use that way.


Also turning off the dnssec-triggerd.service is a solution, since it
will clean up after itself and return back the system to the original
state. Of course you can remove it if you wish :)


But that would affect all users. Granted, we are probably talking
about private laptops here. But in theory one should disable
dnssec-trigger-panel on a per-user basis, and not stop the system service.


systemd-resolved plans to do just a kind of best effort DNSSEC, at
least from what I asked on the Linux PLumbers Conference in Dusseldorf
last year on the Tom Gundersen's presentation. This means they will do
the validation, but only if they are able to. They don't plan and don't
want to do any fallback to external infrastructure, but rather want to
turn off the validation. I'm not sure if this is still the case, but it
was. This is exactly what we don't want to do with dnssec-trigger and
Unbound. We will try really hard to do DNSSEC validation.


A design that will just turn it off DNSSEC, possibly even silenly,
seems like the wrong approach. I assume we are misunderstanding the
systemd-resolvd goals here, and will let the systemd people explain
their design.


If this is indeed what you're proposing, then lets have a discussion
about dnssec-trigger+unbound in that context, I do have some thoughts to
contribute here.


Good, we are open to thoughts and ideas ;)


Indeed, I'm curious to what others have to say. Clearly, I have a
somewhat strong bias toward DNSSEC :)

Paul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

2015-06-16 Thread Paul Wouters


On Tue, 16 Jun 2015, Bastien Nocera wrote:


That’s what dnssec-trigger ideally _should_ do. What would it _actually_
do, e.g. with the current code?


That's defined by login-command: in /etc/dnssec-trigger/dnssec-trigger.conf
which we did not change from the default xdg-open.

It uses the URL configured by login-location: for which we use:
http://hotspot-nocache.fedoraproject.org/;

xdg-open could be changed to a user's firefox, or a private window
firefox, or chrome, etc etc.


As what user is that trigger run?


It is run by dnssec-trigger-panel which runs as the logged in user.

Paul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

2015-06-16 Thread Bastien Nocera



- Original Message -
 On Mon, 15 Jun 2015, Miloslav Trmač wrote:
 
  Detect it and show the sandboxed browser.  If that means that the user
  has to type their Facebook password again, then the user is welcome to
  do that.  I don't see why we should make it easier to track users,
  though.
 
  That’s what dnssec-trigger ideally _should_ do. What would it _actually_
  do, e.g. with the current code?
 
 That's defined by login-command: in /etc/dnssec-trigger/dnssec-trigger.conf
 which we did not change from the default xdg-open.
 
 It uses the URL configured by login-location: for which we use:
 http://hotspot-nocache.fedoraproject.org/;
 
 xdg-open could be changed to a user's firefox, or a private window
 firefox, or chrome, etc etc.

As what user is that trigger run?
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-15 Thread Petr Spacek

On 12.6.2015 16:55, Dan Williams wrote:
 On Fri, 2015-06-12 at 10:20 -0400, Matthew Miller wrote:
 On Fri, Jun 12, 2015 at 10:58:14AM +0200, Tomas Hozza wrote:
 NetworkManager is pure network configuration manager in this scenario.
 We don't expect nor want NM to handle /etc/resolv.conf. We will only get
 the current network configuration from it and act upon it. NM
 configuration will contain dns=unbound.

 Another integration concern: the network config GUI (and ifcfg files,
 for that matter) let me list specific DNS servers. With this
 feature, are those used (and if so, how)? If not, is my configuration
 just silently ignored?
 
 NM will use those DNS servers as it always has, and with dns=unbound
 will simply forward them to unbound, which will use your servers as the
 upstream servers.  Basically, any information that NM used to write to
 resolv.conf will now instead get forwarded to unbound.
 
 What unbound wants to do with it is another story, of course, that I'm
 not an expert on but Thomas/Paul/etc are.

This scenario should work fine. Generally we need to get all tools to push the
DNS servers to NM (so somewhere else) so the information is available via
(e.g.) NM API.

That is ideal case which would allow us to centralize DNSSEC handling on one
place in dnssec-triggerd.

-- 
Petr Spacek  @  Red Hat
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-15 Thread Petr Spacek

On 12.6.2015 18:53, Dan Williams wrote:
On Fri, 2015-06-12 at 17:10 +0200, Petr Spacek wrote:
On Tue, 2015-06-09 at 12:30 -0400, Matthew Miller wrote:
On Tue, Jun 09, 2015 at 11:34:39AM -0400, Paul Wouters wrote:
decision needs to then be made by the system. I believe that's been
mostly due to lack of time for the various parties to sit down and
plan and then program this further.