* Re: resolv.conf and gnupg2
From: Brian Inglis @ 2022-08-09 6:17 UTC
To: cygwin
I've been running with /etc/resolv.conf for a few years now, generated
from the ISP info from ipconfig and lists of public DNS servers and
suffixes.
The attached postinstall script 0p_l_etc_resolv_conf.dash generates a
new resolv.conf and replaces the current if different every update.
It is also run at cron startup and that covers system startup.
The AWK script collects names and addresses from ipconfig output and adds
lists of public DNS servers and public suffixes in the proper order.
How this works with other ISPs or in other network environments is not
anything I ever thought of testing externally.
Feel free to try it and change it if curious or interested.
I've been shuffling my keyservers since keyserver public key certificate
poisoning started; currently I have the following formerly "safe"
servers configured in ~/.gnupg/dirmngr.conf:
#keyserver hkp://pool.sks-keyservers.net
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://keys.gnupg.net
keyserver hkps://keyserver.ubuntu.com
keyserver hkps://keys.openpgp.org
keyserver hkp://pgp.mit.edu
keyserver hkp://pgp.surf.nl
also in ~/.gnupg/gpg.conf:
#keyserver hkp://pool.sks-keyservers.net
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://keys.gnupg.net
keyserver hkp://keyserver.ubuntu.com
keyserver hkps://keys.openpgp.org
keyserver hkp://pgp.mit.edu
keyserver hkp://pgp.surf.nl
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://keyserver.pgp.com
I've also installed US DoD (for USNO data) and LE root CA certs and sub
CA certs to extend access where not provided in Windows and/or Cygwin.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
[-- Attachment #2: 0p_l_etc_resolv_conf.dash --]
#!/bin/dash
# 0p_l_etc_resolv_conf.dash - update /etc/resolv.conf if changed
r=resolv
cr=/usr/local/bin/cyg-$r.awk
run=/var/run/${r}conf
rrc=$run/$r.conf
SYSCONFDIR=${SYSCONFDIR:-/etc}
conf=$SYSCONFDIR/$r.conf
/bin/mkdir -pv -- $run/ && \
ip=$(/usr/bin/which -- ipconfig) && \
tmp=$(/bin/mktemp -t -- .XXXXXXXX.) && \
$ip /all | $cr > $tmp && \
[ -s $tmp ] && \
[ -w $rrc ] || : > $rrc
if ! /usr/bin/cmp -s -- $tmp $rrc; then
/bin/cp -fv -- $tmp $rrc
/bin/ln -frsTv -- $rrc $conf
fi
/bin/rm -f -- $tmp
[-- Attachment #3: cyg-resolv.awk --]
#!/usr/bin/awk -f
# cyg-resolv.awk - create Cygwin resolv.conf from Windows ipconfig /all output
function nextaddr( addr, name, ns, nameserveraddr, nameserverhostname ,private,n) {
if (DEBUG) print addr, name, ns > DEBUG
# private subnets
private = (addr ~ p10 || addr ~ p172 || addr ~ p192)
# default name
if (private && !name) { name = "private" }
# private subnets come first if unoccupied
if (private && !(0 in nameserveraddr)) {
n = 0
} else {
n = ++ns
}
if (addr) { nameserveraddr[n] = addr }
if (name) { nameserverhostname[n] = name }
if (DEBUG) print addr, name, ns > DEBUG
return ns
}
function addrs( NS, nameserveraddr, ns, c, l) {
# $ getent ahostsv4 $NS
# 1.0.0.1 STREAM one.one.one.one
# 1.0.0.1 DGRAM one.one.one.one
# 1.1.1.1 STREAM
# 1.1.1.1 DGRAM
# 149.112.112.112 0 dns.quad9.net
# 9.9.9.9 0
# 208.67.220.220 0 resolver2.opendns.com
# 208.67.222.222 0 resolver1.opendns.com
# 8.8.4.4 0 google-public-dns-b.google.com
# 8.8.8.8 0 google-public-dns-a.google.com
# 149.112.122.20 0 CAshieldProtected
# 149.112.121.20 0
l = 0
c = "/usr/bin/getent ahostsv4 " NS
while ((c | getline) > 0) {
if ($1 != l) {
ns = nextaddr( $1, $3, ns, nameserveraddr, nameserverhostname)
}
l = $1
}
return ns
}
BEGIN {
# private subnets
# digit patterns: .[0[0]]0-255, .[0]16-31
d0_255 = "(.(0{0,2}[0-9]|0{0,1}[1-9][0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5])))"
d16_31 = ".0?(1[6-9]|2[0-9]|3[01])"
# 10.0.0.0-.255.255.255
p10 = "^10" d0_255 "{3}$"
# 172.16.0.0-.31.255.255
p172 = "^172" d16_31 d0_255 "{2}$"
# 192.168.0.0-.255.255
p192 = "^192.168" d0_255 "{2}$"
# public name servers
# CIRA Canadian Shield Protected+malware+phishing
NS = "dns.quad9.net. one.one.one.one. " \
"resolver2.opendns.com. resolver1.opendns.com. " \
"google-public-dns-b.google.com. google-public-dns-a.google.com. " \
"CAshieldProtected"
SUF = "ca. org. com. net."
CFHD = "# /etc/resolv.conf"
CFHD = CFHD " - Internet Domain Name System resolver configuration file"
CDS = "# domain suffix"
CSSL = "# suffix search list"
}
/\r/ { sub( /\r/, "", $NF) } # trim \r
# collect DNS domain suffixes
/D[Nn][Ss]\sSuffix[^:]*:\s\S/ {
last = $NF
if (last ~ /\./ && last !~ /\.$/) last = last "."; # add root dot
if (!(last in domain)) {
domain[last] = last
domains = domains " " last
}
while (last ~ /\..+\..+/) { # strip labels if more than two for domain
sub(/^[^.]+./, "", last)
if (last ~ /\./ && last !~ /\.$/) last = last "."; # add root dot
if (!(last in domain)) {
domain[last] = last
domains = domains " " last
}
}
}
# collect DNS search suffixes
/Search\sList[^:]*:\s\S/ {
for (d in domain) {
if (!(d in search)) search[d] = d
if (d ~ /shaw[^.]+./) {
last = "shaw.ca."
if (!(last in search)) {
search[last] = last
domains = domains " " last
}
}
}
last = $NF
if (last ~ /\./ && last !~ /\.$/) last = last "."; # add root dot
if (!(last in search)) {
search[last] = last
domains = domains " " last
}
while (last ~ /\..+\..+/) { # strip labels if more than two for domain
sub(/^[^.]+./, "", last)
if (last ~ /\./ && last !~ /\.$/) last = last "."; # add root dot
if (!(last in search)) {
search[last] = last
domains = domains " " last
}
}
ns = split( SUF, sa)
for (s = 1; s <= ns; ++s) {
last = sa[s]
if (last ~ /\./ && last !~ /\.$/) last = last "."; # add root dot
if (!(last in search)) {
search[last] = last
domains = domains " " last
}
}
}
# collect DNS server IP V4 addresses
/DNS\sServers[^:]*:\s\S/ { dns = 1 } # start - enable
dns && $NF ~ /^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}$/ { next } # skip IP V6
dns && $NF ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/ { # collect IP V4
ns = nextaddr( $NF, last, ns, nameserveraddr, nameserverhostname)
last = ""
}
dns && $NF !~ /^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}$/ && \
$NF !~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/ { dns = 0 } # non-IP disable
# output unique resolv.conf entries
END {
print CFHD
ns = addrs( NS, nameserveraddr, ns)
for (n = 0; n <= ns; ++n) {
if (n in nameserverhostname && nameserverhostname[n]) {
print "#", nameserverhostname[n]
}
if (n in nameserveraddr && nameserveraddr[n]) {
print "nameserver", nameserveraddr[n]
}
}
print CDS
for (d in domain) { print "domain " d }
print CSSL
if (domains) print "search" domains
}
[-- Attachment #4: resolv.conf --]
# /etc/resolv.conf - Internet Domain Name System resolver configuration file
# shawcable.net.
nameserver 64.59.135.148
nameserver 64.59.128.114
# dns.quad9.net
nameserver 9.9.9.9
nameserver 149.112.112.112
# one.one.one.one
nameserver 1.1.1.1
nameserver 1.0.0.1
# resolver2.opendns.com
nameserver 208.67.220.220
# resolver1.opendns.com
nameserver 208.67.222.222
# google-public-dns-b.google.com
nameserver 8.8.4.4
# google-public-dns-a.google.com
nameserver 8.8.8.8
# CAshieldProtected
nameserver 149.112.121.20
nameserver 149.112.122.20
# domain suffix
domain shawcable.net.
domain cg.shawcable.net.
# suffix search list
search cg.shawcable.net. shawcable.net. shaw.ca. ca. org. com. net.
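The generate/compare/replace step of the postinstall script, as an added, hardened variant (example code, not the attached 0p_l_etc_resolv_conf.dash): the candidate is written to a temp file, rejected if the generator fails, prints nothing or contains no nameserver line, and only then renamed atomically over the runtime file, so a broken run never leaves an empty resolv.conf behind. The function and generator names are assumptions; the generators stand in for `ipconfig /all | cyg-resolv.awk`.

```shell
#!/bin/sh
# Added example (not the attached 0p_l_etc_resolv_conf.dash): regenerate the
# runtime resolv.conf only from a complete, non-empty candidate, and swap it in
# atomically, so a failed or empty run can never leave an empty file behind.
# update_resolv_conf GENERATOR FILE -> 0 replaced, 1 unchanged, 2 candidate rejected
update_resolv_conf() {
    _gen=$1; _rrc=$2
    _tmp=$(mktemp "$_rrc.XXXXXX") || return 2
    # Run the generator into a temp file; failure, empty output or a file
    # without any nameserver line is rejected before $_rrc is touched.
    if ! $_gen > "$_tmp" || ! [ -s "$_tmp" ] || ! grep -q '^nameserver ' "$_tmp"; then
        rm -f "$_tmp"
        return 2
    fi
    # Same content as before: keep the old file (and its mtime).
    if cmp -s "$_tmp" "$_rrc" 2>/dev/null; then
        rm -f "$_tmp"
        return 1
    fi
    chmod 0644 "$_tmp"
    mv -f "$_tmp" "$_rrc"   # rename(2) is atomic: readers see old or new, never partial
}

# Constructed generators standing in for `ipconfig /all | cyg-resolv.awk`.
good_gen()    { printf 'nameserver 192.0.2.53\nsearch example.net\n'; }
empty_gen()   { :; }                                          # awk matched nothing
failing_gen() { printf 'nameserver 192.0.2.53\n'; return 1; } # ipconfig failed

# Exercise all three paths and report the return codes plus the surviving file.
demo() {
    _dir=$(mktemp -d) || return 1
    _f=$_dir/resolv.conf
    update_resolv_conf good_gen    "$_f" && r1=0 || r1=$?   # 0: written
    update_resolv_conf good_gen    "$_f" && r2=0 || r2=$?   # 1: unchanged
    update_resolv_conf empty_gen   "$_f" && r3=0 || r3=$?   # 2: rejected, file intact
    update_resolv_conf failing_gen "$_f" && r4=0 || r4=$?   # 2: rejected, file intact
    _kept=$(cat "$_f")
    rm -rf "$_dir"
    printf '%s %s %s %s\n%s\n' "$r1" "$r2" "$r3" "$r4" "$_kept"
}
```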
* Re: resolv.conf and gnupg2
From: Christian Franke @ 2022-08-09 12:58 UTC
To: cygwin
Brian Inglis wrote:
> I've been running with /etc/resolv.conf for a few years now, generated
> from the ISP info from ipconfig and lists of public DNS servers and
> suffixes.
>
> The attached postinstall script 0p_l_etc_resolv_conf.dash generates a
> new resolv.conf and replaces the current if different every update.
> It is also run at cron startup and that covers system startup.
>
> The AWK script collects names and addresses from ipconfig output and
> adds lists of public DNS servers and public suffixes in the proper order.
>
> How this works with other ISPs or in other network environments is not
> anything I ever thought of testing externally.
> Feel free to try it and change it if curious or interested.
This is an interesting approach, thanks for sharing.
Unfortunately the ipconfig output is always localized, so this only
works OOTB with English versions of Windows. The ipconfig parsing is also
broken for two reasons:
- The current Cygwin versions of awk, grep and sed no longer convert
CR/LF -> LF on stdin, so '/FooBar$/' patterns never match.
- ipconfig may output scoped IPv6 addresses ("fe80::1%12") which are not
matched by the awk script.
A draft patch is attached. It also avoids the tmp file and uses shell
builtins where possible.
--
Regards,
Christian
[-- Attachment #2: cyg-resolv.patch --]
diff -ru cyg-resolv.orig/0p_l_etc_resolv_conf.dash cyg-resolv/0p_l_etc_resolv_conf.dash
--- cyg-resolv.orig/0p_l_etc_resolv_conf.dash 2022-08-09 13:52:07.293134900 +0200
+++ cyg-resolv/0p_l_etc_resolv_conf.dash 2022-08-09 14:29:56.429564700 +0200
@@ -9,14 +9,13 @@
conf=$SYSCONFDIR/$r.conf
/bin/mkdir -pv -- $run/ && \
-ip=$(/usr/bin/which -- ipconfig) && \
-tmp=$(/bin/mktemp -t -- .XXXXXXXX.) && \
-$ip /all | $cr > $tmp && \
-[ -s $tmp ] && \
-[ -w $rrc ] || : > $rrc
-if ! /usr/bin/cmp -s -- $tmp $rrc; then
- /bin/cp -fv -- $tmp $rrc
+ip=$(command -v ipconfig) && \
+a=$(/bin/cat $rrc 2>/dev/null || :) && \
+b=$("$ip" /all | /bin/tr -d '\r' | $cr) && \
+[ "${b:+set}" = "set" ] && \
+[ -w $rrc ] || a= : > $rrc
+if [ "$a" != "$b" ]; then
+ echo "$cr > $rrc"
+ echo "$b" > $rrc
/bin/ln -frsTv -- $rrc $conf
fi
-
-/bin/rm -f -- $tmp
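Review bot: the `|| a= : > $rrc` fallback at the end of the `&&` chain (kept from the original) fires on any failure in the chain, not only on the `[ -w $rrc ]` test: if `$cr` fails or `$b` is empty, `$rrc` is truncated and `a` cleared, `"$a" != "$b"` is then false, and the empty file stays in place, silently dropping every nameserver that `$conf` links to. Bail out while the old file is still untouched, e.g. `[ "${b:+set}" = set ] || exit 0`, and make `[ -w $rrc ] || : > $rrc` its own statement. `a= :` only clears `a` in the calling shell because `:` is a special builtin (a POSIX rule that bash outside posix mode does not follow), so a plain `a=` is clearer; and `echo "$b" > $rrc` is better written `printf '%s\n' "$b" > $rrc`, since dash's echo interprets backslash escapes.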
diff -ru cyg-resolv.orig/cyg-resolv.awk cyg-resolv/cyg-resolv.awk
--- cyg-resolv.orig/cyg-resolv.awk 2022-08-09 13:52:07.293348300 +0200
+++ cyg-resolv/cyg-resolv.awk 2022-08-09 14:15:51.164139100 +0200
@@ -156,7 +156,7 @@
# collect DNS server IP V4 addresses
/DNS\sServers[^:]*:\s\S/ { dns = 1 } # start - enable
-dns && $NF ~ /^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}$/ { next } # skip IP V6
+dns && $NF ~ /^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}(%.*)?$/ { next } # skip IP V6
dns && $NF ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/ { # collect IP V4
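Review bot: `(%.*)?$` accepts any text after the `%`; a bounded zone-id class such as `(%[0-9A-Za-z._-]+)?$` states what a scope id may contain and still matches `fe80::1%12`. Whatever class is chosen here must be repeated verbatim in the `dns = 0` rule of the next hunk, which is the rule that ends the address block.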
@@ -164,7 +164,7 @@
last = ""
}
-dns && $NF !~ /^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}$/ && \
+dns && $NF !~ /^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}(%.*)$/ && \
$NF !~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/ { dns = 0 } # non-IP disable
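Review bot: the `?` is missing here: `(%.*)$` requires a scope id, so this negated pattern no longer recognises an unscoped IPv6 address, and such lines end up handled only because the `{ next }` rule of the previous hunk consumes them first; the two rules have drifted apart. Use the identical `(%.*)?$`, ideally by building the expression once in `BEGIN` (e.g. `v6 = "^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}(%.*)?$"`) and writing `$NF ~ v6` / `$NF !~ v6` in both rules.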
* Re: resolv.conf and gnupg2
From: Lee @ 2022-08-09 14:51 UTC
To: Christian Franke; +Cc: cygwin
On 8/9/22, Christian Franke wrote:
> Brian Inglis wrote:
>> I've been running with /etc/resolv.conf for a few years now, generated
>> from the ISP info from ipconfig and lists of public DNS servers and
>> suffixes.
>>
>> The attached postinstall script 0p_l_etc_resolv_conf.dash generates a
>> new resolv.conf and replaces the current if different every update.
>> It is also run at cron startup and that covers system startup.
>>
>> The AWK script collects names and addresses from ipconfig output and
>> adds lists of public DNS servers and public suffixes in the proper order.
>>
>> How this works with other ISPs or in other network environments is not
>> anything I ever thought of testing externally.
>> Feel free to try it and change it if curious or interested.
>
> This is an interesting approach, thanks for sharing.
Yes, interesting script
> Unfortunately the ipconfig output is always localized, so this only
> works OOTB with English versions of Windows. The ipconfig parsing is also
> broken for two reasons:
>
> - The current Cygwin versions of awk, grep and sed no longer convert
> CR/LF -> LF on stdin, so '/FooBar$/' patterns never match.
Which is handled by
/\r/ { sub( /\r/, "", $NF) } # trim \r
I get " ca. org. com. net." appended to the search suffix list; that
should be fixed.
Regards,
Lee
* Re: resolv.conf and gnupg2
From: Christian Franke @ 2022-08-09 16:07 UTC
To: cygwin
Lee wrote:
> On 8/9/22, Christian Franke wrote:
>> Brian Inglis wrote:
>>> I've been running with /etc/resolv.conf for a few years now, generated
>>> from the ISP info from ipconfig and lists of public DNS servers and
>>> suffixes.
>>>
>>> The attached postinstall script 0p_l_etc_resolv_conf.dash generates a
>>> new resolv.conf and replaces the current if different every update.
>>> It is also run at cron startup and that covers system startup.
>>>
>>> The AWK script collects names and addresses from ipconfig output and
>>> adds lists of public DNS servers and public suffixes in the proper order.
>>>
>>> How this works with other ISPs or in other network environments is not
>>> anything I ever thought of testing externally.
>>> Feel free to try it and change it if curious or interested.
>> This is an interesting approach, thanks for sharing.
> Yes, interesting script
>
>> Unfortunately the ipconfig output is always localized, so this only
>> works OOTB with English versions of Windows. The ipconfig parsing is also
>> broken for two reasons:
>>
>> - The current Cygwin versions of awk, grep and sed no longer convert
>> CR/LF -> LF on stdin, so '/FooBar$/' patterns never match.
> Which is handled by
> /\r/ { sub( /\r/, "", $NF) } # trim \r
Indeed - sorry for the noise. Then only the scoped IPv6 addresses were
the problem.
> I get " ca. org. com. net." appended to the search suffix list; that
> should be fixed.
These are apparently added unconditionally. Could be fixed by removing
lines 141-152 from the awk script.
--
Regards,
Christian
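The two parsing problems discussed in this exchange (CR/LF line endings and scoped IPv6 addresses such as fe80::1%12) handled in one place, as an added example that is not from the thread or its attached scripts: a POSIX sh function wrapping a small awk program that strips the CR, recognises a `%zone` suffix, de-duplicates, and stops at the first non-address line. The ipconfig fragment is constructed; the function still keys on the English `DNS Servers` label, the localisation limit noted above.

```shell
#!/bin/sh
# Added example (not from the thread or its attachments): extract the IPv4
# "DNS Servers" of `ipconfig /all` output while tolerating CRLF line endings
# and scoped IPv6 addresses such as fe80::1%12.
# Reads ipconfig output on stdin, prints one IPv4 nameserver per line.
dns_servers_v4() {
    tr -d '\r' | awk '
        # IPv4 literal: four dot-separated decimal numbers, each 0-255.
        function is_v4(s,   p, i, n) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= n; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        # IPv6 literal, optionally followed by a %zone-id (RFC 4007).
        function is_v6(s) {
            sub(/%[A-Za-z0-9._~-]+$/, "", s)   # strip the scope id first
            return (s ~ /^[0-9A-Fa-f:]+$/ && s ~ /:/)
        }
        # The label line carries the first address; further addresses follow
        # on continuation lines until a line that is not an address.
        /DNS Servers[^:]*:/ { dns = 1 }
        dns {
            a = $NF
            if (is_v6(a)) next                  # skip IPv6, keep scanning
            if (is_v4(a)) { if (!(a in seen)) { seen[a] = 1; print a }; next }
            dns = 0                             # first non-address line ends the block
        }'
}

# Constructed ipconfig /all fragment: CRLF endings, a scoped link-local IPv6
# server first, a duplicate IPv4 entry, then an unrelated line ending the block.
sample_ipconfig() {
    printf '%s\r\n' \
        'Ethernet adapter Ethernet:' \
        '   DNS Suffix Search List. . . . . . : example.net' \
        '   DNS Servers . . . . . . . . . . . : fe80::1%12' \
        '                                       192.0.2.53' \
        '                                       2001:db8::53' \
        '                                       192.0.2.54' \
        '                                       192.0.2.53' \
        '   NetBIOS over Tcpip. . . . . . . . : Enabled'
}

demo() { sample_ipconfig | dns_servers_v4; }   # prints 192.0.2.53 and 192.0.2.54
```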
* Re: resolv.conf and gnupg2
From: Andrey Repin @ 2022-08-10 14:40 UTC
To: Christian Franke, cygwin
Greetings, Christian Franke!
> Brian Inglis wrote:
>> I've been running with /etc/resolv.conf for a few years now, generated
>> from the ISP info from ipconfig and lists of public DNS servers and
>> suffixes.
>>
>> The attached postinstall script 0p_l_etc_resolv_conf.dash generates a
>> new resolv.conf and replaces the current if different every update.
>> It is also run at cron startup and that covers system startup.
>>
>> The AWK script collects names and addresses from ipconfig output and
>> adds lists of public DNS servers and public suffixes in the proper order.
>>
>> How this works with other ISPs or in other network environments is not
>> anything I ever thought of testing externally.
>> Feel free to try it and change it if curious or interested.
> This is an interesting approach, thanks for sharing.
> Unfortunately the ipconfig output is always localized, so this only
> works OOTB with English versions of Windows. The ipconfig parsing is also broken for two reasons:
> - The current Cygwin versions of awk, grep and sed no longer convert CR/LF
> -> LF on stdin, so '/FooBar$/' patterns never match.
> - ipconfig may output scoped IPv6 addresses ("fe80::1%12") which are not matched by the awk script.
> A draft patch is attached. It also avoids the tmp file and uses shell builtins where possible.
Why not use netsh with `chcp 65001`?
--
With best regards,
Andrey Repin
Wednesday, August 10, 2022 17:33:04
Sorry for my terrible english...
* Re: resolv.conf and gnupg2
From: Christian Franke @ 2022-08-11 13:36 UTC
To: cygwin
Andrey Repin wrote:
> Greetings, Christian Franke!
>
> ...
>> Unfortunately the ipconfig output is always localized, so this only
>> works OOTB with English versions of Windows. The ipconfig parsing is also broken for two reasons:
>> - The current Cygwin versions of awk, grep and sed no longer convert CR/LF
>> -> LF on stdin, so '/FooBar$/' patterns never match.
>> - ipconfig may output scoped IPv6 addresses ("fe80::1%12") which are not matched by the awk script.
>> A draft patch is attached. It also avoids the tmp file and uses shell builtins where possible.
> Why not use netsh with `chcp 65001`?
How would netsh help?
Netsh is also localized and changing the codepage possibly does not
change the output language. Changing the language would also require
the '.../en-US/netsh.exe.mui' file, which is not necessarily installed.
If netsh is run interactively, it prints a deprecation warning for
'interface' and other commands and recommends usage of powershell.
This works but is slow and might violate local security policy:
powersh()
{
local x
# May require '-ExecutionPolicy ...'
if ! x=$(powershell -NoProfile -Command "$@" 2>/dev/null); then
echo "powershell: failed" >&2
return 1
fi
echo "$x" | tr -d '\r'
}
search=$(powersh \
'Get-DnsClientGlobalSetting `
| ForEach-Object SuffixSearchList')
nameservers=$(powersh \
'Get-DnsClientServerAddress `
| ForEach-Object ServerAddresses `
| select -Unique')
# Alternatively
nameservers=$(powersh \
'Get-NetIPConfiguration `
| ForEach-Object DNSServer `
| ForEach-Object ServerAddresses `
| select -Unique')
...
--
Regards,
Christian
* Re: resolv.conf and gnupg2
From: Andrey Repin @ 2022-08-19 9:13 UTC
To: Christian Franke, cygwin
Greetings, Christian Franke!
> Andrey Repin wrote:
>> Greetings, Christian Franke!
>>
>> ...
>>> Unfortunately the ipconfig output is always localized, so this only
>>> works OOTB with English versions of Windows. The ipconfig parsing is also broken for two reasons:
>>> - The current Cygwin versions of awk, grep and sed no longer convert CR/LF
>>> -> LF on stdin, so '/FooBar$/' patterns never match.
>>> - ipconfig may output scoped IPv6 addresses ("fe80::1%12") which are not matched by the awk script.
>>> A draft patch is attached. It also avoids the tmp file and uses shell builtins where possible.
>> Why not use netsh with `chcp 65001`?
> How would netsh help?
> Netsh is also localized and changing the codepage possibly does not change
> the output language. Changing the language would also require
> the '.../en-US/netsh.exe.mui' file, which is not necessarily installed.
netsh with console CP set to 65001 switches to English.
> If netsh is run interactively, it prints a deprecation warning for
> 'interface' and other commands and recommends usage of powershell.
You are not going to run it interactively, so not really a problem.
And netsh output is much more parsing friendly.
--
With best regards,
Andrey Repin
Friday, August 19, 2022 12:11:11
Sorry for my terrible english...