[Dnssec-trigger] [PATCH] Improved NM dispatcher hook script

Tomas Hozza thozza at redhat.com
Tue Aug 6 13:42:33 UTC 2013


Hello.

In July I proposed a new modified NM dispatcher hook script.
I have been working on it and after discussion with Pavel
Simerda I came up with a new version of the script that
covers some corner cases. Hopefully it is also easier
to understand.

The corner cases I'm speaking of are particularly those
where you connect to a VPN or any network that provides you
with nameservers and a domain, but those nameservers have
a broken DNSSEC configuration. In this case you would possibly be
unable to resolve domain names from the provided domain, if
only those provided nameservers can resolve them. The reason is
that dnssec-trigger would ignore those nameservers because of
the broken DNSSEC configuration. In this particular
situation I think the user would like to be able to resolve
those internal domain names using the provided nameservers even
though DNSSEC is broken. But only domain names from the
provided domain. For the rest, the nameservers chosen by dnssec-trigger
based on its configuration should be used.

The described corner cases can be solved by adding an insecure
forward zone to unbound. Unfortunately dnssec-trigger-control
does not provide an interface to do this, therefore I used
unbound-control directly. It is also possible, by
changing a single script variable, to change the behaviour
of the script so that it adds secure instead of insecure forward zones.

I'm attaching the patch for the latest trunk version and
also the NM script itself, because it is more readable than
in the patch.

Regards,

Tomas Hozza
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 01-dnssec-trigger-hook.sh.in
Type: application/octet-stream
Size: 3441 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20130806/33511711/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Improve-NM-dispatcher-hook-script.patch
Type: text/x-patch
Size: 5760 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20130806/33511711/attachment.bin>
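As an added illustration of the unbound-control approach described in the message above (this is not the attached patch or hook script, both of which were scrubbed from the archive): a minimal POSIX sh dispatcher hook that forwards the connection-supplied domain to the connection-supplied nameservers, as an insecure forward zone by default and as a validated one when a single variable is changed. The variable names UNBOUND_CONTROL and INSECURE_FORWARD_ZONES, the helper functions, and the NetworkManager dispatcher environment variables IP4_DOMAINS, IP4_NAMESERVERS, VPN_IP4_DOMAINS and VPN_IP4_NAMESERVERS are assumptions of this example; `forward_add [+i]`, `forward_remove [+i]` and `flush_zone` are real unbound-control subcommands.

```shell
#!/bin/sh
# Added example of a NetworkManager dispatcher hook driving unbound-control.
# Not the script from the original message. Assumptions: unbound-control is on
# PATH and unbound's remote-control socket is configured; NetworkManager runs
# the hook as "script <interface> <action>" and exports the connection's
# domains and nameservers as IP4_DOMAINS/IP4_NAMESERVERS (VPN_IP4_* for VPNs).
# Set UNBOUND_CONTROL=echo to dry-run the hook without touching unbound.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
# "yes": add the zone with +i (domain-insecure, no DNSSEC validation below it).
# "no":  add a normal forward zone that unbound still validates.
INSECURE_FORWARD_ZONES="${INSECURE_FORWARD_ZONES:-yes}"

# is_valid_zone NAME: accept only a plain DNS name. The domain comes from DHCP
# or the VPN server, i.e. from the network, and ends up on a root command line.
is_valid_zone() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|.*|*..*) return 1 ;;
    esac
    return 0
}

# is_valid_ns ADDR: accept only IPv4 or IPv6 address literals (loose check).
is_valid_ns() {
    case "$1" in
        ""|*[!0-9A-Fa-f:.]*) return 1 ;;
        *:*) return 0 ;;        # IPv6 literal
        *.*.*.*) return 0 ;;    # IPv4 literal
    esac
    return 1
}

# add_forward_zone ZONE NS...: forward ZONE (and only ZONE) to NS.
add_forward_zone() {
    zone="$1"; shift
    is_valid_zone "$zone" || { echo "bad zone: $zone" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no nameservers for $zone" >&2; return 1; }
    for ns in "$@"; do
        is_valid_ns "$ns" || { echo "bad nameserver: $ns" >&2; return 1; }
    done
    if [ "$INSECURE_FORWARD_ZONES" = "yes" ]; then
        "$UNBOUND_CONTROL" forward_add +i "$zone" "$@"
    else
        "$UNBOUND_CONTROL" forward_add "$zone" "$@"
    fi
    # Drop cached answers (including cached SERVFAILs) so the forwarder is used now.
    "$UNBOUND_CONTROL" flush_zone "$zone" >/dev/null
}

# remove_forward_zone ZONE: undo add_forward_zone, including the insecure mark.
remove_forward_zone() {
    zone="$1"
    is_valid_zone "$zone" || { echo "bad zone: $zone" >&2; return 1; }
    if [ "$INSECURE_FORWARD_ZONES" = "yes" ]; then
        "$UNBOUND_CONTROL" forward_remove +i "$zone"
    else
        "$UNBOUND_CONTROL" forward_remove "$zone"
    fi
    "$UNBOUND_CONTROL" flush_zone "$zone" >/dev/null
}

# hook_main IFACE ACTION: dispatcher entry point. Only up/vpn-up add zones;
# the matching down/vpn-down handling assumes NetworkManager still exports the
# connection's domains at that point (an assumption of this example).
hook_main() {
    case "$2" in
        up)       domains="$IP4_DOMAINS";     servers="$IP4_NAMESERVERS" ;;
        vpn-up)   domains="$VPN_IP4_DOMAINS"; servers="$VPN_IP4_NAMESERVERS" ;;
        down)     for d in $IP4_DOMAINS;     do remove_forward_zone "$d"; done; return 0 ;;
        vpn-down) for d in $VPN_IP4_DOMAINS; do remove_forward_zone "$d"; done; return 0 ;;
        *)        return 0 ;;
    esac
    for d in $domains; do
        # $servers is intentionally word-split into one argument per address.
        add_forward_zone "$d" $servers
    done
}

hook_main "$@"
```

The `+i` form switches off validation for that zone and everything below it, which is exactly the trade-off the message accepts for a network's internal domain; the hook therefore scopes it to the domain the connection handed out and nothing else, and it refuses domain or server strings that are not a plain name or address, since they arrive from the network and are passed to a command run as root. A dry run such as `IP4_DOMAINS=corp.example IP4_NAMESERVERS="10.0.0.53 10.0.0.54" UNBOUND_CONTROL=echo sh hook.sh eth0 up` prints the unbound-control invocations instead of executing them.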

