[Dnssec-trigger] [PATCH] Improved NM dispatcher hook script
wouter at nlnetlabs.nl
Tue Aug 6 14:53:17 UTC 2013
Committed, I changed this bit:
    # Remove forward zone from unbound
    if [ "$validate_forward_zones" == "no" ]; then
        unbound-control forward_remove +i $domain &> /dev/null
        unbound-control forward_remove $domain &> /dev/null
    fi
The forward_remove also needs the +i flag to remove the insecure point
that was created by the forward_add +i.
Thank you for the patch! VPN support is very nice to have.
On 08/06/2013 03:42 PM, Tomas Hozza wrote:
> In July I proposed a new modified NM dispatcher hook script. I have
> been working on it and after discussion with Pavel Simerda I came
> up with a new version of the script that covers some corner cases.
> Hopefully it is also easier to understand.
> Corner cases that I'm speaking of are particularly those when you
> connect to a VPN or any network that provides you with
> nameservers and a domain, but those nameservers have broken DNSSEC
> configuration. In this case you would possibly be unable to resolve
> domain names from the provided domain, if only those provided
> nameservers can resolve them. The reason is that dnssec-trigger
> would ignore those nameservers because of the broken DNSSEC
> configuration. In this particular situation I think the user would
> like to be able to resolve those internal domain names using the
> provided nameservers even though DNSSEC is broken. But only
> domain names from the provided domain. For the rest, nameservers
> chosen by dnssec-trigger based on its configuration should be
>
> The described corner cases can be solved by adding an insecure forward
> zone into unbound. Unfortunately dnssec-trigger-control does not
> provide an interface to do this, therefore I used unbound-control
> directly. There is also the possibility, by changing a single script
> variable, to change the behaviour of the script so it adds secure
> instead of insecure forward zones.
>
> I'm attaching the patch for the latest trunk version and also the
> NM script itself because it is more readable than from the patch.
> Tomas Hozza
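The add/remove pairing discussed above, as an added example that is not the dnssec-trigger project's own dispatcher script: the same `validate_forward_zones` switch decides whether `forward_add` gets `+i`, and `forward_remove` reuses that flag so the insecure point created for the zone is removed together with it. It assumes `unbound-control` is on PATH; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (hypothetical helper functions, not the project's script):
# wrap unbound-control so forward-zone add and remove always use the same
# validation flag. Assumes unbound-control is in PATH.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
# "no" adds the zone as insecure (+i), anything else keeps DNSSEC validation.
validate_forward_zones="${validate_forward_zones:-no}"

# Run unbound-control, or only print the command when DRY_RUN=1.
run_uc() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$UNBOUND_CONTROL $*"
    else
        "$UNBOUND_CONTROL" "$@" >/dev/null 2>&1
    fi
}

# Emit "+i" when forward zones are configured to be insecure, else nothing.
zone_flag() {
    if [ "$validate_forward_zones" = "no" ]; then
        echo "+i"
    fi
}

# add_forward_zone DOMAIN NAMESERVER...: forward DOMAIN to the given servers.
add_forward_zone() {
    domain="$1"; shift
    run_uc forward_add $(zone_flag) "$domain" "$@"
}

# remove_forward_zone DOMAIN: must pass the same +i used by forward_add,
# otherwise the insecure point created for the zone is left behind.
remove_forward_zone() {
    run_uc forward_remove $(zone_flag) "$1"
}
```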