[Dnssec-trigger] [PATCH] Improved NM dispatcher hook script

[Paul Wouters]

On Tue, 6 Aug 2013, Tomas Hozza wrote:

> In July I proposed a new modified NM dispatcher hook script.
> I have been working on it and after discussion with Pavel
> Simerda I came up with a new version of the script that
> covers some corner cases. Hopefully it is also easier
> to understand.

Thanks for the patch. I see two issues.

1) Double work

if this patch is added, the existing openswan/libreswan and vpnc
packages will add the domain forward twice, once via this new hook
and once via their own mechanism. Currently, those setups work without
needing dnssec-triggerd (eg just vpn software + unbound) but with this
patch is now requires dnssec-triggerd running.

2) Changing the default

This patch changes the default system resolver when the VPN comes up.
This might not be desirable. When I bring up my redhat VPN, I only want
to send the redhat.com DNS queries their way. With this patch, I will
be sending _all_ DNS traffic their way.

With IPsec, we receive specifically the domain name(s) and DNS server
IPs, as well as a list of routes that should go through the VPN (so
called split tunnel). Other VPN implementations/configurations might send a
request for 0.0.0.0/0 where it would be reasonable to expect that they
want all traffic, and where they would want you to use their DNS.
However, the notion of "use our DNS for some domains" versus "use our
DNS for everything" is not negotiated for IPsec. Furthermore, again for
our implementation, the VPN tunnel information is only available within
our out software, and not exported/exposed to NM.

I am not sure how best to fix these two problems. While 1) is
fairly benign, 2) is very important.

Paul