[Dnssec-trigger] [PATCH] NetworkManager hook should add unbound forward zones for VPN connections

Paul Wouters pwouters at redhat.com
Wed Jul 3 19:26:10 UTC 2013

On Tue, 2 Jul 2013, Tomas Hozza wrote:

> Recently I discovered that dnssec-trigger works really well until you
> try to use it with a VPN to some corporate network, which provides
> its own DNS servers together with internal domain(s).

Note, as I said before, this is a really personally coloured view by you.
There is support in openswan, libreswan and vpnc that works
really well. Sure, openvpn is missing, but it can launch any custom
shell script on the client, so it should not be hard to just push
the unbound-control commands down to the client.

> Currently dnssec-trigger provides a NM dispatcher script that adds
> DHCP obtained DNS servers into dnssec-triggerd. But when it comes
> to VPN connections, dnssec-trigger relies completely on VPN clients
> to configure unbound and add forwarding zones if obtained from VPN.
> This causes dnssec-trigger together with unbound not to work out of
> the box when used with VPNs (which is a really common use case).

You mean _some_ VPN clients.

> I think the dispatcher script should be modified to handle also VPN
> provided domains and configure unbound if needed, rather than rely on
> third-party scripts to do it. I know there are some issues in NM
> and the dispatcher preventing this from being done.
> BUT one needed change to NetworkManager has already been merged into
> upstream [1] and one more [2] is still pending, but I expect it to
> get into upstream, too. If not, I'm ready to solve this issue another way.
> I'm sending you also my proposed changes to the dispatcher script. It
> is based on the script version in the repository trunk. It also expects both
> NM proposed changes [1, 2] to be merged into NM upstream.

I have no problems in principle with the patch. And I agree it would be
best that all parties talk to NM as the central point, and only
NM runs unbound-control and changes /etc/resolv.conf.

If the NM and dnssec-trigger patches are upstream, I'm willing to
change the libreswan/openswan/vpnc scripts to call NM instead of
doing the work themselves.

But please stop saying dnssec-trigger does not work with VPNs.

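As an added example, not code from this thread or from the dnssec-trigger project, here is a minimal POSIX sh sketch of the kind of NetworkManager dispatcher hook the thread discusses: on vpn-up it turns the VPN-provided search domains and nameservers into unbound forward zones through unbound-control, and on vpn-down it removes them again. It assumes (labelled in the code) that NM exports the VPN's domains and nameservers to dispatcher scripts as space-separated VPN_IP4_DOMAINS and VPN_IP4_NAMESERVERS; the command builders only print the unbound-control lines, so they can be checked without a running unbound.

```shell
#!/bin/sh
# Added example of an NM dispatcher hook for VPN forward zones.
# Assumptions: NetworkManager passes $1=interface, $2=action and exports
# VPN_IP4_DOMAINS / VPN_IP4_NAMESERVERS (space-separated) on vpn-up and
# vpn-down. Not the dnssec-trigger project's own dispatcher script.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Accept only names made of DNS-safe characters and refuse the root:
# forwarding "." to the VPN's resolver would redirect every query, not
# just the internal zones the VPN is supposed to serve.
valid_domain() {
    case "$1" in
        ''|.|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Print one "forward_add" line per VPN domain. Returns non-zero when
# nothing usable was emitted, so the caller can log and stop.
# $1 = space-separated domains, $2 = space-separated nameserver IPs
forward_add_cmds() {
    domains=$1
    servers=$2
    n=0
    [ -n "$servers" ] || return 1
    for d in $domains; do
        valid_domain "$d" || continue
        # +i tells unbound not to DNSSEC-validate answers from this zone.
        # Corporate internal zones are usually unsigned, so without it
        # they would fail validation; with it, answers for these names
        # are trusted as the VPN resolver serves them, nothing more.
        printf 'forward_add +i %s %s\n' "$d" "$servers"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Print the lines that undo forward_add_cmds for the same domains and
# flush the cache so stale internal records do not outlive the tunnel.
forward_remove_cmds() {
    domains=$1
    n=0
    for d in $domains; do
        valid_domain "$d" || continue
        printf 'forward_remove %s\n' "$d"
        printf 'flush_zone %s\n' "$d"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Feed each printed line to unbound-control (word splitting intended).
apply_cmds() {
    while read -r line; do
        # shellcheck disable=SC2086
        "$UNBOUND_CONTROL" $line
    done
}

# Dispatcher entry point: $1 = interface, $2 = action.
dispatch() {
    case "$2" in
        vpn-up)
            forward_add_cmds "${VPN_IP4_DOMAINS:-}" "${VPN_IP4_NAMESERVERS:-}" \
                | apply_cmds ;;
        vpn-down)
            forward_remove_cmds "${VPN_IP4_DOMAINS:-}" | apply_cmds ;;
    esac
}

# Only act when invoked by NM with a VPN action; harmless when sourced.
case "${2:-}" in
    vpn-up|vpn-down) dispatch "$1" "$2" ;;
esac
```

Installed as an executable file under /etc/NetworkManager/dispatcher.d/ (an assumed location), the script runs with the VPN's domains and resolvers in its environment; the domain filter and the explicit flush_zone on vpn-down are the two checks a practitioner would want before letting a remote network steer the local resolver.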
