[Dnssec-trigger] [PATCH] NetworkManager hook should add unbound forward zones for VPN connections

Paul Wouters pwouters at redhat.com
Fri Jul 5 00:09:52 UTC 2013


On Thu, 4 Jul 2013, Tomas Hozza wrote:

> That is true. I tested only vpnc and openvpn and should be more specific.
> I should also say that there is a pending patch from YOU for vpnc that
> adds the support for configuring unbound. But AFAIK it requires extra
> configuration to work.

That should not be the case since IPsec with XAUTH sends the DNS domain
and the list of nameservers. The patched vpnc just called unbound-control
like openswan/libreswan does.

>> I have no problems in principle with the patch. And I agree it would be
>> best that all parties talk to NM as the central point, and only
>> NM runs unbound-control and changes /etc/resolv.conf.
>
> That is exactly my intention. I think that there should be
> a single point where unbound is configured. In the current circumstances, I think
> the NM dispatcher script is the best place for this functionality. Another
> advantage is that we won't have to change the script in each VPN client
> if needed, but only in one place.

VPN programs still need to be changed to use NM scripts, and when NM is
not there, perform the action themselves. Unless dnssec-triggerd is
modified to do all that, and the VPN programs just use some new option
to tell dnssec-triggerd.

But I am not sure if non-IPsec VPNs have some standard way of relaying
this information.

I think the ideal situation is if NM takes over part of
dnssec-triggerd as a plugin, so we don't need to run another daemon. But
for that, NM needs to also integrate hot spot detection and all.

Paul
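
An added example of the "single place where unbound is configured" idea from this thread; it is not code from the thread, from dnssec-trigger or from NetworkManager. It is a NetworkManager dispatcher script (the path /etc/NetworkManager/dispatcher.d/50-unbound-vpn is hypothetical) that, on vpn-up, registers each VPN-supplied DNS domain as an unbound forward zone pointing at the VPN-supplied nameservers, and on vpn-down removes them again. It assumes NetworkManager's dispatcher convention of $1 = interface, $2 = action, and the VPN_IP4_DOMAINS, VPN_IP4_NAMESERVERS and CONNECTION_UUID environment variables; forward_add, forward_remove and flush_zone are real unbound-control subcommands. The UNBOUND_CONTROL and STATE_DIR variables, the validation helpers and the state file are my own additions, and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Hypothetical /etc/NetworkManager/dispatcher.d/50-unbound-vpn (added example):
# the one place that adds and removes unbound forward zones for VPN connections,
# so individual VPN clients need not run unbound-control or touch /etc/resolv.conf.
# NetworkManager runs this as root with $1 = interface and $2 = action and, for VPN
# connections, exports VPN_IP4_DOMAINS and VPN_IP4_NAMESERVERS (space separated)
# plus CONNECTION_UUID. Example constructed values:
#   VPN_IP4_DOMAINS="corp.example internal.example"
#   VPN_IP4_NAMESERVERS="10.0.0.53 2001:db8::53"

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"   # overridable for testing
STATE_DIR="${STATE_DIR:-/run/unbound-vpn}"               # zones recorded per connection

# Domain names and resolver addresses originate from the VPN peer, so only let
# through the characters they legitimately need before passing them on.
is_zone() {
    case "$1" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

is_addr() {
    case "$1" in
        '') return 1 ;;
        *[!0-9.]*)
            # not dotted-decimal IPv4, so accept only IPv6 characters
            case "$1" in *[!0-9A-Fa-f:.]*) return 1 ;; esac ;;
    esac
    return 0
}

# vpn_up CONNECTION DOMAINS NAMESERVERS
# Adds one forward zone per VPN domain and records the zones for vpn_down.
vpn_up() {
    conn=$1 domains=$2 servers=$3
    valid=""
    for s in $servers; do
        is_addr "$s" && valid="$valid $s"
    done
    [ -n "$valid" ] && [ -n "$domains" ] || return 0
    mkdir -p "$STATE_DIR"
    : > "$STATE_DIR/$conn"
    for d in $domains; do
        is_zone "$d" || continue
        # +i also adds a domain-insecure for the zone: VPN-internal zones are
        # usually unsigned, and a validating unbound would otherwise SERVFAIL them.
        "$UNBOUND_CONTROL" forward_add +i "$d" $valid
        "$UNBOUND_CONTROL" flush_zone "$d"   # drop answers cached before the VPN came up
        echo "$d" >> "$STATE_DIR/$conn"
    done
}

# vpn_down CONNECTION
# Removes the zones recorded at vpn-up rather than relying on the VPN_IP4_*
# variables still being exported on vpn-down.
vpn_down() {
    conn=$1
    [ -f "$STATE_DIR/$conn" ] || return 0
    while read -r d; do
        "$UNBOUND_CONTROL" forward_remove +i "$d"
        "$UNBOUND_CONTROL" flush_zone "$d"
    done < "$STATE_DIR/$conn"
    rm -f "$STATE_DIR/$conn"
}

# Dispatcher entry point: act only on the VPN actions, ignore everything else.
case "${2:-}" in
    vpn-up)   vpn_up   "${CONNECTION_UUID:-$1}" "${VPN_IP4_DOMAINS:-}" "${VPN_IP4_NAMESERVERS:-}" ;;
    vpn-down) vpn_down "${CONNECTION_UUID:-$1}" ;;
esac
```

Because the script only adds forward zones and never rewrites /etc/resolv.conf, it fits a dnssec-trigger host where resolv.conf keeps pointing at the local unbound; the VPN client itself must then be kept from overwriting resolv.conf, which is the coordination problem the thread is about.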


