[Dnssec-trigger] resolv.conf content after dnssec-trigger stop

Tomas Hozza thozza at redhat.com
Thu Nov 21 16:09:53 UTC 2013


Hi.

I finished and successfully tested the script for backing up
and restoring resolv.conf. Its behaviour was discussed with QE
and it works as follows:

1. if called as "dnssec-trigger-resolvconf-handle.sh backup"
 - if NM is configured with "dns=none" it copies resolv.conf
   into /var/run/dnssec-trigger

2. if called as "dnssec-trigger-resolvconf-handle.sh restore"
 - if a backup in /var/run/dnssec-trigger exists and NM is configured
   with "dns=none" it will restore the resolv.conf
 - else it will obtain the current list of nameservers and write them
   into resolv.conf until NM rewrites it.

I'm working with the systemd guys on the right systemd.service file, because
systemd had some problems with creating the transaction. But this is for sure
doable, since I have a couple of other ways to make it work.

I'm also CCing the dnssec-trigger mailing list, since I think such a script
should be included in the upstream repo if it is agreed that it is good.


Thanks.

Regards,

Tomas Hozza

----- Original Message -----
> 
> [ ExecStop script ]
> 
> Good idea. Note that an unrelated bug sometimes causes dnssec-triggerd
> to write a resolv.conf without any nameserver entry. I've filed that as a
> bug upstream and they confirmed it. We might need to poke them a few
> times to get it fixed though.
> 
> >> I was recently thinking about the situation that happens
> >> if you stop dnssec-trigger on the system. dnssec-trigger
> >> will leave most probably (depending on the state it was in)
> >> "127.0.0.1" in resolv.conf. This can cause a really
> >> frustrating user experience, since NM will not write DNS
> >> servers' IP addresses into it until the next network change.
> >>
> >> Currently there is no way to tell NM to write the
> >> configuration into the resolv.conf besides restarting
> >> it.
> 
> This should get folded into an NM plugin, so NM can fully
> control resolv.conf and we can restrict SELinux to only
> allow NM to write /etc/resolv.conf. It would also remove
> the need for making it immutable. Problem is, we are all
> busy people....
> 
> Paul
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnssec-trigger-resolvconf-handle.sh
Type: application/x-shellscript
Size: 2321 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20131121/159acee8/attachment.bin>
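
The backup and restore behaviour described in the message above, as an added sketch. This is not the attached dnssec-trigger-resolvconf-handle.sh (which the archive scrubbed); the variable names, the backup file name, the `nmcli` query and the guard against an empty nameserver list are assumptions.

```shell
#!/bin/sh
# Added sketch of the backup/restore behaviour described in the message.
# Paths are overridable for testing on scratch files; defaults, the backup
# file name and the nmcli query are assumptions, not the attached script.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
NM_CONF="${NM_CONF:-/etc/NetworkManager/NetworkManager.conf}"
BACKUP_DIR="${BACKUP_DIR:-/var/run/dnssec-trigger}"
BACKUP_FILE="$BACKUP_DIR/resolv.conf.backup"   # hypothetical name

# True when NetworkManager is configured with dns=none.
nm_dns_none() {
    grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*none[[:space:]]*$' "$NM_CONF" 2>/dev/null
}

# One nameserver address per line, as NM currently reports them (assumed query).
list_nameservers() {
    nmcli -f IP4.DNS,IP6.DNS device show 2>/dev/null | awk 'NF >= 2 { print $2 }'
}

# Replace resolv.conf via a temp file and rename so readers never see a
# half-written file; clear the immutable flag first if one is set.
install_resolv() {
    chattr -i "$RESOLV_CONF" 2>/dev/null || true
    tmp="$RESOLV_CONF.tmp.$$"
    cat > "$tmp" && mv -f "$tmp" "$RESOLV_CONF"
}

do_backup() {
    nm_dns_none || return 0        # only back up when NM has dns=none
    mkdir -p "$BACKUP_DIR" && cp -p "$RESOLV_CONF" "$BACKUP_FILE"
}

do_restore() {
    if [ -f "$BACKUP_FILE" ] && nm_dns_none; then
        install_resolv < "$BACKUP_FILE"
        return
    fi
    servers=$(list_nameservers)
    # Added guard: never write a resolv.conf with no nameserver line.
    [ -n "$servers" ] || return 1
    printf '%s\n' "$servers" | sed 's/^/nameserver /' | install_resolv
}

case "${1:-}" in
    backup)  do_backup ;;
    restore) do_restore ;;
esac
```

The empty-list guard covers the case raised in the quoted reply, where resolv.conf ends up without any nameserver entry: the file is left untouched and the restore returns non-zero.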