[Dnssec-trigger] resolv.conf content after dnssec-trigger stop

Paul Wouters paul at nohats.ca
Thu Nov 21 17:17:14 UTC 2013

On Thu, 21 Nov 2013, Tomas Hozza wrote:

> I finished and successfully tested the script for backing-up
> and restoring resolv.conf. Its behaviour was consulted with QE
> and it works as follows:
> 1. if called as "dnssec-trigger-resolvconf-handle.sh backup"
> - if NM is configured with "dns=none" it copies resolv.conf
>   into /var/run/dnssec-trigger
> 2. if called as "dnssec-trigger-resolvconf-handle.sh restore"
> - if backup in /var/run/dnssec-trigger exists and NM is configured
>   with "dns=none" it will restore the resolv.conf
> - else it will obtain current list of nameservers and writes them
>   into resolv.conf until NM rewrites it.
> I'm working with systemd guys on the right systemd.service file, because
> systemd had some problems with creating transaction. But this is for sure
> doable, since I have couple of other ways how to make it work.
> I'm CCing also dnssec-trigger mailing-list, since I think such script
> should be included in the upstream repo if agreed that it is good.

I would really prefer _less_ programs touching /etc/resolv.conf, not
more (vpn software, systemd, scripts,... etc)

Perhaps dnssec-triggerd should have a method where it only probes and
reports the results, without rewriting /etc/resolv.conf so that can be
done by NM itself, which can then be restricted by SElinux, and we can
block every other program from writing /etc/resolv.conf without requiring
the immutable file hack.

VPN software can then just tell NM what the new DNS entries and domain
are, and NM can run unbound-control to reconfigure unbound on the fly.
And when the network changes, NM can call dnssec-triggerd to get a
report, and then make the /etc/resolv.conf changes itself.


More information about the dnssec-trigger mailing list