[Dnssec-trigger] resolv.conf content after dnssec-trigger stop
paul at nohats.ca
Thu Nov 21 17:17:14 UTC 2013
On Thu, 21 Nov 2013, Tomas Hozza wrote:
> I finished and successfully tested the script for backing up
> and restoring resolv.conf. Its behaviour was discussed with QE
> and it works as follows:
> 1. if called as "dnssec-trigger-resolvconf-handle.sh backup"
> - if NM is configured with "dns=none", it copies resolv.conf
> into /var/run/dnssec-trigger
> 2. if called as "dnssec-trigger-resolvconf-handle.sh restore"
> - if a backup in /var/run/dnssec-trigger exists and NM is configured
> with "dns=none", it will restore the resolv.conf
> - else it will obtain the current list of nameservers and write them
> into resolv.conf until NM rewrites it.
> I'm working with the systemd guys on the right systemd.service file, because
> systemd had some problems with creating the transaction. But this is for sure
> doable, since I have a couple of other ways to make it work.
> I'm also CCing the dnssec-trigger mailing list, since I think such a script
> should be included in the upstream repo if it is agreed that it is good.
I would really prefer _fewer_ programs touching /etc/resolv.conf, not
more (VPN software, systemd, scripts, etc.)
Perhaps dnssec-triggerd should have a method where it only probes and
reports the results, without rewriting /etc/resolv.conf, so that this can be
done by NM itself, which can then be restricted by SELinux, and we can
block every other program from writing /etc/resolv.conf without requiring
the immutable file hack.
VPN software can then just tell NM what the new DNS entries and domain
are, and NM can run unbound-control to reconfigure unbound on the fly.
And when the network changes, NM can call dnssec-triggerd to get a
report, and then make the /etc/resolv.conf changes itself.
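The backup/restore behaviour Tomas describes above, written out as an added example (this is not the dnssec-trigger-resolvconf-handle.sh script from the thread, nor code from the dnssec-trigger repository). It assumes that NM's "dns=none" setting sits in the [main] section of /etc/NetworkManager/NetworkManager.conf, that the backup is kept as /var/run/dnssec-trigger/resolv.conf, that the "current list of nameservers" comes from a NAMESERVERS variable standing in for whatever the real script would query, and that the backup is removed once restored so a stale copy is never re-applied later; all paths can be overridden so the logic can be exercised against a scratch directory instead of the live system.

```shell
#!/bin/sh
# Added example, not the script from the thread: back up and restore resolv.conf
# following the two-step behaviour Tomas describes.
# Assumptions (not stated in the thread): NM's "dns=none" lives in the [main]
# section of NetworkManager.conf; the backup is stored as $BACKUP_DIR/resolv.conf;
# the "current list of nameservers" is read from $NAMESERVERS (a stand-in for
# whatever the real script would query); paths are overridable for testing.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
NM_CONF="${NM_CONF:-/etc/NetworkManager/NetworkManager.conf}"
BACKUP_DIR="${BACKUP_DIR:-/var/run/dnssec-trigger}"

# Succeeds when NetworkManager.conf has dns=none in its [main] section,
# i.e. NM has been told to leave resolv.conf alone.
nm_dns_is_none() {
    [ -r "$NM_CONF" ] || return 1
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[main\]/); next }
        insec && /^[[:space:]]*dns[[:space:]]*=[[:space:]]*none[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$NM_CONF"
}

# Step 1: "backup" copies resolv.conf aside only when NM is not managing it;
# if NM owns the file there is nothing to preserve.
do_backup() {
    if nm_dns_is_none; then
        mkdir -p "$BACKUP_DIR"
        cp -p "$RESOLV_CONF" "$BACKUP_DIR/resolv.conf"
    fi
}

# Stand-in for "obtain current list of nameservers": one address per line,
# taken from the NAMESERVERS variable (assumption, see above).
current_nameservers() {
    for ns in ${NAMESERVERS:-}; do
        printf '%s\n' "$ns"
    done
}

# Step 2: "restore" puts the backup back when one exists and NM still has
# dns=none; otherwise it writes the current nameservers as an interim
# resolv.conf that NM will overwrite. The write goes through a temporary file
# and mv so a reader never sees a half-written resolv.conf.
do_restore() {
    if [ -f "$BACKUP_DIR/resolv.conf" ] && nm_dns_is_none; then
        cp -p "$BACKUP_DIR/resolv.conf" "$RESOLV_CONF"
        rm -f "$BACKUP_DIR/resolv.conf"   # design choice: never re-apply a stale backup
    else
        tmp="$RESOLV_CONF.tmp.$$"
        {
            echo "# interim resolv.conf written by dnssec-trigger; NetworkManager will replace it"
            for ns in $(current_nameservers); do
                echo "nameserver $ns"
            done
        } > "$tmp"
        mv "$tmp" "$RESOLV_CONF"
    fi
}

main() {
    case "${1:-}" in
        backup)  do_backup ;;
        restore) do_restore ;;
        *) echo "usage: ${0##*/} backup|restore" >&2; return 2 ;;
    esac
}

# Dispatch only when run with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `dnssec-trigger-resolvconf-handle.sh backup` before dnssec-triggerd starts and `... restore` after it stops; the dns=none check is what keeps the script from fighting NM over the file, which is the same concern Paul raises about having several writers of /etc/resolv.conf.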