[Dnssec-trigger] resolv.conf content after dnssec-trigger stop

Tomas Hozza thozza at redhat.com
Thu Nov 21 22:44:16 UTC 2013


----- Original Message -----
> On Thu, 21 Nov 2013, Tomas Hozza wrote:
> > I finished and successfully tested the script for backing-up
> > and restoring resolv.conf. Its behaviour was discussed with QE
> > and it works as follows:
> >
> > 1. if called as "dnssec-trigger-resolvconf-handle.sh backup"
> > - if NM is configured with "dns=none", it copies resolv.conf
> >   into /var/run/dnssec-trigger
> >
> > 2. if called as "dnssec-trigger-resolvconf-handle.sh restore"
> > - if a backup in /var/run/dnssec-trigger exists and NM is configured
> >   with "dns=none", it will restore resolv.conf
> > - else it will obtain the current list of nameservers and write them
> >   into resolv.conf until NM rewrites it.
> >
> > I'm working with the systemd guys on the right systemd.service file, because
> > systemd had some problems with creating the transaction. But this is for sure
> > doable, since I have a couple of other ways to make it work.
> >
> > I'm also CCing the dnssec-trigger mailing list, since I think such a script
> > should be included in the upstream repo if it is agreed that it is good.
> 
> I would really prefer _fewer_ programs touching /etc/resolv.conf, not
> more (VPN software, systemd, scripts, etc.)
> 
> Perhaps dnssec-triggerd should have a method where it only probes and
> reports the results, without rewriting /etc/resolv.conf so that can be
> done by NM itself, which can then be restricted by SELinux, and we can
> block every other program from writing /etc/resolv.conf without requiring
> the immutable file hack.
> 
> VPN software can then just tell NM what the new DNS entries and domain
> are, and NM can run unbound-control to reconfigure unbound on the fly.
> And when the network changes, NM can call dnssec-triggerd to get a
> report, and then make the /etc/resolv.conf changes itself.
> 
> Paul

I know that the NM plugin is the ultimate solution. However, it does not
exist yet. I'm trying to make the DNSSEC client validation using dnssec-trigger
more robust, so it works OK in every possible scenario, until some NM plugin
is created.

Tomas
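
As an added example, not the script from the thread or any code of the dnssec-trigger project, the following POSIX shell reconstructs the backup/restore behaviour described above: the /var/run/dnssec-trigger backup location and the "dns=none" check follow the thread, while the overridable paths (so it can run on constructed files) and FALLBACK_NS as the source of the fallback nameserver list are assumptions for illustration.

```shell
#!/bin/sh
# Added illustration (not the project's dnssec-trigger-resolvconf-handle.sh)
# of the backup/restore logic described in the thread. Paths are read from the
# environment at call time so the logic can be exercised on constructed files.
# FALLBACK_NS is an assumption: the thread does not say where the fallback
# nameserver list comes from; here it is a whitespace-separated list.
load_paths() {
    RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
    NM_CONF="${NM_CONF:-/etc/NetworkManager/NetworkManager.conf}"
    BACKUP_DIR="${BACKUP_DIR:-/var/run/dnssec-trigger}"
    BACKUP_FILE="$BACKUP_DIR/resolv.conf.backup"
}

# True when NetworkManager is configured with dns=none, i.e. NM will not
# rewrite resolv.conf itself and a saved copy is the only way back.
nm_dns_none() {
    [ -r "$NM_CONF" ] && grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*none[[:space:]]*$' "$NM_CONF"
}

# "backup": copy resolv.conf aside, but only when NM is set to dns=none.
resolvconf_backup() {
    load_paths
    nm_dns_none || return 0
    mkdir -p "$BACKUP_DIR" && cp -p "$RESOLV_CONF" "$BACKUP_FILE"
}

# "restore": put the saved copy back if one exists and NM still has dns=none;
# otherwise write the fallback nameservers so resolution keeps working until
# NM rewrites the file.
resolvconf_restore() {
    load_paths
    if nm_dns_none && [ -f "$BACKUP_FILE" ]; then
        cp -p "$BACKUP_FILE" "$RESOLV_CONF" && rm -f "$BACKUP_FILE"
        return
    fi
    tmp=$(mktemp "$RESOLV_CONF.XXXXXX") || return 1
    echo "# written by resolvconf_restore; NetworkManager will replace it" > "$tmp"
    for ns in $FALLBACK_NS; do
        echo "nameserver $ns" >> "$tmp"
    done
    mv -f "$tmp" "$RESOLV_CONF"   # atomic replace: never a half-written file
}

# Command-line entry point matching the "backup" / "restore" arguments.
case "${1:-}" in
    backup)  resolvconf_backup ;;
    restore) resolvconf_restore ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 backup|restore" >&2; exit 2 ;;
esac
```

Run with RESOLV_CONF, NM_CONF and BACKUP_DIR pointed at scratch files to see both branches of the restore logic without touching the live /etc/resolv.conf.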


