Browse files

Prevent resolvconf from updating /etc/resolv.conf. As Jakob Schlyter

pointed out, having additional nameservers listed in /etc/resolv.conf
can break DNSSEC verification by providing a false positive if unbound
returns SERVFAIL due to an invalid signature.  The downside is that
the domain / search path won't get updated either, but we can live
with that.

Approved by:	re (blanket)
  • Loading branch information...
1 parent ff52db8 commit 0f8f840670a0d35203600fb99b86013beb6c00eb @dag-erling dag-erling committed Sep 23, 2013
Showing with 3 additions and 5 deletions.
  1. +3 −5 usr.sbin/unbound/local-setup/local-unbound-setup.sh
View
8 usr.sbin/unbound/local-setup/local-unbound-setup.sh
@@ -156,14 +156,12 @@ gen_resolv_conf() {
#
gen_resolvconf_conf() {
echo "# Generated by $self"
- echo "name_servers=\"127.0.0.1\""
- echo "resolv_conf_options=\"edns0\""
+ echo "resolv_conf=\"/dev/null\" # prevent updating ${resolv_conf}"
echo "unbound_conf=\"${forward_conf}\""
echo "unbound_pid=\"${pidfile}\""
echo "unbound_service=\"${service}\""
- # resolvconf(8) likes to restart rather than reload - consider
- # forcing its hand?
- #echo "unbound_restart=\"service ${service} reload\""
+ # resolvconf(8) likes to restart rather than reload
+ echo "unbound_restart=\"service ${service} reload\""
}
#

0 comments on commit 0f8f840

Please sign in to comment.