svn commit: r255826 - head/usr.sbin/unbound/local-setup

Dag-Erling Smørgrav des at FreeBSD.org
Mon Sep 23 20:07:00 UTC 2013


Author: des
Date: Mon Sep 23 20:06:59 2013
New Revision: 255826
URL: http://svnweb.freebsd.org/changeset/base/255826

Log:
  Prevent resolvconf from updating /etc/resolv.conf.  As Jakob Schlyter
  pointed out, having additional nameservers listed in /etc/resolv.conf
  can break DNSSEC verification by providing a false positive if unbound
  returns SERVFAIL due to an invalid signature.  The downside is that
  the domain / search path won't get updated either, but we can live
  with that.
  
  Approved by:	re (blanket)

Modified:
  head/usr.sbin/unbound/local-setup/local-unbound-setup.sh

Modified: head/usr.sbin/unbound/local-setup/local-unbound-setup.sh
==============================================================================
--- head/usr.sbin/unbound/local-setup/local-unbound-setup.sh	Mon Sep 23 20:03:23 2013	(r255825)
+++ head/usr.sbin/unbound/local-setup/local-unbound-setup.sh	Mon Sep 23 20:06:59 2013	(r255826)
@@ -156,14 +156,12 @@ gen_resolv_conf() {
 #
 gen_resolvconf_conf() {
 	echo "# Generated by $self"
-	echo "name_servers=\"127.0.0.1\""
-	echo "resolv_conf_options=\"edns0\""
+	echo "resolv_conf=\"/dev/null\" # prevent updating ${resolv_conf}"
 	echo "unbound_conf=\"${forward_conf}\""
 	echo "unbound_pid=\"${pidfile}\""
 	echo "unbound_service=\"${service}\""
-	# resolvconf(8) likes to restart rather than reload - consider
-	# forcing its hand?
-	#echo "unbound_restart=\"service ${service} reload\""
+	# resolvconf(8) likes to restart rather than reload
+	echo "unbound_restart=\"service ${service} reload\""
 }
 
 #
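Review bot: The rationale for `resolv_conf="/dev/null"` on the added line exists only in the commit log; the comment emitted into the generated file, `# prevent updating ${resolv_conf}`, says what but not why, so an administrator reading /etc/resolvconf.conf later may "repair" it by re-enabling updates and silently reintroduce the DNSSEC bypass. I would extend that emitted comment, e.g. `echo "resolv_conf=\"/dev/null\" # keep ${resolv_conf} pointing only at unbound; extra nameservers let a SERVFAIL from failed validation fall through"`. The log also states that domain/search will no longer be updated; that trade-off belongs in a second emitted comment line where it takes effect rather than only in the commit message. The surviving comment `# resolvconf(8) likes to restart rather than reload` now sits above an active setting and no longer explains it; `# resolvconf(8) would restart the service; ask for a reload instead` would. gen_resolvconf_conf's header comment starts above the hunk.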

