Author: des
Date: Mon Sep 23 20:06:59 2013
New Revision: 255826
URL: http://svnweb.freebsd.org/changeset/base/255826

Log:
  Prevent resolvconf from updating /etc/resolv.conf.  As Jakob Schlyter
  pointed out, having additional nameservers listed in /etc/resolv.conf
  can break DNSSEC verification by providing a false positive if unbound
  returns SERVFAIL due to an invalid signature.  The downside is that
  the domain / search path won't get updated either, but we can live
  with that.
  
  Approved by:  re (blanket)

Modified:
  head/usr.sbin/unbound/local-setup/local-unbound-setup.sh

Modified: head/usr.sbin/unbound/local-setup/local-unbound-setup.sh
==============================================================================
--- head/usr.sbin/unbound/local-setup/local-unbound-setup.sh    Mon Sep 23 
20:03:23 2013        (r255825)
+++ head/usr.sbin/unbound/local-setup/local-unbound-setup.sh    Mon Sep 23 
20:06:59 2013        (r255826)
@@ -156,14 +156,12 @@ gen_resolv_conf() {
 #
 gen_resolvconf_conf() {
        echo "# Generated by $self"
-       echo "name_servers=\"127.0.0.1\""
-       echo "resolv_conf_options=\"edns0\""
+       echo "resolv_conf=\"/dev/null\" # prevent updating ${resolv_conf}"
        echo "unbound_conf=\"${forward_conf}\""
        echo "unbound_pid=\"${pidfile}\""
        echo "unbound_service=\"${service}\""
-       # resolvconf(8) likes to restart rather than reload - consider
-       # forcing its hand?
-       #echo "unbound_restart=\"service ${service} reload\""
+       # resolvconf(8) likes to restart rather than reload
+       echo "unbound_restart=\"service ${service} reload\""
 }
 
 #
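Review bot: The generated resolvconf.conf line only says `# prevent updating ${resolv_conf}`, so the file itself gives a later administrator no reason not to revert it; the DNSSEC rationale lives only in the commit log. Since a stray nameserver in resolv.conf lets a SERVFAIL from unbound be masked by an unvalidated answer, the reason belongs next to the setting: `echo "resolv_conf=\"/dev/null\" # do not update ${resolv_conf}: extra nameservers would bypass unbound's DNSSEC validation"`. The comment above `unbound_restart` could likewise say what the line does rather than what resolvconf likes, e.g. `# resolvconf(8) would restart unbound by default; reload instead`. Both `${resolv_conf}` and `${service}` are interpolated into a generated file here; they appear to be script-defined variables, but an unset `${resolv_conf}` would leave a confusing comment, so confirm it is always set before this function runs.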