authorDag-Erling Smørgrav <des@FreeBSD.org>2013-09-23 20:06:59 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2013-09-23 20:06:59 +0000
commit058a4e34194250206a4b607905257dc3811eb7ef (patch)
treedad1b185fb3066fe3114c2afce467b93f0213d9b /usr.sbin/unbound
parent3f32c6fb5646908d74936954466a20d36f07b919 (diff)
Prevent resolvconf from updating /etc/resolv.conf. As Jakob Schlyter
pointed out, having additional nameservers listed in /etc/resolv.conf can break DNSSEC verification by providing a false positive if unbound returns SERVFAIL due to an invalid signature. The downside is that the domain / search path won't get updated either, but we can live with that. Approved by: re (blanket)
Notes
Notes: svn path=/head/; revision=255826
Diffstat (limited to 'usr.sbin/unbound')
-rwxr-xr-xusr.sbin/unbound/local-setup/local-unbound-setup.sh8
1 files changed, 3 insertions, 5 deletions
diff --git a/usr.sbin/unbound/local-setup/local-unbound-setup.sh b/usr.sbin/unbound/local-setup/local-unbound-setup.sh
index 9996df53ad9f..99c93243553f 100755
--- a/usr.sbin/unbound/local-setup/local-unbound-setup.sh
+++ b/usr.sbin/unbound/local-setup/local-unbound-setup.sh
@@ -156,14 +156,12 @@ gen_resolv_conf() {
#
gen_resolvconf_conf() {
echo "# Generated by $self"
- echo "name_servers=\"127.0.0.1\""
- echo "resolv_conf_options=\"edns0\""
+ echo "resolv_conf=\"/dev/null\" # prevent updating ${resolv_conf}"
echo "unbound_conf=\"${forward_conf}\""
echo "unbound_pid=\"${pidfile}\""
echo "unbound_service=\"${service}\""
- # resolvconf(8) likes to restart rather than reload - consider
- # forcing its hand?
- #echo "unbound_restart=\"service ${service} reload\""
+ # resolvconf(8) likes to restart rather than reload
+ echo "unbound_restart=\"service ${service} reload\""
}
#
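Review bot: The newly enabled `unbound_restart` line in gen_resolvconf_conf writes a command string built from `${service}` into resolvconf.conf, which resolvconf(8) sources as shell and uses as the command to run, and nothing in this hunk constrains what `${service}` may contain. Where `service` is assigned is outside the hunk; if it can come from a command-line option or the environment, a value containing a quote, `$` or `;` would change the command that runs with resolvconf's privileges. A check before the echo, such as `case "${service}" in *[!A-Za-z0-9_]*) echo "invalid service name: ${service}" >&2; exit 1 ;; esac`, would keep the generated line to a plain service name. The shortened comment above it also no longer says why reload is forced; something like `# force a reload; resolvconf(8) would otherwise restart the service` would record the intent.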