From 058a4e34194250206a4b607905257dc3811eb7ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?=
Date: Mon, 23 Sep 2013 20:06:59 +0000
Subject: Prevent resolvconf from updating /etc/resolv.conf.

As Jakob Schlyter pointed out, having additional nameservers listed in /etc/resolv.conf can break DNSSEC verification by providing a false positive if unbound returns SERVFAIL due to an invalid signature. The downside is that the domain / search path won't get updated either, but we can live with that.

Approved by: re (blanket)
---
 usr.sbin/unbound/local-setup/local-unbound-setup.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
(limited to 'usr.sbin/unbound')
diff --git a/usr.sbin/unbound/local-setup/local-unbound-setup.sh b/usr.sbin/unbound/local-setup/local-unbound-setup.sh
index 9996df53ad9f..99c93243553f 100755
--- a/usr.sbin/unbound/local-setup/local-unbound-setup.sh
+++ b/usr.sbin/unbound/local-setup/local-unbound-setup.sh
@@ -156,14 +156,12 @@ gen_resolv_conf() {
 #
 gen_resolvconf_conf() {
 echo "# Generated by $self"
- echo "name_servers=\"127.0.0.1\""
- echo "resolv_conf_options=\"edns0\""
+ echo "resolv_conf=\"/dev/null\" # prevent updating ${resolv_conf}"
 echo "unbound_conf=\"${forward_conf}\""
 echo "unbound_pid=\"${pidfile}\""
 echo "unbound_service=\"${service}\""
- # resolvconf(8) likes to restart rather than reload - consider # forcing its hand? #echo "unbound_restart=\"service ${service} reload\""
+ # resolvconf(8) likes to restart rather than reload
+ echo "unbound_restart=\"service ${service} reload\""
 }
 
 #
-- cgit v1.2.3
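Review bot: The generated `resolv_conf="/dev/null"` line is annotated only with `# prevent updating ${resolv_conf}`, which does not record why, so an administrator who later puts `name_servers=` back into resolvconf.conf reintroduces exactly the DNSSEC bypass this commit closes (a SERVFAIL from unbound being retried against a non-validating server, per the commit message). Suggest `# keep ${resolv_conf} pointing only at the local validating resolver: an extra nameserver lets a DNSSEC SERVFAIL be retried elsewhere and silently answered`. The hunk also drops `resolv_conf_options="edns0"` without mention in the commit message; whether the stub resolver still gets `options edns0` now depends entirely on gen_resolv_conf(), which is defined before this hunk, and that is worth confirming since /etc/resolv.conf is now the only place it could come from. Finally, the retained comment `# resolvconf(8) likes to restart rather than reload` now sits directly above a line that forces a reload and reads as if the opposite happens; `# resolvconf(8) would restart unbound by default; a reload is enough to pick up the new forwarders` would match what the new line does.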