[Resolvconf-devel] Bug#776778: Please play nicely with resolvconf

[Thomas Hood]

On 4 February 2015 at 12:00, Ondřej Surý <ondrej at sury.org> wrote:
> On Wed, Feb 4, 2015, at 11:14, Axel Beckert wrote:
>> Ondřej Surý wrote:
>> > do you think that we can push the resolvconf compatibility to jessie?
>> >
>> > I see two possible paths here:
>> >
>> > a) add Breaks: resolvconf
>>
>> That's ok-ish. It would be the short-hack temporary solution and
>> likely suitable for Jessie.
>
> okay, this is fairly easy


Please do this quickly, closing #776776, and push to Jessie.

For post Jessie we can work on making dnssec-trigger compatible with
resolvconf, which is bug report #776778.

On that topic....

Dnssec-trigger should certainly not Pre-Depend on resolvconf and
should also not Depend on resolvconf.

When resolvconf is installed, dnssec should refrain entirely from
touching /etc/resolv.conf. This goes for install time and for run
time.


> [...] unless there's a way how dnssec-trigger can hook into resolvconf
> postinst, it won't play well.
>
> Also we will need to have lo.dnssec in first place in the list of
> priorities and a way how to tell resolvconf to stop after localhost
> (e.g. trigger TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS when
> dnssec-trigger is installed).


As I mentioned earlier, unbound itself already registers the
nameserver address 127.0.0.1 with record name "lo.unbound". This
matches the pattern "lo.!(pdns|pdns-recursor)" in
/etc/resolvconf/interface-order and thus gets a high priority. So the
address 127.0.0.1 will be listed before external addresses. If it
turns out that unbound's record needs a different priority than it now
has then we (resolvconf maintainers, in a new release of resolvconf)
can add a line "lo.unbound" at the right place in that file.

TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS=yes is the default, so
we don't need to do anything new in order to cause there to be no
further addresses listed after unbound's 127.0.0.1.
-- 
Thomas