authordes <des@FreeBSD.org>2013-09-23 20:06:59 +0000
committerdes <des@FreeBSD.org>2013-09-23 20:06:59 +0000
commit0f8f840670a0d35203600fb99b86013beb6c00eb (patch)
treedad1b185fb3066fe3114c2afce467b93f0213d9b /usr.sbin/unbound
parentff52db8211aeda98e79c8dde663aae3ea5d12dd0 (diff)
Prevent resolvconf from updating /etc/resolv.conf. As Jakob Schlyter
pointed out, having additional nameservers listed in /etc/resolv.conf can break DNSSEC verification by providing a false positive if unbound returns SERVFAIL due to an invalid signature. The downside is that the domain / search path won't get updated either, but we can live with that. Approved by: re (blanket)
Diffstat (limited to 'usr.sbin/unbound')
-rwxr-xr-xusr.sbin/unbound/local-setup/local-unbound-setup.sh8
1 files changed, 3 insertions, 5 deletions
diff --git a/usr.sbin/unbound/local-setup/local-unbound-setup.sh b/usr.sbin/unbound/local-setup/local-unbound-setup.sh
index 9996df5..99c9324 100755
--- a/usr.sbin/unbound/local-setup/local-unbound-setup.sh
+++ b/usr.sbin/unbound/local-setup/local-unbound-setup.sh
@@ -156,14 +156,12 @@ gen_resolv_conf() {
#
gen_resolvconf_conf() {
echo "# Generated by $self"
- echo "name_servers=\"127.0.0.1\""
- echo "resolv_conf_options=\"edns0\""
+ echo "resolv_conf=\"/dev/null\" # prevent updating ${resolv_conf}"
echo "unbound_conf=\"${forward_conf}\""
echo "unbound_pid=\"${pidfile}\""
echo "unbound_service=\"${service}\""
- # resolvconf(8) likes to restart rather than reload - consider
- # forcing its hand?
- #echo "unbound_restart=\"service ${service} reload\""
+ # resolvconf(8) likes to restart rather than reload
+ echo "unbound_restart=\"service ${service} reload\""
}
#
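Review bot: The generated `resolv_conf="/dev/null"` line in gen_resolvconf_conf says what it prevents but not why, so an administrator who later edits resolvconf.conf to get search-path updates back would quietly reintroduce the DNSSEC fallback problem described in the commit message. I would emit the reason as its own line just before the assignment, for example `echo "# Extra nameservers in ${resolv_conf} let lookups bypass DNSSEC validation when unbound returns SERVFAIL"`. The shortened source comment above `unbound_restart` has a similar gap, since it no longer says the line overrides that behaviour; `# resolvconf(8) likes to restart rather than reload, so force a reload` would restore the intent. This setting only stops resolvconf itself, and whether anything else can still add nameservers to ${resolv_conf}, or whether gen_resolv_conf still writes the `edns0` option dropped here, is not visible in this hunk and is worth confirming.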