Unless dnssec-triggerd locks the /etc/resolv.conf using the immutable bit, NetworkManager is the entity that takes care of it. Apart from name server list, it also configures the domain search list and stuff like that. I believe it would be good to leave the management to NetworkManager when it's using the dns=unbound option. I'm going to update the NM unbound plugin patch so that it writes 'nameserver 127.0.0.1' to /etc/resolv.conf. I don't know whether immutable bit should be then used by NetworkManager or not. And I don't know how much automation is expected to be done by default regarding the domain search list. I've seen some discussions on fedora-devel, so please comment and bring in any interested parties.
I don't think we should do it in this stage of the unbound plugin. This will break the "hot-spot sign-on" mode of dnssec-trigger. Until the hot-spot detection and sign-on handling is implemented in the plugin, we can not let only NetworkManager take care of the content of resolv.conf.
(In reply to Tomas Hozza from comment #1) > I don't think we should do it in this stage of the unbound plugin. This will > break the "hot-spot sign-on" mode of dnssec-trigger. Fair enough. This will have to wait.
As noted in bug #1067856, we're keeping the daemon and therefore keeping the management of /etc/resolv.conf in dnssec-trigger.