Description of problem:
dnssec-trigger's documentation states that it does not configure search domains from DHCP due to the potential for abuse. This seems reasonable, and I can't criticise it.

My issue is thus twofold:
1) Admins should have a configurable setting that re-enables DHCP-provided search domains, acknowledging the potential risk.
2) Search domains entered manually in NetworkManager are currently not used. These should be added by dnssec-trigger, as they again show admin intent and acknowledgement of the risks.

(In reply to William Brown from comment #0)
> Description of problem:
> dnssec triggers documentation states that it does not configure
> searchdomains from dhcp due to the potential for abuse. This seems
> reasonable, and I can't criticise it.

You need to specify the exact way you are using it. The standard way in Fedora is to use dnssec-trigger with NetworkManager and then it's not true and it depends on `/etc/dnssec.conf`. The current stable f20 version should work for you.

> My issue is thus two fold:
> 1) Admins should have a configurable setting that re-enables dhcp provided
> search domains, acknowledging the potential risk.

Granted.

> 2) Search domains entered manually in NetworkManager are currently not used.

How do you enter those manually? Can you use `nmcli` to print them out? If yes, then we can fix the situation. Otherwise we have to extend NetworkManager first.

> These should be added by dnssec-trigger, as they again show admin intent and
> acknowledgement of the risks.

Definitely.

(In reply to Pavel Šimerda (pavlix) from comment #1)
> (In reply to William Brown from comment #0)
> > Description of problem:
> > dnssec triggers documentation states that it does not configure
> > searchdomains from dhcp due to the potential for abuse. This seems
> > reasonable, and I can't criticise it.
>
> You need to specify the exact way you are using it. The standard way in
> Fedora is to use dnssec-trigger with NetworkManager and then it's not true
> and it depends on `/etc/dnssec.conf`. The current stable f20 version should
> work for you.

I understood the issue is that the resolv.conf generated by dnssec-trigger does not contain search domains. I don't think there is anything in /etc/dnssec.conf that could help you with that. If dnssec-trigger does not allow search domains to be set (if explicitly configured by admin), then it should be extended to do so.

Now I realized that this bug is most probably a duplicate of Bug #1130502.

> > 2) Search domains entered manually in NetworkManager are currently not used.
>
> How do you enter those manually? Can you use `nmcli` to print them out? If
> yes, then we can fix the situation. Otherwise we have to extend
> NetworkManager first.
>

```
nmcli connection edit enp0s25
nmcli> print all
ipv4.dns-search: services.example.com
```

> I understood the issue is that the resolv.conf generated by dnssec-trigger
> does not contain search domains. I don't think there is anything in
> /etc/dnssec.conf that could help you with that. If dnssec-trigger does not
> allow search domains to be set (if explicitly configured by admin), then it
> should be extended to do so.

Well, that resolv.conf is immutable anyway, so that doesn't help. I was thinking more the insertion of these searchdomains into unbound via some means. If that's not possible, then yes, resolv.conf it will have to be.

Please update the other bug to include information from this one. I'll try to do it if no one else comes first.

*** This bug has been marked as a duplicate of bug 1130502 ***