When dnssec-trigger daemon starts, it writes /etc/resolv.conf and sets the immutable bit on it. This is done to ensure that all applications talk to the local unbound instance whether or not another tool attempts to write its own version of /etc/resolv.conf. But its behavior when /etc/resolv.conf is not a symlink (1) doesn't achieve that and (2) results in rewriting files belonging to other tools.

Expected result:

When /etc/resolv.conf is a symlink, dnssec-trigger daemon should remove it and create a brand new /etc/resolv.conf file.

Actual result:

When /etc/resolv.conf is a symlink (e.g. to /run/NetworkManager/resolv.conf when using an experimental patch), dnssec-trigger daemon opens /etc/resolv.conf for writing and thus rewrites a file that belongs to another tool like NetworkManager or systemd-resolved.

Additional information:

Other tools write a temporary file like /etc/resolv.conf.tmp and then move it over to /etc/resolv.conf, replacing the original file whether it's a symlink or not.

Information from strace:

open("/etc/resolv.conf", O_RDONLY) = 5
chattr: Operation not supported while reading flags on /etc/resolv.conf
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3493, si_status=1, si_utime=0, si_stime=0} ---
chmod("/etc/resolv.conf", 0644) = 0
open("/etc/resolv.conf", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
chmod("/etc/resolv.conf", 0444) = 0
chattr: Operation not supported while reading flags on /etc/resolv.conf
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3495, si_status=1, si_utime=0, si_stime=0} ---

Solution:

The daemon could simply do what other tools do and instead of opening "/etc/resolv.conf" for writing, it could simply replace /etc/resolv.conf with a temporary file.

Note that enforcing the contents of /etc/resolv.conf is an intended behavior of the dnssec-trigger daemon as designed upstream.
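The two write strategies contrasted in the report above, as an added example that is not dnssec-trigger's own code: it compares opening the path with O_TRUNC against writing a temporary file and calling rename() when the path is a symlink. The function names are hypothetical, a directory under /tmp stands in for /etc and /run, and the nameserver addresses are constructed sample values.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* open() follows a symlink at path unless flags contains O_NOFOLLOW. */
static int write_file(const char *path, int flags, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | flags, 0644);
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Pattern seen in the strace: truncate whatever the path resolves to. */
int write_in_place(const char *p, const char *d) { return write_file(p, O_TRUNC, d); }

/* Proposed pattern: rename() replaces the directory entry, symlink or not. */
int write_by_rename(const char *path, const char *data) {
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -1;
    unlink(tmp); /* clear a stale temp file so O_EXCL can succeed */
    int ok = write_file(tmp, O_EXCL | O_NOFOLLOW, data) == 0 && rename(tmp, path) == 0;
    if (!ok) unlink(tmp);
    return ok ? 0 : -1;
}

/* Constructed scenario in a temp dir: resolv.conf is a symlink to another tool's
 * file. Returns 1 if that file is intact, 0 if overwritten, -1 on error. */
int target_intact(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/resolv-demo-XXXXXX", target[64], lnk[64], buf[64] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/other-tool.conf", dir);
    snprintf(lnk, sizeof lnk, "%s/resolv.conf", dir);
    if (write_file(target, O_EXCL, "nameserver 192.0.2.53\n") != 0 ||
        symlink(target, lnk) != 0 || writer(lnk, "nameserver 127.0.0.1\n") != 0)
        return -1;
    FILE *f = fopen(target, "r");
    if (!f || !fgets(buf, sizeof buf, f)) { if (f) fclose(f); return -1; }
    fclose(f);
    return strcmp(buf, "nameserver 192.0.2.53\n") == 0;
}

int main(void) {
    printf("in place:  target intact = %d\n", target_intact(write_in_place));
    printf("by rename: target intact = %d\n", target_intact(write_by_rename));
    return 0;
}
```

Each call leaves its /tmp/resolv-demo-* directory behind so the resulting symlink or regular file can be inspected with ls -l.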
Fixed in rawhide, moving to F21.
dnssec-trigger-0.12-18.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/dnssec-trigger-0.12-18.fc21
Package dnssec-trigger-0.12-18.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dnssec-trigger-0.12-18.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1279/dnssec-trigger-0.12-18.fc21
then log in and leave karma (feedback).
This issue should be fixed in the current dnssec-trigger package. Please test and reopen if the package does not fix the issue for you.