tech-net archive


DNS Expectations (was rtsol)



On 21/10/2014 15:09, Robert Swindells wrote:
>>>> The resolv.conf part is tricky - because dhcpcd supports DNSSL and RDNSS
>>>> options that need to expire it needs to be able to manage resolv.conf
>>>> somehow. The solution is to either disable dhcpcd from writing to it at
>>>> all (--nohook resolv.conf), set up your static config using
>>>> resolvconf.conf or make the file immutable. Is this something we should
>>>> document in resolv.conf(5)?
>>>
>>> I would expect the default behaviour to be to not overwrite
>>> resolv.conf on an error.
>>
>> This behaves like DHCP, DHCPv6 or a vpn link - expect resolv.conf to be
>> modified. The entry for the interface is cleared on start, just like the
>> addresses are cleared on a reboot. Hence the above comment I made.
> 
> It still fails POLA for me.

Every protocol that supplies an IP address also supplies DNS servers.
DHCP, DHCPv6, IPv6RS/RA, PPP (+ pppoe), various VPNs.
I would argue that any of these not supplying DNS fails POLA.

In all cases, when any of these is used there exists the possibility
that any one of them could impose their idea of DNS on resolv.conf.
Because of this, we have resolvconf(8), which every daemon that learns DNS
dynamically should write to, rather than directly to resolv.conf.

For the case where a lack of dynamically learned information does not
exist, or it expires, dhcpcd will remove what it previously learned.
In the case of DNS, it will call resolvconf -d $interface:$protocol.

You can opt-out of resolvconf(8) ever touching resolv.conf by setting
resolvconf=NO in resolvconf.conf(5) (you'll need -current of a few days ago)
or change the file it writes to with
resolv_conf=/var/run/resolv.conf (or /dev/null).

Or you can take the OS-level approach and make the file immutable.

Thanks

Roy
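An added example, not part of Roy's message nor of dhcpcd or resolvconf themselves: a POSIX sh audit that reports, from a resolvconf.conf(5) and a dhcpcd.conf(5), whether dynamically learned DNS can still reach /etc/resolv.conf via the opt-outs named above. The file paths are passed in (so constructed sample files can be checked offline); the immutable-file approach is not inspected.

```sh
#!/bin/sh
# Added example (not from the thread): report how resolv.conf can be
# modified, given a resolvconf.conf(5) and a dhcpcd.conf(5).  Paths are
# passed as arguments so constructed sample files can be checked offline.

# Last uncommented assignment of key $2 in sh-style config file $1,
# with surrounding quotes stripped.  Prints nothing if the key is unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" 2>/dev/null \
        | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# Where resolvconf(8) will write, per the options mentioned in the thread:
#   "disabled"                 resolvconf=NO, resolv.conf is never touched
#   "redirected:<path>"        resolv_conf points somewhere else
#   "writes:/etc/resolv.conf"  default behaviour, dynamic DNS lands in it
resolvconf_policy() {
    case "$(conf_value "$1" resolvconf)" in
        [Nn][Oo]) echo disabled; return ;;
    esac
    target=$(conf_value "$1" resolv_conf)
    case "${target:-/etc/resolv.conf}" in
        /etc/resolv.conf) echo writes:/etc/resolv.conf ;;
        *) echo "redirected:$target" ;;
    esac
}

# Whether dhcpcd's resolv.conf hook is disabled: "nohook resolv.conf" in
# dhcpcd.conf is the config-file form of the --nohook flag from the thread.
dhcpcd_resolv_hook() {
    if grep -E '^[[:space:]]*nohook[[:space:]]' "$1" 2>/dev/null \
            | grep -q 'resolv\.conf'
    then echo disabled; else echo enabled; fi
}

# Stand-alone use: audit the live system files (constructed defaults).
if [ "${1:-}" = "--audit" ]; then
    echo "resolvconf: $(resolvconf_policy /etc/resolvconf.conf)"
    echo "dhcpcd hook: $(dhcpcd_resolv_hook /etc/dhcpcd.conf)"
fi
```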

