/etc/NetworkManager/dispatcher.d/01-dnssec-trigger is in dnssec-trigger 0.13~svn685-4.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 | #!/bin/sh
#
# Script to notify dnssec-trigger that the DNS configuration in NetworkManager
# may have changed.
# Future versions of NetworkManager will have an active unbound/dnssec-trigger
# plugin. Don't intervene when the new plugin is being used.
if [ -e /etc/NetworkManager/NetworkManager.conf ]; then
grep -q '^dns=unbound\>' /etc/NetworkManager/NetworkManager.conf && exit 0
fi
# Exec the dnssec-trigger update script that uses NetworkManager API to gather
# all the necessary information.
if [ -x /usr/lib/dnssec-trigger/dnssec-trigger-script ]; then
exec /usr/lib/dnssec-trigger/dnssec-trigger-script --update
fi
# When dnssec-trigger-script is absent or not executable, the original
# shell-based dnssec trigger hook code below is run instead.
#
# NetworkManager trigger for in dispatcher.d
# config items
# set PATH correctly instead of absolute paths to binaries
PATH="/usr/sbin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin"
state_dir="/run/dnssec-trigger"
validate_forward_zones="no"
# implementation
ifname="$1"
action="$2"
domains=""
nameservers=""
global_nameservers=""
conn_zones_file="$state_dir/$CONNECTION_UUID"
################################################################
# get domains and nameservers if provided by connection going up
case "$action" in
"vpn-up" )
domains="`echo $VPN_IP4_DOMAINS $VPN_IP6_DOMAINS | tr " " "\n" | sort -u | tr "\n" " " | sed '$s/.$//'`"
nameservers="`echo $VPN_IP4_NAMESERVERS $VPN_IP6_NAMESERVERS`"
;;
"up" )
domains="`echo $IP4_DOMAINS $IP6_DOMAINS | tr " " "\n" | sort -u | tr "\n" " " | sed '$s/.$//'`"
nameservers="`echo $IP4_NAMESERVERS $IP6_NAMESERVERS`"
;;
esac
#########################
# get global nameservers
# try to get nmcli version
NMCLI_VER=$(printf '%03d%03d%03d%03d\n' $(nmcli -v 2>/dev/null | sed 's/.*version \([0-9]\+\)\.\([0-9]\+\)\.\([0-9]\+\)\.\([0-9]\+\).*/\1 \2 \3 \4/'))
# if nmcli exists
if [ -n "$NMCLI_VER" ]; then
# if the version is greater or equal 0.9.9.0
if [ $NMCLI_VER -ge 000009009000 ]; then
global_nameservers="`nmcli -f IP4,IP6 dev show | fgrep 'DNS' | awk '{print $2;}'`"
else
global_nameservers="`nmcli -f IP4,IP6 dev list | fgrep 'DNS' | awk '{print $2;}'`"
fi
# nmcli does not exist
else
global_nameservers="`nm-tool | grep 'DNS:' | awk '{print $2;}'`"
fi
# fix whitespaces
global_nameservers="`echo $global_nameservers`"
############################################################
# configure global nameservers using dnssec-trigger-control
if [ -n "`pidof dnssec-triggerd`" ] ; then
dnssec-trigger-control submit "$global_nameservers" > /dev/null 2>&1
logger "dnssec-trigger-hook(networkmanager) $ifname $action added global DNS $global_nameservers"
else
logger "dnssec-trigger-hook(networkmanager) $ifname $action NOT added global DNS - dnssec-triggerd is not running"
fi
######################################################
# add forward zones into unbound using unbound-control
if [ -n "`pidof unbound`" ]; then
if [ -r "$conn_zones_file" ]; then
for domain in `cat $conn_zones_file`; do
# Remove forward zone from unbound
if [ "$validate_forward_zones" = "no" ]; then
unbound-control forward_remove +i $domain > /dev/null 2>&1
else
unbound-control forward_remove $domain > /dev/null 2>&1
fi
unbound-control flush_zone $domain > /dev/null 2>&1
unbound-control flush_requestlist > /dev/null 2>&1
logger "dnssec-trigger-hook(networkmanager) $ifname $action removed forward DNS zone $domain"
done
# Remove file with zones for this connection
rm -f $conn_zones_file > /dev/null 2>&1
fi
if [ "$action" = "vpn-up" -o "$action" = "up" ]; then
if [ -n "$domains" ]; then
for domain in $domains; do
# Add forward zone into unbound
if [ "$validate_forward_zones" = "no" ]; then
unbound-control forward_add +i $domain $nameservers > /dev/null 2>&1
else
unbound-control forward_add $domain $nameservers > /dev/null 2>&1
fi
unbound-control flush_zone $domain > /dev/null 2>&1
unbound-control flush_requestlist > /dev/null 2>&1
# Create zone info file
mkdir -p $(dirname $conn_zones_file)
echo $domain >> $conn_zones_file
logger "dnssec-trigger-hook(networkmanager) $ifname $action added forward DNS zone $domain $nameservers"
done
fi
fi
else
logger "dnssec-trigger-hook(networkmanager) $ifname $action NOT added forward DNS zone(s) - unbound is not running"
fi
exit 0
|