I have created a file that interacts from /etc/resolvconf/update.d with pdnsd. It reads nameservers as it is done with the libc script, filters out 127.* and the rest is sent to pdnsd with pdnsd-ctl.
Created attachment 87432
PDNSD interaction from resolvconf configurator

Should be placed under /etc/resolvconf/update.d/ directory.
I think that the script /etc/init.d/pdnsd also needs an update, because it could happen that the network card had been configured, when the pdnsd started. So my proposal is to add

    ...
    eend $?
    if [[ $? == 0 && -x /sbin/resolvconf ]] ; then
        eindent
        ebegin "Updating resolvconf database"
        /sbin/resolvconf -u
        eend $?
        eoutdent
    fi

into start() function of /etc/init.d/pdnsd. That works fine for me. There is no need to make network card initialization scripts dependent on resolvconf or pdnsd.
No, the idea is the resolvconf stuff is separate from the main init scripts. I have scripts for dnsmasq and bind written by myself and one for djbdns written by a fellow dev (kiaowas) here - http://dev.gentoo.org/~uberlord/resolvconf-gentoo

Any script for pdns should try and emulate those. They are a bit more involved than libc as they provide nameservers for specific domains so that openvpn gets full DNS on both public and private networks which is something that libc cannot provide.
(In reply to comment #3)
> No, the idea is the resolvconf stuff is separate from the main init scripts.

Sorry, I do not understand. How do you want to make automatic pdnsd configuration, if the configuration cannot be activated after the pdnsd is loaded? I copied the idea from Debian's /etc/init.d/pdnsd (comment #2) and /etc/resolvconf/update.d/pdnsd (comment #1). What is wrong?

If the network card is configured first (in boot runlevel), then the pdnsd is started (in default runlevel), there will be no configuration in pdnsd. I have to call "resolvconf -u" manually to update it (from pdnsd init script for example - see the Debian's way to do it). If I now start wifi or ppp0 interface, it will automatically update the configuration with "resolvconf -a" (from /etc/resolvconf/update.d/pdnsd). Where is the problem?

I downloaded mentioned scripts and I will have a look at them later today (hopefully).
(In reply to comment #4)
> (In reply to comment #3)
> > No, the idea is the resolvconf stuff is separate from the main init scripts.
>
> Sorry, I do not understand. How do you want to make automatic pdnsd
> configuration, if the configuration cannot be activated after the pdnsd is
> loaded? I copied the idea from Debian's /etc/init.d/pdnsd (comment #2) and
> /etc/resolvconf/update.d/pdnsd (comment #1). What is wrong?

Well, we don't use Debian's init scripts and the referenced examples restart the dns resolver only if required. So the Gentoo init scripts for the dns resolvers should not need any modification.

>
> If the network card is configured first (in boot runlevel), then the pdnsd is
> started (in default runlevel), there will be no configuration in pdnsd. I have
> to call "resolvconf -u" manually to update it (from pdnsd init script for
> example - see the Debian's way to do it). If I now start wifi or ppp0
> interface, it will automatically update the configuration with "resolvconf -a"
> (from /etc/resolvconf/update.d/pdnsd). Where is the problem?

Our resolvconf only shares the same design as Debian's - the underlying code is vastly different for starters. Our design makes writing helper scripts much easier for starters :)

However, it is the job of resolvconf to update and restart the dns resolvers when dns information has changed, thus there is no need for the dns resolver init script to be resolvconf aware. If it needs to be then the error is elsewhere.

Let's just say that using the dnsmasq and bind scripts my network cards are configured in the boot runlevel by udev/coldplug and dnsmasq is started in the default runlevel. Everything works as advertised without the need for the dnsmasq init script to be aware of resolvconf. This works as we save all needed information to files that the user needs to include in their config - you will probably need to do this as well.
Created attachment 87496
pdnsd interaction with resolvconf

Description of how to activate the pdnsd is written in detail in the file. Now there is no need to change the /etc/init.d/pdnsd :-)
(In reply to comment #5)
> Our resolvconf only shares the same design as Debian's - the underlying code is
> vastly different for starters. Our design makes writing helper scripts much
> easier for starters :)

It was really easy to do so, I looked at dnsmasq and it was done in a few minutes :)

> However, it is the job of resolvconf to update and restart the dns resolvers
> when dns information has changed, thus there is no need for the dns resolver
> init script to be resolvconf aware. If it needs to be then the error is
> elsewhere.

Now it works as wanted - no need to edit init scripts. The pdnsd is able to reload configuration files, so I use this opportunity to do so.
OK, looking better now :) Last thing to do is to implement the split of domain and search options to make vpn users happy. Again, see the referenced dnsmasq and bind files for how this is done.
(In reply to comment #8)
> Last thing to do is to implement the split of domain and search options to make
> vpn users happy. Again, see the referenced dnsmasq and bind files for how this
> is done.

Thanks for a hint. I think I understand it. The problem is to ask the correct server for the particular domain/search. I will test it also, because I have both ppp0 and openvpn running. I will think about this issue the whole night and morning :-) There will be maybe some "sed" magic that will operate on a standard configuration file.
Does it have to be written as a bash script, or can perl/python be used?
(In reply to comment #10)
> Does it have to be written as a bash script, or can perl/python be used?

Any language can be used really. However, bash would be preferable for scripts in /etc.
Created attachment 87552
pdnsd interaction with resolvconf

As promised, here is the little-bit-hard-core(TM) bash/sed script to edit the configuration. Each unique NEWDOMAIN part is created as a separate server section. Other settings - NEWSEARCH and NEWNS - are combined together and put into one server section. User can customize the created sections, only few options are always recreated (so changes to them will be lost). Details are in the attached file. The description of a sed script is also included in the file. Enjoy :-)
That's incredibly hardcore - much more complex than my scripts, but heh, if it works. Looks like it has the required features though :) net-dialup - your baby now (according to the meta data)
I'm now adding some sanity checks for some rare situations (mistakes in configuration files) - like missing closing brackets. I will post the result later today. Then it needs to be tested in the real world, because I would miss something :-)
Created attachment 87560
pdnsd interaction with resolvconf

Now I'm happy with the script. Sanity checks should ensure that the file will not get corrupted. The backup suffix is now ".backup" and not the ugly ".old". It is complex, because everything has to be in one file and it would be good for the user to be able to customize new server sections - like timeouts and caching.
@Oldrich : Can you get rid of all that debug stuff? Also, "Implementation notes" ends unexpectedly.

@Roy : I'm puzzled about net-dialup's job in this bug. What exactly do you want me to do? Install this script in /etc/resolvconf/update.d? I don't see dnsmasq doing it.

Also, don't you think resolvconf-gentoo should be moved in net-dns category? According to metadata.xml, "net-dns category contains DNS (Domain Name Service) related software".
Created attachment 88552
pdnsd interaction with resolvconf

(In reply to comment #16)
> @Oldrich : Can you get rid of all that debug stuff? Also, "Implementation
> notes" ends unexpectedly.

Done. DEBUG is gone. The implementation notes are fixed (originally it was copied from bind/dnsmasq scripts and I missed one line - how this could happen?).
(In reply to comment #16)
> @Roy : I'm puzzled about net-dialup's job in this bug. What exactly do you want
> me to do? Install this script in /etc/resolvconf/update.d? I don't see dnsmasq
> doing it.

They will be doing it - the maintainers of dnsmasq and bind have said they would include similar scripts for them soon.

> Also, don't you think resolvconf-gentoo should be moved in net-dns category?
> According to metadata.xml, "net-dns category contains DNS (Domain Name Service)
> related software".

Possibly :)
Created attachment 88705
pdnsd interaction with resolvconf

Update with fixed policy for VPN users. The line "policy=excluded" is added every time now, without it the pdnsd ignores "include=" statement (so it searched all addresses).
fixed in pdnsd-1.2.4-r2.

too bad I cannot use this for my IPSec VPN connection :(

btw, I had to exclude my VPN domains manually, since otherwise the resolvconf entry was also used for these domains:

    server {
        label="resolvconf";
        preset=on;
        ip="a.b.c.d";
        exclude=".tsr",".tss",".tus",".tde";
        exclude=".168.192.in-addr.arpa";
    }

thanks for your contribution!
(In reply to comment #20)
> fixed in pdnsd-1.2.4-r2.
>
> too bad I cannot use this for my IPSec VPN connection :(

Everything can be fixed and I would like to improve the script, I just need some information, but currently I do not know, where is the best place to discuss all resolvconf+pdnsd stuff - forums.gentoo.org (Networking&Security), or somewhere else?

> btw, I had to exclude my VPN domains manually, since otherwise the resolvconf
> entry was also used for these domains:
> server {
>     label="resolvconf";
>     preset=on;
>     ip="a.b.c.d";
>     exclude=".tsr",".tss",".tus",".tde";
>     exclude=".168.192.in-addr.arpa";
> }

I was thinking about this (exclude= in "resolvconf" server), also about keeping the configuration and changing only preset=off/on for "resolvconf-<domain>" servers.

Thanks for your feedback, I would like to move the discussion to a better place (with possibly more people). Where?
(In reply to comment #21)
> > too bad I cannot use this for my IPSec VPN connection :(
>
> Everything can be fixed and I would like to improve the script, I just need
> some information, but currently I do not know, where is the best place to
> discuss all resolvconf+pdnsd stuff - forums.gentoo.org (Networking&Security),
> or somewhere else?

nah... You could set a {left,right}updown script in /etc/ipsec/ipsec.conf, but if you set it, it is the script's job to set/reset the routes. Besides, openswan doesn't know anything about internal DNS domains/servers.

> Thanks for your feedback, I would like to move the discussion to a better place
> (with possibly more people). Where?

If you have more resolvconf related ideas, you should talk with Roy about them.
(In reply to comment #16)
> Also, don't you think resolvconf-gentoo should be moved in net-dns category?

Moved :)
(In reply to comment #22)
> nah... You could set a {left,right}updown script in /etc/ipsec/ipsec.conf, but
> if you set it, it is the script's job to set/reset the routes. Besides, openswan
> doesn't know anything about internal DNS domains/servers.

From the documentation (I do not have ipsec/openswan) you can execute /lib/ipsec/*updown manually from your *updown script. Then you can
* think about a server configuration in pdnsd and starting it with "pdnsd-ctl server <name> up" and shutting-down it with "pdnsd-ctl server <name> down", or
* you can use "resolvconf -a <interface>" and "resolvconf -d <interface>" from your *updown scripts to simulate DNS updates. Maybe the DNS configuration can be somewhere in /etc/conf.d/net.ipsec*?

Just one stupid idea :-)
(In reply to comment #22)
> If you have more resolvconf related ideas, you should talk with Roy about them.

No, I do not have more ideas about resolvconf, but I would like to discuss pdnsd interaction - generation of config files. There is already the thing with exclude= in server "resolvconf" - it can be generated automatically, but it would be better to probably keep some user modifications. I will think about it and provide an update.

BTW: Where to send updates? Reopen this bug, or create new one, or...?
Since openswan doesn't know anything about DNS configurations, I think we shouldn't stress ourselves with adding resolvconf functionality. I already solved it by adding a different server in pdnsd.conf and filtering my internal domain from the "resolvconf" server through exclude parameters.

If you have updates to pdnsd resolvconf update script, you could reopen this bug, but please make it final. I don't want to hassle gentoo users with endless updates. Better to experiment with it several weeks, until you are happy with the result.
(In reply to comment #26)
> Better to experiment with it several weeks, until you are happy with
> the result.

The last thing I have in mind is this "exclude=" and then I would be happy. I can experiment several months, but what is good to me, need not be good for you (for example I didn't miss "exclude=" in my configuration file, but it is logical to have it there). Anyway, if anybody has any feedback/ideas for changing pdnsd configuration by my script in some nice way, my e-mail is opened to everybody.
Finally I made time for exclude directive in pdnsd. It automatically handles its servers (those in format .<domain> or .<domain>., with and without double-quotes). Other things behave the same.
Created attachment 90109
pdnsd interaction with resolvconf, version 2006-06-25

Enjoy :-) Please test, if it works as expected also for you.
fixed in -r3. thanks!
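
Added example, not part of the thread and not the attached script: a sketch of the server-section generation the comments describe (loopback filtered, one "resolvconf-<domain>" section per domain with policy=excluded and include=, and the matching exclude= in the general "resolvconf" section so VPN domains are not sent to the general nameservers). The function names, the "# interface" fragment marker, the rule that a fragment with a domain line serves only that domain, and the rejection of malformed values are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the attached script). Input: resolv.conf fragments, one per
# interface, each introduced by "# interface <name>" (constructed format).
# Assumption: a fragment with a "domain" line serves only that domain.
gen_pdnsd_servers() {
    awk '
    function sep(s) { return s == "" ? "" : "," }
    function end_fragment(   i) {
        # A fragment with a rejected domain is dropped whole, so its
        # nameservers are never promoted to the general section.
        for (i = 1; i <= n && !bad; i++) {
            if (dom == "") global = global sep(global) "\"" ns[i] "\""
            else byDom[dom] = byDom[dom] sep(byDom[dom]) "\"" ns[i] "\""
        }
        if (!bad && dom != "" && n > 0 && !(dom in seen)) { seen[dom] = 1; order[++nd] = dom }
        n = 0; dom = ""; bad = 0
    }
    /^# interface / { end_fragment(); next }
    $1 == "domain" {
        dom = tolower($2); sub(/\.$/, "", dom)
        # Values come from DHCP/VPN peers: allow hostname characters only.
        if (dom !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/) bad = 1
        next
    }
    # Skip loopback (the local pdnsd itself) and anything not address-shaped.
    $1 == "nameserver" && $2 ~ /^[0-9a-fA-F.:]+$/ && $2 !~ /^127\./ && $2 != "::1" { ns[++n] = $2 }
    END {
        end_fragment()
        for (i = 1; i <= nd; i++) {
            d = order[i]
            printf "server {\n\tlabel=\"resolvconf-%s\";\n\tpreset=on;\n\tip=%s;\n", d, byDom[d]
            printf "\tpolicy=excluded;\n\tinclude=\".%s.\";\n}\n", d
            excl = excl sep(excl) "\"." d ".\""
        }
        if (global != "") {
            printf "server {\n\tlabel=\"resolvconf\";\n\tpreset=on;\n\tip=%s;\n", global
            if (excl != "") printf "\texclude=%s;\n", excl
            print "}"
        }
    }'
}

# Constructed sample: a LAN lease, a VPN, and a lease with a malformed domain.
sample_fragments() {
    printf '%s\n' '# interface eth0' 'nameserver 127.0.0.1' 'nameserver 192.0.2.53' \
        '# interface tun0' 'domain corp.example' 'nameserver 10.8.0.1' \
        '# interface wlan0' 'domain x";ip="203.0.113.9' 'nameserver 198.51.100.7'
}
sample_fragments | gen_pdnsd_servers
```

The output is meant to be reviewed or merged into pdnsd.conf by the caller; the example does not write the file or signal pdnsd.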