Package: resolvconf
Version: 1.87
Severity: normal
X-Debbugs-Cc: rossboy...@stanfordalumni.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is about section 3.5 (bind9) of the README and the resolvconf-update-bind
script it references. The current documentation (including v1.91, which I
checked online) does not reflect bind9's current setup.

1. The defaults file has been renamed to /etc/default/named.
2. Bug 483098 was part of a mass bug closing and so is inactive.
3. The sample script resolvconf-update-bind
   a) refers to bind9 when it should use named
   b) assumes init scripts even though systemd is the default
   c) doesn't use the current /run directory, /run/named, I think (I edited my
      copy a while ago)
4. The advice to set RESOLVCONF=yes in /etc/default/named (formerly
default/bind) is probably unnecessary and may not be sufficient.  This is
complicated by the fact that the file appears to be completely undocumented in
bind9 (#1016943).  As best I can tell, this setting is ignored in systemd
settings, but the named-resolvconf.service shipped with bind9 does the same
thing.  I'm not entirely sure if it's on or off by default, and so instructions
to activate it might be in order.  RESOLVCONF=yes does affect the init scripts.
But note that even setting RESOLVCONF=no will still get the RESOLVCONF=yes
behavior if using systemd, assuming the named-resolvconf.service is active.
5. The resolvconf-update-bind currently executes an init script to reload bind.
Aside from the fact it probably shouldn't (3b above), this means
/etc/default/named and its RESOLVCONF setting might sneak in through this
route.  However, the code path for reload in the init script does not appear to
use the RESOLVCONF setting.

The update script assures that when a new interface with new nameservers comes
up a fragment will be written that bind can use, and bind will be reloaded so
it uses them.  Does it also *prevent* those same nameservers from being written
to the main resolv.conf?

BTW, systemd *does* use the OPTIONS setting from the default file.

There might also be some apparmor tweaks needed for this all to work.

I noticed these things because I'm setting up bind, resolvconf and friends now,
and so don't have a live system to see how these play out.


- -- System Information:
Debian Release: 11.4
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-16-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages resolvconf depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  lsb-base               11.1.0

resolvconf recommends no packages.

resolvconf suggests no packages.

- -- debconf information:
  resolvconf/reboot-recommended-after-removal:
  resolvconf/link-tail-to-original: false
  resolvconf/downup-interfaces:


-----BEGIN PGP SIGNATURE-----

iQFSBAEBCgA8FiEEreS674/HIyV9gBfdnAYPmOsbK2AFAmL0Dj8eHHJvc3Nib3ls
YW5Ac3RhbmZvcmRhbHVtbmkub3JnAAoJEJwGD5jrGytg7YoIAIxFareH7xwzFLSk
Y8RHPMsds5vD3QoCmZbxZQxz1z7oWCsP8KSEYCEX7riu/C3RAF7qdWonWjNlBD/+
6nfkligBCtxipAgyyTtMrXL3QnZuIeMScFmfxO2BrUSi5dIrL6fKJp8cMFMWdNI/
8LiPDSX66v+0R5dWpdZt+v8zxQOEMUK64QQcXdyxf2JPHWG878Esm+qVwOsD4yXr
f0S0ScLyvZ/wP9SOhtjLVnv5NhJ/8uMRe9uitxyly+gKq0JPjpKvf0hOgmuv84VY
7q2DY+ELexsJKqIOvEjyXo2BgiyQd+dHkvwLzMal2mRT6j9u/KlmkKdCpf+0fYXs
ZD0wJhg=
=4GVp
-----END PGP SIGNATURE-----
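The report above describes what the resolvconf-update-bind hook is meant to do: write a fragment that named can read as forwarders and then reload named. The script below is an added illustration of that flow for a systemd-based system, written for this page; it is not the resolvconf package's own script and does not reproduce it. It assumes a fragment path of /run/named/forwarders.conf that named.conf.options includes inside its options block, that the caller pipes resolv.conf-style records (for example the output of `resolvconf -l`) into stdin, and that `rndc` is configured, so reloading does not go through an init script at all. Because the nameserver values ultimately come from DHCP and interface scripts, the hook only accepts tokens that look like IP literals before placing them in a file named will parse.

```shell
#!/bin/sh
# Hypothetical systemd-era update hook that feeds the nameservers resolvconf
# collected to a local named as forwarders. Added example; assumptions:
#   - the fragment path below is included from named.conf.options (inside
#     options { ... }), and /run/named is writable by whoever runs this hook;
#   - the caller pipes resolv.conf-style records into stdin;
#   - rndc is set up, so a reload works the same under systemd and sysvinit.

set -eu

FRAGMENT="${FRAGMENT:-/run/named/forwarders.conf}"

# Turn resolv.conf-style input on stdin into a "forwarders { ... };" clause.
# Only "nameserver" lines are used, duplicates are dropped and order is kept.
# Values are restricted to characters that occur in IPv4/IPv6 literals so that
# a malformed record cannot smuggle extra directives into the named config.
# An empty list yields "forwarders { };" so named stops forwarding instead of
# keeping upstreams from an interface that has gone away.
build_forwarders_fragment() {
    awk '
        $1 == "nameserver" && NF >= 2 && $2 ~ /^[0-9A-Fa-f.:]+$/ && !seen[$2]++ {
            ns[n++] = $2
        }
        END {
            printf "forwarders {"
            for (i = 0; i < n; i++) printf " %s;", ns[i]
            printf " };\n"
        }'
}

# Write the fragment atomically (tmp file + rename, so named never reads a
# half-written file) and ask named to reload it via rndc rather than an init
# script. A missing or failing rndc is tolerated: the fragment is still in
# place for the next reload.
update_named_forwarders() {
    dir=$(dirname "$FRAGMENT")
    [ -d "$dir" ] || mkdir -p "$dir"
    tmp=$(mktemp "$dir/.forwarders.XXXXXX")
    build_forwarders_fragment > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$FRAGMENT"
    if command -v rndc >/dev/null 2>&1; then
        rndc reload >/dev/null 2>&1 || true
    fi
}

# Entry point: `resolvconf -l | ./this-script run`. Guarded so the functions
# can also be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    update_named_forwarders
fi
```

With the fragment path overridden through the FRAGMENT environment variable the hook can be exercised on a scratch directory before it is wired into /etc/resolvconf/update.d, which avoids touching a live named while checking that the generated clause is what named.conf.options expects.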
