Import openresolv 3.9.2vendor/openresolv/3.9.2vendor/openresolv

More information at: https://roy.marples.name/projects/openresolv

14 files changed, 435 insertions, 244 deletions

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000000000000..758aec338057
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+Copyright (c) 2007-2019 Roy Marples <roy@marples.name>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
diff --git a/Makefile b/Makefile
index 095779b95b04..6cfa6e4ea072 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,7 @@ SYSCONFDIR?=	/etc
 LIBEXECDIR?=	/libexec/resolvconf
 VARDIR?=	/var/run/resolvconf
 
+ECHO?=		echo
 INSTALL?=	install
 SED?=		sed
 
@@ -20,7 +21,7 @@ DOCMODE?=	0644
 MANMODE?=	0444
 
 RESOLVCONF=	resolvconf resolvconf.8 resolvconf.conf.5
-SUBSCRIBERS=	libc dnsmasq named pdnsd unbound
+SUBSCRIBERS=	libc dnsmasq named pdnsd pdns_recursor unbound
 TARGET=		${RESOLVCONF} ${SUBSCRIBERS}
 SRCS=		${TARGET:C,$,.in,} # pmake
 SRCS:=		${TARGET:=.in} # gmake
@@ -42,7 +43,7 @@ DISTINFOSIGN=	${DISTINFO}.asc
 CKSUM?=		cksum -a SHA256
 PGP?=		netpgp
 
-FOSSILID?=	current
+GITREF?=	HEAD
 
 .SUFFIXES: .in
 
@@ -79,15 +80,17 @@ maninstall:
 
 install: proginstall maninstall
 
-import:
+dist-git:
+	git archive --prefix=${DISTPREFIX}/ ${GITREF} | xz >${DISTFILE}
+
+dist-inst:
+	mkdir /tmp/${DISTPREFIX}
+	cp -RPp * /tmp/${DISTPREFIX}
+	(cd /tmp/${DISTPREFIX}; make clean)
+	tar -cvjpf ${DISTFILE} -C /tmp ${DISTPREFIX}
 	rm -rf /tmp/${DISTPREFIX}
-	${INSTALL} -d /tmp/${DISTPREFIX}
-	cp README ${SRCS} /tmp/${DISTPREFIX}
 
-dist:
-	fossil tarball --name ${DISTPREFIX} ${FOSSILID} ${DISTFILEGZ}
-	gunzip -c ${DISTFILEGZ} | xz >${DISTFILE}
-	rm ${DISTFILEGZ}
+dist: dist-git
 
 distinfo: dist
 	rm -f ${DISTINFO} ${DISTINFOSIGN}
@@ -96,3 +99,20 @@ distinfo: dist
 	${PGP} --clearsign --output=${DISTINFOSIGN} ${DISTINFO}
 	chmod 644 ${DISTINFOSIGN}
 	ls -l ${DISTFILE} ${DISTINFO} ${DISTINFOSIGN}
+
+import: dist
+	rm -rf /tmp/${DISTPREFIX}
+	${INSTALL} -d /tmp/${DISTPREFIX}
+	tar xvJpf ${DISTFILE} -C /tmp
+
+_import-src:
+	rm -rf ${DESTDIR}/*
+	${INSTALL} -d ${DESTDIR}
+	cp LICENSE README.md ${SRCS} resolvconf.conf ${DESTDIR};
+	cp resolvconf.8.in resolvconf.conf.5.in ${DESTDIR};
+	@${ECHO}
+	@${ECHO} "============================================================="
+	@${ECHO} "openresolv-${VERSION} imported to ${DESTDIR}"
+
+import-src:
+	${MAKE} _import-src DESTDIR=`if [ -n "${DESTDIR}" ]; then echo "${DESTDIR}"; else  echo /tmp/${DISTPREFIX}; fi`
diff --git a/README b/README
deleted file mode 100644
index b4042b0e81a5..000000000000
--- a/README
+++ /dev/null
@@ -1,11 +0,0 @@
-openresolv is a resolvconf implementation which manages resolv.conf
-You can find the latest version at http://roy.marples.name/projects/openresolv
-It is written and maintained by Roy Marples <roy@marples.name>
-
-This resolvconf implementation, along with its subscribers, work with a
-POSIX compliant shell and userland utilities. It is designed to work without
-tools such as sed as it *has* to work without /usr being available.
-
-On systems where resolvconf is expected to be used before /var/run is available
-for writing, you can configure openresolv to write somewhere else, like say a
-ramdisk.
diff --git a/README.md b/README.md
new file mode 100644
index 000000000000..739cc73356cb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,64 @@
+# openresolv
+
+openresolv is a [resolvconf](https://en.wikipedia.org/wiki/Resolvconf)
+implementation which manages `/etc/resolv.conf`.
+
+`/etc/resolv.conf` is a file that holds the configuration for the local
+resolution of domain names.
+Normally this file is either static or maintained by a local daemon,
+normally a DHCP daemon. But what happens if more than one thing wants to
+control the file?
+Say you have wired and wireless interfaces to different subnets and run a VPN
+or two on top of that, how do you say which one controls the file?
+It's also not as easy as just adding and removing the nameservers each client
+knows about as different clients could add the same nameservers.
+
+Enter resolvconf, the middleman between the network configuration services and
+`/etc/resolv.conf`.
+resolvconf itself is just a script that stores, removes and lists a full
+`resolv.conf` generated for the interface. It then calls all the helper scripts
+it knows about so it can configure the real `/etc/resolv.conf` and optionally
+any local nameservers other than libc.
+
+## Reasons for using openresolv
+
+Why openresolv over the
+[Debian implementation](http://qref.sourceforge.net/Debian/reference/ch-gateway.en.html#s-dns-resolvconf)?
+Here's some reasons:
+  *  Works with
+  [POSIX shell and userland](http://www.opengroup.org/onlinepubs/009695399)
+  *  Does not need awk, grep or sed which means we can work without `/usr`
+  mounted
+  *  Works with other init systems than Debians' out of the box
+  *  Available as a 2 clause
+  [BSD license](http://www.freebsd.org/copyright/freebsd-license.html)
+  *  Prefer configs via IF_METRIC for dynamic ordering
+  *  Configures zones for local resolvers other than libc
+
+The last point is quite important, especially when running VPN systems.
+Take the following resolv.conf files which have been generated by a
+[DHCP client](../dhcpcd) and sent to resolvconf:
+
+```
+# resolv.conf from bge0
+search foo.com
+nameserver 1.2.3.4
+
+# resolv.conf from tap0
+domain bar.org
+nameserver 5.6.7.8
+```
+
+In this instance, queries for foo.com will go to 1.2.3.4 and queries for
+bar.org will go to 5.6.7.8.
+This does require the resolvers to be configured to pickup the resolvconf
+generated configuration for them though.
+openresolv ships with helpers for:
+  *  [unbound](http://www.unbound.net/)
+  *  [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html)
+  *  [ISC BIND](http://www.isc.org/software/bind)
+  *  [PowerDNS Recursor](http://wiki.powerdns.com/trac)
+
+See the
+[configuration section](https://roy.marples.name/projects/openresolv/config)
+for more details.
diff --git a/configure b/configure
index a890cf0dc634..c9422b74b69c 100644
--- a/configure
+++ b/configure
@@ -44,42 +44,8 @@ for x do
 	esac
 done
 
-if [ -z "$LIBEXECDIR" ]; then
-	printf "Checking for directory /libexec ... "
-	if [ -d /libexec ]; then
-		echo "yes"
-		LIBEXECDIR=$PREFIX/libexec/resolvconf
-	else
-		echo "no"
-		LIBEXECDIR=$PREFIX/lib/resolvconf
-	fi
-fi
-if [ -z "$RUNDIR" ]; then
-	printf "Checking for directory /run ... "
-	if [ -d /run ]; then
-		echo "yes"
-		RUNDIR=/run
-	else
-		echo "no"
-		RUNDIR=/var/run
-	fi
-fi	
-
 : ${SED:=sed}
 
-: ${SYSCONFDIR:=$PREFIX/etc}
-: ${SBINDIR:=$PREFIX/sbin}
-: ${LIBEXECDIR:=$PREFIX/libexec/resolvconf}
-: ${STATEDIR:=/var}
-: ${RUNDIR:=$STATEDIR/run}
-: ${MANDIR:=${PREFIX:-/usr}/share/man}
-
-eval SYSCONFDIR="$SYSCONFDIR"
-eval SBINDIR="$SBINDIR"
-eval LIBEXECDIR="$LIBEXECDIR"
-eval VARDIR="$RUNDIR/resolvconf"
-eval MANDIR="$MANDIR"
-
 CONFIG_MK=config.mk
 
 if [ -z "$BUILD" ]; then
@@ -121,7 +87,19 @@ rm -rf $CONFIG_MK
 echo "# $OS" >$CONFIG_MK
 
 case "$OS" in
-freebsd*)
+dragonfly*)
+	# This means /usr HAS to be mounted not via dhcpcd
+	: ${LIBEXECDIR:=${PREFIX:-/usr}/libexec/resolvconf}
+	;;
+linux*)
+	# cksum does't support -a and netpgp is rare
+	echo "CKSUM=		sha256sum --tag" >>$CONFIG_MK
+	echo "PGP=		gpg2" >>$CONFIG_MK
+	;;
+esac
+
+case "$OS" in
+dragonfly*|freebsd*)
 	# On FreeBSD, /etc/init.d/foo status returns 0 if foo is not enabled
 	# regardless of if it's not running.
 	# So we force onestatus to work around this silly bug.
@@ -129,13 +107,43 @@ freebsd*)
 		STATUSARG="onestatus"
 	fi
 	;;
-linux*)
-	# cksum does't support -a and netpgp is rare
-	echo "CKSUM=		sha256sum --tag" >>$CONFIG_MK
-	echo "PGP=		gpg2" >>$CONFIG_MK
-	;;
 esac
 
+
+if [ -z "$LIBEXECDIR" ]; then
+	printf "Checking for directory /libexec ... "
+	if [ -d /libexec ]; then
+		echo "yes"
+		LIBEXECDIR=$PREFIX/libexec/resolvconf
+	else
+		echo "no"
+		LIBEXECDIR=$PREFIX/lib/resolvconf
+	fi
+fi
+if [ -z "$RUNDIR" ]; then
+	printf "Checking for directory /run ... "
+	if [ -d /run ]; then
+		echo "yes"
+		RUNDIR=/run
+	else
+		echo "no"
+		RUNDIR=/var/run
+	fi
+fi
+
+: ${SYSCONFDIR:=$PREFIX/etc}
+: ${SBINDIR:=$PREFIX/sbin}
+: ${LIBEXECDIR:=$PREFIX/libexec/resolvconf}
+: ${STATEDIR:=/var}
+: ${RUNDIR:=$STATEDIR/run}
+: ${MANDIR:=${PREFIX:-/usr}/share/man}
+
+eval SYSCONFDIR="$SYSCONFDIR"
+eval SBINDIR="$SBINDIR"
+eval LIBEXECDIR="$LIBEXECDIR"
+eval VARDIR="$RUNDIR/resolvconf"
+eval MANDIR="$MANDIR"
+
 for x in SYSCONFDIR SBINDIR LIBEXECDIR VARDIR MANDIR RESTARTCMD RCDIR STATUSARG
 do
 	eval v=\$$x
diff --git a/dnsmasq.in b/dnsmasq.in
index b1a2c7408d9c..8b51866dca25 100644
--- a/dnsmasq.in
+++ b/dnsmasq.in
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (c) 2007-2016 Roy Marples
+# Copyright (c) 2007-2019 Roy Marples
 # All rights reserved
 
 # dnsmasq subscriber for resolvconf
@@ -28,7 +28,7 @@
 
 [ -f "@SYSCONFDIR@"/resolvconf.conf ] || exit 0
 . "@SYSCONFDIR@/resolvconf.conf" || exit 1
-[ -z "$dnsmasq_conf" -a -z "$dnsmasq_resolv" ] && exit 0
+[ -z "${dnsmasq_conf}${dnsmasq_resolv}" ] && exit 0
 [ -z "$RESOLVCONF" ] && eval "$(@SBINDIR@/resolvconf -v)"
 NL="
 "
@@ -98,7 +98,7 @@ for d in $DOMAINS; do
 				empty=false i=0
 				IFS=:
 				set -- $n
-				while [ -n "$1" -o -n "$2" ]; do
+				while [ -n "$1" ] || [ -n "$2" ]; do
 					addr="$1"
 					shift
 					if [ -z "$addr" ]; then
@@ -184,7 +184,7 @@ if $changed; then
 		eval $dnsmasq_restart
 	elif [ -n "$RESTARTCMD" ]; then
 		set -- ${dnsmasq_service}
-		eval $RESTARTCMD
+		eval "$RESTARTCMD"
 	else
 		@SBINDIR@/resolvconf -r ${dnsmasq_service}
 	fi
@@ -206,4 +206,6 @@ if $dbus; then
 	dbus-send --system --dest=uk.org.thekelleys.dnsmasq \
  		/uk/org/thekelleys/dnsmasq uk.org.thekelleys.$method \
   		$dbusdest
+	dbus-send --system --dest=uk.org.thekelleys.dnsmasq \
+		/uk/org/thekelleys/dnsmasq uk.org.thekelleys.ClearCache
 fi
diff --git a/libc.in b/libc.in
index d49be65b67be..f44f61bac7fc 100644
--- a/libc.in
+++ b/libc.in
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (c) 2007-2016 Roy Marples
+# Copyright (c) 2007-2019 Roy Marples
 # All rights reserved
 
 # libc subscriber for resolvconf
@@ -36,9 +36,9 @@ NL="
 # sed may not be available, and this is faster on small files
 key_get_value()
 {
-	local key="$1" x= line=
-
+	key="$1"
 	shift
+
 	if [ $# -eq 0 ]; then
 		while read -r line; do
 			case "$line" in
@@ -58,8 +58,6 @@ key_get_value()
 
 keys_remove()
 {
-	local key x line found
-
 	while read -r line; do
 		found=false
 		for key do
@@ -79,7 +77,7 @@ local_nameservers="127.* 0.0.0.0 255.255.255.255 ::1"
 if [ -f "$SYSCONFDIR"/resolvconf.conf ]; then
 	. "$SYSCONFDIR"/resolvconf.conf
 elif [ -d "$SYSCONFDIR"/resolvconf ]; then
-	SYSCONFDIR="$SYSCONFDIR/resolvconf/resolv.conf.d"
+	SYSCONFDIR="$SYSCONFDIR/resolvconf"
 	base="$SYSCONFDIR/resolv.conf.d/base"
 	if [ -f "$base" ]; then
 		prepend_nameservers="$(key_get_value "nameserver " "$base")"
@@ -98,10 +96,12 @@ fi
 : ${resolv_conf:=/etc/resolv.conf}
 : ${libc_service:=nscd}
 : ${list_resolv:=@SBINDIR@/resolvconf -l}
-if [ "${resolv_conf_head-x}" = x -a -f "$SYSCONFDIR"/resolv.conf.head ]; then
+if [ "${resolv_conf_head-x}" = x ] && [ -f "$SYSCONFDIR"/resolv.conf.head ]
+then
 	resolv_conf_head="$(cat "${SYSCONFDIR}"/resolv.conf.head)"
 fi
-if [ "${resolv_conf_tail-x}" = x -a -f "$SYSCONFDIR"/resolv.conf.tail ]; then
+if [ "${resolv_conf_tail-x}" = x ] && [ -f "$SYSCONFDIR"/resolv.conf.tail ]
+then
 	resolv_conf_tail="$(cat "$SYSCONFDIR"/resolv.conf.tail)"
 fi
 
@@ -110,7 +110,7 @@ signature="# Generated by resolvconf"
  
 uniqify()
 {
-	local result=
+	result=
 	while [ -n "$1" ]; do
 		case " $result " in
 		*" $1 "*);;
@@ -126,7 +126,7 @@ case "${resolv_conf_passthrough:-NO}" in
 	backup=false
 	newest=
 	for conf in "$IFACEDIR"/*; do
-		if [ -z "$newest" -o "$conf" -nt "$newest" ]; then
+		if [ -z "$newest" ] || [ "$conf" -nt "$newest" ]; then
 			newest="$conf"
 		fi
 	done
@@ -178,7 +178,7 @@ case "${resolv_conf_passthrough:-NO}" in
 	fi
 
 	[ -n "$domain" ] && newconf="${newconf}domain $domain$NL"
-	if [ -n "$newsearch" -a "$newsearch" != "$domain" ]; then
+	if [ -n "$newsearch" ] && [ "$newsearch" != "$domain" ]; then
 		newconf="${newconf}search $newsearch$NL"
 	fi
 	for n in $newns; do
@@ -232,7 +232,7 @@ if [ -n "$libc_restart" ]; then
 	eval $libc_restart
 elif [ -n "$RESTARTCMD" ]; then
 	set -- ${libc_service}
-	eval $RESTARTCMD
+	eval "$RESTARTCMD"
 else
 	@SBINDIR@/resolvconf -r ${libc_service}
 fi
diff --git a/named.in b/named.in
index 2083ea52058d..e5b5a91ee77a 100644
--- a/named.in
+++ b/named.in
@@ -28,14 +28,14 @@
 
 [ -f "@SYSCONFDIR@"/resolvconf.conf ] || exit 0
 . "@SYSCONFDIR@/resolvconf.conf" || exit 1
-[ -z "$named_zones" -a -z "$named_options" ] && exit 0
+[ -z "${named_zones}${named_options}" ] && exit 0
 [ -z "$RESOLVCONF" ] && eval "$(@SBINDIR@/resolvconf -v)"
 NL="
 "
 
 # Platform specific kludges
-if [ -z "$named_service" -a -z "$named_restart" -a \
-	-d "$RCDIR" -a ! -x "$RCDIR"/named ]
+if [ -z "${named_service}${named_restart}" ] &&
+   [ -d "$RCDIR" ] && ! [ -x "$RCDIR"/named ]
 then
 	if [ -x "$RCDIR"/bind9 ]; then
 		# Debian and derivatives
@@ -111,7 +111,7 @@ if $changed; then
 		eval $named_restart
 	elif [ -n "$RESTARTCMD" ]; then
 		set -- ${named_service}
-		eval $RESTARTCMD
+		eval "$RESTARTCMD"
 	else
 		@SBINDIR@/resolvconf -r ${named_service}
 	fi
diff --git a/pdns_recursor.in b/pdns_recursor.in
index ad2d922dc4de..f3632e000385 100644
--- a/pdns_recursor.in
+++ b/pdns_recursor.in
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (c) 2009-2011 Roy Marples
+# Copyright (c) 2009-2019 Roy Marples
 # All rights reserved
 
 # PowerDNS Recursor subscriber for resolvconf
@@ -33,17 +33,14 @@
 NL="
 "
 
-: ${pdns_service:=pdns_recursor}
+: ${pdns_service:=pdns-recursor}
 
 newzones=
 
-# pds_recursor does not present support global forward servers, which
-# does limit it's usefulness somewhat.
-# If it did, the below code can be enabled, or something like it.
-#for n in $NAMESERVERS; do
-#	newzones="$newzones${newzones:+,}$n"
-#done
-#[ -n "$newzones" ] && newzones=".=$newzones$NL"
+for n in $NAMESERVERS; do
+	newzones="$newzones${newzones:+,}$n"
+done
+[ -n "$newzones" ] && newzones="+.=$newzones$NL"
 
 for d in $DOMAINS; do
 	newns=
@@ -71,7 +68,7 @@ then
 		eval $pdns_restart
 	elif [ -n "$RESTARTCMD" ]; then
 		set -- ${pdns_service}
-		eval $RESTARTCMD
+		eval "$RESTARTCMD"
 	else
 		@SBINDIR@/resolvconf -r ${pdns_service}
 	fi
diff --git a/pdnsd.in b/pdnsd.in
index 59a4755aff16..971d90d26a1a 100644
--- a/pdnsd.in
+++ b/pdnsd.in
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (c) 2010-2013 Roy Marples
+# Copyright (c) 2010-2018 Roy Marples
 # All rights reserved
 
 # pdnsd subscriber for resolvconf
@@ -28,7 +28,7 @@
 
 [ -f "@SYSCONFDIR@"/resolvconf.conf ] || exit 0
 . "@SYSCONFDIR@/resolvconf.conf" || exit 1
-[ -z "$pdnsd_conf" -a -z "$pdnsd_resolv" ] && exit 0
+[ -z "${pdnsd_conf}${pdnsd_resolv}" ] && exit 0
 [ -z "$RESOLVCONF" ] && eval "$(@SBINDIR@/resolvconf -v)"
 NL="
 "
@@ -41,14 +41,16 @@ signature_end="# End of resolvconf"
 # but sed may not always be available at the time.
 remove_markers()
 {
-	local m1="$1" m2="$2" x= line= in_marker=0
+	m1="$1"
+	m2="$2"
+	in_marker=0
 
 	shift; shift
 	if type sed >/dev/null 2>&1; then
 		sed "/^$m1/,/^$m2/d" $@
 	else
-		for x; do
-			while read -r line; do
+		for x do
+			while read line; do
 				case "$line" in
 				"$m1"*) in_marker=1;;
 				"$m2"*) in_marker=0;;
diff --git a/resolvconf.conf b/resolvconf.conf
index 607f6af4d919..4f5f2e6f42ef 100644
--- a/resolvconf.conf
+++ b/resolvconf.conf
@@ -4,4 +4,4 @@
 resolv_conf=/etc/resolv.conf
 # If you run a local name server, you should uncomment the below line and
 # configure your subscribers configuration files below.
-#name_servers=127.0.0.1
\ No newline at end of file
+#name_servers=127.0.0.1
diff --git a/resolvconf.conf.5.in b/resolvconf.conf.5.in
index fcebd864e367..1b0c47160845 100644
--- a/resolvconf.conf.5.in
+++ b/resolvconf.conf.5.in
@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd December 29, 2016
+.Dd September 8, 2019
 .Dt RESOLVCONF.CONF 5
 .Os
 .Sh NAME
@@ -64,19 +64,25 @@ Defaults to YES.
 .It Sy interface_order
 These interfaces will always be processed first.
 If unset, defaults to the following:-
-.D1 lo lo[0-9]*
+.Bd -compact -literal -offset indent
+lo lo[0-9]*
+.Ed
 .It Sy dynamic_order
 These interfaces will be processed next, unless they have a metric.
 If unset, defaults to the following:-
-.D1 tap[0-9]* tun[0-9]* vpn vpn[0-9]* ppp[0-9]* ippp[0-9]*
+.Bd -compact -literal -offset indent
+tap[0-9]* tun[0-9]* vpn vpn[0-9]* ppp[0-9]* ippp[0-9]*
+.Ed
 .It Sy inclusive_interfaces
-Ignore any exlcusive marking for these interfaces.
+Ignore any exclusive marking for these interfaces.
 This is handy when 3rd party integrations force the
 .Nm resolvconf -x
 option and you want to disable it easily.
 .It Sy local_nameservers
 If unset, defaults to the following:-
-.D1 127.* 0.0.0.0 255.255.255.255 ::1
+.Bd -compact -literal -offset indent
+127.* 0.0.0.0 255.255.255.255 ::1
+.Ed
 .It Sy search_domains
 Prepend search domains to the dynamically generated list.
 .It Sy search_domains_append
@@ -118,16 +124,24 @@ The syntax is this:
 .Va $keyword Ns / Ns Va $match Ns / Ns Va $replacement
 .Pp
 Example, given this resolv.conf:
-.D1 domain foo.org
-.D1 search foo.org dead.beef
-.D1 nameserver 1.2.3.4
-.D1 nameserver 2.3.4.5
+.Bd -compact -literal -offset indent
+domain foo.org
+search foo.org dead.beef
+nameserver 1.2.3.4
+nameserver 2.3.4.5
+.Ed
 and this configuaration:
-.D1 replace="search/foo*/bar.com nameserver/1.2.3.4/5.6.7.8 nameserver/2.3.4.5/"
+.Bd -compact -literal -offset indent
+replace="search/foo*/bar.com"
+replace="$replace nameserver/1.2.3.4/5.6.7.8"
+replace="$replace nameserver/2.3.4.5/"
+.Ed
 you would get this resolv.conf instead:
-.D1 domain foo.org
-.D1 search bar.com
-.D1 nameserver 5.6.7.8
+.Bd -compact -literal -offset indent
+domain foo.org
+search bar.com
+nameserver 5.6.7.8
+.Ed
 .It Sy replace_sub
 Works the same way as
 .Sy replace
@@ -138,9 +152,11 @@ Using the same example resolv.conf and changing
 to
 .Sy replace_sub ,
 you would get this resolv.conf instead:
-.D1 domain foo.org
-.D1 search bar.com dead.beef
-.D1 nameserver 5.6.7.8
+.Bd -compact -literal -offset indent
+domain foo.org
+search bar.com dead.beef
+nameserver 5.6.7.8
+.Ed
 .It Sy state_dir
 Override the default state directory of
 .Pa @VARDIR@ .
@@ -195,7 +211,8 @@ Prepend search domains to the dynamically generated list.
 openresolv ships with subscribers for the name servers
 .Xr dnsmasq 8 ,
 .Xr named 8 ,
-.Xr pdnsd 8
+.Xr pdnsd 8 ,
+.Xr pdns_recursor 8 ,
 and
 .Xr unbound 8 .
 Each subscriber can create configuration files which should be included in
@@ -203,7 +220,9 @@ in the subscribers main configuration file.
 .Pp
 To disable a subscriber, simply set it's name to NO.
 For example, to disable the libc subscriber you would set:
-.D1 libc=NO
+.Bd -compact -literal -offset indent
+libc=NO
+.Ed
 .Bl -tag -width indent
 .It Sy dnsmasq_conf
 This file tells dnsmasq which name servers to use for specific domains.
@@ -211,17 +230,21 @@ This file tells dnsmasq which name servers to use for specific domains.
 This file tells dnsmasq which name servers to use for global lookups.
 .Pp
 Example resolvconf.conf for dnsmasq:
-.D1 name_servers=127.0.0.1
-.D1 dnsmasq_conf=/etc/dnsmasq-conf.conf
-.D1 dnsmasq_resolv=/etc/dnsmasq-resolv.conf
+.Bd -compact -literal -offset indent
+name_servers=127.0.0.1
+dnsmasq_conf=/etc/dnsmasq-conf.conf
+dnsmasq_resolv=/etc/dnsmasq-resolv.conf
+.Ed
 .Pp
 Example dnsmasq.conf:
-.D1 listen-address=127.0.0.1
-.D1 # If dnsmasq is compiled for DBus then we can take
-.D1 # advantage of not having to restart dnsmasq.
-.D1 enable-dbus
-.D1 conf-file=/etc/dnsmasq-conf.conf
-.D1 resolv-file=/etc/dnsmasq-resolv.conf
+.Bd -compact -literal -offset indent
+listen-address=127.0.0.1
+# If dnsmasq is compiled for DBus then we can take
+# advantage of not having to restart dnsmasq.
+enable-dbus
+conf-file=/etc/dnsmasq-conf.conf
+resolv-file=/etc/dnsmasq-resolv.conf
+.Ed
 .It Sy named_options
 Include this file in the named options block.
 This file tells named which name servers to use for global lookups.
@@ -230,16 +253,21 @@ Include this file in the named global scope, after the options block.
 This file tells named which name servers to use for specific domains.
 .Pp
 Example resolvconf.conf for named:
-.D1 name_servers=127.0.0.1
-.D1 named_options=/etc/named-options.conf
-.D1 named_zones=/etc/named-zones.conf
+.Bd -compact -literal -offset indent
+name_servers=127.0.0.1
+named_options=/etc/named-options.conf
+named_zones=/etc/named-zones.conf
+.Ed
 .Pp
 Example named.conf:
-.D1 options {
-.D1 	listen-on { 127.0.0.1; };
-.D1 	include "/etc/named-options.conf";
-.D1 };
-.D1 include "/etc/named-zones.conf";
+.Bd -compact -literal -offset indent
+options {
+	listen-on { 127.0.0.1; };
+	include "/etc/named-options.conf";
+};
+
+include "/etc/named-zones.conf";
+.Ed
 .It Sy pdnsd_conf
 This is the main pdnsd configuration file which we modify to add our
 forward domains to.
@@ -253,32 +281,54 @@ If this variable is not set then it's written to
 .Pa pdnsd_conf .
 .Pp
 Example resolvconf.conf for pdnsd:
-.D1 name_servers=127.0.0.1
-.D1 pdnsd_conf=/etc/pdnsd.conf
-.D1 # pdnsd_resolv=/etc/pdnsd-resolv.conf
+.Bd -compact -literal -offset indent
+name_servers=127.0.0.1
+pdnsd_conf=/etc/pdnsd.conf
+# pdnsd_resolv=/etc/pdnsd-resolv.conf
+.Ed
 .Pp
 Example pdnsd.conf:
-.D1 global {
-.D1 	server_ip = 127.0.0.1;
-.D1 	status_ctl = on;
-.D1 }
-.D1 server {
-.D1 	# A server definition is required, even if emtpy.
-.D1 	label="empty";
-.D1 	proxy_only=on;
-.D1 	# file="/etc/pdnsd-resolv.conf";
-.D1 }
+.Bd -compact -literal -offset indent
+global {
+	server_ip = 127.0.0.1;
+	status_ctl = on;
+}
+server {
+	# A server definition is required, even if empty.
+	label="empty";
+	proxy_only=on;
+	# file="/etc/pdnsd-resolv.conf";
+}
+.Ed
+.It Sy pdns_zones
+This file tells pdns_recursor about specific and global name servers.
+.Pp
+Example resolvconf.conf for pdns_recursor:
+.Bd -compact -literal -offset indent
+name_servers=127.0.0.1
+pdns_zones=/etc/pdns/recursor-zones.conf
+.Ed
+.Pp
+Example recursor.conf:
+.Bd -compact -literal -offset indent
+allow-from=127.0.0.0/8, ::1/128
+forward-zones-file=/etc/pdns/recursor-zones.conf
+.Ed
 .It Sy unbound_conf
 This file tells unbound about specific and global name servers.
 .It Sy unbound_insecure
 When set to YES, unbound marks the domains as insecure, thus ignoring DNSSEC.
 .Pp
 Example resolvconf.conf for unbound:
-.D1 name_servers=127.0.0.1
-.D1 unbound_conf=/etc/unbound-resolvconf.conf
+.Bd -compact -literal -offset indent
+name_servers=127.0.0.1
+unbound_conf=/etc/unbound-resolvconf.conf
+.Ed
 .Pp
 Example unbound.conf:
-.D1 include: /etc/unbound-resolvconf.conf
+.Bd -compact -literal -offset indent
+include: /etc/unbound-resolvconf.conf
+.Ed
 .El
 .Sh SUBSCRIBER INTEGRATION
 Not all distributions store the files the subscribers need in the same
@@ -292,7 +342,6 @@ Also, users could equally want to use a different version from the one
 installed by default, such as bind8 and bind9.
 To accommodate this, the subscribers have these files in configurable
 variables, documented below.
-.Pp
 .Bl -tag -width indent
 .It Sy dnsmasq_service
 Name of the dnsmasq service.
@@ -310,6 +359,10 @@ Name of the named service.
 Command to restart the named service.
 .It Sy pdnsd_restart
 Command to restart the pdnsd service.
+.It Sy pdns_service
+Command to restart the pdns_recursor service.
+.It Sy pdns_restart
+Command to restart the pdns_recursor service.
 .It Sy unbound_service
 Name of the unbound service.
 .It Sy unbound_restart
diff --git a/resolvconf.in b/resolvconf.in
index 7353cfc348d1..e7d382111813 100644
--- a/resolvconf.in
+++ b/resolvconf.in
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (c) 2007-2016 Roy Marples
+# Copyright (c) 2007-2019 Roy Marples
 # All rights reserved
 
 # Redistribution and use in source and binary forms, with or without
@@ -25,7 +25,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 RESOLVCONF="$0"
-OPENRESOLV_VERSION="3.9.0"
+OPENRESOLV_VERSION="3.9.2"
 SYSCONFDIR=@SYSCONFDIR@
 LIBEXECDIR=@LIBEXECDIR@
 VARDIR=@VARDIR@
@@ -125,21 +125,22 @@ usage()
 # If you think otherwise, capture a DNS trace and you'll see libc
 # will strip it regardless.
 # This also solves setting up duplicate zones in our subscribers.
-strip_trailing_dots()
+# Also strip any comments denoted by #.
+resolv_strip()
 {
-	local n= d=
-
-	for n; do
-		printf "$d%s" "${n%.}"
-		d=" "
+	space=
+	for word; do
+		case "$word" in
+		\#*) break;;
+		esac
+		printf "%s%s" "$space${word%.}"
+		space=" "
 	done
 	printf "\n"
 }
 
 private_iface()
 {
-	local p
-
 	# Allow expansion
 	cd "$IFACEDIR"
 
@@ -168,12 +169,15 @@ private_iface()
 # for domain name servers, search name servers and global nameservers
 parse_resolv()
 {
-	local line= ns= ds= search= d= n= newns=
-	local new=true iface= private=false p= domain= l= islocal=
-
+	domain=
+	new=true
 	newns=
+	ns=
+	private=false
+	search=
 
 	while read -r line; do
+		stripped_line="$(resolv_strip ${line#* })"
 		case "$line" in
 		"# resolv.conf from "*)
 			if ${new}; then
@@ -189,29 +193,32 @@ parse_resolv()
 		"nameserver "*)
 			islocal=false
 			for l in $local_nameservers; do
-				case "${line#* }" in
+				case "$stripped_line" in
 				$l)
 					islocal=true
-					echo "LOCALNAMESERVERS=\"\$LOCALNAMESERVERS ${line#* }\""
 					break
 					;;
 				esac
 			done
-			$islocal || ns="$ns${line#* } "
+			if $islocal; then
+				echo "LOCALNAMESERVERS=\"\$LOCALNAMESERVERS $stripped_line\""
+			else
+				ns="$ns$stripped_line "
+			fi
 			;;
 		"domain "*)
-			search="$(strip_trailing_dots ${line#* })"
+			search="$stripped_line"
 			if [ -z "$domain" ]; then
 				domain="$search"
 				echo "DOMAIN=\"$domain\""
 			fi
 			;;
 		"search "*)
-			search="$(strip_trailing_dots ${line#* })"
+			search="$stripped_line"
 			;;
 		*)
 			[ -n "$line" ] && continue
-			if [ -n "$ns" -a -n "$search" ]; then
+			if [ -n "$ns" ] && [ -n "$search" ]; then
 				newns=
 				for n in $ns; do
 					newns="$newns${newns:+,}$n"
@@ -236,7 +243,7 @@ parse_resolv()
 
 uniqify()
 {
-	local result=
+	result=
 	while [ -n "$1" ]; do
 		case " $result " in
 		*" $1 "*);;
@@ -249,8 +256,8 @@ uniqify()
 
 dirname()
 {
-	local dir= OIFS="$IFS"
-	local IFS=/
+	OIFS="$IFS"
+	IFS=/
 	set -- $@
 	IFS="$OIFS"
 	if [ -n "$1" ]; then
@@ -267,7 +274,7 @@ dirname()
 
 config_mkdirs()
 {
-	local e=0 f d
+	e=0
 	for f; do
 		[ -n "$f" ] || continue
 		d="$(dirname "$f")"
@@ -295,66 +302,86 @@ detect_init()
 	# Detect the running init system.
 	# As systemd and OpenRC can be installed on top of legacy init
 	# systems we try to detect them first.
-	local status="@STATUSARG@"
+	status="@STATUSARG@"
 	: ${status:=status}
-	if [ -x /bin/systemctl -a -S /run/systemd/private ]; then
-		RESTARTCMD="if /bin/systemctl --quiet is-active \$1.service; then
-	/bin/systemctl restart \$1.service;
-fi"
-	elif [ -x /usr/bin/systemctl -a -S /run/systemd/private ]; then
-		RESTARTCMD="if /usr/bin/systemctl --quiet is-active \$1.service; then
-	/usr/bin/systemctl restart \$1.service;
-fi"
-	elif [ -x /sbin/rc-service -a \
-	    -s /libexec/rc/init.d/softlevel -o -s /run/openrc/softlevel ]
+	if [ -x /bin/systemctl ] && [ -S /run/systemd/private ]; then
+		RESTARTCMD='
+			if /bin/systemctl --quiet is-active $1.service
+			then
+				/bin/systemctl restart $1.service
+			fi'
+	elif [ -x /usr/bin/systemctl ] && [ -S /run/systemd/private ]; then
+		RESTARTCMD='
+			if /usr/bin/systemctl --quiet is-active $1.service
+			then
+				/usr/bin/systemctl restart $1.service
+			fi'
+	elif [ -x /sbin/rc-service ] &&
+	     { [ -s /libexec/rc/init.d/softlevel ] ||
+	     [ -s /run/openrc/softlevel ]; }
 	then
-		RESTARTCMD="/sbin/rc-service -i \$1 -- -Ds restart"
+		RESTARTCMD='/sbin/rc-service -i $1 -- -Ds restart'
 	elif [ -x /usr/sbin/invoke-rc.d ]; then
 		RCDIR=/etc/init.d
-		RESTARTCMD="if /usr/sbin/invoke-rc.d --quiet \$1 status 1>/dev/null 2>&1; then
-	/usr/sbin/invoke-rc.d \$1 restart;
-fi"
+		RESTARTCMD='
+		   if /usr/sbin/invoke-rc.d --quiet $1 status >/dev/null 2>&1
+		   then
+			/usr/sbin/invoke-rc.d $1 restart
+		   fi'
 	elif [ -x /sbin/service ]; then
 		# Old RedHat
 		RCDIR=/etc/init.d
-		RESTARTCMD="if /sbin/service \$1; then
-	/sbin/service \$1 restart;
-fi"
+		RESTARTCMD='
+			if /sbin/service $1; then
+				/sbin/service $1 restart
+			fi'
 	elif [ -x /usr/sbin/service ]; then
 		# Could be FreeBSD
-		RESTARTCMD="if /usr/sbin/service \$1 $status 1>/dev/null 2>&1; then
-	/usr/sbin/service \$1 restart;
-fi"
+		RESTARTCMD="
+			if /usr/sbin/service \$1 $status >/dev/null 2>&1
+			then
+				/usr/sbin/service \$1 restart
+			fi"
 	elif [ -x /bin/sv ]; then
-		RESTARTCMD="/bin/sv status \$1 >/dev/null 2>&1 && /bin/sv try-restart \$1"
+		RESTARTCMD='/bin/sv status $1 >/dev/null 2>&1 &&
+			    /bin/sv try-restart $1'
 	elif [ -x /usr/bin/sv ]; then
-		RESTARTCMD="/usr/bin/sv status \$1 >/dev/null 2>&1 && /usr/bin/sv try-restart \$1"
-	elif [ -e /etc/arch-release -a -d /etc/rc.d ]; then
+		RESTARTCMD='/usr/bin/sv status $1 >/dev/null 2>&1 &&
+			    /usr/bin/sv try-restart $1'
+	elif [ -e /etc/arch-release ] && [ -d /etc/rc.d ]; then
 		RCDIR=/etc/rc.d
-		RESTARTCMD="if [ -e /var/run/daemons/\$1 ]; then
-	/etc/rc.d/\$1 restart;
-fi"
-	elif [ -e /etc/slackware-version -a -d /etc/rc.d ]; then
-		RESTARTCMD="if /etc/rc.d/rc.\$1 status 1>/dev/null 2>&1; then
-	/etc/rc.d/rc.\$1 restart;
-fi"
-	elif [ -e /etc/rc.d/rc.subr -a -d /etc/rc.d ]; then
+		RESTARTCMD='
+			if [ -e /var/run/daemons/$1 ]
+			then
+				/etc/rc.d/$1 restart
+			fi'
+	elif [ -e /etc/slackware-version ] && [ -d /etc/rc.d ]; then
+		RESTARTCMD='
+			if /etc/rc.d/rc.$1 status >/dev/null 2>&1
+			then
+				/etc/rc.d/rc.$1 restart
+			fi'
+	elif [ -e /etc/rc.d/rc.subr ] && [ -d /etc/rc.d ]; then
 		# OpenBSD
-		RESTARTCMD="if /etc/rc.d/\$1 check 1>/dev/null 2>&1; then
-	/etc/rc.d/\$1 restart;
-fi"
+		RESTARTCMD='
+			if /etc/rc.d/$1 check >/dev/null 2>&1
+			then
+				/etc/rc.d/$1 restart
+			fi'
 	else
 		for x in /etc/init.d/rc.d /etc/rc.d /etc/init.d; do
 			[ -d $x ] || continue
-			RESTARTCMD="if $x/\$1 $status 1>/dev/null 2>&1; then
-	$x/\$1 restart;
-fi"
+			RESTARTCMD="
+				if $x/\$1 $status >/dev/null 2>&1
+				then
+					$x/\$1 restart
+				fi"
 			break
 		done
 	fi
 
 	if [ -z "$RESTARTCMD" ]; then
-		if [ "$NOINIT_WARNED" != true ]; then
+		if [ "$_NOINIT_WARNED" != true ]; then
 			warn "could not detect a useable init system"
 			_NOINIT_WARNED=true
 		fi
@@ -366,9 +393,9 @@ fi"
 
 echo_resolv()
 {
-	local line= OIFS="$IFS"
+	OIFS="$IFS"
 
-	[ -n "$1" -a -f "$IFACEDIR/$1" ] || return 1
+	[ -n "$1" ] && [ -f "$IFACEDIR/$1" ] || return 1
 	echo "# resolv.conf from $1"
 	# Our variable maker works of the fact each resolv.conf per interface
 	# is separated by blank lines.
@@ -388,11 +415,16 @@ list_resolv()
 {
 	[ -d "$IFACEDIR" ] || return 0
 
-	local report=false list= retval=0 cmd="$1" excl=
+	cmd="$1"
 	shift
+	excl=false
+	list=
+	report=false
+	retval=0
 
 	case "$IF_EXCLUSIVE" in
 	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
+		excl=true
 		if [ -d "$EXCLUSIVEDIR" ]; then
 			cd "$EXCLUSIVEDIR"
 			for i in *; do
@@ -402,19 +434,15 @@ list_resolv()
 				fi
 			done
 		fi
-		excl=true
 		cd "$IFACEDIR"
 		for i in $inclusive_interfaces; do
-			if [ -f "$i" -a "$list" = "$i" ]; then
+			if [ -f "$i" ] && [ "$list" = "$i" ]; then
 				list=
 				excl=false
 				break
 			fi
 		done
 		;;
-	*)
-		excl=false
-		;;
 	esac
 
 	# If we have an interface ordering list, then use that.
@@ -431,22 +459,28 @@ list_resolv()
 			done
 		done
 		for i in $dynamic_order; do
-			if [ -e "$i" -a ! -e "$METRICDIR/"*" $i" ]; then
+			if [ -e "$i" ] && ! [ -e "$METRICDIR/"*" $i" ]; then
 				list="$list $i"
 			fi
 			for ii in "$i":* "$i".*; do
-				if [ -f "$ii" -a ! -e "$METRICDIR/"*" $ii" ]; then
+				if [ -f "$ii" ] && ! [ -e "$METRICDIR/"*" $ii" ]
+				then
 					list="$list $ii"
 				fi
 			done
 		done
+		# Interfaces have an implicit metric of 0 if not specified.
+		for i in *; do
+			if [ -f "$i" ] && ! [ -e "$METRICDIR/"*" $i" ]; then
+				list="$list $i"
+			fi
+		done
 		if [ -d "$METRICDIR" ]; then
 			cd "$METRICDIR"
 			for i in *; do
 				[ -f "$i" ] && list="$list ${i#* }"
 			done
 		fi
-		list="$list *"
 	fi
 
 	cd "$IFACEDIR"
@@ -461,23 +495,24 @@ list_resolv()
 			continue
 		fi
 		
-		if [ "$cmd" = i -o "$cmd" = "-i" ]; then
+		if [ "$cmd" = i ] || [ "$cmd" = "-i" ]; then
 			printf %s "$i "
 		else
 			echo_resolv "$i" && echo
 		fi
-		[ $? = 0 -a "$retval" = 1 ] && retval=0
+		[ $? = 0 ] && [ "$retval" = 1 ] && retval=0
 	done
-	[ "$cmd" = i -o "$cmd" = "-i" ] && echo
+	[ "$cmd" = i ] || [ "$cmd" = "-i" ] && echo
 	return $retval
 }
 
-list_remove() {
-	local list= e= l= result= found= retval=0
-
+list_remove()
+{
 	[ -z "$2" ] && return 0
 	eval list=\"\$$1\"
 	shift
+	result=
+	retval=0
 
 	set -f
 	for e; do
@@ -525,8 +560,6 @@ echo_append()
 
 replace()
 {
-	local r= k= f= v= val= sub=
-
 	while read -r keyword value; do
 		for r in $replace; do
 			k="${r%%/*}"
@@ -566,8 +599,6 @@ replace()
 
 make_vars()
 {
-	local newdomains= d= dn= newns= ns=
-
 	# Clear variables
 	DOMAIN=
 	DOMAINS=
@@ -575,7 +606,7 @@ make_vars()
 	NAMESERVERS=
 	LOCALNAMESERVERS=
 	
-	if [ -n "$name_servers" -o -n "$search_domains" ]; then
+	if [ -n "${name_servers}${search_domains}" ]; then
 		eval "$(echo_prepend | parse_resolv)"
 	fi
 	if [ -z "$VFLAG" ]; then
@@ -583,11 +614,12 @@ make_vars()
 		list_resolv -i "$@" >/dev/null || IF_EXCLUSIVE=0
 		eval "$(list_resolv -l "$@" | replace | parse_resolv)"
 	fi
-	if [ -n "$name_servers_append" -o -n "$search_domains_append" ]; then
+	if [ -n "${name_servers_append}${search_domains_append}" ]; then
 		eval "$(echo_append | parse_resolv)"
 	fi
 
 	# Ensure that we only list each domain once
+	newdomains=
 	for d in $DOMAINS; do
 		dn="${d%%:*}"
 		list_remove domain_blacklist "$dn" >/dev/null || continue
@@ -667,36 +699,37 @@ if [ "$cmd" = D ]; then
 fi
 
 # -l lists our resolv files, optionally for a specific interface
-if [ "$cmd" = l -o "$cmd" = i ]; then
+if [ "$cmd" = l ] || [ "$cmd" = i ]; then
 	list_resolv "$cmd" "$args"
 	exit $?
 fi
 
 # Restart a service or echo the command to restart a service
-if [ "$cmd" = r -o "$cmd" = R ]; then
+if [ "$cmd" = r ] || [ "$cmd" = R ]; then
 	detect_init || exit 1
 	if [ "$cmd" = r ]; then
 		set -- $args
-		eval $RESTARTCMD
+		eval "$RESTARTCMD"
 	else
-		echo "$RESTARTCMD"
+		echo "$RESTARTCMD" |
+			sed -e '/^$/d' -e 's/^			//g'
 	fi
 	exit $?
 fi
 
 # Not normally needed, but subscribers should be able to run independently
-if [ "$cmd" = v -o -n "$VFLAG" ]; then
+if [ "$cmd" = v ] || [ -n "$VFLAG" ]; then
 	make_vars "$iface"
 	exit $?
 fi
 
 # Test that we have valid options
-if [ "$cmd" = a -o "$cmd" = d ]; then
+if [ "$cmd" = a ] || [ "$cmd" = d ]; then
 	if [ -z "$iface" ]; then
 		usage "Interface not specified"
 	fi
 elif [ "$cmd" != u ]; then
-	[ -n "$cmd" -a "$cmd" != h ] && usage "Unknown option $cmd"
+	[ -n "$cmd" ] && [ "$cmd" != h ] && usage "Unknown option $cmd"
 	usage
 fi
 
@@ -712,7 +745,7 @@ if [ "$cmd" = a ]; then
 			"$x not allowed at start of interface name";;
 		esac
 	done
-	[ "$cmd" = a -a -t 0 ] && error_exit "No file given via stdin"
+	[ "$cmd" = a ] && [ -t 0 ] && error_exit "No file given via stdin"
 fi
 
 if [ ! -d "$VARDIR" ]; then
@@ -808,8 +841,8 @@ a)
 		newmetric="$METRICDIR/$IF_METRIC $iface"
 	fi
 	rm -f "$METRICDIR/"*" $iface"
-	[ "$oldmetric" != "$newmetric" -a \
-	    "$oldmetric" != "$METRICDIR/* $iface" ] &&
+	[ "$oldmetric" != "$newmetric" ] &&
+	    [ "$oldmetric" != "$METRICDIR/* $iface" ] &&
 		changed=true
 	[ -n "$newmetric" ] && echo " " >"$newmetric"
 
diff --git a/unbound.in b/unbound.in
index 46d45246ff2e..34cb401f57c1 100644
--- a/unbound.in
+++ b/unbound.in
@@ -76,7 +76,7 @@ restart_unbound()
 		eval $unbound_restart
 	elif [ -n "$RESTARTCMD" ]; then
 		set -- ${unbound_service}
-		eval $RESTARTCMD
+		eval "$RESTARTCMD"
 	else
 		@SBINDIR@/resolvconf -r ${unbound_service}
 	fi