I haven’t ever gotten dnssec-trigger to work, but today based on IRC discussion, I finally understood what was wrong.

It’s very simple.

# Check for updates to the repos & install dnssec-trigger and unbound
sudo apt-get update && sudo apt-get install unbound dnssec-trigger

And this is the farthest I have gotten before. But today at IRC there was talk on DNS proxies which Ubuntu and Fedora use, Ubuntu uses dnsmasq and Fedora unbound. That made me read the fine manual of NetworkManager.conf…

           Set the DNS (resolv.conf) processing mode.

           default: The default if the key is not specified. NetworkManager
           will update resolv.conf to reflect the nameservers provided by
           currently active connections.

           dnsmasq: NetworkManager will run dnsmasq as a local caching
           nameserver, using a "split DNS" configuration if you are connected
           to a VPN, and then update resolv.conf to point to the local

           unbound: NetworkManager will talk to unbound and dnssec-triggerd,
           providing a "split DNS" configuration with DNSSEC support. The
           /etc/resolv.conf will be managed by dnssec-trigger daemon.

           none: NetworkManager will not modify resolv.conf.

And there is the solution, unbound. The third line of NetworkManager.conf is usually dns=dnsmasq, just change it to dns=unbound or add the line if it doesn’t exist and restart networkmanager with sudo systemctl restart NetworkManager.service and your dnssec-trigger should now work.

And when you sudo reboot you should see new dnssec-trigger tray icon in your tray bar or whatever it was called as.

Edit: Arch users do remember do systemctl enable dnssec-triggerd and systemctl enable unbound.