diff --git a/01-dnssec-trigger-hook b/01-dnssec-trigger-hook
new file mode 100755
index 0000000..f6c7d2a
--- /dev/null
+++ b/01-dnssec-trigger-hook
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# NetworkManager trigger for in dispatcher.d
+# config items
+alias unbound-control="/usr/sbin/unbound-control"
+alias dnssec-trigger-control="/usr/sbin/dnssec-trigger-control"
+alias pidof="/usr/sbin/pidof"
+alias nmcli="/usr/bin/nmcli"
+
+state_dir="/var/run/dnssec-trigger"
+validate_forward_zones="no"
+
+# implementation
+ifname="$1"
+action="$2"
+domains=""
+nameservers=""
+global_nameservers=""
+conn_zones_file="$state_dir/$CONNECTION_UUID"
+
+################################################################
+# get domains and nameservers if provided by connection going up
+case "$action" in
+ "vpn-up" )
+ domains="`echo $VPN_IP4_DOMAINS $VPN_IP6_DOMAINS | tr " " "\n" | sort -u | tr "\n" " " | sed '$s/.$//'`"
+ nameservers="`echo $VPN_IP4_NAMESERVERS $VPN_IP6_NAMESERVERS`"
+ ;;
+ "up" )
+ domains="`echo $IP4_DOMAINS $IP6_DOMAINS | tr " " "\n" | sort -u | tr "\n" " " | sed '$s/.$//'`"
+ nameservers="`echo $IP4_NAMESERVERS $IP6_NAMESERVERS`"
+ ;;
+esac
+
+#########################
+# get global nameservers
+if [ -x "`which $nmcli 2>&1`" ]; then
+ global_nameservers="`$nmcli -f IP4,IP6 dev list | fgrep 'DNS' | awk '{print $2;}'`"
+else
+ global_nameservers="`nm-tool | grep 'DNS:' | awk '{print $2;}'`"
+fi
+# fix whitespaces
+global_nameservers="`echo $global_nameservers`"
+
+
+############################################################
+# configure global nameservers using dnssec-trigger-control
+if [ -n "`pidof dnssec-triggerd`" ] ; then
+ dnssec-trigger-control submit "$global_nameservers" &> /dev/null
+ logger "dnssec-trigger-hook(networkmanager) $ifname $action added global DNS $global_nameservers"
+else
+ logger "dnssec-trigger-hook(networkmanager) $ifname $action NOT added global DNS - dnssec-triggerd is not running"
+fi
+
+######################################################
+# add forward zones into unbound using unbound-control
+if [ -n "`pidof unbound`" ]; then
+ if [ -r "$conn_zones_file" ]; then
+ for domain in `cat $conn_zones_file`; do
+ # Remove forward zone from unbound
+ if [ "$validate_forward_zones" == "no" ]; then
+ unbound-control forward_remove +i $domain &> /dev/null
+ else
+ unbound-control forward_remove $domain &> /dev/null
+ fi
+ unbound-control flush_zone $domain &> /dev/null
+ unbound-control flush_requestlist &> /dev/null
+
+ logger "dnssec-trigger-hook(networkmanager) $ifname $action removed forward DNS zone $domain"
+ done
+
+ # Remove file with zones for this connection
+ rm -f $conn_zones_file &> /dev/null
+ fi
+
+ if [ "$action" == "vpn-up" ] || [ "$action" == "up" ]; then
+ if [ -n "$domains" ]; then
+ for domain in $domains; do
+ # Add forward zone into unbound
+ if [ "$validate_forward_zones" == "no" ]; then
+ unbound-control forward_add +i $domain $nameservers &> /dev/null
+ else
+ unbound-control forward_add $domain $nameservers &> /dev/null
+ fi
+ unbound-control flush_zone $domain &> /dev/null
+ unbound-control flush_requestlist &> /dev/null
+
+ # Create zone info file
+ echo $domain >> $conn_zones_file
+
+ logger "dnssec-trigger-hook(networkmanager) $ifname $action added forward DNS zone $domain $nameservers"
+ done
+ fi
+ fi
+else
+ logger "dnssec-trigger-hook(networkmanager) $ifname $action NOT added forward DNS zone(s) - unbound is not running"
+fi
+
+exit 0
diff --git a/01-dnssec-trigger-hook-f17 b/01-dnssec-trigger-hook-f17
deleted file mode 100755
index 85a8837..0000000
--- a/01-dnssec-trigger-hook-f17
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-#
-# NetworkManager trigger for in dispatcher.d
-# config items
-nmcli="nmcli"
-
-# implementation
-ifname="$1"
-action="$2"
-
-# get ips from NetworkManager
-if test -x "`which $nmcli 2>&1`"; then
-ips="`$nmcli -f IP4,IP6 dev list | fgrep 'DNS' | awk '{print $2;}'`"
-else
-ips="`nm-tool | grep 'DNS:' | awk '{print $2;}'`"
-fi
-# fix whitespace
-ips=`echo $ips`
-
-logger "dnssec-trigger-hook(networkmanager) $ifname $action DNS $ips"
-/usr/sbin/dnssec-trigger-control submit "$ips"
-exit 0
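Review bot: `$nmcli` is never assigned in this script — the config item became `alias nmcli="/usr/bin/nmcli"`, but the `which $nmcli 2>&1` test and the `$nmcli -f IP4,IP6 dev list` call still expand a shell variable (the deleted f17 hook set `nmcli="nmcli"`), so unless the dispatcher environment happens to export `nmcli` the `-x` test is false and the script always falls back to `nm-tool`; either restore `nmcli="/usr/bin/nmcli"` as a variable or call the alias without the `$`. The forward zones are built from `$IP4_DOMAINS`/`$IP4_NAMESERVERS` on a plain `up`, i.e. from whatever DHCP server the link happens to see, and with the default `validate_forward_zones="no"` each one is installed with `+i`, which turns DNSSEC validation off for that name; nothing rejects the root or a single-label name such as `com`, so I would at least refuse names without a dot and consider restricting the `+i` path to `vpn-up`. Those same values are used unquoted (`forward_add +i $domain $nameservers`, `echo $domain >> $conn_zones_file`), so they are word-split and glob-expanded against the hook's working directory; write `"$domain"` and `"$nameservers"` and guard `conn_zones_file` with `[ -n "$CONNECTION_UUID" ]`, since an empty UUID makes it the state directory itself. Finally `&> /dev/null` and `==` inside `[ ]` are bashisms under `#!/bin/sh`: on a dash `/bin/sh`, `cmd &> /dev/null` parses as `cmd &` plus an empty redirection, so every `unbound-control` call would be backgrounded; use `> /dev/null 2>&1` and `=`, or change the shebang to `#!/bin/bash`.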
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index 2fab395..1832bb7 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -1,14 +1,17 @@
 Summary: NetworkManager plugin to update/reconfigure DNSSEC resolving
 Name: dnssec-trigger
 Version: 0.11
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
 Source: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
 Source1:dnssec-triggerd.service
 Source2: dnssec-triggerd-keygen.service
 Source3: dnssec-trigger.conf
-Source4: 01-dnssec-trigger-hook-f17
+# Latest NM dispatcher hook from upstream SVN
+# http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk/01-dnssec-trigger-hook.sh.in
+Source4: 01-dnssec-trigger-hook
+Source5: dnssec-trigger.tmpfiles.d
 Patch1: dnssec-trigger-0.11-gui.patch
 Patch2: dnssec-trigger-842455.patch
 # https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=489
@@ -59,9 +62,16 @@ install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/
 desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop
-# overwrite the stock dhcp hook, as nmcli syntax changed on f17+
+# overwrite the stock NM hook since there is new one in upstream SVN that has not been released yet
 cp -p %{SOURCE4} %{buildroot}/%{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger-hook
+# install the configuration for /var/run/dnssec-trigger into tmpfiles.d dir
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE5} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf
+# we must create the /var/run/dnssec-trigger directory
+mkdir -p %{buildroot}%{_localstatedir}/run
+install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}
+
 # supress the panel name everywhere including the gnome3 panel at the bottom
 ln -s dnssec-trigger-panel %{buildroot}%{_bindir}/dnssec-trigger
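Review bot: The new `install -m 644 %{SOURCE5} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf` line mixes `${RPM_BUILD_ROOT}` with the `%{buildroot}` macro used on every neighbouring line of the `%install` hunk, and the `mkdir -p %{buildroot}%{_localstatedir}/run` directly before `install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}` is redundant because `install -d` creates missing parents. I would write `install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf` and drop the extra `mkdir`. The mode on that directory deserves a comment: the dispatcher hook reads zone names back out of `/var/run/dnssec-trigger` and passes them to `unbound-control forward_remove`, so it must stay root-owned and not group/world-writable, which `0755` satisfies — e.g. `# hook state dir; must not be writable by non-root, the hook feeds its contents to unbound-control`. The `%install` section continues outside this hunk.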
@@ -85,6 +95,8 @@ rm -rf ${RPM_BUILD_ROOT}
 %attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger-hook
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/xdg/autostart/dnssec-trigger-panel.desktop
+%dir %{_localstatedir}/run/%{name}
+%{_tmpfilesdir}/%{name}.conf
 %{_bindir}/dnssec-trigger-panel
 %{_bindir}/dnssec-trigger
 %{_sbindir}/dnssec-trigger*
@@ -115,6 +127,10 @@ fi
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 %changelog
+* Fri Aug 09 2013 Tomas Hozza - 0.11-12
+- Use improved NM dispatcher script from upstream
+- Added tmpfiles.d config due to improved NM dispatcher script
+
 * Mon Mar 04 2013 Adam Tkac - 0.11-11
 - link dnssec-trigger.conf.8 to dnssec-trigger.8
 - build dnssec-triggerd with full RELRO
diff --git a/dnssec-trigger.tmpfiles.d b/dnssec-trigger.tmpfiles.d
new file mode 100644
index 0000000..000d918
--- /dev/null
+++ b/dnssec-trigger.tmpfiles.d
@@ -0,0 +1 @@
+d /var/run/dnssec-trigger 0755 root root -
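Review bot: `d /var/run/dnssec-trigger 0755 root root -` names the legacy path; on a systemd-based Fedora `/var/run` is normally a symlink to `/run`, so this works, but tmpfiles.d snippets conventionally use the canonical path, `d /run/dnssec-trigger 0755 root root -`, and the `%dir %{_localstatedir}/run/%{name}` entry in `%files` would then want to match. The root-owned, non-world-writable mode should be kept as is, since the dispatcher hook reads zone names back out of this directory and hands them to `unbound-control`; a one-line comment in the snippet saying so would stop a later "relax the mode" change, e.g. `# state dir for the NM dispatcher hook; contents are fed to unbound-control, keep root-only writable`.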