diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index b6277c8..72cb6f0 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec @@ -1,7 +1,7 @@ Summary: NetworkManager plugin to update/reconfigure DNSSEC resolving Name: dnssec-trigger Version: 0.11 -Release: 16%{?dist} +Release: 17%{?dist} License: BSD Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/ Source: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz @@ -12,6 +12,8 @@ Source3: dnssec-trigger.conf # http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk/01-dnssec-trigger-hook.sh.in Source4: 01-dnssec-trigger-hook Source5: dnssec-trigger.tmpfiles.d +Source6: dnssec-triggerd-resolvconf-handle.sh +Source7: dnssec-triggerd-resolvconf-handle.service Patch1: dnssec-trigger-0.11-improve_dialog_texts.patch Patch2: dnssec-trigger-842455.patch # https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=489 @@ -63,6 +65,10 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}d.service install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d-keygen.service install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/ +mkdir -p %{buildroot}%{_libexecdir} +install -m 0755 %{SOURCE6} %{buildroot}%{_libexecdir}/%{name}d-resolvconf-handle.sh +install -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/%{name}d-resolvconf-handle.service + desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop # overwrite the stock NM hook since there is new one in upstream SVN that has not been released yet @@ -93,6 +99,7 @@ rm -rf ${RPM_BUILD_ROOT} %doc README LICENSE %{_unitdir}/%{name}d.service %{_unitdir}/%{name}d-keygen.service +%{_unitdir}/%{name}d-resolvconf-handle.service %attr(0755,root,root) %dir %{_sysconfdir}/%{name} %attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger-hook 
@@ -103,6 +110,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/dnssec-trigger-panel %{_bindir}/dnssec-trigger %{_sbindir}/dnssec-trigger* +%{_libexecdir}/%{name}d-resolvconf-handle.sh %{_mandir}/*/* %attr(0755,root,root) %dir %{_datadir}/%{name} %attr(0644,root,root) %{_datadir}/%{name}/* @@ -130,6 +138,9 @@ fi /bin/systemctl daemon-reload >/dev/null 2>&1 || : %changelog +* Thu Nov 21 2013 Tomas Hozza - 0.11-17 +- Add script to backup and restore resolv.conf on dnssec-trigger start/stop + * Mon Nov 18 2013 Tomas Hozza - 0.11-16 - Improve GUI dialogs texts diff --git a/dnssec-triggerd-resolvconf-handle.service b/dnssec-triggerd-resolvconf-handle.service new file mode 100644 index 0000000..a23760c --- /dev/null +++ b/dnssec-triggerd-resolvconf-handle.service @@ -0,0 +1,11 @@ +[Unit] +Description=Backups and restores /etc/resolv.conf after dnssec-trigger starts/stops +PartOf=dnssec-triggerd.service + + +[Service] +Type=oneshot +RemainAfterExit=yes + +ExecStart=/usr/libexec/dnssec-triggerd-resolvconf-handle.sh backup +ExecStop=/usr/libexec/dnssec-triggerd-resolvconf-handle.sh restore diff --git a/dnssec-triggerd-resolvconf-handle.sh b/dnssec-triggerd-resolvconf-handle.sh new file mode 100755 index 0000000..4b8e672 --- /dev/null +++ b/dnssec-triggerd-resolvconf-handle.sh 
@@ -0,0 +1,83 @@
+#!/bin/sh
+# dnssec-trigger script handling possible backup and restore of resolv.conf
+
+SCRIPT_NAME="dnssec-trigger-resolvconf-handle.sh"
+STATE_DIR="/var/run/dnssec-trigger"
+RESOLV_CONF="/etc/resolv.conf"
+RESOLV_CONF_BAK="$STATE_DIR/resolv.conf.bak"
+NM_CONFIG="/etc/NetworkManager/NetworkManager.conf"
+
+usage()
+{
+ echo
+ echo "This script backs up or restores /etc/resolv.conf content"
+ echo "Usage: $SCRIPT_NAME [backup|restore]"
+}
+
+# check number of arguments
+if ! [ "$#" -eq 1 ]; then
+ echo "ERROR: Wrong number of arguments!"
+ usage
+ exit 1
+fi
+
+does_nm_handle_resolv_conf()
+{
+ grep -x "^dns=none" $NM_CONFIG &> /dev/null
+ echo "$?"
+}
+
+backup_resolv_conf()
+{
+ # find out if NM handles the resolv.conf
+ if [ "`does_nm_handle_resolv_conf`" -eq 0 ]; then
+ cp -fp $RESOLV_CONF $RESOLV_CONF_BAK
+ fi
+}
+
+restore_resolv_conf()
+{
+ # if we have a backup and NM does not handle resolv.conf -> restore it
+ if [ "`does_nm_handle_resolv_conf`" -eq 0 ] && [ -s $RESOLV_CONF_BAK ]; then
+ cp -fp $RESOLV_CONF_BAK $RESOLV_CONF
+ else
+ # get global nameservers
+ # try to get nmcli version
+ NMCLI_VER="`nmcli -v 2> /dev/null | sed 's/.*version \([0-9]\)\.\([0-9]\)\.\([0-9]\)\.\([0-9]\).*/\1\2\3\4/'`"
+ # if nmcli exists
+ if [ -n $NMCLI_VER ]; then
+ # if the version is greater or equal 0.9.9.0
+ if [ $NMCLI_VER -ge 0990 ]; then
+ global_nameservers="`nmcli -f IP4,IP6 dev show | fgrep 'DNS' | awk '{print $2;}'`"
+ else
+ global_nameservers="`nmcli -f IP4,IP6 dev list | fgrep 'DNS' | awk '{print $2;}'`"
+ fi
+ # nmcli does not exist
+ else
+ global_nameservers="`nm-tool | grep 'DNS:' | awk '{print $2;}'`"
+ fi
+ # fix whitespaces
+ global_nameservers="`echo $global_nameservers`"
+
+ # write servers to the resolv.conf
+ echo "# generated by $SCRIPT_NAME script" > $RESOLV_CONF
+ for server in $global_nameservers ; do
+ echo "nameserver $server" >> $RESOLV_CONF
+ done
+ fi
+}
+
+case "$1" in
+ backup)
+ backup_resolv_conf
+ ;;
+ restore)
+
restore_resolv_conf + ;; + *) + echo "ERROR: Wrong argument!" + usage + exit 1 +esac + +exit 0 diff --git a/dnssec-triggerd.service b/dnssec-triggerd.service index bc8fcd8..9d55778 100644 --- a/dnssec-triggerd.service +++ b/dnssec-triggerd.service @@ -3,6 +3,8 @@ Description=Reconfigure local DNS(SEC) resolver on network change After=syslog.target network.target After=dnssec-triggerd-keygen.service Wants=dnssec-triggerd-keygen.service +After=dnssec-triggerd-resolvconf-handle.service +Wants=dnssec-triggerd-resolvconf-handle.service After=unbound.service Wants=unbound.service
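Review bot: In restore_resolv_conf of dnssec-triggerd-resolvconf-handle.sh the test `[ -n $NMCLI_VER ]` is unquoted, so an empty value collapses it to `[ -n ]`, which is true; the nm-tool fallback is then never reached, and `[ $NMCLI_VER -ge 0990 ]` errors out into the `dev list` branch even when nmcli is absent. Because /etc/resolv.conf is truncated with `>` before the server list is checked, a failed lookup leaves only the comment line in the file, and the script still ends in `exit 0`, so the unit's stop would be reported as successful. I would quote both tests (`[ -n "$NMCLI_VER" ]`, `[ "$NMCLI_VER" -ge 0990 ]`) and add `[ -n "$global_nameservers" ] || exit 1` ahead of the first write. Separately, `&>` in does_nm_handle_resolv_conf is a bash redirection under a `#!/bin/sh` shebang; a strictly POSIX shell would background grep and make `$?` always 0, whereas `> /dev/null 2>&1` behaves the same everywhere. The restore path also copies `$RESOLV_CONF_BAK` over /etc/resolv.conf as root, so the ownership and mode of /var/run/dnssec-trigger (set outside this diff, presumably by the tmpfiles.d file) decide who can choose the system's resolvers, and that is worth confirming.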