about unbound and systemd units

Simon Deziel simon+unbound at sdeziel.info
Fri Nov 16 16:36:35 UTC 2018 

Hi Rubén,

On 2018-11-16 11:02 a.m., Rubén Torrero Marijnissen via Unbound-users wrote:
> I was getting suggestions to have unbound-anchor.timer enabled by
> default (even if unbound.service is not) but I'd say this way is
> better because it only runs unbound-anchor.servce if unbound.servce
> is running, but I might be completely wrong:
I think there is value in maintaining the root.key file even if unbound
isn't running. The rational is that other things (like unbound-host or
packages using libunbound2) might want a current one.

Not maintaining the root.key lead to at least one bug report in Ubuntu
[1] and for that reason, I believe that Ubuntu/Debian [2] should also
adopt a similar approach.

> unbound-anchor.service
> ----------------------
> [Unit]
> Description=update of the root trust anchor for DNSSEC validation in
> unbound
> Documentation=man:unbound-anchor(8)
> 
> [Service]
> Type=oneshot
> User=unbound
> ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c
> /etc/unbound/icannbundle.pem
> SuccessExitStatus=1
> 
> 
> unbound-anchor.timer
> --------------------
> [Unit]
> Description=daily update of the root trust anchor for DNSSEC
> Documentation=man:unbound-anchor(8)
> BindsTo=unbound.service
> 
> [Timer]
> # Current DNSKEY TTL in root zone is 172800 seconds, i.e.
> 172800/60/60/24 = 2 days.
> # It means that unboud-anchor should be run at least once a day.
> OnCalendar=daily
> Persistent=true
> AccuracySec=24h
> 
> [Install]
> WantedBy=unbound.service
> 
> 
> unbound.service
> ---------------
> [Unit]
> Description=Unbound recursive Domain Name Server
> After=syslog.target network.target
> After=unbound-keygen.service
> Wants=unbound-keygen.service
> After=unbound-anchor.timer
> Wants=unbound-anchor.timer
> Before=nss-lookup.target
> Wants=nss-lookup.target
> 
> [Service]
> Type=simple
> EnvironmentFile=-/etc/sysconfig/unbound
> #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-
> anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem"
> unbound
> ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a
> /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem

This ^ ExecStartPre is probably a leftover ;)

> ExecStartPre=/usr/sbin/unbound-checkconf
> ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
> 
> [Install]
> WantedBy=multi-user.target

Aside from the minor caveat mentioned above, it looks good to me.

Regards,
Simon

1: https://bugs.launchpad.net/bugs/1771545
2: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900241

More information about the Unbound-users mailing list