about unbound and systemd units

Eric Luehrsen ericluehrsen at gmail.com
Sat Nov 17 15:57:39 UTC 2018

On 11/16/18 2:44 PM, Frank Habicht via Unbound-users wrote:
> first post. please be gentle
> On 16/11/2018 19:36, Simon Deziel via Unbound-users wrote:
>> Hi Rubén,
>> On 2018-11-16 11:02 a.m., Rubén Torrero Marijnissen via Unbound-users 
>> wrote:
>>> I was getting suggestions to have unbound-anchor.timer enabled by
>>> default (even if unbound.service is not) but I'd say this way is
>>> better because it only runs unbound-anchor.servce if unbound.servce
>>> is running, but I might be completely wrong:
>> I think there is value in maintaining the root.key file even if unbound
>> isn't running. The rational is that other things (like unbound-host or
>> packages using libunbound2) might want a current one.
>> Not maintaining the root.key lead to at least one bug report in Ubuntu
>> [1] and for that reason, I believe that Ubuntu/Debian [2] should also
>> adopt a similar approach.
> +1
> if you can, and you know how to, please keep it (root key) updated. even 
> if it's not used.
> tomorrow it might get used (the root key) [by the new dude, who enables 
> validation] and you want it to be updated.
> Frank

In OpenWrt, we run scripts around the root.key to prevent flash wear. 
Unbound works and chroots in /var/lib/unbound, So after checking 
root.key for cleanliness, it is copied back to /etc/unbound. Because 
unbound-anchor is one shot anyway, you could make unbound-anchor.service 
actually call a script instead. If Unbound is running and therefore 
doing its RFC5011 work, then don't run unbound-anchor. This script would 
check root.key for finger prints of success and no damage. If you 
modularize it, then it can also be used by the Unbound.service start and 
stop scripts.
Just some thoughts

More information about the Unbound-users mailing list