about unbound and systemd units
Rubén Torrero Marijnissen
rtorreromarijnissen at suse.de
Mon Nov 19 09:36:48 UTC 2018
Hi & thanks for all the replies,
I see now that it's also relevant to have unbound-anchor timer running
even if unbound service is not running.
About the ExecStartPre, it wasn't really a leftover: I was thinking
(and this is also relevant even if the timer is enabled by default)
that unbound-anchor.timer doesn't give any guarantees that
unbound-anchor.service will have been run at least once before unbound.service
starts. But it does feel kinda hacky to do it this way...
Regards,
Rubén
On Fri, 2018-11-16 at 11:36 -0500, Simon Deziel via Unbound-users wrote:
> Hi Rubén,
>
> On 2018-11-16 11:02 a.m., Rubén Torrero Marijnissen via Unbound-users wrote:
> > I was getting suggestions to have unbound-anchor.timer enabled by
> > default (even if unbound.service is not) but I'd say this way is
> > better because it only runs unbound-anchor.service if unbound.service
> > is running, but I might be completely wrong:
>
> I think there is value in maintaining the root.key file even if unbound
> isn't running. The rationale is that other things (like unbound-host or
> packages using libunbound2) might want a current one.
>
> Not maintaining the root.key led to at least one bug report in Ubuntu
> [1] and for that reason, I believe that Ubuntu/Debian [2] should also
> adopt a similar approach.
>
> > unbound-anchor.service
> > ----------------------
> > [Unit]
> > Description=update of the root trust anchor for DNSSEC validation in unbound
> > Documentation=man:unbound-anchor(8)
> >
> > [Service]
> > Type=oneshot
> > User=unbound
> > ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
> > SuccessExitStatus=1
> >
> >
> > unbound-anchor.timer
> > --------------------
> > [Unit]
> > Description=daily update of the root trust anchor for DNSSEC
> > Documentation=man:unbound-anchor(8)
> > BindsTo=unbound.service
> >
> > [Timer]
> > # Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
> > # It means that unbound-anchor should be run at least once a day.
> > OnCalendar=daily
> > Persistent=true
> > AccuracySec=24h
> >
> > [Install]
> > WantedBy=unbound.service
> >
> >
> > unbound.service
> > ---------------
> > [Unit]
> > Description=Unbound recursive Domain Name Server
> > After=syslog.target network.target
> > After=unbound-keygen.service
> > Wants=unbound-keygen.service
> > After=unbound-anchor.timer
> > Wants=unbound-anchor.timer
> > Before=nss-lookup.target
> > Wants=nss-lookup.target
> >
> > [Service]
> > Type=simple
> > EnvironmentFile=-/etc/sysconfig/unbound
> > #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
> > ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
>
> This ^ ExecStartPre is probably a leftover ;)
>
> > ExecStartPre=/usr/sbin/unbound-checkconf
> > ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
> >
> > [Install]
> > WantedBy=multi-user.target
>
> Aside from the minor caveat mentioned above, it looks good to me.
>
> Regards,
> Simon
>
> 1: https://bugs.launchpad.net/bugs/1771545
> 2: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900241
>
>
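The ordering concern raised at the top of the thread (the timer alone does not guarantee unbound-anchor has run before unbound starts) can be met without the sudo ExecStartPre by ordering unbound.service after the oneshot service itself. This is an added example, not a unit from either message; it assumes the unit names from the units quoted above, and the drop-in path is chosen for illustration.

```ini
# Added example: drop-in for unbound.service (path is illustrative).
# /etc/systemd/system/unbound.service.d/10-anchor.conf
[Unit]
# Wants= pulls unbound-anchor.service in whenever unbound.service starts;
# After= makes unbound wait for that start job to finish. Because the
# anchor unit is Type=oneshot, its start job only completes once
# unbound-anchor has exited, so root.key has been checked before the
# unbound process is launched.
# Wants= (rather than Requires=) means an anchor failure, e.g. no network
# yet at boot, still lets unbound start with the root.key already on disk.
Wants=unbound-anchor.service
After=unbound-anchor.service
```

The existing Wants=unbound-anchor.timer / After=unbound-anchor.timer lines in unbound.service can stay; they cover the daily refresh, while this drop-in covers the first run.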