Hello, 

bjorn.ketela...@hydroxide.nl (Björn Ketelaars), 2012.02.15 (Wed) 10:23 (CET):
> > > From unbound-anchor.8 I understand that unbound-anchor can be run from the
> > > command line, or run as part of startup scripts _before_ the actual (unbound)
> > > DNS server is started. So there is no need for DNS. Proposal therefore is to
> > > run unbound-anchor automatically before starting the unbound daemon (rc_pre in
> > > unbound rc-script).
> > 
> > This (i.e. connecting out to https://data.iana.org from the system startup
> > scripts) should *not* happen by default even if unbound is enabled. There
> > would need to be a separate option controlling this.
> 
>  
> How about letting /var/unbound/etc/unbound.conf control this behavior?
> 
> In the startup script (rc.d-script): 
> 
> rc_pre() {
>     if ! egrep "# *auto-trust-anchor-file:" /var/unbound/etc/unbound.conf >/dev/null; then
>         sudo -u _unbound /usr/sbin/unbound-anchor

would fail if ``!root_sudo'' is set in sudoers(5). But, quoting
sudoers(5):
"Disabling root_sudo provides no real additional security; it exists
purely for historical reasons. This flag is on by default."

Bye, Marcus

>     fi
> }
> 
> The same behavior can be obtained by writing a wrapper. Although these
> 'solutions' work, they are not elegant. What say thou?
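As an added illustration of the rc_pre idea discussed above (example code, not from the thread or from the OpenBSD rc-script), the following functions decide whether unbound-anchor(8) should run by looking for an *active* auto-trust-anchor-file: directive rather than for the absence of a commented one, so the startup script never reaches out to data.iana.org when the directive is simply missing from the file. The two unbound.conf samples are constructed here; the config path and the sudo -u _unbound command are the ones quoted in the thread, and the root.key path is an assumed sample value.

```sh
#!/bin/sh
# Added example, not the rc-script from the thread.
# Decide whether unbound-anchor should run before unbound starts, based
# on whether auto-trust-anchor-file: is enabled (uncommented) in the
# configuration file passed as $1.

# Returns 0 when an uncommented auto-trust-anchor-file: line exists.
# Leading whitespace is allowed because unbound.conf is usually indented.
anchor_enabled() {
    grep -Eq '^[[:space:]]*auto-trust-anchor-file:' "$1"
}

# Echoes the command rc_pre would run (the one quoted in the thread), or
# nothing when the anchor is not enabled. Echoing instead of executing
# keeps the decision logic testable without root or network access.
anchor_cmd() {
    if anchor_enabled "$1"; then
        echo "sudo -u _unbound /usr/sbin/unbound-anchor"
    else
        echo ""
    fi
}

# Writes two constructed sample configs into a temporary directory and
# prints that directory: one with the directive commented out, one active.
make_samples() {
    dir=$(mktemp -d)
    printf 'server:\n\t# auto-trust-anchor-file: "/var/unbound/db/root.key"\n' \
        > "$dir/commented.conf"
    printf 'server:\n\tauto-trust-anchor-file: "/var/unbound/db/root.key"\n' \
        > "$dir/active.conf"
    echo "$dir"
}

# Stand-alone usage: show the decision for both samples.
demo() {
    d=$(make_samples)
    for f in "$d/commented.conf" "$d/active.conf"; do
        echo "$f -> '$(anchor_cmd "$f")'"
    done
    rm -rf "$d"
}
```

Matching on the active directive rather than on a commented one is the fail-closed choice: a file with neither line yields no unbound-anchor run, whereas the egrep test in the quoted rc_pre would run it in that case. The sudo step still inherits the root_sudo dependency raised above; that is a sudoers(5) policy question the script itself cannot resolve.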
