On Thu, Oct 29, 2015 at 09:29:21AM +0100, Martijn Rijkeboer wrote:
> Hi,
>
> I'm running a DNS resolver using Unbound (OpenBSD 5.8-stable AMD64) with the
> auto-trust-anchor-file option set. This results in daily updates of the
> /var/unbound/db/root.key file (only comments are changed). Unfortunately this
> file is also checked via the security(8) script, which results in getting an
> insecurity output mail every day (Cry Wolf problem). Is there a way to exclude
> the comments in the checks or the complete root.key file?
>
> Kind regards,
>
>
> Martijn Rijkeboer

The security script checks the files listed in /etc/changelist. See changelist(5) for details. I don't think there's a way of checking 'everything but comments', but it shouldn't be hard to do that with a custom daily.local script, see daily(8).
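
An added example, not part of the original message: one way the custom check suggested in the reply above could look as shell functions called from /etc/daily.local. It assumes comments in root.key run from `;` to the end of the line, that root.key has been taken out of /etc/changelist, and that the baseline path passed in is one you choose (the path in the comment is hypothetical).

```shell
#!/bin/sh
# Added example: report changes to the key records in a trust anchor file
# while ignoring comment-only churn.
# Assumption: comments run from ';' to end of line (zone-file style).
# Hypothetical call from /etc/daily.local:
#   check_anchor /var/unbound/db/root.key /var/backups/root.key.records

# Print FILE with comments, trailing whitespace and empty lines removed.
strip_comments() {
	sed -e 's/;.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# check_anchor FILE BASELINE
# returns 0 = records unchanged, 1 = records changed (diff printed),
#         2 = no baseline yet (created), 3 = FILE unreadable
check_anchor() {
	_file=$1 _base=$2
	[ -r "$_file" ] || { echo "cannot read $_file"; return 3; }
	_tmp=$(mktemp) || return 3
	strip_comments "$_file" > "$_tmp"
	if [ ! -f "$_base" ]; then
		(umask 077; cp "$_tmp" "$_base")
		rm -f "$_tmp"
		echo "baseline created for $_file"
		return 2
	fi
	if cmp -s "$_tmp" "$_base"; then
		rm -f "$_tmp"
		return 0        # only comments (or nothing) changed: stay silent
	fi
	echo "key records in $_file changed:"
	diff -u "$_base" "$_tmp"
	cp "$_tmp" "$_base"     # move the baseline so each change is reported once
	rm -f "$_tmp"
	return 1
}

# Run directly as: script FILE BASELINE
if [ $# -eq 2 ]; then
	check_anchor "$1" "$2"
fi
```

Anything the function prints ends up in the daily(8) mail, so a comment-only update produces no output and a real key change produces a diff.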