On 2023/09/16 14:26, Bjorn Ketelaars wrote:
> Currently /etc/rc.d/unbound only checks a configuration (using
> unbound-checkconf) upon starting as part of rc_pre(). It would be
> nice to have a configtest, which checks a configuration before
> restarting/reloading as well.
>
> I recently got bitten by a cron script, which made _invalid_ changes to
> my unbound configuration. Upon restarting rc_pre() was called in the
> start phase, and concluded that the configuration was invalid. As a
> consequence no DNS.
>
> Proposal is to change rc_pre() here to rc_configtest(). rc_pre() is only
> used when starting a daemon, and is preceded by rc_configtest() [0].
>
> [0] https://github.com/openbsd/src/blob/master/etc/rc.d/rc.subr#L231-L236
>
> OK?
>
> diff --git etc/rc.d/unbound etc/rc.d/unbound
> index 0f19c90fdf1..e62951b9dae 100644
> --- etc/rc.d/unbound
> +++ etc/rc.d/unbound
> @@ -7,7 +7,7 @@ daemon_flags="-c /var/unbound/etc/unbound.conf"
>
> . /etc/rc.d/rc.subr
>
> -rc_pre() {
> +rc_configtest() {
> if grep '^[[:space:]]*auto-trust-anchor-file:' \
> /var/unbound/etc/unbound.conf > /dev/null 2>&1; then
> /usr/sbin/unbound-anchor -v
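Review bot: renaming rc_pre() to rc_configtest() keeps the grep/unbound-anchor step inside the function body, so a configuration test (`rcctl configtest unbound`, and the configtest that rc.subr runs ahead of restart/reload per [0]) would execute `/usr/sbin/unbound-anchor -v` and may fetch or rewrite the trust anchor as a side effect instead of only validating unbound.conf. Suggest leaving the anchor handling in rc_pre(), where it only runs on start, and giving rc_configtest() just the unbound-checkconf call; since checkconf fails when auto-trust-anchor-file names a root.key that has not been created yet, the test needs to account for that case rather than report the configuration as broken. The hunk is also cut off after the unbound-anchor line, so the rest of the renamed function, including whether unbound-checkconf is still invoked, is not visible here.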
I would quite like configtest to work, but doing it like this means that "rcctl configtest unbound" will run unbound-anchor. Not sure about anyone else but personally I don't think this is really desirable. And you can't have an rc_configtest with just the unbound-checkconf call, because it will fail if dnssec is enabled but root.key hasn't been created yet (which is still a reasonable configuration imho, because the rc script specifically copes with this). Not sure of a good way around it...