Hi,

I'm doing some package maintenance for Unbound in SLES. We are migrating from cron to systemd timers and, based on what I've seen being done in other distros, I've come up with the following solution for the relation between unbound-anchor and unbound. I'd like some feedback on this, especially if you'd have done it in a different way. I was getting suggestions to have unbound-anchor.timer enabled by default (even if unbound.service is not), but I'd say this way is better because it only runs unbound-anchor.service if unbound.service is running, but I might be completely wrong:

unbound-anchor.service
----------------------
[Unit]
Description=update of the root trust anchor for DNSSEC validation in unbound
Documentation=man:unbound-anchor(8)

[Service]
Type=oneshot
User=unbound
ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
SuccessExitStatus=1

unbound-anchor.timer
--------------------
[Unit]
Description=daily update of the root trust anchor for DNSSEC
Documentation=man:unbound-anchor(8)
BindsTo=unbound.service

[Timer]
# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
# It means that unbound-anchor should be run at least once a day.
OnCalendar=daily
Persistent=true
AccuracySec=24h

[Install]
WantedBy=unbound.service

unbound.service
---------------
[Unit]
Description=Unbound recursive Domain Name Server
After=syslog.target network.target
After=unbound-keygen.service
Wants=unbound-keygen.service
After=unbound-anchor.timer
Wants=unbound-anchor.timer
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
#ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS

[Install]
WantedBy=multi-user.target

Thanks,
Rubén Torrero Marijnissen
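
An added example, not part of the original post: a small audit of how the timer in the units above is coupled to unbound.service. The function names `parse_unit` and `coupling` are hypothetical, and the parser accumulates repeated keys because unbound.service sets `After=` and `Wants=` several times.

```python
# Added example: audit how unbound-anchor.timer is coupled to unbound.service.
# Unit text: only the dependency lines, copied from the post above.
from collections import defaultdict

UNITS = {
    "unbound-anchor.timer": """
[Unit]
BindsTo=unbound.service
[Install]
WantedBy=unbound.service
""",
    "unbound.service": """
[Unit]
After=syslog.target network.target
After=unbound-keygen.service
Wants=unbound-keygen.service
After=unbound-anchor.timer
Wants=unbound-anchor.timer
Before=nss-lookup.target
Wants=nss-lookup.target
[Install]
WantedBy=multi-user.target
""",
}

def parse_unit(text):
    """Parse unit text; repeated keys accumulate instead of overwriting."""
    sections, current = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current:
            key, value = line.split("=", 1)
            sections[current][key.strip()].extend(value.split())
    return sections

def coupling(units, timer, service):
    """Report which directives tie the timer's lifetime to the service."""
    t, s = parse_unit(units[timer]), parse_unit(units[service])
    return {
        "stops_with_service": service in t["Unit"]["BindsTo"],  # BindsTo= also acts like Requires=
        "pulled_in_by_service": timer in s["Unit"]["Wants"] or service in t["Install"]["WantedBy"],
        "ordered_before_service": timer in s["Unit"]["After"],
        "enabled_by_a_target": any(w.endswith(".target") for w in t["Install"]["WantedBy"]),
    }
```
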
