Hi Rubén,

On 2018-11-16 11:02 a.m., Rubén Torrero Marijnissen via Unbound-users wrote:
> I was getting suggestions to have unbound-anchor.timer enabled by
> default (even if unbound.service is not) but I'd say this way is
> better because it only runs unbound-anchor.service if unbound.service
> is running, but I might be completely wrong:

I think there is value in maintaining the root.key file even if unbound isn't running. The rationale is that other things (like unbound-host or packages using libunbound2) might want a current one.

Not maintaining the root.key led to at least one bug report in Ubuntu [1] and for that reason, I believe that Ubuntu/Debian [2] should also adopt a similar approach.

> unbound-anchor.service
> ----------------------
> [Unit]
> Description=update of the root trust anchor for DNSSEC validation in unbound
> Documentation=man:unbound-anchor(8)
>
> [Service]
> Type=oneshot
> User=unbound
> ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
> SuccessExitStatus=1
>
>
> unbound-anchor.timer
> --------------------
> [Unit]
> Description=daily update of the root trust anchor for DNSSEC
> Documentation=man:unbound-anchor(8)
> BindsTo=unbound.service
>
> [Timer]
> # Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
> # It means that unbound-anchor should be run at least once a day.
> OnCalendar=daily
> Persistent=true
> AccuracySec=24h
>
> [Install]
> WantedBy=unbound.service
>
>
> unbound.service
> ---------------
> [Unit]
> Description=Unbound recursive Domain Name Server
> After=syslog.target network.target
> After=unbound-keygen.service
> Wants=unbound-keygen.service
> After=unbound-anchor.timer
> Wants=unbound-anchor.timer
> Before=nss-lookup.target
> Wants=nss-lookup.target
>
> [Service]
> Type=simple
> EnvironmentFile=-/etc/sysconfig/unbound
> #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
> ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem

This ^ ExecStartPre is probably a leftover ;)

> ExecStartPre=/usr/sbin/unbound-checkconf
> ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
>
> [Install]
> WantedBy=multi-user.target

Aside from the minor caveat mentioned above, it looks good to me.

Regards,
Simon

1: https://bugs.launchpad.net/bugs/1771545
2: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900241
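The decoupled arrangement Simon argues for, written out as an added example that is not part of this thread and not any distribution's packaging. The three unit files are concatenated here with comment headers. Paths and the unbound-anchor invocation are taken from the units quoted above; the hardening directives, RandomizedDelaySec, and the use of timers.target are my additions. The SuccessExitStatus=1 line is kept on the assumption, taken from unbound-anchor(8), that the tool exits 1 when it replaced the anchor from the certificate bundle or the built-in key, and 0 when no change was needed. The directory /var/lib/unbound is assumed to be writable by the unbound user.

```ini
# --- unbound-anchor.service (added example) ---
[Unit]
Description=Refresh the DNSSEC root trust anchor used by unbound and libunbound
Documentation=man:unbound-anchor(8)
# Deliberately no dependency on unbound.service: unbound-host and
# libunbound2 consumers read the same root.key and want it current.

[Service]
Type=oneshot
User=unbound
ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
# Assumption from unbound-anchor(8): exit status 1 means "anchor was
# updated", which is a success for this job, not a failure.
SuccessExitStatus=1
# Hardening (added): the job only needs to write the key directory and
# read the certificate bundle under /etc; everything else stays read-only.
ProtectSystem=strict
ReadWritePaths=/var/lib/unbound
ProtectHome=true
PrivateTmp=true
NoNewPrivileges=true

# --- unbound-anchor.timer (added example) ---
[Unit]
Description=Daily refresh of the DNSSEC root trust anchor
Documentation=man:unbound-anchor(8)
# No BindsTo=unbound.service: the timer can be enabled on its own.

[Timer]
# Root zone DNSKEY TTL is 172800 s (2 days), so once a day is sufficient;
# the random delay spreads fetches from many hosts over the hour.
OnCalendar=daily
Persistent=true
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target

# --- unbound.service, relevant fragment (added example) ---
[Unit]
Description=Unbound recursive Domain Name Server
# Pull in one anchor refresh before the resolver starts, but do not
# fail the resolver if that refresh fails (Wants=, not Requires=).
After=network.target unbound-keygen.service unbound-anchor.service
Wants=unbound-keygen.service unbound-anchor.service
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
# The sudo/runuser ExecStartPre lines from the quoted unit are gone:
# the refresh now happens in unbound-anchor.service, as the unbound user.
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS

[Install]
WantedBy=multi-user.target
```

With this layout `systemctl enable --now unbound-anchor.timer` keeps root.key fresh on a host that only runs unbound-host or a libunbound2 application, which is the Ubuntu case in [1], while a host running the resolver still gets a refresh attempt before each start. The trade-off is the same as with the original ExecStartPre: if the network is down at boot, unbound waits for unbound-anchor to give up before it starts, so keep the job's own timeouts short rather than adding a TimeoutStartSec that would mask a genuine failure.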
