Hi & thanks for all the replies. I see now that it's also relevant to have the unbound-anchor timer running even if the unbound service is not running.
About the ExecStartPre, it wasn't really a leftover: I was thinking (and this is also relevant even if the timer is enabled by default) that unbound-anchor.timer doesn't give any guarantees that unbound-anchor.service will have been run at least once before unbound.service starts. But it does feel kinda hacky to do it this way...

Regards,
Rubén

On Fri, 2018-11-16 at 11:36 -0500, Simon Deziel via Unbound-users wrote:
> Hi Rubén,
>
> On 2018-11-16 11:02 a.m., Rubén Torrero Marijnissen via Unbound-users
> wrote:
> > I was getting suggestions to have unbound-anchor.timer enabled by
> > default (even if unbound.service is not) but I'd say this way is
> > better because it only runs unbound-anchor.service if unbound.service
> > is running, but I might be completely wrong:
>
> I think there is value in maintaining the root.key file even if unbound
> isn't running. The rationale is that other things (like unbound-host or
> packages using libunbound2) might want a current one.
>
> Not maintaining the root.key led to at least one bug report in Ubuntu
> [1] and for that reason, I believe that Ubuntu/Debian [2] should also
> adopt a similar approach.
>
> > unbound-anchor.service
> > ----------------------
> > [Unit]
> > Description=update of the root trust anchor for DNSSEC validation in unbound
> > Documentation=man:unbound-anchor(8)
> >
> > [Service]
> > Type=oneshot
> > User=unbound
> > ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
> > SuccessExitStatus=1
> >
> >
> > unbound-anchor.timer
> > --------------------
> > [Unit]
> > Description=daily update of the root trust anchor for DNSSEC
> > Documentation=man:unbound-anchor(8)
> > BindsTo=unbound.service
> >
> > [Timer]
> > # Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
> > # It means that unbound-anchor should be run at least once a day.
> > OnCalendar=daily
> > Persistent=true
> > AccuracySec=24h
> >
> > [Install]
> > WantedBy=unbound.service
> >
> >
> > unbound.service
> > ---------------
> > [Unit]
> > Description=Unbound recursive Domain Name Server
> > After=syslog.target network.target
> > After=unbound-keygen.service
> > Wants=unbound-keygen.service
> > After=unbound-anchor.timer
> > Wants=unbound-anchor.timer
> > Before=nss-lookup.target
> > Wants=nss-lookup.target
> >
> > [Service]
> > Type=simple
> > EnvironmentFile=-/etc/sysconfig/unbound
> > #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
> > ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
>
> This ^ ExecStartPre is probably a leftover ;)
>
> > ExecStartPre=/usr/sbin/unbound-checkconf
> > ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
> >
> > [Install]
> > WantedBy=multi-user.target
>
> Aside from the minor caveat mentioned above, it looks good to me.
>
> Regards,
> Simon
>
> 1: https://bugs.launchpad.net/bugs/1771545
> 2: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900241
>
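The guarantee Rubén is after (unbound-anchor has run to completion at least once before unbound starts) can be expressed in systemd ordering instead of a sudo ExecStartPre, and the timer can be enabled on its own so root.key is also refreshed when unbound is not running, which is Simon's point. The three unit files below are an added example written for this thread; they are not the units from the original message, from NLnet Labs, or from any distribution's packaging. The paths, the unbound user and the icannbundle.pem location are carried over from the posted units; everything else (dropping BindsTo=, ordering unbound.service after the oneshot, enabling the timer under timers.target) is this example's choice. The files are shown in one fence with a comment naming each.

```ini
# /etc/systemd/system/unbound-anchor.service
[Unit]
Description=update of the root trust anchor for DNSSEC validation in unbound
Documentation=man:unbound-anchor(8)

[Service]
# Type=oneshot without RemainAfterExit=: the unit goes back to inactive
# after ExecStart exits, so every activation (timer or unbound start)
# re-runs unbound-anchor instead of being a no-op.
Type=oneshot
User=unbound
ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
# As in the posted unit: unbound-anchor exits 1 when it updated root.key,
# so that exit code must count as success.
SuccessExitStatus=1

# /etc/systemd/system/unbound-anchor.timer
[Unit]
Description=daily update of the root trust anchor for DNSSEC
Documentation=man:unbound-anchor(8)
# No BindsTo=unbound.service here: unbound-host and libunbound consumers
# read root.key too, so keep it current whether or not unbound runs.

[Timer]
# Root zone DNSKEY TTL is 172800 s (2 days); once a day is enough.
OnCalendar=daily
Persistent=true
AccuracySec=24h

[Install]
# Enabled independently of unbound.service (see the comment above).
WantedBy=timers.target

# /etc/systemd/system/unbound.service
[Unit]
Description=Unbound recursive Domain Name Server
After=network.target
# After= on a Type=oneshot unit waits until its ExecStart has exited, so
# unbound-anchor has finished writing root.key before unbound reads it.
# Wants= (not Requires=) so that a failed refresh, e.g. no network yet,
# still lets the resolver start with the existing root.key.
After=unbound-keygen.service unbound-anchor.service
Wants=unbound-keygen.service unbound-anchor.service
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS

[Install]
WantedBy=multi-user.target
```

After installing the files run `systemctl daemon-reload` and `systemctl enable --now unbound-anchor.timer`; `systemctl show -p After -p Wants unbound.service` should list unbound-anchor.service in both properties, which is the check that the ordering actually took effect. Two caveats: the Wants= pull-in means unbound-anchor.service runs on every unbound restart, not only at boot, and the unit is deliberately not ordered after network-online.target, because that would make every unbound start wait for the network-online timeout on an offline host.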
