(In reply to Wolfgang Frisch from comment #18) > I just experimented with latest version of unbound in Tumbleweed, adjusted > the permissions, and could not detect any problems. `unbound-control` also > continues to function normally. Thanks for testing that. How to proceed? IMHO the use of ExecStartPre= in unbound.service is kind of a mess. Do we really still need it? Could we set User= and Group= to unbound in unbound.service? Worth to note is this discussion on the unbound-users list: "unbound itself manages root trust anchor automatically these days" see https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007747.html Also this thoughts on Linux distros distributions shipping root.key and root.hints: https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007749.html