http://bugzilla.opensuse.org/show_bug.cgi?id=1173619
http://bugzilla.opensuse.org/show_bug.cgi?id=1173619#c20
--- Comment #20 from Wolfgang Frisch
(In reply to Wolfgang Frisch from comment #18)
> I just experimented with the latest version of unbound in Tumbleweed, adjusted the permissions, and could not detect any problems. `unbound-control` also continues to function normally.
Thanks for testing that.
How to proceed? We can definitely apply the aforementioned permission changes: https://bugzilla.opensuse.org/attachment.cgi?id=849858
> IMHO the use of ExecStartPre= in unbound.service is kind of a mess. Do we really still need it? Could we set User= and Group= to unbound in unbound.service?
I agree, it's not very elegant, and it ties in with your research below:
> "unbound itself manages root trust anchor automatically these days"
> see https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007747.html
This indeed appears to work, but if I'm not mistaken we would then have to ship the DNS root data ourselves as well, similar to Debian:
> Also these thoughts on Linux distributions shipping root.key and root.hints:
> https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007749.html
I'm all for it but we should test it carefully. Breaking DNS servers is not a fun experience ;) There's currently a version bump underway (sr#980737). Let's wait for it to go through and then test and submit our changes:
- adjust permissions
- build a separate package with DNS root data
- remove unbound-anchor from the systemd .service files
- remove dependency on unbound-anchor
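The change discussed in the comment above (run unbound as User=/Group= unbound and stop running unbound-anchor from ExecStartPre=), written out as a systemd drop-in. This is an added illustration, not the openSUSE unit file or the attachment from the bug; the drop-in path and the assumption that the unit is named unbound.service on the local system are mine.

```ini
# /etc/systemd/system/unbound.service.d/override.conf
# Illustrative drop-in (assumed path); not the packaged openSUSE unit.
[Service]
# Run the daemon as the unprivileged unbound account rather than root.
# Anything the daemon must write (the self-managed root trust anchor, for
# instance) has to be owned or writable by this user/group, which is what
# the permission changes attached to the bug are for.
User=unbound
Group=unbound
# An empty assignment resets every ExecStartPre= inherited from the main
# unit, so unbound-anchor no longer runs as a root pre-start step and the
# daemon maintains the root trust anchor itself.
ExecStartPre=
```

After `systemctl daemon-reload`, `systemctl show -p User -p Group -p ExecStartPre unbound.service` shows the effective values, which is the check to run before and after applying the drop-in.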