http://bugzilla.opensuse.org/show_bug.cgi?id=1173619
http://bugzilla.opensuse.org/show_bug.cgi?id=1173619#c20

--- Comment #20 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
(In reply to Michael Ströder from comment #19)
> (In reply to Wolfgang Frisch from comment #18)
> > I just experimented with the latest version of unbound in Tumbleweed, adjusted the permissions, and could not detect any problems. `unbound-control` also continues to function normally.
> Thanks for testing that.
> How to proceed?
We can definitely apply the aforementioned permission changes: https://bugzilla.opensuse.org/attachment.cgi?id=849858
> IMHO the use of ExecStartPre= in unbound.service is kind of a mess. Do we really still need it? Could we set User= and Group= to unbound in unbound.service?
I agree, it's not very elegant, and it ties in with your research below:
> "unbound itself manages root trust anchor automatically these days"
> see https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007747.html
This indeed appears to work, but if I'm not mistaken we would then have to ship the DNS root data ourselves as well, similar to Debian:
> Also these thoughts on Linux distributions shipping root.key and root.hints:
> https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007749.html
I'm all for it, but we should test it carefully. Breaking DNS servers is not a fun experience ;)
There's currently a version bump underway (sr#980737). Let's wait for it to go through and then test and submit our changes:
- adjust permissions
- build a separate package with DNS root data
- remove unbound-anchor from the systemd .service files
- remove dependency on unbound-anchor
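As an added sanity check (not part of this bug report or the openSUSE package), the script below verifies the two changes discussed above against the effective unit properties: `User=`/`Group=` set to `unbound`, and no `ExecStartPre=` still invoking `unbound-anchor`. It parses the `Key=Value` lines that `systemctl show -p User,Group,ExecStartPre unbound.service` prints; the two sample property sets are constructed, and the path in the "before" sample is a placeholder.

```shell
#!/bin/sh
# Added example: check the effective systemd properties of unbound.service
# after replacing the ExecStartPre= dance with a plain User=/Group= setup.
# $1 holds the output of:
#   systemctl show -p User,Group,ExecStartPre unbound.service

check_unit_props() {
    props=$1
    user=$(printf '%s\n' "$props" | sed -n 's/^User=//p')
    group=$(printf '%s\n' "$props" | sed -n 's/^Group=//p')
    pre=$(printf '%s\n' "$props" | sed -n 's/^ExecStartPre=//p')
    rc=0
    # The daemon should drop to the unbound user/group via the unit itself.
    [ "$user" = "unbound" ] || { echo "User= is '$user', expected unbound"; rc=1; }
    [ "$group" = "unbound" ] || { echo "Group= is '$group', expected unbound"; rc=1; }
    # unbound-anchor must no longer run as a pre-start step.
    case "$pre" in
        *unbound-anchor*) echo "ExecStartPre= still invokes unbound-anchor"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: unit still relying on ExecStartPre= and no User= (placeholder path).
UNIT_BEFORE='User=
Group=
ExecStartPre={ path=/usr/sbin/unbound-anchor ; argv[]=/usr/sbin/unbound-anchor -a /PLACEHOLDER/root.key ; ignore_errors=yes }'

# Constructed sample: unit after the change discussed in the bug.
UNIT_AFTER='User=unbound
Group=unbound
ExecStartPre='

# Stand-alone usage: report on both samples.
for name in UNIT_BEFORE UNIT_AFTER; do
    eval "props=\$$name"
    if check_unit_props "$props"; then
        echo "$name: OK"
    else
        echo "$name: needs work"
    fi
done
```

On a real host, run `check_unit_props "$(systemctl show -p User,Group,ExecStartPre unbound.service)"` after `systemctl daemon-reload` to confirm the installed unit, not just the file on disk.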