Comment # 20 on bug 1173619 from
(In reply to Michael Ströder from comment #19)
> (In reply to Wolfgang Frisch from comment #18)
> > I just experimented with latest version of unbound in Tumbleweed, adjusted
> > the permissions, and could not detect any problems. `unbound-control` also
> > continues to function normally.
> 
> Thanks for testing that.
> 
> How to proceed?
We can definitely apply the aforementioned permission changes:
https://bugzilla.opensuse.org/attachment.cgi?id=849858

> IMHO the use of ExecStartPre= in unbound.service is kind of a mess. Do we
> really still need it? Could we set User= and Group= to unbound in
> unbound.service?
I agree, it's not very elegant, and it ties in with your research below:

> "unbound itself manages root trust anchor automatically these days"
> see https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007747.html
This indeed appears to work, but if I'm not mistaken we would then have to ship
the DNS root data ourselves as well, similar to Debian:

> Also these thoughts on Linux distributions shipping root.key and
> root.hints:
> 
> https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007749.html

I'm all for it but we should test it carefully. Breaking DNS servers is not a
fun experience ;)

There's currently a version bump underway (sr#980737).
Let's wait for it to go through and then test and submit our changes:

- adjust permissions
- build a separate package with DNS root data
- remove unbound-anchor from the systemd .service files
- remove dependency on unbound-anchor


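As an added illustration of what the last three steps of the plan amount to in a unit file, here is a sketch of an unbound.service with User= and Group= set and no ExecStartPre= / unbound-anchor step. This is example content written for this page, not the openSUSE package's unit file or the attachment linked above; it assumes the service account is named unbound, the config is /etc/unbound/unbound.conf, the root trust anchor is managed by unbound itself via auto-trust-anchor-file: in unbound.conf, and that the anchor and hints files shipped by the separate root-data package live under /var/lib/unbound where the unbound user can update them.

```ini
# Illustrative unbound.service (example, not the package's own unit).
# Assumed paths and account: /etc/unbound/unbound.conf, /var/lib/unbound,
# user/group "unbound".
[Unit]
Description=Unbound DNS resolver
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
# The daemon starts unprivileged; there is no ExecStartPre= running
# unbound-anchor as root. The root trust anchor is refreshed by unbound
# itself (auto-trust-anchor-file: in unbound.conf, RFC 5011 tracking),
# which is why the anchor file must be writable by this account.
User=unbound
Group=unbound
ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

# Least-privilege sandboxing: the only writable location is the state
# directory holding the anchor and hints data; everything else is read-only.
ProtectSystem=strict
ReadWritePaths=/var/lib/unbound
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
# Needed only to bind port 53 as a non-root user.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```

When testing this against the permission changes from the attachment, the two things to verify are the ones mentioned in the thread: that unbound can rewrite its anchor file under /var/lib/unbound after the RFC 5011 refresh, and that `unbound-control` still works, which requires its key and certificate files to be readable by the unbound account.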