Unbound 1.6.1rc1 prerelease

Paul Wouters paul at nohats.ca
Thu Feb 9 20:24:59 UTC 2017


On Thu, 9 Feb 2017, W.C.A. Wijngaards via Unbound-users wrote:

> - configure --enable-systemd and lets unbound use systemd sockets if you
> enable use-systemd: yes in unbound.conf. Also there are
> contrib/unbound.socket and contrib/unbound.service: systemd files for

Looking at the unbound.conf man page, I see that the socket support is
for socket activation. I know that the systemd people think that is
all cool and stuff, but I really don't know if this is appropriate
for various daemons, especially DNS. Any service requiring DNS will
pretty much block until it gets a DNS answer.

I don't think pointing resolv.conf to something not running yet is
a swell idea either. Much better to confirm the DNS server is working
before pointing resolv.conf at it.

And what is port 1153 used for? According to IANA this port is used
for transporting ANSI C12.22/IEEE 1703/MC12.22 Advanced Metering
Infrastructure (AMI) Application Layer Messages on an IP network as
per RFC-6142. I don't think unbound should be using that port.

c1222-acse      1153/tcp                # ANSI C12.22 Port

Also, the port is > 1024, so that makes me doubly reserved about
unbound as a daemon running the port. Any user could grab that
port. I'm not clear on the security implications of that.

If you really want to ship an unbound service file, I think this one
that is used by rhel/fedora is much better, as it also deals with
not restarting and failing on a bad configuration file, trying to
update the DNSSEC root key before starting, and generating the keys
and certs to use unbound-control properly.

[Unit]
Description=Unbound recursive Domain Name Server
After=network.target
After=unbound-keygen.service
Wants=unbound-keygen.service
Wants=unbound-anchor.timer
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecReload=/usr/sbin/unbound-control reload

[Install]
WantedBy=multi-user.target


Paul
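The unprivileged-port point raised above, as an added example (this is not code from the thread or from the Unbound project): a small Python linter that parses a systemd .socket unit, pulls the ports out of its Listen* directives and flags any port at or above 1024, which on Linux any local user can bind whenever no privileged process already holds it. The socket unit embedded below is constructed for illustration and is not the contents of contrib/unbound.socket.

```python
"""Flag Listen* directives in a systemd .socket unit whose port is not
privileged (>= 1024), so a local unprivileged process could bind it while
the socket unit is inactive. On Linux, ports below 1024 need root or
CAP_NET_BIND_SERVICE."""
from typing import Dict, List, Optional, Tuple

PRIVILEGED_PORT_LIMIT = 1024  # first port an unprivileged Linux process may bind

# Constructed sample unit (illustrative only, not contrib/unbound.socket):
# it exposes the resolver on 1153, the port discussed in the thread.
SAMPLE_SOCKET_UNIT = """\
[Unit]
Description=Unbound DNS socket (constructed example)

[Socket]
ListenDatagram=127.0.0.1:1153
ListenStream=127.0.0.1:1153
ListenDatagram=[::1]:1153

[Install]
WantedBy=sockets.target
"""


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse a unit file into {section: [(key, value), ...]}.

    Repeated keys (several Listen* lines) are kept in order, which is why
    configparser is not used here."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def listen_port(value: str) -> Optional[int]:
    """Return the port of a Listen* value ("53", "127.0.0.1:53", "[::1]:53"),
    or None for filesystem/abstract sockets and values without a clear port."""
    if value.startswith(("/", "@")):
        return None  # AF_UNIX path or abstract socket, no port involved
    if value.isdigit():
        return int(value)
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        return None
    if ":" in host and not host.startswith("["):
        return None  # bare IPv6 literal without brackets: ambiguous, skip
    return int(port)


def unprivileged_listeners(text: str) -> List[Tuple[str, str, int]]:
    """Return (key, value, port) for each Listen* directive in [Socket]
    whose port is >= PRIVILEGED_PORT_LIMIT."""
    findings = []
    for key, value in parse_unit(text).get("Socket", []):
        if not key.startswith("Listen"):
            continue
        port = listen_port(value)
        if port is not None and port >= PRIVILEGED_PORT_LIMIT:
            findings.append((key, value, port))
    return findings


if __name__ == "__main__":
    for key, value, port in unprivileged_listeners(SAMPLE_SOCKET_UNIT):
        print(f"{key}={value}: port {port} is bindable by any local user")
```

Run it against a real unit with `unprivileged_listeners(open("/path/to/unit.socket").read())`; an empty list means every Listen* port is below 1024 or is a filesystem socket.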


