On Tue, 31 Dec 2013, Chris Smith wrote:

> From: Chris Smith <obsd_m...@chrissmith.org>
> To: Dennis Davis <dennisdavis+openbsd-m...@fastmail.fm>
> Cc: OpenBSD-Misc <misc@openbsd.org>
> Date: Tue, 31 Dec 2013 19:53:03
> Subject: Re: unbound dnssec revisited
>
> On Tue, Dec 31, 2013 at 2:40 PM, Dennis Davis
> <dennisdavis+openbsd-m...@fastmail.fm> wrote:
> > It's a while since I looked at this, so the exact details are hazy,
> > but is all this necessary?
> <snip>
> > Doesn't seem to me that you need to run unbound-anchor as a part of
> > /etc/rc.d/unbound. You just need to run it once as part of setting
> > up unbound. After that a running unbound will periodically check
> > the root key.
>
> Good question - I've wondered if it was all necessary as well.
> Although I see it as probably useful. For one, it keeps the user
> involved housekeeping to a minimum.

I'd suggest that the housekeeping is built into unbound because it
periodically checks the root key. See my slightly tongue-in-cheek
example below.

> And my other thought was that in case of a server that was retired
> for a time and brought back into service that it would be proper
> for an updated root.key to be installed at startup and without
> some automation the onus again falls on the user for additional
> housekeeping.

There should be no need to add any automation. It's built into
unbound. To re-use my example I noted my root.key contains:

    ;;last_queried: 1388517505 ;;Tue Dec 31 19:18:25 2013
    ;;last_success: 1388517505 ;;Tue Dec 31 19:18:25 2013
    ;;next_probe_time: 1388557610 ;;Wed Jan 1 06:26:50 2014

It's New Year's Eve. I'll be shortly switching off this laptop and
indulging in a small glass or two of alcofrolic beverages. I *very*
much doubt I'll be switching this machine on again before
Wed Jan 1 06:26:50 2014. So, when I do switch it on, the first thing
unbound will do is check the root key and update it if necessary.

This should cover your case of a server that was retired for a time
and brought back into service.

--
Dennis Davis <dennisda...@fastmail.fm>
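
The root.key timestamps quoted in the message above can be read back to see whether unbound will probe the root key the next time it runs. This is an added example, not part of the original post and not unbound's own code; the function names `anchor_field` and `anchor_status` are hypothetical, and treating `last_success` older than `last_queried` as a failed query is an assumption drawn from the field names.

```shell
#!/bin/sh
# Added example: inspect the timestamp comments unbound keeps in root.key.

# anchor_field FILE NAME
# Prints the epoch value from a line of the form ";;NAME: <epoch> ;;<date>".
anchor_field() {
    awk -v want=";;$2:" '$1 == want && $2 ~ /^[0-9]+$/ { print $2; exit }' \
        "$1" 2>/dev/null || true
}

# anchor_status FILE NOW
# Prints one of:
#   malformed  a timestamp line is missing or not numeric
#   failing    last_success is older than last_queried (assumed meaning:
#              the most recent query did not succeed)
#   due        NOW has reached next_probe_time, so a probe is pending
#   current    next_probe_time is still in the future
anchor_status() {
    file=$1
    now=$2
    queried=$(anchor_field "$file" last_queried)
    success=$(anchor_field "$file" last_success)
    probe=$(anchor_field "$file" next_probe_time)
    if [ -z "$queried" ] || [ -z "$success" ] || [ -z "$probe" ]; then
        echo malformed
    elif [ "$success" -lt "$queried" ]; then
        echo failing
    elif [ "$now" -ge "$probe" ]; then
        echo due
    else
        echo current
    fi
}

# Constructed sample file holding the three lines quoted in the message.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
;;last_queried: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;last_success: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;next_probe_time: 1388557610 ;;Wed Jan 1 06:26:50 2014
EOF

# One instant before next_probe_time and one after it.
echo "before next_probe_time: $(anchor_status "$sample" 1388530800)"
echo "after next_probe_time:  $(anchor_status "$sample" 1388600000)"
```

On a live system the second argument would be `$(date +%s)` and the first the path of the resolver's own root.key.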