>> I'm running a DNS resolver using Unbound (OpenBSD 5.8-stable AMD64) with >> the auto-trust-anchor-file option set. This results in daily updates of the >> /var/unbound/db/root.key file (only comments are changed). Unfortunately >> this file is also checked via the security(8) script, which results in >> getting an insecurity output mail every day (Cry Wolf problem). Is there a >> way to exclude the comments in the checks or the complete root.key file?
> The security script checks the files listed in /etc/changelist. > See changelist(5) for details. > > I don't think there's a way of checking 'everything but comments', but > it shouldn't be hard to do that with a custom daily.local script, > see daily(8). As Martijn van Duren suggested I will comment out the entry in /etc/changelist. Kind regards, Martijn Rijkeboer
