> > From unbound-anchor.8 I understand that unbound-anchor can be run from the
> > command line, or run as part of startup scripts _before_ the actual (unbound)
> > DNS server is started. So there is no need for DNS. Proposal therefore is to
> > run unbound-anchor automatically before starting the unbound daemon (rc_pre in
> > unbound rc-script).
>
> This (i.e. connecting out to https://data.iana.org from the system startup
> scripts) should *not* happen by default even if unbound is enabled. There
> would need to be a separate option controlling this.

How about letting /var/unbound/etc/unbound.conf control this behavior?

In the startup script (rc.d-script):

    rc_pre() {
        # Run unbound-anchor unless unbound.conf contains a commented-out
        # auto-trust-anchor-file line.
        if ! egrep "# *auto-trust-anchor-file:" /var/unbound/etc/unbound.conf >/dev/null; then
            sudo -u _unbound /usr/sbin/unbound-anchor
        fi
    }

The same behavior can be obtained by writing a wrapper.

Although these 'solutions' work, they are not elegant. What say thou?
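
An added example, not part of the original thread and not the project's rc script: a pre-start check that combines the two ideas above, an explicit opt-in plus a test for an active (uncommented) auto-trust-anchor-file line in unbound.conf. The names unbound_anchor_bootstrap and ANCHOR_CMD are hypothetical, the privilege drop to _unbound is left out, and the demo uses a constructed config and a stub in place of the real tool.

```sh
#!/bin/sh
# Added example. unbound_anchor_bootstrap and ANCHOR_CMD are hypothetical names.

# Print the path from the first active (uncommented) auto-trust-anchor-file
# line of the given unbound.conf; return 1 when there is none.
active_anchor_file() {
    awk '
        { sub(/#.*/, "") }                  # drop comments, incl. "# auto-trust-..."
        $1 == "auto-trust-anchor-file:" {
            path = $2; gsub(/"/, "", path)  # strip optional quotes
            if (path != "") { print path; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Pre-start step: prints what it decided; returns non-zero only when the
# anchor was requested but is still missing afterwards.
anchor_pre() {
    [ "${unbound_anchor_bootstrap:-NO}" = YES ] || { echo "skip: not opted in"; return 0; }
    file=$(active_anchor_file "$1") || { echo "skip: no active anchor file"; return 0; }
    # unbound-anchor(8) exits 1 when it updated the anchor and 0 even on
    # error, so ignore its status and check the file instead.
    ${ANCHOR_CMD:-/usr/sbin/unbound-anchor} -a "$file" || :
    if [ -s "$file" ]; then echo "ok: $file"; else echo "fail: $file"; return 1; fi
}

# Constructed demo: sample configs and a stub instead of the real tool,
# so nothing connects out. Runs in a subshell to keep variables local.
demo() (
    d=$(mktemp -d) || exit 1
    printf 'server:\n\t# auto-trust-anchor-file: "%s/off.key"\n' "$d" > "$d/off.conf"
    printf 'server:\n\tauto-trust-anchor-file: "%s/root.key"\n' "$d" > "$d/on.conf"
    stub() { echo constructed-key > "$2"; return 1; }
    ANCHOR_CMD=stub
    unbound_anchor_bootstrap=NO;  anchor_pre "$d/on.conf"
    unbound_anchor_bootstrap=YES; anchor_pre "$d/off.conf"
    unbound_anchor_bootstrap=YES; anchor_pre "$d/on.conf"
    rm -rf "$d"
)
demo
```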