On Thu, 9 Feb 2017, W.C.A. Wijngaards via Unbound-users wrote:
> - configure --enable-systemd and lets unbound use systemd sockets if you
>   enable use-systemd: yes in unbound.conf. Also there are
>   contrib/unbound.socket and contrib/unbound.service: systemd files for
Looking at the unbound.conf man page, I see that the socket support is for
socket activation. I know that the systemd people think that is all cool and
stuff, but I really don't know if this is appropriate for various daemons,
especially DNS. Any service requiring DNS will pretty much block until it gets
a DNS answer. I don't think pointing resolv.conf to something not running yet
is a swell idea either. Much better to confirm the DNS server is working before
pointing resolv.conf at it.

And what is port 1153 used for? According to IANA this port is used for
transporting ANSI C12.22/IEEE 1703/MC12.22 Advanced Metering Infrastructure
(AMI) Application Layer Messages on an IP network as per RFC-6142. I don't
think unbound should be using that port.

    c1222-acse      1153/tcp    # ANSI C12.22 Port

Also, the port is > 1024, so that makes me doubly reserved about unbound as a
daemon running the port. Any user could grab that port. I'm not clear on the
security implications of that.

If you really want to ship an unbound service file, I think this one that is
used by rhel/fedora is much better, as it also deals with not restarting and
failing on a bad configuration file, trying to update the DNSSEC root key
before starting, and generating the keys and certs to use unbound-control
properly.

    [Unit]
    Description=Unbound recursive Domain Name Server
    After=network.target
    After=unbound-keygen.service
    Wants=unbound-keygen.service
    Wants=unbound-anchor.timer
    Before=nss-lookup.target
    Wants=nss-lookup.target

    [Service]
    Type=simple
    EnvironmentFile=-/etc/sysconfig/unbound
    ExecStartPre=/usr/sbin/unbound-checkconf
    ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
    ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
    ExecReload=/usr/sbin/unbound-control reload

    [Install]
    WantedBy=multi-user.target

Paul
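One way to act on the point above about confirming the resolver works before anything points resolv.conf at it, as an added example that is not part of this thread or of unbound's contrib files: a readiness gate to run from ExecStartPost= in the service above, so nss-lookup.target is only reached once unbound answers and validates. It assumes unbound listens on 127.0.0.1, that unbound-control is usable (the unbound-keygen step in the unit), and that dig is installed at /usr/bin/dig.

```shell
#!/bin/sh
# unbound-ready.sh: readiness gate for ExecStartPost= in unbound.service.
# Added example; the paths, the 127.0.0.1 listener and the use of
# unbound-control and dig as probes are assumptions, not from the thread.

RESOLVER=${RESOLVER:-127.0.0.1}
DIG=${DIG:-/usr/bin/dig}
UNBOUND_CONTROL=${UNBOUND_CONTROL:-/usr/sbin/unbound-control}

# control_probe: the control channel answers only once the daemon is up
# and the keys/certs generated by unbound-keygen are in place.
control_probe() {
    "$UNBOUND_CONTROL" status >/dev/null 2>&1
}

# dnssec_probe: ask the local resolver for the root SOA and require the
# AD flag, i.e. the trust anchor maintained by unbound-anchor is in use.
dnssec_probe() {
    "$DIG" +dnssec +time=2 +tries=1 @"$RESOLVER" . SOA 2>/dev/null \
        | grep -q '^;; flags:.* ad[; ]'
}

# wait_for PROBE ATTEMPTS INTERVAL: run PROBE up to ATTEMPTS times,
# INTERVAL seconds apart. Returns 0 on the first success, 1 if exhausted.
wait_for() {
    probe=$1; attempts=$2; interval=$3
    n=0
    while [ "$n" -lt "$attempts" ]; do
        if "$probe"; then
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    return 1
}

# main: fail the unit start if the daemon never becomes a validating resolver.
main() {
    wait_for control_probe 10 1 \
        || { echo "unbound: control channel not answering" >&2; return 1; }
    wait_for dnssec_probe 10 1 \
        || { echo "unbound: no validated answer from $RESOLVER" >&2; return 1; }
    echo "unbound: ready and validating on $RESOLVER"
}

# Run the gate only when installed under this name; sourcing the file
# elsewhere just defines the functions.
case "${0##*/}" in unbound-ready.sh) main ;; esac
```

Wire it in with `ExecStartPost=/usr/local/sbin/unbound-ready.sh`; a non-zero exit there marks the unit as failed instead of letting nss-lookup.target proceed against a resolver that is not yet answering.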
