diff --git a/unbound-anchor.service b/unbound-anchor.service
new file mode 100644
index 0000000..ef71cd3
--- /dev/null
+++ b/unbound-anchor.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=update of the root trust anchor for DNSSEC validation in unbound
+Documentation=man:unbound-anchor(8)
+
+[Service]
+Type=oneshot
+User=unbound
+ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+SuccessExitStatus=1
diff --git a/unbound-anchor.timer b/unbound-anchor.timer
new file mode 100644
index 0000000..082e063
--- /dev/null
+++ b/unbound-anchor.timer
@@ -0,0 +1,13 @@
+[Unit]
+Description=daily update of the root trust anchor for DNSSEC
+Documentation=man:unbound-anchor(8)
+
+[Timer]
+# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
+# It means that unboud-anchor should be run at least once a day.
+OnCalendar=daily
+Persistent=true
+AccuracySec=24h
+
+[Install]
+WantedBy=timers.target
diff --git a/unbound.changes b/unbound.changes
index c209191..c08ea8f 100644
--- a/unbound.changes
+++ b/unbound.changes
@@ -4,6 +4,11 @@ Tue Dec 11 19:59:00 UTC 2018 - Michael Ströder
 - update to 1.8.3 fixes crash bug introduced in 1.8.2 in the dns64 processing.
+-------------------------------------------------------------------
+Tue Dec 11 17:44:56 UTC 2018 - Rubén Torrero Marijnissen
+
+- Migrate from cron to systemd timers (bsc#1115417)
+
 -------------------------------------------------------------------
 Wed Dec 5 11:12:42 UTC 2018 - Michael Ströder
diff --git a/unbound.cron b/unbound.cron
deleted file mode 100644
index e928178..0000000
--- a/unbound.cron
+++ /dev/null
@@ -1,3 +0,0 @@
-# Look to see if the DNSSEC Root key got rolled, if so check trust and update
-
-10 3 1 * * unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem
diff --git a/unbound.service b/unbound.service
index 54f6c99..8ccb407 100644
--- a/unbound.service
+++ b/unbound.service
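Review bot: The new `[Service]` section in unbound-anchor.service has no sandboxing beyond `User=unbound`, although the tool it runs processes data obtained over the network and then rewrites the DNSSEC trust anchor. Going by the `ExecStart=` line the only location it has to write is under /var/lib/unbound, so the unit can be confined to that directory with standard systemd directives, as sketched below (where the targeted systemd versions support them). A comment above `SuccessExitStatus=1` would also help: as I read unbound-anchor(8), exit status 1 means the anchor was updated from the certificate bundle or the built-in anchor, and the tool exits 0 on errors, so a failed refresh will not mark the unit as failed.

```ini
[Service]
# … unchanged: Type=, User=, ExecStart=, SuccessExitStatus= …
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/lib/unbound
```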
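Review bot: `AccuracySec=24h` in the `[Timer]` section of unbound-anchor.timer lets systemd place each run anywhere within a 24-hour window after the `OnCalendar=daily` trigger. That is looser than the comment's own requirement of at least one run a day against a two-day DNSKEY TTL. A tighter window such as `AccuracySec=1h` keeps consecutive runs close to 24 hours apart. The comment also misspells the tool name and should read `# It means that unbound-anchor should be run at least once a day.`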
@@ -3,6 +3,7 @@ Description=Unbound recursive Domain Name Server
 After=syslog.target network.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
+Wants=unbound-anchor.timer
 Before=nss-lookup.target
 Wants=nss-lookup.target
diff --git a/unbound.spec b/unbound.spec
index 7e75911..abdd88d 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -109,9 +109,10 @@ Source11: block-example.com.conf
 Source12: icannbundle.pem
 Source13: root.anchor
 Source14: unbound.sysconfig
-Source15: unbound.cron
+Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound.firewall
+Source18: unbound-anchor.service
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 License: BSD-3-Clause
@@ -171,7 +172,6 @@ This package holds the development files to work with libunbound.
 %package anchor #
-Requires: cron
 Summary: Unbound Anchor cert management tools
 Group: Productivity/Networking/DNS/Servers
@@ -240,9 +240,9 @@ install -D -p -m 0644 %{SOURCE14} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound
 ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcunbound-keygen
+install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
+install -p -m 0644 %{SOURCE18} %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0644 %{SOURCE16} .
-install -d 0755 %{buildroot}%{_sysconfdir}/cron.d
-install -p -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/cron.d/unbound-anchor
 install -d 0755 %{buildroot}%{fwdir}
 install -p -m 0644 %{SOURCE17} %{buildroot}%{fwdir}/%{name}
@@ -306,6 +306,7 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
 make check ||:
 %pre anchor
+%service_add_pre unbound-anchor.service unbound-anchor.timer
 getent group unbound >/dev/null || groupadd -r unbound
 getent passwd unbound >/dev/null || \
 useradd -g unbound -s /bin/false -r -c "unbound caching DNS server" \
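Review bot: The added `Wants=unbound-anchor.timer` in unbound.service starts the timer whenever the resolver starts, whether or not the timer unit is enabled. On hosts that pin their trust anchor, `systemctl disable unbound-anchor.timer` alone will therefore not stop the periodic fetch. A comment above the line would make that visible, for example `# Refresh the DNSSEC root trust anchor while the resolver runs; mask unbound-anchor.timer to opt out`. The `[Unit]` section starts and ends outside this hunk.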
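Review bot: The `%service_add_pre unbound-anchor.service unbound-anchor.timer` line added under `%pre anchor` (hunk `@@ -306,6 +306,7 @@`) is not wrapped in `%if %{with systemd}`. The `%post anchor`, `%preun anchor` and `%postun anchor` scriptlets added later in this patch are guarded, and the existing `%service_add_pre unbound-keygen.service unbound.service` call is closed by an `%endif`. For consistency it should read `%if %{with systemd}` / `%service_add_pre unbound-anchor.service unbound-anchor.timer` / `%endif`. The unit-file `install` lines in hunk `@@ -240,9 +240,9 @@` and the `%{_unitdir}` entries in hunk `@@ -418,7 +434,8 @@` also look unconditional in the visible context, and with the cron job removed a build without systemd would ship no periodic anchor refresh. The `%pre anchor` scriptlet continues past the end of this hunk.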
@@ -316,6 +317,11 @@ getent passwd unbound >/dev/null || \
 %service_add_pre unbound-keygen.service unbound.service
 %endif
+%post anchor
+%if %{with systemd}
+%service_add_post unbound-anchor.service unbound-anchor.timer
+%endif
+
 %post
 %fillup_only %{name}
 %if %{with systemd}
@@ -323,6 +329,11 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
 %service_add_post unbound-keygen.service unbound.service
 %endif
+%preun anchor
+%if %{with systemd}
+%service_del_preun unbound-anchor.service unbound-anchor.timer
+%endif
+
 %preun
 %if %{with systemd}
 %service_del_preun unbound-keygen.service unbound.service
@@ -330,6 +341,11 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
 %stop_on_removal %{name}
 %endif
+%postun anchor
+%if %{with systemd}
+%service_del_postun unbound-anchor.service unbound-anchor.timer
+%endif
+
 %postun
 %if %{with systemd}
 %service_del_postun unbound-keygen.service unbound.service
@@ -418,7 +434,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
 %dir %{_sysconfdir}/%{name}/
 %{_sbindir}/unbound-anchor
 %config %{_sysconfdir}/%{name}/icannbundle.pem
-%config %{_sysconfdir}/cron.d/unbound-anchor
+%{_unitdir}/unbound-anchor.timer
+%{_unitdir}/unbound-anchor.service
 %dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key