authorStuart Henderson <sthen@cvs.openbsd.org>2014-03-21 00:23:16 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2014-03-21 00:23:16 +0000
commitff7420b529f117c8ca03b43c5c758761d1f80d1a (patch)
tree79d3ceaddba84a7425655dcb8b5bab54a50f46cf /etc
parent6333e27bc7d51ca9bbef167cac8021835a22160c (diff)
Install a /var/unbound/db directory, writable by the _unbound daemon,
and use it as the default location for the DNSSEC root key. Update default config for this location. With this, the only step required to enable DNSSEC validation is to uncomment these default config entries and restart: #module-config: "validator iterator" #auto-trust-anchor-file: "/var/unbound/db/root.key" There is no longer a requirement to run unbound-anchor manually to update the root key. The rc.d script will take care of updates at boot, and Unbound will manage the file itself at runtime. Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.
Diffstat (limited to 'etc')
-rw-r--r--etc/mtree/4.4BSD.dist7
-rw-r--r--etc/unbound.conf6
2 files changed, 9 insertions, 4 deletions
diff --git a/etc/mtree/4.4BSD.dist b/etc/mtree/4.4BSD.dist
index 7798585370f..2c92afb50d2 100644
--- a/etc/mtree/4.4BSD.dist
+++ b/etc/mtree/4.4BSD.dist
@@ -1,4 +1,4 @@
-# $OpenBSD: 4.4BSD.dist,v 1.244 2014/03/18 22:36:29 miod Exp $
+# $OpenBSD: 4.4BSD.dist,v 1.245 2014/03/21 00:23:15 sthen Exp $
/set type=dir uname=root gname=wheel mode=0755
# .
@@ -1362,6 +1362,11 @@ etc uname=root gname=wheel mode=0755
# ./var/unbound/etc
..
+# ./var/unbound/db
+db uname=root gname=_unbound mode=0775
+# ./var/unbound/db
+..
+
# ./var/unbound
..
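Review bot: The new `db uname=root gname=_unbound mode=0775` entry makes the trust-anchor directory writable by gid _unbound, so root.key stops being a root-controlled file: the daemon, and anything else running with that group, can replace or remove the anchor and have the change survive a restart. That is what auto-trust-anchor-file needs, since Unbound rewrites the file in place for key rollovers, so the mode itself is the right choice. The rc.d script the description says handles updates at boot is not in this diff, so I cannot see whether a missing or tampered file is re-seeded from a built-in key rather than trusted as found; worth confirming on that side.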
diff --git a/etc/unbound.conf b/etc/unbound.conf
index 4e0e8148b4c..ecb1fd1f382 100644
--- a/etc/unbound.conf
+++ b/etc/unbound.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: unbound.conf,v 1.1 2014/03/15 00:34:18 sthen Exp $
+# $OpenBSD: unbound.conf,v 1.2 2014/03/21 00:23:15 sthen Exp $
server:
interface: 127.0.0.1
@@ -14,10 +14,10 @@ server:
hide-identity: yes
hide-version: yes
- # Enable DNSSEC validation. Fetch a root key with unbound-anchor(8).
+ # Uncomment to enable DNSSEC validation.
#
#module-config: "validator iterator"
- #auto-trust-anchor-file: "/var/unbound/etc/root.key"
+ #auto-trust-anchor-file: "/var/unbound/db/root.key"
# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service. Note use of "nodefault" for AS112 zones,
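Review bot: The replacement comment `# Uncomment to enable DNSSEC validation.` drops the only hint about where the key comes from, so an admin who uncomments `auto-trust-anchor-file` cannot tell from the file whether /var/unbound/db/root.key must be created by hand or is provisioned for them. The commit description says the rc.d script fetches it at boot and Unbound maintains it at runtime, which is exactly what belongs here; I would write `# Uncomment to enable DNSSEC validation. The root key is fetched at boot` / `# by the rc.d script and kept up to date by Unbound; no manual unbound-anchor run is needed.` The enclosing server: section continues past the end of the hunk.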