unbound: improve maintenance of trust anchor

Unbound UCI tries to protect embedded flash from excess use. Unbound RFC5011 KSK tracking can rewrite root.key every few minutes to an hour. It also writes and destroys files in the same directory during the process. Recommended UCI delays for copying busy work in /var/ back to /etc/ may be too conservative. These are all changed from 28 to 9 days. The RFC5011 KSK results were also destroyed by an init.d restart, even if /var/ is mounted on persistent storage like USB drive. /var/lib/unbound/root.key is now preserved during this process, unless a newer key is installed in /etc/ manually or package update. Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2026-04-30 15:38:40 +01:00 · 2017-03-02 00:28:35 -05:00
parent 2b6a84ff65
commit a4f23e52bf
5 changed files with 23 additions and 9 deletions
@@ -26,7 +26,7 @@ rootzone_uci() {
  # This will likely be called outside of "start_service()" context
  config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
  config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
-  config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 30
+  config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
 }

 ##############################################################################