Open Gatsby-Lee opened 8 months ago
Gatsby, good question.
Your understanding is correct that the unbound.sh script that runs at container creation executes /opt/unbound/sbin/unbound-anchor -a /opt/unbound/etc/unbound/var/root.key and sets auto-trust-anchor-file: "var/root.key" in the default config. It uses that location due to the chroot setting (chroot: "/opt/unbound/etc/unbound").
I have not explicitly tested this to confirm that it updates itself if the container isn't re-initialized for a long time. However, my understanding of the Unbound docs is that "Unbound uses RFC5011 updates to keep the anchor updated if it is changed while the computer is in operation, but the unbound-anchor tool is used if it is changed while the computer is not in operation."
This other doc may also be helpful: https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html
Does this help?
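As an added example (not code from this repository, from MatthewVance or from Gatsby-Lee), here is a small Python check of the point made above: with chroot set, Unbound resolves the relative auto-trust-anchor-file path inside the chroot, while unbound-anchor runs outside the chroot and must be given the full host path. The helper below parses a minimal server: clause, works out the host-side path of a file option, and confirms it matches the path handed to unbound-anchor -a. The config snippet (including the directory: line), the function names and the path-resolution rules encoded in host_path are assumptions modelled on Unbound's documented chroot/directory handling; verify them against your own unbound.conf(5).

```python
import re

# Constructed config snippet mirroring the settings discussed in the thread.
# The directory: line is an assumption; the repository's actual config may differ.
SAMPLE_CONF = '''
server:
    chroot: "/opt/unbound/etc/unbound"
    directory: "/opt/unbound/etc/unbound"
    auto-trust-anchor-file: "var/root.key"
    root-hints: "root.hints"
'''

# Matches simple  option: "value"  or  option: value  lines, ignoring trailing comments.
_OPT = re.compile(r'^\s*([a-z0-9-]+):\s*"?([^"\s#]*)"?\s*(?:#.*)?$')


def parse_server_options(conf_text):
    """Return {option: value} for single-valued lines in an unbound.conf text.

    Clause headers such as 'server:' have an empty value and are skipped;
    if an option is repeated, the last occurrence wins.
    """
    opts = {}
    for line in conf_text.splitlines():
        m = _OPT.match(line)
        if m and m.group(2):
            opts[m.group(1)] = m.group(2)
    return opts


def host_path(opts, option):
    """Host-side (outside the chroot) path for a file option.

    Rules assumed here, following the unbound.conf(5) description:
      * a path that already starts with the chroot prefix is a host path;
        Unbound strips the prefix itself when it opens the file;
      * any other absolute path is interpreted inside the chroot;
      * a relative path is relative to 'directory', which itself lives
        inside the chroot (Unbound chdirs there after chroot(2)).
    """
    value = opts[option]
    chroot = opts.get("chroot", "").rstrip("/")
    directory = opts.get("directory", "").rstrip("/")
    if chroot and value.startswith(chroot + "/"):
        return value
    if value.startswith("/"):
        return chroot + value
    if chroot and (directory == chroot or directory.startswith(chroot + "/")):
        directory = directory[len(chroot):]
    prefix = chroot + directory
    return prefix + "/" + value if prefix else value


def anchor_paths_agree(conf_text, anchor_cli_path):
    """True if the file Unbound will read as its trust anchor (inside the chroot)
    is the same host file that 'unbound-anchor -a <path>' was told to write."""
    opts = parse_server_options(conf_text)
    return host_path(opts, "auto-trust-anchor-file") == anchor_cli_path


def refresh_command(conf_text, anchor_bin="/opt/unbound/sbin/unbound-anchor"):
    """The unbound-anchor invocation that keeps root.key in the place the config expects.
    The binary location is the one named in the thread; adjust for your image."""
    opts = parse_server_options(conf_text)
    return [anchor_bin, "-a", host_path(opts, "auto-trust-anchor-file")]


if __name__ == "__main__":
    print(" ".join(refresh_command(SAMPLE_CONF)))
    print("paths agree:", anchor_paths_agree(SAMPLE_CONF, "/opt/unbound/etc/unbound/var/root.key"))
```

Running the script prints the same unbound-anchor command line that the thread describes; passing a path such as /var/root.key instead would report a mismatch, which is the failure mode to look for when a chrooted Unbound reports that it cannot read its anchor file.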
@MatthewVance Thank you for your response.
I was confused about root.hints and root.key.
I am trying to use unbound DNS as a recursive DNS, not a forwarding DNS. To do that, I should get the root.hints and I should refresh it every 6 months. To refresh, I pretty much have to restart the container, and the unbound DNS will lose the cached DNS and get slower.
I am wondering if there is a way not to stop the running unbound and reload the updated config or root.hints. If you're not sure, no worries.
Thank you
@MatthewVance BTW, do you happen to know why this repo's Dockerfile can't be used to build an image for amd64? Also, when I tried to build ARM / ARM64 images with the unbound-docker repo, it failed as well.
When I compared the two Dockerfiles, I don't see much difference. (Maybe I can't see the difference due to my lack of knowledge.)
Hello,
First, I really appreciate your work. I believe your work has helped lots of people.
The question I'd like to ask you is whether it's required or necessary to restart Unbound to refresh the root.key. I read somewhere that the root.key should be updated (mostly by the package manager).
If I understood the unbound.sh in this repo, the unbound.sh updates the root.key when the container is initialized the first time. So, I am wondering if I have to (or need to) set up a crontab schedule that stops (and removes) the Unbound container on a schedule.
Thank you, Gatsby