[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
[Install]
WantedBy=multi-user.target
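Review bot: `Before=network-online.target` on the added ordering line means the resolver is started before the network is reported as fully configured, and nothing in the unit documents that trade-off. If the resolver is configured to listen on a specific interface address rather than a wildcard, that address may not exist yet at start time and the bind could fail; this is inferred from the ordering alone, so confirm it against the daemon's bind behaviour. A short comment above the three added lines would help, for example `# Ordering follows systemd-resolved: start before nss-lookup.target so name lookups wait for the resolver`.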
ExecStart=@UNBOUND_SBIN_DIR@/unbound
NotifyAccess=main
Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
-RestrictAddressFamilies=AF_INET AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
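Review bot: Adding `CAP_SYS_RESOURCE` to `CapabilityBoundingSet` widens what the resolver process may hold, and the unit does not record why it is needed; the changelog entry says only that it fixes warnings about missing privileges during startup. The capability allows overriding resource limits, among other things, so name the operation that needs it in a comment above the line, e.g. `# CAP_SYS_RESOURCE: required for <operation that emitted the startup warning>`, so a later hardening pass does not have to rediscover it. `SystemCallFilter` on the last line still denies `@resources`, so if the warnings came from rlimit-changing calls those would presumably stay blocked; check which of the two settings governs the failing call. The `[Service]` header is not among the visible lines.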
+7 August 2018: Wouter
+ - Fix #4142: unbound.service.in: improvements and fixes.
+ Add unit dependency ordering (based on systemd-resolved).
+ Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
+ about missing privileges during startup). Add 'AF_INET6' to
+ 'RestrictAddressFamilies' (without it IPV6 can't work). From
+ Guido Shanahan.
+
6 August 2018: Wouter
- Fix for #4136: Fix to unconditionally call destroy in daemon.c.