unbound (1.5.7-2) unstable; urgency=medium The unbound package no longer ships an /etc/default/unbound conffile. If modified, it will be renamed to /etc/default/unbound.dpkg-bak after upgrading. The /etc/default/unbound file, if it exists, will still be read and the behavior of the package can be modified, but the defaults have been changed to make it unnecessary for most users to need an /etc/default/unbound file. The following variables are still supported by the /etc/default/unbound file, if it exists: DAEMON_OPTS If set, the value of this variable will be appended to the daemon command-line. RESOLVCONF This variable now must be explicitly set to "false" to disable the unbound package's resolvconf provider. Otherwise, it defaults to enabled if unset. In previous versions, this variable had to be explicitly set to "true" to enable the resolvconf provider, but the /etc/default/unbound file shipped with it explicitly enabled. ROOT_TRUST_ANCHOR_FILE This variable can be explicitly set to override the path used by the root trust anchor update mechanism for the root trust anchor. Otherwise, it defaults to /var/lib/unbound/root.key if unset. ROOT_TRUST_ANCHOR_UPDATE This variable now must be explicitly set to "false" to disable the root trust anchor update mechanism. Otherwise, it defaults to enabled if unset. In previous versions, this variable had to be explicitly set to "true" to enable the update mechanism, but the /etc/default/unbound file shipped with it explicitly enabled. The following variables are no longer supported by the /etc/default/unbound file, but were present in previous versions: UNBOUND_ENABLE This variable controlled whether or not the init script would start the Unbound daemon. Instead, use the standard Debian mechanisms for enabling or disabling a service started by the init system. RESOLVCONF_FORWARDERS This variable controlled whether or not the upstream nameservers supplied by resolvconf were configured into the running Unbound instance with the "unbound-control forward" command, via a resolvconf update.d hook. This mechanism still exists, but the variable controlling it has been removed. Instead, add or remove the executable bit from the /etc/resolvconf/update.d/unbound file to enable or disable the hook. This release also makes the following changes: The resolvconf update.d hook can be problematic, especially if the upstream nameservers do not perform DNSSEC validation, or if a "forward-zone" declaration for the root zone has been statically configured by the administrator. In previous versions, the hook was enabled by default, but it is now disabled by default. It can be explicitly enabled by running "chmod +x /etc/resolvconf/update.d/unbound". The unbound package now depends on the dns-root-data package, and the root trust anchor update mechanism has been enhanced to import the root trust anchor from /usr/share/dns/root.key on new installations, or if the /usr/share/dns/root.key file is newer than /var/lib/unbound/root.key. -- Robert Edmonds Sun, 21 Feb 2016 16:01:33 -0500