Unbound/NSD rc startup order

[Matt Smith]

Hi,

I have run Unbound and NSD for a long time and everything was working 
fine until the recent 1.5.x update for Unbound. Now if I reboot my 
server I get DNSSEC validation errors for my own local domain until I 
restart Unbound once again. I believe this is possibly related to the rc 
startup order.

My setup is that I have my local domain as an authoritative DNSSEC 
signed zone in NSD and then I use a stub-zone in Unbound which points to 
the NSD instance.  I also hard-wire the DNSSEC key for this domain into 
Unbound using a trust-anchor-file declaration.

When I rebooted my server last night this domain was failing validation 
with this error:

info: validation failure <host.example.com. A IN>: no DNSKEY rrset for 
trust anchor example.com. while building chain of trust

If I restart unbound again then it works fine. The default rcorder is to 
start Unbound first followed by Unbound. I'm wondering if since 1.5.x 
Unbound now attempts to read some data from the stub-zone which fails 
because NSD isn't running but then when I restart it it works 
successfully?

As a test I added nsd as a REQUIRE in the unbound rc.d script, rebooted 
again, and saw that it successfully worked as it did before I upgraded.  
It could just be an unrelated coincidence, but if it isn't I'm thinking 
the default rc order should maybe be changed for these ports?

--
Matt