Store 0 conf dnssec state in /var/cache/stubby with systemd setups

Relates to issue #106

stubby.yml.example

@@ -75,12 +75,17 @@ round_robin_upstreams: 1
 # dnssec_return_status: GETDNS_EXTENSION_TRUE
 
 # Stubby tries to fetch and validate the DNSSEC root trust anchor on the fly
-# when needed (Zero configuration DNSSEC), but only if it can store it.
-# The default location to store these files is the ".getdns" subdirectory in
-# the user's home directory, but when stubby runs as a special user without
-# a home directory (such as in setups using systemd), a directory needs to
-# be provided that is writable (and readable) by that special system user.
-# appdata_dir: "/run/stubby"
+# when needed (Zero configuration DNSSEC), but only if it can store then
+# somewhere.  The default location to store these files is the ".getdns"
+# subdirectory in the user's home directory. If there is no home directory, or
+# the .getdns subdirectory could not be created (or is not present), Stubby
+# will fall back to the current working directory to try to store the
+# trust-anchor files.
+# When stubby runs as a special system-level user without a home directory
+# however (such as in setups using systemd), it is recommended that an explicit
+# location for storing the trust-anchor files is provided that is writable (and
+# readable) by that special system user.
+# appdata_dir: "/var/cache/stubby"
 
 # Specify the location of the installed trust anchor file (leave commented out
 # for zero configuration DNSSEC)

systemd/README.md

@@ -5,18 +5,38 @@ For GNU/Linux operating systems which use systemd as a process
 manager, you might want to run stubby as a system service.
 
 This directory provides recommended systemd unit files.
+Normally, a downstream distributor will install it as:
 
-This setup assumes that there is a system-level user named "stubby"
-which is in group "stubby", and try to limit the privileges of the
-running daemon to that user as closely as possible.
+    /lib/systemd/system/stubby.service
 
-Normally, a downstream distributor will install them as:
+For systemd versions before 235:
 
-    /usr/lib/tmpfiles.d/stubby.conf
-    /lib/systemd/system/stubby.service
+  * This setup assumes that there is a system-level user named "stubby"
+    which is in group "stubby", and try to limit the privileges of the running
+    daemon to that user as closely as possible.
+
+    The stubby.conf file also needs to be installed in:
+
+        /usr/lib/tmpfiles.d/stubby.conf
+
+    to make sure a cache directory is created for stubby on startup.
+
+
+For systemd version of 235 and higher:
+
+  * Creation of the system-level user and the cache directory is handled
+    automatically by systemd and no further actions are required.
+
+
+When the system-level user does have a home directory, stubby will store the
+for Zero configuration DNSSEC dynamically acquired root trust anchor in a
+subdirectory called ".getdns" of that home directory.  If the system-level
+user does not have a home directory or the home directory is not writeable
+or readable, stubby will fallback to the current working directory.
 
-When the system-level user does not have a home directory, a directory
-for storing the with Zero configuration DNSSEC dynamically acquired root
-trust anchor needs to be specified with a "appdata_dir" directive in the
-stubby.yml configuration file.  Please see the relevant section in the
-stubby.yml.example example configuration file.
+This can be overruled by supplying a "appdata_dir" in the stubby.yml
+configuration file.  When a "appdata_dir" was specified, that directory will be
+used for storing data related to Zero configuration DNSSEC immediately, without
+the other paths being tried.  It is recommended for systemd setups using the
+provided systemd.service file(s) to have a "appdata_dir" directive set to
+"/var/cache/stubby" in the stubby.yml configuration file.

systemd/stubby.conf

@@ -1,2 +1,2 @@
 # tmpfiles.d (5) for use with stubby.service
-d /run/stubby 0750 stubby stubby - -
+d /var/cache/stubby 0750 stubby stubby - -

systemd/stubby.service

@@ -2,11 +2,13 @@
 Description=stubby DNS resolver
 
 [Service]
-WorkingDirectory=/run/stubby
+User=stubby
+DynamicUser=yes
+CacheDirectory=stubby
+WorkingDirectory=/var/cache/stubby
 ExecStart=/usr/bin/stubby
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-User=stubby
 
 [Install]
 WantedBy=multi-user.target