# Implementation Plan: Unbound Isolated Restore Test

Date: 2026-06-07

## Goal

Verify that the Unbound config-level backup can be restored and used by Unbound without overwriting production DNS configuration, changing the production systemd service, or touching router/DHCP/Tailscale settings.

## Safety Boundaries

- Do not modify production `/etc/unbound/` on CTID 106.
- Do not restart or reload the production `unbound` systemd service.
- Do not change router, DHCP, OPNsense, or Tailscale DNS settings.
- Use a temporary restore directory under `/tmp/` and a temporary Unbound process bound to `127.0.0.1:1053`.
- Remove temporary files/processes after verification.

This test uses CTID 106 as the runtime environment because it already has compatible Unbound tooling installed. It is isolated from production by using temporary config paths and a non-production loopback port.

## Artifact

Source backup artifact on Nimrod:

```text
/home/piagent/backups/unbound/unbound-20260607T044755Z.tar.gz
/home/piagent/backups/unbound/unbound-20260607T044755Z.sha256
```

## Procedure Used

1. Verify the off-guest artifact checksum on Nimrod:

   ```sh
   cd /home/piagent/backups/unbound
   sha256sum -c unbound-20260607T044755Z.sha256
   ```

2. Copy the artifact temporarily to CTID 106 under `/tmp/`.
3. Extract it into `/tmp/unbound-restore-test.*`.
4. Rewrite only the temporary restored config so:
   - `include-toplevel` points at the temporary restored config directory
   - interface is `127.0.0.1`
   - port is `1053`
5. Run `unbound-checkconf` against the temporary restored config.
6. Start a temporary `unbound -d -c <temporary config>` process.
7. Query representative records on `127.0.0.1:1053`.
8. Verify production `systemctl is-active unbound` remains `active`.
9. Remove the temporary process, restore directory, copied artifact, and log.
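
Step 4 is the step that keeps the test isolated. As an added example (not from the plan or the Unbound project), here is that rewrite as a POSIX shell function, plus a check that the temporary copy no longer points at production; it assumes the restored tree is laid out as `<restore_dir>/etc/unbound/unbound.conf` and that the config uses the `interface:`, `port:` and `include-toplevel:` directives named above.

```sh
# Added example (not from the plan or the Unbound project): step 4 as a shell
# function, plus a check that the temporary copy no longer points at production.
# Assumes the restored tree is <restore_dir>/etc/unbound/unbound.conf and that the
# config uses `interface:`, `port:` and `include-toplevel:` directives.

# Rewrite only the temporary copy: one loopback interface, port 1053, and
# include-toplevel resolved inside the restore directory instead of /etc/unbound.
rewrite_restored_conf() {
    restore_dir=$1
    conf="$restore_dir/etc/unbound/unbound.conf"
    # Guard: only a /tmp/unbound-restore-test.* tree may be rewritten, so a
    # mistyped path can never reach the production config on CTID 106.
    case "$restore_dir" in
        /tmp/unbound-restore-test.*) ;;
        *) echo "refusing to rewrite non-temporary dir: $restore_dir" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    awk -v dir="$restore_dir" '
        # keep the first interface line (as 127.0.0.1) and drop any others so
        # the test process binds exactly one loopback address
        /^[[:space:]]*interface:/ { if (seen_if++) next; sub(/interface:.*/, "interface: 127.0.0.1") }
        /^[[:space:]]*port:/      { sub(/port:.*/, "port: 1053") }
        /^[[:space:]]*include-toplevel:/ { sub("/etc/unbound/", dir "/etc/unbound/") }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Succeed only if the copy listens on 127.0.0.1:1053 and no include line still
# references the production directory; run this before unbound-checkconf (step 5).
check_isolated_conf() {
    conf="$1/etc/unbound/unbound.conf"
    grep -q '^[[:space:]]*interface: 127\.0\.0\.1$' "$conf" || return 1
    grep -q '^[[:space:]]*port: 1053$' "$conf" || return 1
    if grep '^[[:space:]]*include' "$conf" | grep -q '[" ]/etc/unbound/'; then
        echo "config still includes from production /etc/unbound" >&2
        return 1
    fi
}
```

Both functions refuse or fail closed rather than guess, so a failed check means the restore directory is left untouched for inspection.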

## Verification Evidence

Observed successful results:

```text
unbound-20260607T044755Z.tar.gz: OK
unbound-checkconf: no errors in /tmp/unbound-restore-test.*/etc/unbound/unbound.conf
search=192.168.0.137
proxy=192.168.0.137
dashboard=192.168.0.137
production unbound service: active
```

Cleanup check after the test found no remaining temporary restore directory, copied artifact, or temporary Unbound process.

## Documentation Updates

Updated:

- `runbooks/unbound-internal-dns.md`
- `infra/proxmox-registry.yaml`
- `ansible/inventories/homelab/hosts.yml`
- `tickets/active/2026-06-07-service-backup-standard.md`
- `tickets/active/2026-06-07-standalone-unbound-internal-dns.md`
- `docs/server-change-log.md`
