As part of DNS over TLS enabling for RHEL, we have discovered unbound starts After=network-online.target. That is not desired in the default configuration, where it listens only on localhost.

Unbound has to start Before=nss-lookup.target, effectively it may provide basic name resolution for the system. At least we want it with dnsconfd that way.

Because of integration with Network Manager, we may enter deadlock from NM. It wants to set network-online.target only after DNS were successfully configured. Therefore it has to start only After=network.target, because network-online.target may depend on unbound.service activated. Therefore we cannot wait for it.

Reproducible: Always

Steps to Reproduce:
1. systemctl enable unbound.service
2. change unbound.service to have only After=network.target
3. reboot
4. verify it started correctly
Actual Results:
It starts only after network-online.target is reached

Expected Results:
It starts before network-online.target is reached

Changed by commit https://src.fedoraproject.org/forks/pemensik/rpms/unbound/c/2b640c85f833618e67f3b412d3a5b88f4518c34b.

This needs to be reverted back.