diff --git a/manifests/unbound.pp b/manifests/unbound.pp
index 3f1fb91..4061e93 100644
--- a/manifests/unbound.pp
+++ b/manifests/unbound.pp
@@ -1,55 +1,68 @@
 # Parameters for the unbound DNS resolver
 class profile::unbound {
 $has_local_cache = hiera('dns::local_cache')
 $package = 'unbound'
 $service = 'unbound'
 $forwarders_file = '/etc/unbound/unbound.conf.d/forwarders.conf'
 if $has_local_cache {
 include ::profile::resolv_conf
 $forwarders = hiera('dns::forwarders')
 $forward_zones = hiera('dns::forward_zones')
+ $insecure = hiera('dns::forwarder_insecure')
 package {$package:
 ensure => installed,
 }
 service {$service:
 ensure => running,
 enable => true,
 require => [
 Package[$package],
 File[$forwarders_file],
- ]
- } -> File['/etc/resolv.conf']
+ ],
+ }
+
+ Service[$service] -> File['/etc/resolv.conf']
 # uses variables $forwarders, $forward_zones
 file {'/etc/unbound/unbound.conf.d/forwarders.conf':
 ensure => present,
 owner => 'root',
 group => 'root',
 mode => '0644',
 content => template('profile/unbound/forwarders.conf.erb'),
 require => Package[$package],
 notify => Service[$service],
 }
- if $::location == 'sesi_rocquencourt' {
- file {'/etc/unbound/unbound.conf.d/insecure.conf':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- source => 'puppet:///modules/profile/unbound/insecure.conf',
- require => Package[$package],
- notify => Service[$service],
- }
- } else {
- file {'/etc/unbound/unbound.conf.d/insecure.conf':
- ensure => absent,
- }
+ $insecure_ensure = $insecure ? {
+ true => present,
+ default => absent,
+ }
+
+ file {'/etc/unbound/unbound.conf.d/insecure.conf':
+ ensure => $insecure_ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profile/unbound/insecure.conf',
+ require => Package[$package],
+ notify => Service[$service],
+ }
+
+ $root_auto_update = bool2str(!$insecure)
+
+ file_line {'unbound root auto update':
+ ensure => present,
+ file => '/etc/default/unbound',
+ match => '^ROOT_TRUST_ANCHOR_UPDATE\=',
+ line => "ROOT_TRUST_ANCHOR_UPDATE=${root_auto_update}",
+ require => Package[$package],
+ notify => Service[$service],
 }
 }
 }
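Review bot: `$insecure = hiera('dns::forwarder_insecure')` feeds both the selector (`true => present`) and `bool2str(!$insecure)`, but nothing checks that Hiera actually returned a boolean. If the key is set to a quoted string such as `'false'`, Puppet treats the non-empty string as truthy, so `!$insecure` is false and the file_line writes `ROOT_TRUST_ANCHOR_UPDATE=false`, silently disabling DNSSEC trust-anchor auto-updates, while the selector still falls through to `absent` for insecure.conf — the two resources then disagree about whether validation is meant to be off. Adding `validate_bool($insecure)` directly after the lookup (stdlib, the same module that provides `bool2str`) makes a mis-typed value fail at catalog compile instead of producing that state. A short comment above `$root_auto_update`, e.g. `# Trust-anchor auto-update is only turned off when validation is deliberately disabled via dns::forwarder_insecure`, would also explain why the two settings hang off one key.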