diff --git a/src/etc/rc.d/unbound b/src/etc/rc.d/unbound
new file mode 100644
index 00000000..8f006944
--- /dev/null
+++ b/src/etc/rc.d/unbound
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# $OpenBSD: unbound,v 1.1 2014/03/15 00:34:18 sthen Exp $
+
+daemon="/usr/sbin/unbound"
+daemon_flags="-c /var/unbound/etc/unbound.conf"
+
+. /etc/rc.d/rc.subr
+
+pexp="unbound${daemon_flags:+ ${daemon_flags}}"
+
+rc_pre() {
+	if grep '^[[:space:]]*control-enable:[[:space:]]*yes' \
+	    /var/unbound/etc/unbound.conf > /dev/null 2>&1 && \
+	    ! [[ -f /var/unbound/etc/unbound_server.key ||
+	    -f /var/unbound/etc/unbound_server.pem ||
+	    -f /var/unbound/etc/unbound_control.key ||
+	    -f /var/unbound/etc/unbound_control.pem ]]; then
+		/usr/sbin/unbound-control-setup 2> /dev/null
+	fi
+	if grep '^[[:space:]]*auto-trust-anchor-file:' \
+            /var/unbound/etc/unbound.conf > /dev/null 2>&1; then
+		/usr/sbin/unbound-anchor -v || true
+	fi
+}
+
+rc_start() {
+	/usr/sbin/unbound-checkconf > /dev/null &&
+	    ${rcexec} "unbound ${daemon_flags}"
+}
+
+rc_cmd $1
diff --git a/src/etc/unbound.conf b/src/etc/unbound.conf
new file mode 100644
index 00000000..4e0e8148
--- /dev/null
+++ b/src/etc/unbound.conf
@@ -0,0 +1,52 @@
+# $OpenBSD: unbound.conf,v 1.1 2014/03/15 00:34:18 sthen Exp $
+
+server:
+	interface: 127.0.0.1
+	#interface: 127.0.0.1@5353	# listen on alternative port
+	interface: ::1
+	#do-ip6: no
+
+	access-control: 0.0.0.0/0 refuse
+	access-control: 127.0.0.0/8 allow
+	access-control: ::0/0 refuse
+	access-control: ::1 allow
+
+	hide-identity: yes
+	hide-version: yes
+
+	# Enable DNSSEC validation. Fetch a root key with unbound-anchor(8).
+	#
+	#module-config: "validator iterator"
+	#auto-trust-anchor-file: "/var/unbound/etc/root.key"
+
+	# Serve zones authoritatively from Unbound to resolver clients.
+	# Not for external service. Note use of "nodefault" for AS112 zones,
+	# i.e. reverse lookup zones for RFC1918 and similar addresses.
+	#
+	#local-zone: "local." static
+	#local-data: "mycomputer.local. IN A 192.0.2.51"
+	#local-zone: "2.0.192.in-addr.arpa." static nodefault
+	#local-data-ptr: "192.0.2.51 mycomputer.local"
+
+	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
+	# May need lowering on broken networks with fragmentation/MTU issues,
+	# particularly if validating DNSSEC.
+	#
+	#edns-buffer-size: 1480
+
+	# Use TCP for "forward-zone" requests. Useful if you are making
+	# DNS requests over an SSH port forwarding.
+	#
+	#tcp-upstream: yes
+
+# Use an upstream forwarder (recursive resolver) for specific zones.
+# Example addresses given below are public resolvers valid as of 2014/03.
+#
+#forward-zone:
+#	name: "."				# use for ALL queries
+#	forward-addr: 74.82.42.42		# he.net
+#	forward-addr: 2001:470:20::2		# he.net v6
+#	forward-addr: 8.8.8.8			# google.com
+#	forward-addr: 2001:4860:4860::8888	# google.com v6
+#	forward-addr: 208.67.222.222		# opendns.com
+#	forward-first: yes			# try direct if forwarder fails