Side note...

> doas unbound-checkconf
unbound-checkconf: no errors in /var/unbound/etc/unbound.conf

Yeah, no errors in that file, nor in local.unbound, but why didn't 
unbound-checkconf complain about file ownership instead of wasting my day 
chasing the dog's tail?





On Friday, December 19th, 2025 at 6:22 PM, Otto Cooper <[email protected]> 
wrote:

> 
> 
> > doas /usr/sbin/unbound -dd -c /var/unbound/etc/unbound.conf -vvv
> 
> 
> [1766162929] unbound[55896:0] notice: Start of unbound 1.24.0.
> [1766162929] unbound[55896:0] debug: setting msg-cache-slabs: 1
> [1766162929] unbound[55896:0] debug: setting rrset-cache-slabs: 1
> [1766162929] unbound[55896:0] debug: setting infra-cache-slabs: 1
> [1766162929] unbound[55896:0] debug: setting key-cache-slabs: 1
> [1766162929] unbound[55896:0] debug: setting ip-ratelimit-slabs: 1
> [1766162929] unbound[55896:0] debug: setting ratelimit-slabs: 1
> [1766162929] unbound[55896:0] debug: setting 
> dnscrypt-shared-secret-cache-slabs: 1
> [1766162929] unbound[55896:0] debug: setting dnscrypt-nonce-cache-slabs: 1
> Dec 19 17:48:49 unbound[55896:0] debug: increased limit(open files) from 128 
> to 4152
> Dec 19 17:48:49 unbound[55896:0] debug: interface em0 has address 192.168.1.11
> Dec 19 17:48:49 unbound[55896:0] debug: creating udp4 socket 127.0.0.1 53
> Dec 19 17:48:49 unbound[55896:0] warning: setsockopt(..., SO_SNDBUF, ...) was 
> not granted: No buffer space available
> Dec 19 17:48:49 unbound[55896:0] warning: so-sndbuf 4194304 was not granted. 
> Got 9216. To fix: start with root permissions(linux) or sysctl bigger 
> net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set 
> so-sndbuf: 0 (use system value).
> Dec 19 17:48:49 unbound[55896:0] debug: creating tcp4 socket 127.0.0.1 53
> Dec 19 17:48:49 unbound[55896:0] debug: creating udp4 socket 192.168.1.11 53
> Dec 19 17:48:49 unbound[55896:0] warning: setsockopt(..., SO_SNDBUF, ...) was 
> not granted: No buffer space available
> Dec 19 17:48:49 unbound[55896:0] warning: so-sndbuf 4194304 was not granted. 
> Got 9216. To fix: start with root permissions(linux) or sysctl bigger 
> net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set 
> so-sndbuf: 0 (use system value).
> Dec 19 17:48:49 unbound[55896:0] debug: creating tcp4 socket 192.168.1.11 53
> Dec 19 17:48:49 unbound[55896:0] debug: creating unix socket 
> /var/run/unbound.sock
> Dec 19 17:48:50 unbound[55896:0] debug: module config: "validator iterator"
> Dec 19 17:48:50 unbound[55896:0] debug: chdir to /var/unbound
> Dec 19 17:48:50 unbound[55896:0] debug: chroot to /var/unbound
> Dec 19 17:48:50 unbound[55896:0] debug: chdir to /etc
> Dec 19 17:48:50 unbound[55896:0] debug: drop user privileges, run as _unbound
> Dec 19 17:48:50 unbound[55896:0] debug: switching log to stderr
> Dec 19 17:48:50 unbound[55896:0] debug: no config, using builtin root hints.
> Dec 19 17:48:50 unbound[55896:0] notice: init module 0: validator
> Dec 19 17:48:50 unbound[55896:0] debug: reading autotrust anchor file 
> /db/root.key
> Dec 19 17:48:50 unbound[55896:0] info: trust point . : 1
> Dec 19 17:48:50 unbound[55896:0] info: assembled 0 DS and 2 DNSKEYs
> Dec 19 17:48:50 unbound[55896:0] info: DNSKEY:: . 86400 IN DNSKEY 257 3 8 
> AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
>  ;{id = 38696 (ksk),size = 2048b}
> 
> Dec 19 17:48:50 unbound[55896:0] info: DNSKEY:: . 86400 IN DNSKEY 257 3 8 
> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
>  ;{id = 20326 (ksk),size = 2048b}
> 
> Dec 19 17:48:50 unbound[55896:0] info: file /db/root.key
> Dec 19 17:48:50 unbound[55896:0] info: last_queried: 1766145041 Fri Dec 19 
> 12:50:41 2025
> Dec 19 17:48:50 unbound[55896:0] info: last_success: 1766145041 Fri Dec 19 
> 12:50:41 2025
> Dec 19 17:48:50 unbound[55896:0] info: next_probe_time: 1766184064 Fri Dec 19 
> 23:41:04 2025
> Dec 19 17:48:50 unbound[55896:0] info: query_interval: 43200
> Dec 19 17:48:50 unbound[55896:0] info: retry_time: 8640
> Dec 19 17:48:50 unbound[55896:0] info: query_failed: 0
> Dec 19 17:48:50 unbound[55896:0] info: [ VALID ] . 86400 IN DNSKEY 257 3 8 
> AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
>  ;{id = 38696 (ksk),size = 2048b} ;;state:2 ;;pending_count:0 last:Wed Apr 30 
> 13:42:01 2025
> Dec 19 17:48:50 unbound[55896:0] info: [ VALID ] . 86400 IN DNSKEY 257 3 8 
> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
>  ;{id = 20326 (ksk),size = 2048b} ;;state:2 ;;pending_count:0 last:Thu Feb 7 
> 16:39:17 2019
> Dec 19 17:48:50 unbound[55896:0] debug: validator nsec3cfg keysz 1024 mxiter 
> 150
> Dec 19 17:48:50 unbound[55896:0] debug: validator nsec3cfg keysz 2048 mxiter 
> 150
> Dec 19 17:48:50 unbound[55896:0] debug: validator nsec3cfg keysz 4096 mxiter 
> 150
> Dec 19 17:48:50 unbound[55896:0] notice: init module 1: iterator
> Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 0 is 3
> Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 1 is 2
> Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 2 is 1
> Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 3 is 0
> Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 4 is 0
> Dec 19 17:48:50 unbound[55896:0] debug: donotq: 127.0.0.0/8
> Dec 19 17:48:50 unbound[55896:0] debug: total of 59441 outgoing ports 
> available
> Dec 19 17:48:50 unbound[55896:0] debug: start threads
> Dec 19 17:48:50 unbound[55896:0] debug: pluggable-libevent 1.4.15-stable uses 
> kqueue method.
> Dec 19 17:48:50 unbound[55896:0] debug: cache memory msg=16544 rrset=16544 
> infra=2120 val=16760
> Dec 19 17:48:50 unbound[55896:0] info: start of service (unbound 1.24.0).
> Dec 19 17:48:50 unbound[55896:0] debug: autotrust probe timer callback
> Dec 19 17:48:50 unbound[55896:0] debug: autotrust probe timer 0 callbacks done
> Dec 19 17:49:19 unbound[55896:0] info: service stopped (unbound 1.24.0).
> Dec 19 17:49:19 unbound[55896:0] debug: stop threads
> Dec 19 17:49:19 unbound[55896:0] debug: cleanup.
> Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 7: event_del
> Dec 19 17:49:19 unbound[55896:0] info: server stats for thread 0: 0 queries, 
> 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
> Dec 19 17:49:19 unbound[55896:0] info: server stats for thread 0: requestlist 
> max 0 avg 0 exceeded 0 jostled 0
> Dec 19 17:49:19 unbound[55896:0] info: mesh has 0 recursion states (0 with 
> reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies 
> dropped, 0 states jostled out
> Dec 19 17:49:19 unbound[55896:0] debug: cache memory msg=16544 rrset=16544 
> infra=2120 val=16760
> Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 3: event_del
> Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 4: event_del
> Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 5: event_del
> Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 6: event_del
> Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 8: event_del
> Dec 19 17:49:19 unbound[55896:0] notice: Restart of unbound 1.24.0.
> /etc/unbound.conf:18: error: cannot open include file '/etc/local.unbound': 
> Permission denied
> read /etc/unbound.conf failed: 1 errors in configuration file
> Dec 19 17:49:19 unbound[55896:0] fatal error: Could not read config file: 
> /etc/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see 
> more errors, or unbound-checkconf
> 
> 
> What you see in the end is the result of
> 
> doas pkill -1 unbound
> 
> ls -l /var/unbound/etc/local.unbound
> 
> > -rw-r----- 1 root wheel 2957 Dec 12 10:46 local.unbound
> 
> 
> In all my OpenBSD servers, local.unbound has the same ownership and 
> permissions.
> 
> Setting this file's ownership to _unbound solved the problem with reloading.
> 
> -rw-r----- 1 _unbound wheel 3484 Aug 11 2020 local.unbound
> 
> In summary, to solve this problem, I had to make the following two changes to 
> OpenBSD's base installation of unbound:
> 
> In /etc/login.conf
> 
> > unbound:\
> > :openfiles-max=8192:\
> > :tc=daemon:
> 
> 
> and
> 
> doas chown _unbound /var/unbound/etc/*
> 
> I see something new in the log above:
> 
> Dec 19 17:48:49 unbound[55896:0] warning: setsockopt(..., SO_SNDBUF, ...) was 
> not granted: No buffer space available
> Dec 19 17:48:49 unbound[55896:0] warning: so-sndbuf 4194304 was not granted. 
> Got 9216. To fix: start with root permissions(linux) or sysctl bigger 
> net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set 
> so-sndbuf: 0 (use system value).
> 
> > doas sysctl | grep 9216
> 
> 
> net.inet.udp.sendspace=9216
> 
> Is this the buffer space that needs to be changed?
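
The mismatch in this thread, as an added example that is not part of the original messages: `doas unbound-checkconf` reads the files as root, while the reload after `pkill -1` reads them as `_unbound`. The script below predicts from `ls -ln` owner, group and mode bits which files in a directory a given uid and gid list cannot read; `can_read` and `unreadable_for` are hypothetical helper names, and ACLs and directory search permission are not checked.

```shell
#!/bin/sh
# Added example (not from the thread). Predicts, from owner/group/mode bits
# alone, which config files a daemon can no longer read once it has dropped
# privileges. ACLs and directory search permission are not considered.

# can_read FILE UID "GID GID ..." -> 0 readable, 1 not readable, 2 missing
can_read() {
    f=$1 uid=$2 gids=" $3 "
    [ -e "$f" ] || return 2
    set -f                          # no globbing while splitting ls output
    set -- $(ls -lnd -- "$f")       # fields: mode links uid gid size ...
    set +f
    mode=$1 fuid=$3 fgid=$4
    [ "$uid" -eq 0 ] && return 0    # root bypasses the mode bits
    if [ "$uid" -eq "$fuid" ]; then
        case $mode in ?r*) return 0 ;; esac              # owner class decides
    else
        case $gids in
        *" $fgid "*) case $mode in ????r*) return 0 ;; esac ;;    # group class
        *)           case $mode in ???????r*) return 0 ;; esac ;; # other class
        esac
    fi
    return 1
}

# unreadable_for DIR UID "GID GID ...": print each regular file in DIR that
# the given identity cannot read; empty output means every file is readable.
unreadable_for() {
    dir=$1 u=$2 g=$3
    for entry in "$dir"/*; do
        [ -f "$entry" ] || continue
        can_read "$entry" "$u" "$g" || printf '%s\n' "$entry"
    done
    return 0
}

# On the OpenBSD host from the thread; skipped where _unbound does not exist.
if id -u _unbound >/dev/null 2>&1 && [ -d /var/unbound/etc ]; then
    unreadable_for /var/unbound/etc "$(id -u _unbound)" "$(id -G _unbound)"
fi
```

A `root wheel` file with mode `-rw-r-----` is listed unless the gid list passed in contains the file's group.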
