Hello, dear OpenBSD developers,
Has anyone noticed that Unbound on OpenBSD 6.7 is leaking memory, probably
only when using DNS-over-TLS?
The configuration below exhausts 2GB of RAM and gets killed in two to three days
if running as a DNS resolver for a small office.
$ uname -a
OpenBSD r1.my.domain 6.7 GENERIC.MP#1 amd64
$ syspatch -l
001_wscons
002_rpki
003_ssh
004_libssl
005_unbound
006_smtpd_sockaddr
unbound.conf diff from original:
--- /var/unbound/etc/unbound.conf.original Mon Jun 1 19:22:01 2020
+++ /var/unbound/etc/unbound.conf Mon Jun 1 19:19:55 2020
@@ -51,7 +51,8 @@
# CA Certificates used for forward-tls-upstream (RFC7858) hostname
# verification. Since it's outside the chroot it is only loaded at
# startup and thus cannot be changed via a reload.
- #tls-cert-bundle: "/etc/ssl/cert.pem"
+ tls-cert-bundle: "/etc/ssl/cert.pem"
remote-control:
control-enable: yes
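Review bot: The comment kept above the enabled tls-cert-bundle line says the bundle sits outside the chroot and is only loaded at startup, so a changed /etc/ssl/cert.pem takes effect only after a full restart of unbound, not a reload. Anyone reproducing this setup should restart the daemon after CA updates, because the hostname checks on the forward-addr lines depend on that bundle.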
@@ -66,9 +67,11 @@
# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
-#forward-zone:
-# name: "."
-# forward-tls-upstream: yes # use DNS-over-TLS forwarder
-# forward-first: no # do NOT send direct
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes # use DNS-over-TLS forwarder
+ forward-first: no # do NOT send direct
# # the hostname after "#" is not a comment, it is used for TLS checks:
# forward-addr: 192.0.2.53@853#resolver.hostname.example
+ forward-addr: 1.1.1.1@853#cloudflare-dns.com
+ forward-addr: 1.0.0.1@853#cloudflare-dns.com
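Review bot: The added forward-zone block turns on forwarding and TLS in the same change (forward-tls-upstream: yes together with the two forward-addr lines on port 853), so this diff alone cannot show whether the memory growth comes from TLS or from forwarding as such. A comparison run with the same forward-zone but forward-tls-upstream: no and port 53 forward-addr entries would separate the two. Also note that both forward-addr lines use the same provider name (cloudflare-dns.com) and forward-first is no, so resolution fails closed when that one provider is unreachable; that matches the comment's intent but leaves no independent second upstream.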
I have not investigated if the default configuration leaks memory as well, but
this definitely does.
It worked fine on OpenBSD 6.6.
Thanks in advance.
Kind regards
Armands Stiegra