Hi,

> since upgrading my router to 7.1 unbound doesn't start up automatically
> anymore,
> instead it times out:
>
> starting early daemons: syslogd pflogd unbound(timeout) ntpd.
>
> It can be started successfully manually later. This setup worked with 7.0.
I have a very similar configuration (apu2 acting as a firewall/router for
home network), with a similar unbound.conf (given below) which is working
fine as of 7.1-stable. I recently switched from one ISP to another and
there was no problem (literally: unplug ethernet cable from $OLD_ISP
router, plug into $NEW_ISP router, reboot firewall). My outside interface
has

--- begin /etc/hostname.em0 ---
inet autoconf
--- end /etc/hostname.em0 ---

Does the -d unbound flag give any useful output for you? More generally,
how are you starting unbound, i.e., what (if any) flags are you passing
in /etc/rc.conf.local? I have

--- begin /etc/rc.conf.local ---
dhcpd_flags="em1 em2 em3"
unbound_flags=""
dhcpleased_flags=
--- end /etc/rc.conf.local ---

Here is my unbound.conf

--- begin /var/unbound/etc/unbound.conf ---
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
	interface: 127.0.0.1
	interface: em1	# wired
	interface: em2	# wifi
	interface: em3	# voip
	#interface: 127.0.0.1@5353	# listen on alternative port
	#interface: ::1
	do-ip6: no
	prefer-ip4: yes

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow
	access-control: 192.168.155.0/24 allow	# any internal address
	private-address: 192.168.0.0/16	# block DNS rebinding attacks
					# where local browser becomes
					# a trojan

	hide-identity: yes
	hide-version: yes

	# Perform DNSSEC validation.
	#
	root-hints: "/var/unbound/etc/root.hints"
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	qname-minimisation: yes
	#val-log-level: 2

	# Synthesize NXDOMAINs from DNSSEC NSEC chains.
	# https://tools.ietf.org/html/rfc8198
	#
	#aggressive-nsec: yes

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
	# verification. Since it's outside the chroot it is only loaded at
	# startup and thus cannot be changed via a reload.
	tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
	name: "."				# use for ALL queries
	##forward-addr: 192.168.1.254		# Telus router
	# next non-comment line configures Cloudflare DNS-over-TLS
	# ... hostname after the '#' is not a comment, it is used for TLS checks
	forward-addr: 1.1.1.1@853#cloudflare-dns.com
	forward-tls-upstream: yes
	forward-first: no			# don't fallback to insecure DNS
--- end /var/unbound/etc/unbound.conf ---

ciao,

-- 
-- "Jonathan Thornburg [remove -color to reply]" <dr.j.thornb...@gmail-pink.com>
   on the west coast of Canada
   "Now back when I worked in banking, if someone went to Barclays,
    pretended to be me, borrowed UKP10,000 and legged it, that was
    `impersonation', and it was the bank's money that had been stolen,
    not my identity.  How did things change?"  -- Ross Anderson
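As an added example (not part of the thread above, and not unbound's own code): a small Python checker that parses the access-control lines from a config like the one posted and reports the verdict unbound gives a client address, using unbound's longest-prefix rule, so one can confirm that the 0.0.0.0/0 refuse line really leaves only loopback and the 192.168.155.0/24 LAN allowed. The config excerpt is constructed from the rules quoted above; treating an unmatched address as refused is an assumption that mirrors unbound's default for non-local clients.

```python
import ipaddress
import re

# Constructed excerpt: only the access-control rules from the posted unbound.conf.
CONF_EXCERPT = """\
server:
	interface: 127.0.0.1
	interface: em1	# wired
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow
	access-control: 192.168.155.0/24 allow	# any internal address
	private-address: 192.168.0.0/16
"""

# Netblock then action; anything after the action (e.g. a '# comment') is ignored.
ACL_RE = re.compile(r"^access-control:\s*(\S+)\s+(\S+)")

def parse_access_control(conf):
    """Collect (netblock, action) pairs from every access-control: line."""
    rules = []
    for raw in conf.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            rules.append((net, m.group(2)))
    return rules

def access_decision(rules, client_ip):
    """Unbound applies the most specific (longest-prefix) matching netblock,
    which is why 0.0.0.0/0 refuse can sit before 127.0.0.0/8 allow.
    An address matching no rule is reported as 'refuse' (assumption)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"

def audit(conf, clients):
    """Map each client address to the verdict this config gives it."""
    rules = parse_access_control(conf)
    return {c: access_decision(rules, c) for c in clients}

if __name__ == "__main__":
    # a LAN host, loopback, a WAN-side (documentation-range) address, an IPv6 outsider
    for ip, verdict in audit(CONF_EXCERPT, ["192.168.155.10", "127.0.0.1",
                                            "203.0.113.7", "2001:db8::1"]).items():
        print(f"{ip:>16}  {verdict}")
```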