I wrote this in /etc/login.conf:

unbound:\
  :openfiles-max=8192:\
  :openfiles-cur=512:\
  :tc=daemon:

The original data from OpenBSD's installation is:

unbound:\
  :openfiles=512:\
  :tc=daemon:

I made sure it is using it:

> doas grep unbound /etc/master.passwd
_unbound:*:53:53:unbound:0:0:Unbound Daemon:/var/unbound:/sbin/nologin
.................^^^^^^^^

To replicate your test, I added the following in the "server" section:

module-config: "respip validator iterator"

>doas rcctl start unbound
unbound(ok)

>doas rcctl restart unbound
unbound(ok)
unbound(ok)

>doas rcctl reload unbound
unbound(ok)

However, this is what the log says:

==> /var/unbound/log/current <==
Dec 19 13:00:00 unbound[39240:0] info: service stopped (unbound 1.24.0).
Dec 19 13:00:00 unbound[39240:0] info: server stats for thread 0: 0 queries, 0 
answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Dec 19 13:00:00 unbound[39240:0] info: server stats for thread 0: requestlist 
max 0 avg 0 exceeded 0 jostled 0
Dec 19 13:00:00 unbound[39240:0] notice: Restart of unbound 1.24.0.
Dec 19 13:00:00 unbound[39240:0] fatal error: Could not read config file: 
/etc/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see 
more errors, or unbound-checkconf


--
Otto




On Friday, December 19th, 2025 at 11:25 AM, Zé Loff <[email protected]> wrote:

> 
> 
> On Fri, Dec 19, 2025 at 08:25:18AM +0000, Otto Cooper wrote:
> 
> > chrooted unbound is the default in OpenBSD.
> > chrooted unbound has its configuration file in /var/unbound/etc. The 
> > command "rcctl reload unbound" fails because it looks for the configuration 
> > in /etc. To solve this problem, the rc.d config for reloading the daemon 
> > needs to be pointed at /var/unbound/etc.
> 
> 
> (switching from ports@ to misc@, as this is not about a port, and also
> cc-ing bugs@)
> 
> Trying to reproduce this -- which I can't, 'reload' uses the .conf
> inside the chroot -- I came across a bug: the reloading fails to parse
> the entire configuration file correctly.
> 
> Everything below is on a vanilla unbound configuration, on a Dec 7
> snapshot (GENERIC.MP#140 amd64).
> 
> 1. (Force) start unbound with "rcctl -f start unbound".
> 
> /var/log/daemon:
> 
> Dec 19 10:07:19 amphiprion unbound: [4466:0] notice: init module 0: validator
> Dec 19 10:07:19 amphiprion unbound: [4466:0] notice: init module 1: iterator
> Dec 19 10:07:19 amphiprion unbound: [4466:0] info: start of service (unbound 
> 1.24.1).
> 
> 
> 2. Edit /var/unbound/etc/unbound.conf, adding "module-config: "respip 
> validator iterator"
> 
> 
> 3. Reload the daemon with "rcctl reload unbound". The parsing seems to
> fail. Note that only the iterator module is inited (second to last
> line):
> 
> Dec 19 10:07:50 amphiprion unbound: [4466:0] info: service stopped (unbound 
> 1.24.1).
> Dec 19 10:07:50 amphiprion unbound: [4466:0] info: server stats for thread 0: 
> 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip 
> ratelimiting
> Dec 19 10:07:50 amphiprion unbound: [4466:0] info: server stats for thread 0: 
> requestlist max 0 avg 0 exceeded 0 jostled 0
> Dec 19 10:07:50 amphiprion unbound: [4466:0] notice: Restart of unbound 
> 1.24.1.
> Dec 19 10:07:50 amphiprion unbound: [4466:0] warning: setrlimit: Operation 
> not permitted
> Dec 19 10:07:50 amphiprion unbound: [4466:0] warning: cannot increase max 
> open fds from 512 to 4152
> Dec 19 10:07:50 amphiprion unbound: [4466:0] warning: continuing with less 
> udp ports: 460
> Dec 19 10:07:50 amphiprion unbound: [4466:0] warning: increase ulimit or 
> decrease threads, ports in config to remove this warning
> Dec 19 10:07:50 amphiprion unbound: [4466:0] notice: init module 0: iterator
> Dec 19 10:07:50 amphiprion unbound: [4466:0] info: start of service (unbound 
> 1.24.1).
> 
> 
> 4. Try reloading again with "rcctl reload unbound". This fails
> altogether, which means that unbound is stopped but not restarted.
> Note the missing "v" on the module name:
> 
> Dec 19 10:08:10 amphiprion unbound: [4466:0] info: service stopped (unbound 
> 1.24.1).
> Dec 19 10:08:10 amphiprion unbound: [4466:0] info: server stats for thread 0: 
> 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip 
> ratelimiting
> Dec 19 10:08:10 amphiprion unbound: [4466:0] info: server stats for thread 0: 
> requestlist max 0 avg 0 exceeded 0 jostled 0
> Dec 19 10:08:10 amphiprion unbound: [4466:0] notice: Restart of unbound 
> 1.24.1.
> Dec 19 10:08:10 amphiprion unbound: [4466:0] warning: setrlimit: Operation 
> not permitted
> Dec 19 10:08:10 amphiprion unbound: [4466:0] warning: cannot increase max 
> open fds from 512 to 4152
> Dec 19 10:08:10 amphiprion unbound: [4466:0] warning: continuing with less 
> udp ports: 460
> Dec 19 10:08:10 amphiprion unbound: [4466:0] warning: increase ulimit or 
> decrease threads, ports in config to remove this warning
> Dec 19 10:08:10 amphiprion unbound: [4466:0] error: Unknown value in 
> module-config, module: 'alidator'. This module is not present (not compiled 
> in); see the list of linked modules with unbound -V
> Dec 19 10:08:10 amphiprion unbound: [4466:0] fatal error: failed to init 
> modules
> 
> 
> 5. (Re)starting unbound with the changed config works:
> 
> Dec 19 10:20:08 amphiprion unbound: [72001:0] notice: init module 0: respip
> Dec 19 10:20:08 amphiprion unbound: [72001:0] notice: init module 1: validator
> Dec 19 10:20:08 amphiprion unbound: [72001:0] notice: init module 2: iterator
> Dec 19 10:20:08 amphiprion unbound: [72001:0] info: start of service (unbound 
> 1.24.1).
> 
> 
> 
> --
>
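
An added example, not part of either message and not code from unbound or OpenBSD: a log check that classifies each in-place restart ("Restart of unbound") seen in the two logs above as ok, degraded (service came back without the validator module, the module that performs DNSSEC validation) or dead (fatal error, daemon not restarted). The sample lines are constructed from the log excerpts in the thread, and the function name and the `required` parameter are illustrative.

```python
import re

# Accepts both syslog layouts that appear in the thread:
#   "unbound[39240:0] info: ..." and "unbound: [4466:0] notice: ..."
LINE = re.compile(
    r"unbound:? ?\[(\d+):\d+\] (info|notice|warning|error|fatal error): (.*)")
# Constructed sample, modelled on the excerpts quoted in the thread.
SAMPLE = """\
Dec 19 10:07:50 host unbound: [4466:0] notice: Restart of unbound 1.24.1.
Dec 19 10:07:50 host unbound: [4466:0] warning: setrlimit: Operation not permitted
Dec 19 10:07:50 host unbound: [4466:0] notice: init module 0: iterator
Dec 19 10:07:50 host unbound: [4466:0] info: start of service (unbound 1.24.1).
Dec 19 10:08:10 host unbound: [4466:0] notice: Restart of unbound 1.24.1.
Dec 19 10:08:10 host unbound: [4466:0] error: Unknown value in module-config, module: 'alidator'.
Dec 19 10:08:10 host unbound: [4466:0] fatal error: failed to init modules
Dec 19 13:00:00 unbound[39240:0] notice: Restart of unbound 1.24.0.
Dec 19 13:00:00 unbound[39240:0] fatal error: Could not read config file: /etc/unbound.conf.
""".splitlines()

def audit_reloads(lines, required=("validator",)):
    """Classify every in-place restart as ok, degraded or dead."""
    results, pending = [], {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, level, msg = m.groups()
        if msg.startswith("Restart of unbound"):
            pending[pid] = []          # reload began; collect its modules
            continue
        if pid not in pending:
            continue                   # ordinary start or steady-state line
        mod = re.match(r"init module \d+: (\S+)", msg)
        if mod:
            pending[pid].append(mod.group(1))
        elif level == "fatal error":
            pending.pop(pid)
            results.append({"pid": pid, "outcome": "dead", "detail": msg})
        elif msg.startswith("start of service"):
            modules = pending.pop(pid)
            missing = [r for r in required if r not in modules]
            results.append({"pid": pid,
                            "outcome": "degraded" if missing else "ok",
                            "detail": "modules: " + " ".join(modules)})
    return results

if __name__ == "__main__":
    for r in audit_reloads(SAMPLE):
        print(r)
```
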
