On 12/19/25 18:26, Otto Cooper wrote:
Side note...

doas unbound-checkconf
unbound-checkconf: no errors in /var/unbound/etc/unbound.conf

Yeah, no errors in that file, nor in local.unbound, but why didn't 
unbound-checkconf complain about file ownership instead of wasting my day 
chasing the dog's tail?





On Friday, December 19th, 2025 at 6:22 PM, Otto Cooper <[email protected]> 
wrote:


doas /usr/sbin/unbound -dd -c /var/unbound/etc/unbound.conf -vvv

[1766162929] unbound[55896:0] notice: Start of unbound 1.24.0.
[1766162929] unbound[55896:0] debug: setting msg-cache-slabs: 1
[1766162929] unbound[55896:0] debug: setting rrset-cache-slabs: 1
[1766162929] unbound[55896:0] debug: setting infra-cache-slabs: 1
[1766162929] unbound[55896:0] debug: setting key-cache-slabs: 1
[1766162929] unbound[55896:0] debug: setting ip-ratelimit-slabs: 1
[1766162929] unbound[55896:0] debug: setting ratelimit-slabs: 1
[1766162929] unbound[55896:0] debug: setting 
dnscrypt-shared-secret-cache-slabs: 1
[1766162929] unbound[55896:0] debug: setting dnscrypt-nonce-cache-slabs: 1
Dec 19 17:48:49 unbound[55896:0] debug: increased limit(open files) from 128 to 
4152
Dec 19 17:48:49 unbound[55896:0] debug: interface em0 has address 192.168.1.11
Dec 19 17:48:49 unbound[55896:0] debug: creating udp4 socket 127.0.0.1 53
Dec 19 17:48:49 unbound[55896:0] warning: setsockopt(..., SO_SNDBUF, ...) was 
not granted: No buffer space available
Dec 19 17:48:49 unbound[55896:0] warning: so-sndbuf 4194304 was not granted. 
Got 9216. To fix: start with root permissions(linux) or sysctl bigger 
net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 
0 (use system value).
Dec 19 17:48:49 unbound[55896:0] debug: creating tcp4 socket 127.0.0.1 53
Dec 19 17:48:49 unbound[55896:0] debug: creating udp4 socket 192.168.1.11 53
Dec 19 17:48:49 unbound[55896:0] warning: setsockopt(..., SO_SNDBUF, ...) was 
not granted: No buffer space available
Dec 19 17:48:49 unbound[55896:0] warning: so-sndbuf 4194304 was not granted. 
Got 9216. To fix: start with root permissions(linux) or sysctl bigger 
net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 
0 (use system value).
Dec 19 17:48:49 unbound[55896:0] debug: creating tcp4 socket 192.168.1.11 53
Dec 19 17:48:49 unbound[55896:0] debug: creating unix socket 
/var/run/unbound.sock
Dec 19 17:48:50 unbound[55896:0] debug: module config: "validator iterator"
Dec 19 17:48:50 unbound[55896:0] debug: chdir to /var/unbound
Dec 19 17:48:50 unbound[55896:0] debug: chroot to /var/unbound
Dec 19 17:48:50 unbound[55896:0] debug: chdir to /etc
Dec 19 17:48:50 unbound[55896:0] debug: drop user privileges, run as _unbound
Dec 19 17:48:50 unbound[55896:0] debug: switching log to stderr
Dec 19 17:48:50 unbound[55896:0] debug: no config, using builtin root hints.
Dec 19 17:48:50 unbound[55896:0] notice: init module 0: validator
Dec 19 17:48:50 unbound[55896:0] debug: reading autotrust anchor file 
/db/root.key
Dec 19 17:48:50 unbound[55896:0] info: trust point . : 1
Dec 19 17:48:50 unbound[55896:0] info: assembled 0 DS and 2 DNSKEYs
Dec 19 17:48:50 unbound[55896:0] info: file /db/root.key
Dec 19 17:48:50 unbound[55896:0] info: last_queried: 1766145041 Fri Dec 19 
12:50:41 2025
Dec 19 17:48:50 unbound[55896:0] info: last_success: 1766145041 Fri Dec 19 
12:50:41 2025
Dec 19 17:48:50 unbound[55896:0] info: next_probe_time: 1766184064 Fri Dec 19 
23:41:04 2025
Dec 19 17:48:50 unbound[55896:0] info: query_interval: 43200
Dec 19 17:48:50 unbound[55896:0] info: retry_time: 8640
Dec 19 17:48:50 unbound[55896:0] info: query_failed: 0
Dec 19 17:48:50 unbound[55896:0] debug: validator nsec3cfg keysz 1024 mxiter 150
Dec 19 17:48:50 unbound[55896:0] debug: validator nsec3cfg keysz 2048 mxiter 150
Dec 19 17:48:50 unbound[55896:0] debug: validator nsec3cfg keysz 4096 mxiter 150
Dec 19 17:48:50 unbound[55896:0] notice: init module 1: iterator
Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 0 is 3
Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 1 is 2
Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 2 is 1
Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 3 is 0
Dec 19 17:48:50 unbound[55896:0] debug: target fetch policy for level 4 is 0
Dec 19 17:48:50 unbound[55896:0] debug: donotq: 127.0.0.0/8
Dec 19 17:48:50 unbound[55896:0] debug: total of 59441 outgoing ports available
Dec 19 17:48:50 unbound[55896:0] debug: start threads
Dec 19 17:48:50 unbound[55896:0] debug: pluggable-libevent 1.4.15-stable uses 
kqueue method.
Dec 19 17:48:50 unbound[55896:0] debug: cache memory msg=16544 rrset=16544 
infra=2120 val=16760
Dec 19 17:48:50 unbound[55896:0] info: start of service (unbound 1.24.0).
Dec 19 17:48:50 unbound[55896:0] debug: autotrust probe timer callback
Dec 19 17:48:50 unbound[55896:0] debug: autotrust probe timer 0 callbacks done
Dec 19 17:49:19 unbound[55896:0] info: service stopped (unbound 1.24.0).
Dec 19 17:49:19 unbound[55896:0] debug: stop threads
Dec 19 17:49:19 unbound[55896:0] debug: cleanup.
Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 7: event_del
Dec 19 17:49:19 unbound[55896:0] info: server stats for thread 0: 0 queries, 0 
answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Dec 19 17:49:19 unbound[55896:0] info: server stats for thread 0: requestlist 
max 0 avg 0 exceeded 0 jostled 0
Dec 19 17:49:19 unbound[55896:0] info: mesh has 0 recursion states (0 with 
reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies 
dropped, 0 states jostled out
Dec 19 17:49:19 unbound[55896:0] debug: cache memory msg=16544 rrset=16544 
infra=2120 val=16760
Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 3: event_del
Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 4: event_del
Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 5: event_del
Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 6: event_del
Dec 19 17:49:19 unbound[55896:0] debug: comm_point_close of 8: event_del
Dec 19 17:49:19 unbound[55896:0] notice: Restart of unbound 1.24.0.
/etc/unbound.conf:18: error: cannot open include file '/etc/local.unbound': 
Permission denied
read /etc/unbound.conf failed: 1 errors in configuration file
Dec 19 17:49:19 unbound[55896:0] fatal error: Could not read config file: 
/etc/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see 
more errors, or unbound-checkconf


What you see in the end is the result of

doas pkill -1 unbound

ls -l /var/unbound/etc/local.unbound

-rw-r----- 1 root wheel 2957 Dec 12 10:46 local.unbound

In all my OpenBSD servers, local.unbound has the same ownership and permissions.

Setting this file's ownership to _unbound solved the problem with reloading.

-rw-r----- 1 _unbound wheel 3484 Aug 11 2020 local.unbound

In summary, to solve this problem, I had to make the following two changes to 
OpenBSD's base installation of unbound:

In /etc/login.conf

unbound:\
:openfiles-max=8192:\
:tc=daemon:

and

doas chown _unbound /var/unbound/etc/*

I see something new in the log above:

Dec 19 17:48:49 unbound[55896:0] warning: setsockopt(..., SO_SNDBUF, ...) was 
not granted: No buffer space available
Dec 19 17:48:49 unbound[55896:0] warning: so-sndbuf 4194304 was not granted. 
Got 9216. To fix: start with root permissions(linux) or sysctl bigger 
net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 
0 (use system value).

doas sysctl | grep 9216

net.inet.udp.sendspace=9216

Is this the buffer space that needs to be changed?

Hi

I think/remember that unbound does a chroot at start to /var/unbound.

If you try to load a config /etc/unbound.conf, unbound didn't find it at start.

unbound-checkconf always uses the chroot path!


Holger
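
The log in this thread shows unbound re-reading /etc/unbound.conf after the chroot and the privilege drop to _unbound, so a reload can fail on a file that root reads without trouble. The following pre-reload check is an added example, not part of the thread and not part of unbound; the function names are hypothetical, and it assumes absolute include paths without wildcards and looks only at owner/group/other mode bits for the primary gid.

```shell
#!/bin/sh
# Added example: list config files that the unprivileged daemon user
# cannot re-read after chroot. Hypothetical helper names.

# can_read UID GID FILE: exit 0 if a process with this uid and primary gid
# may open FILE for reading, judged from owner, group and mode bits only.
can_read() {
    _uid=$1 _gid=$2
    # ls -ldn prints: mode links uid gid size ...
    set -- $(ls -ldn "$3" 2>/dev/null)
    [ $# -ge 4 ] || return 1                 # file is missing
    _mode=$1 _fuid=$3 _fgid=$4
    [ "$_uid" -eq 0 ] && return 0            # root bypasses mode bits
    if [ "$_fuid" -eq "$_uid" ]; then
        case $_mode in ?r*) return 0 ;; esac         # owner read bit
    elif [ "$_fgid" -eq "$_gid" ]; then
        case $_mode in ????r*) return 0 ;; esac      # group read bit
    else
        case $_mode in ???????r*) return 0 ;; esac   # other read bit
    fi
    return 1
}

# unreadable_configs CHROOT CONF UID GID
# CONF is the path as seen inside the chroot (here /etc/unbound.conf).
# Prints the main config and every include: target the uid/gid cannot
# read, as real paths under CHROOT; returns 1 if any were found.
unreadable_configs() {
    _root=$1 _conf=$2 _u=$3 _g=$4
    _out=$( { printf '%s\n' "$_conf"
              sed -n 's/^[[:space:]]*include:[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' \
                  "$_root$_conf" 2>/dev/null
            } | while IFS= read -r _f; do
                _f=${_f#"$_root"}            # accept paths written with the chroot prefix
                can_read "$_u" "$_g" "$_root$_f" || printf '%s\n' "$_root$_f"
            done )
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Usage on the system from the thread (run as root before sending SIGHUP):
#   unreadable_configs /var/unbound /etc/unbound.conf \
#       "$(id -u _unbound)" "$(id -g _unbound)"
```

With the root:wheel 0640 local.unbound shown above, this prints /var/unbound/etc/local.unbound unless _unbound's primary group is wheel; after the chown to _unbound it prints nothing.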


