I sent only to misc@ because I don't believe this to be a bug.

On Fri, Dec 19, 2025 at 08:25:18AM +0000, Otto Cooper wrote:
> chrooted unbound is the default in openbsd.
> chrooted unbound has its configuration file in /var/unbound/etc. The command
> "rcctl reload unbound" fails because it looks for the configuration in /etc. To
> solve this problem, the rc.d config for reloading the daemon needs to be pointed
> at /var/unbound/etc.

As mentioned before, unbound runs chrooted to /var/unbound, so after the chroot is
in effect logs and such will say /etc/unbound.conf, but in reality it is
/var/unbound/etc/unbound.conf.
Also of note: unbound changes its userid to _unbound, so permissions must be for
that user.

> > cat /var/unbound/etc/unbound.conf
> server:
> include: "/var/unbound/etc/local.unbound"
> use-syslog: no
> logfile: /var/unbound/log/current

> ls -l /var/unbound/etc/local.unbound
> 
> > -rw-r----- 1 root wheel 2957 Dec 12 10:46 local.unbound

Your unbound service will NOT be able to read this file!
Unbound is running as user _unbound:_unbound, so none of the permissions match.
OpenBSD's default permissions in 7.8 (and the Dec 19th snapshot) are root:wheel
-rw-r--r-- for files in /var/unbound/etc/.  Note: the _unbound user has read-only
access (good security).
Either "chmod 644 local.unbound" or "chgrp _unbound local.unbound".
Be sure unbound.conf also has the correct permissions, or chmod/chgrp it too.

Syslog is the default for logging, but as you did, you can specify your own log
file. Be sure the _unbound user has write access there.
Using the db directory as a template guide:
set /var/unbound/log to root:_unbound drwxrwxr-x and
set the logfile "current" to _unbound:_unbound -rw-r--r--.

> In summary, to solve this problem, I had to make the following two changes to
> openbsd's base installation of unbound:
> In /etc/login.conf
>
>     unbound:\
>             openfiles-max=8192:\
>             tc=daemon:

I don't understand why unbound wants so many openfiles; my running system never
shows more than 400 files opened systemwide (sysctl kern.nfiles), and I'm running
two unbound services.
But it does seem to complain (but continue) with the default openfiles=512.

For what it's worth, on my system I set openfiles=1024 and in unbound.conf I 
use:
    outgoing-range: 950
    num-queries-per-thread: 512
For good(?) measure I recently added "num-threads: 4" (I settled on four after
monitoring, but having just 1 thread has always worked too).

Since I have a second unbound running, named unbound2 in /etc/rc.d, I also had to
create:
    $ cat /etc/login.conf.d/unbound2
    unbound2:\
            :tc=unbound:
to pick up the same settings for both instances.

> and
> 
> doas chown _unbound /var/unbound/etc/*

I wouldn't do that, leave the files owned/writable only by root, readable by 
_unbound (or other).

> I see something new in the log above:
>
> Dec 19 17:48:49 unbound[55896:0] warning: setsockopt(..., SO_SNDBUF, ...) was
> not granted: No buffer space available
> Dec 19 17:48:49 unbound[55896:0] warning: so-sndbuf 4194304 was not granted.
> Got 9216. To fix: start with root permissions(linux) or sysctl bigger
> net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set
> so-sndbuf: 0 (use system value).

See https://marc.info/?l=openbsd-bugs&m=176026002606676&w=2
Upstream changed the default for so-sndbuf to 4M; OpenBSD is different (see thread).
Stuart set it to 1M in OpenBSD, so if you are getting this error you most likely
are setting so-sndbuf in your config (or did the 1.24.2 import lose this
setting?)

In my system I had added "so-sndbuf: 2m" (even before upgrading to 7.8).

I use a handful of values from nlnetlabs's tuning guide:
https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html#configuration
"man unbound.conf" has very good descriptions of all the settings, a must read!

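As an added example (this is not code from the thread, from OpenBSD or from unbound), here is a small sh script that applies the permission rules discussed in this message: every file under /var/unbound/etc must be readable by the _unbound user, and a custom "logfile:" plus its directory must be writable by it. It assumes the layout the thread describes (chroot /var/unbound, daemon user and group _unbound with no supplementary groups, config in /var/unbound/etc, log path written as a full host path as in the quoted config), and it assumes OpenBSD's stat(1) with the -f format string shown; the permission logic itself is a plain function so it can be exercised on any host.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenBSD or unbound.
# Checks that the chrooted unbound (running as _unbound:_unbound) can read its
# configuration files and write its optional log file.
# Assumptions: chroot /var/unbound, config in /var/unbound/etc, the _unbound
# user is a member of no group other than _unbound, and "logfile:" (if set)
# holds the full host path, as in the thread's quoted unbound.conf.

# can_access OWNER GROUP MODE WANT
#   OWNER, GROUP : file owner and group names
#   MODE         : three-digit octal permission bits, e.g. 640 (a leading 0 is ok)
#   WANT         : r (read) or w (write)
# Returns 0 if user _unbound gets that access, 1 otherwise.  Same rule the
# kernel applies: owner bits if the owner matches, else group bits if the
# group matches, else the "other" bits.  Pure logic, testable offline.
can_access() {
    owner=$1 group=$2 mode=${3#0} want=$4
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        *) return 2 ;;
    esac
    if [ "$owner" = _unbound ]; then
        digit=$(( mode / 100 ))
    elif [ "$group" = _unbound ]; then
        digit=$(( mode / 10 % 10 ))
    else
        digit=$(( mode % 10 ))
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# check_path PATH WANT: look up owner, group and low permission bits with
# OpenBSD stat(1) (assumed format string) and report the verdict for _unbound.
check_path() {
    path=$1 want=$2
    set -- $(stat -f '%Su %Sg %Lp' "$path")
    [ $# -eq 3 ] || return 1
    if can_access "$1" "$2" "$3" "$want"; then
        printf 'ok   %s %s (%s:%s %s)\n' "$want" "$path" "$1" "$2" "$3"
    else
        printf 'FAIL %s %s (%s:%s %s): _unbound cannot %s it\n' \
            "$want" "$path" "$1" "$2" "$3" "$want"
        return 1
    fi
}

# Walk the chroot only when it is present, so the functions above can also be
# sourced on another host.
if [ -d /var/unbound/etc ]; then
    rc=0
    for f in /var/unbound/etc/*; do
        [ -f "$f" ] || continue
        check_path "$f" r || rc=1          # config: read access is all it needs
    done
    # Optional custom log file: the daemon needs to write the file and,
    # to (re)create it, the directory.  Strip surrounding quotes if present.
    log=$(sed -n 's/^[[:space:]]*logfile:[[:space:]]*//p' \
              /var/unbound/etc/unbound.conf | tr -d '"')
    if [ -n "$log" ]; then
        check_path "$(dirname "$log")" w || rc=1
        if [ -e "$log" ]; then
            check_path "$log" w || rc=1
        fi
    fi
    exit $rc
fi
```

Run it as root on the OpenBSD host; a FAIL line for the root:wheel 640 local.unbound from the quoted ls output is exactly what the message above describes, and "chmod 644" or "chgrp _unbound" on that file turns it into ok. An independent cross-check, given a suitable doas.conf rule, is to read the file as the daemon user with "doas -u _unbound cat /var/unbound/etc/local.unbound".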