Too Long Didn't Read version

The following works (so far).
> ls -halFR /var/unbound
/var/unbound:
total 40
drwxr-xr-x   5 root  wheel     512B Oct 12 20:32 ./
drwxr-xr-x  32 root  wheel     1.0K Dec 18 13:23 ../
drwxrwxr-x   2 root  _unbound  512B Dec 20 11:00 db/
drwxr-xr-x   2 root  _unbound  512B Dec 20 11:59 etc/
drwxr-xr-x   2 root  _unbound  512B May 11  2023 log/

/var/unbound/db:
total 24
drwxrwxr-x  2 root      _unbound  512B Dec 20 11:00 ./
drwxr-xr-x  5 root      wheel     512B Oct 12 20:32 ../
-rw-r--r--  1 _unbound  _unbound  1.2K Dec 20 11:00 root.key

/var/unbound/etc:
total 3800
drwxr-xr-x  2 root  _unbound  512B Dec 20 11:59 ./
drwxr-xr-x  5 root  wheel     512B Oct 12 20:32 ../
-rw-r-----  1 root  _unbound  1.7M Mar 22  2023 blacklist.unbound
-rw-r--r--  1 root  _unbound  386B Aug 10  2020 dlv.isc.org.key
-rw-r-----  1 root  _unbound  622B Aug 11  2020 example.unbound
-rw-r-----  1 root  _unbound  930B Aug 11  2020 invalid.unbound
-rw-r-----  1 root  _unbound  3.4K Aug 11  2020 local.unbound
-rw-r--r--  1 root  _unbound  3.2K Aug 11  2020 named.root
-rw-r-----  1 root  _unbound  1.9K Aug 11  2020 test.unbound
-rw-r--r--  1 root  _unbound  2.4K Dec 20 11:57 unbound.conf
-rw-r-----  1 root  _unbound  2.4K Aug 10  2020 unbound_control.key
-rw-r-----  1 root  _unbound  1.3K Aug 10  2020 unbound_control.pem
-rw-r-----  1 root  _unbound  2.4K Aug 10  2020 unbound_server.key
-rw-r-----  1 root  _unbound  1.3K Aug 10  2020 unbound_server.pem
-rw-r--r--  1 root  _unbound  608B May 11  2023 unbound_stub_zones.conf

/var/unbound/log:
total 4176
drwxr-xr-x  2 root  _unbound  512B May 11  2023 ./
drwxr-xr-x  5 root  wheel     512B Oct 12 20:32 ../
-rw-rw----  1 root  _unbound  2.0M Dec 20 11:59 current

> cat /var/unbound/etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
    # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-so-rcvbuf
    #> On OpenBSD change header and recompile kernel [for 4m, 2m is the maximum otherwise]
    #so-rcvbuf: 4m
    so-rcvbuf: 2m

    # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-so-sndbuf
    # https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html
    # https://marc.info/?l=openbsd-bugs&m=176026427208159&w=2
    #> On OpenBSD change header and recompile kernel [for 4m, 2m is the maximum otherwise]
    #so-sndbuf: 4m
    so-sndbuf: 2m

    # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-num-threads
    num-threads: 2

    # more cache memory, rrset=msg*2
    rrset-cache-size: 100m
    msg-cache-size: 50m

    # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-outgoing-range
    #
    # > ldd /usr/sbin/unbound
    #/usr/sbin/unbound:
    #Start            End              Type  Open Ref GrpRef Name
    #0000071455e52000 0000071455f80000 exe   1    0   0      /usr/sbin/unbound
    #0000071656ed6000 0000071656f43000 rlib  0    1   0      /usr/lib/libssl.so.60.1
    #0000071734d40000 0000071734d51000 rlib  0    1   0      /usr/lib/libevent.so.4.1 <------
    #00000716f729b000 00000716f74e4000 rlib  0    2   0      /usr/lib/libcrypto.so.57.1
    #0000071657a39000 0000071657b3f000 rlib  0    1   0      /usr/lib/libc.so.102.0
    #00000716cb9fe000 00000716cb9fe000 ld.so 0    1   0      /usr/libexec/ld.so
    #
    outgoing-range: 4096

    # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-num-queries-per-thread
    num-queries-per-thread: 2048

    interface: 127.0.0.1
    interface: em0
    do-ip6: no

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow

    hide-identity: yes
    hide-version: yes

    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2
    aggressive-nsec: yes

    include: "/var/unbound/etc/local.unbound"

    # LOG
    use-syslog: no
    logfile: /var/unbound/log/current
    log-time-ascii: yes
    verbosity: 3
    log-queries: yes
    val-log-level: 2
    extended-statistics: no
    statistics-interval: 0
    statistics-cumulative: no

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

TEST

> doas rcctl reload unbound
unbound(ok)

Note that "ok" here does NOT mean the operation was successful: in fact, the debug log showed errors. The new log shows everything is fine as the result of the above changes.

It still does not meet the 4m recommendation, but I do not want to recompile the kernel. I hope it will solve the problem with the milter, as SPF validation kept failing occasionally because of DNS timeouts.

-- Otto
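
Added example, not part of the message above and not code from unbound or OpenBSD: since `rcctl reload` reports "ok" either way, this small lint can be run on unbound.conf before a reload to flag `so-rcvbuf`/`so-sndbuf` values above a ceiling and options set more than once in a clause (as `val-log-level` is in the configuration above). The 2m default is an assumption taken from the comment in that configuration; the function names, the list of repeatable options and the sample text are constructed for illustration.

```python
import re

# Size suffixes accepted for unbound.conf buffer and cache sizes.
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}
# Options that legitimately appear several times (short list, extend as needed).
REPEATABLE = {"interface", "access-control", "include"}

def parse_size(text):
    """Convert a size such as '2m' or '4096' to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text.strip().lower())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def lint(conf_text, max_sockbuf="2m"):
    """Flag socket buffers above max_sockbuf and options set twice in a clause."""
    limit = parse_size(max_sockbuf)  # assumed ceiling, from the config comment
    findings, seen, clause = [], {}, None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if not value:  # clause header such as "server:"
            clause = key
            continue
        if key in ("so-rcvbuf", "so-sndbuf") and parse_size(value) > limit:
            findings.append(f"line {lineno}: {key} {value} exceeds {max_sockbuf}")
        first = seen.setdefault((clause, key), lineno)
        if first != lineno and key not in REPEATABLE:
            findings.append(f"line {lineno}: {key} repeated (first at line {first})")
    return findings

# Constructed sample, modelled on the configuration in the message.
SAMPLE = """\
server:
    #so-rcvbuf: 4m
    so-rcvbuf: 4m
    so-sndbuf: 2m
    interface: 127.0.0.1
    interface: em0
    val-log-level: 2
    verbosity: 3
    val-log-level: 2
remote-control:
    control-enable: yes
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

A repeated option is reported for review only; a value above the ceiling is the case the "ok" from the reload would not reveal.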

