On 2025/12/21 14:39, Otto Cooper wrote:
> OpenBSD's default configuration is clearly not a sane configuration, because 
> file permissions turn out to be mistaken to the point that a reload fails. I 
> would not have started this thread otherwise.

How is OpenBSD responsible for *a file which you have added yourself*?!

> On logs, you are jumping to conclusions. My real configuration is not the one 
> I posted here for the sake of testing.

So you have a problem with resolution failures but you report a problem
with reloading not working. Then when you're asked for config you only
show part of it. Then you say it's not the real configuration anyway.
(There are some known problems with resolution failures particularly
around RBLs and some SPF lookups, but if you won't show logs I can't see
if they might apply to you).

> On udp buffer absent on obsd, assuming it to be a good thing, it may not be 
> the same buffer used by unbound. I did not check the source code, but the 
> question is why they need to specify it in unbound.conf if they are just 
> pumping packets as they come? Perhaps there is a buffer inside unbound and 
> the purpose with the config is to make you aware of their need to align 
> their buffer with that in the kernel. If the debug log says they need 4m, 
> then I assume they have a good reason, supported by their experimental 
> results. So, the most I can give, without recompiling the kernel, is 2m 
> because this is the allowed maximum. Again, if it is true that udp buffer is 
> absent on obsd, then why having the variable in sysctl, and why limiting to 
> 2m? Perhaps there is a kernel buffer after all.
> 
> On cpu, unbound hits mine with >2%. I observed DNS timeouts at the command 
> line, and timeouts from SPF validation. If buffer overflow is the cause of 
> it, I need the problem solved, not hidden.

so-sndbuf is relating to a kernel limit not something inside unbound.

it does different things on linux (socket buffer) compared to BSDs
(just limiting the size of a single packet).

they bumped it to work around a problem some people were seeing *on linux*
(filling the buffer which OpenBSD doesn't have when waiting for ARP
responses), they changed from a value which is overkill for what that
setting does on BSDs (but was accepted anyway) to a value which is not
accepted at all.

their advice to recompile kernels on OpenBSD is poor.

I give up trying to help. turn on the logging that I suggested, look for
failures when you see SPF problems, if you find something then search
unbound github issues for it.
