<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Erik Ruwalder wrote:</p>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"><span style="font-family: arial, helvetica, sans-serif; color: #843fa1;">Hi Arnold,</span></div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"><span style="font-family: arial, helvetica, sans-serif; color: #843fa1;">You have to start the daemon as root, then it falls back to a "normal" user.</span></div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"><span style="font-family: arial, helvetica, sans-serif; color: #843fa1;">A normal user cannot bind to port 53.</span></div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"><span style="font-family: arial, helvetica, sans-serif; color: #843fa1;">See manual:</span></div>
<div class="v1elementToProof" style="direction: ltr; text-align: left; text-indent: 0px; line-height: 1.4; white-space: normal; font-family: Monaco, Menlo, Consolas, 'Roboto Mono', 'Andale Mono', 'Ubuntu Mono', monospace; font-size: 13px; color: #141414;"><span style="font-family: arial, helvetica, sans-serif; color: #843fa1;"><code>username: &lt;name&gt;
</code></span></div>
<div class="v1elementToProof" style="direction: ltr; text-align: left; text-indent: 0px; line-height: 1.4; font-family: Monaco, Menlo, Consolas, 'Roboto Mono', 'Andale Mono', 'Ubuntu Mono', monospace; font-size: 13px; color: #141414;"><span style="font-family: arial, helvetica, sans-serif; color: #843fa1;"> <code>If given, after binding the port the user privileges are
dropped. Default is "unbound". If you give username: "" no user
change is performed.
If this user is not capable of binding the port, reloads (by
signal HUP) will still retain the opened ports. If you change
the port number in the config file, and that new port number
requires privileges, then a reload will fail; a restart is
needed.</code></span></div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div id="v1appendonsend"></div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"><span style="font-family: arial, helvetica, sans-serif; color: #843fa1;">Cheers,</span></div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"><span style="font-family: arial, helvetica, sans-serif; color: #843fa1;">Erik.</span></div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"><span style="font-family: arial, helvetica, sans-serif; color: #000000;">And Yorgos Thessalonikefs wrote: </span></div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;">
<p><span style="color: #843fa1;">Hi Arnold,</span></p>
<p><span style="color: #843fa1;">This is because Unbound is *started* as the "unbound" user.</span><br /><span style="color: #843fa1;">Port 53 needs elevated privileges to open.</span><br /><span style="color: #843fa1;">I would start Unbound as root in your case, unbound will drop root</span><br /><span style="color: #843fa1;">privileges at startup right after when not needed anymore (after reading</span><br /><span style="color: #843fa1;">certain files and opening ports for example) and it will change to the</span><br /><span style="color: #843fa1;">configured 'username:' user.</span></p>
<p><span style="color: #843fa1;">The default value of username is "unbound" if you haven't provided</span><br /><span style="color: #843fa1;">another one during compilation.</span></p>
<p><span style="color: #843fa1;">The value "" in the configuration file means that Unbound will continue</span><br /><span style="color: #843fa1;">to operate as the startup user; in your case root but I believe you</span><br /><span style="color: #843fa1;">don't want that.</span></p>
<p><span style="color: #843fa1;">Best regards,</span><br /><span style="color: #843fa1;">-- Yorgos</span></p>
</div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;">Thank you both for your assistance. This was, indeed, the issue and, once fixed, it got me a lot further along in the initiation process. A lot further, including opening of tcp4 and udp4 sockets on ports 53 and 8953 for my local machine IP (also one tcp6 socket ::1 on 8953, and one tcp4 socket on 127.0.0.1 on 8953). The log shows where it "dropped" the root privileges and started running as "unbound." It also initiated DNSSEC operations and validated the two root keys in the root.key file. It also recognizes the forward resolver IPs (8.8.8.8 and 1.1.1.1) for port 53. </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;">That said, we still have a bit more to do. There are some files for which I got the "permission denied" error. It can't open/read them. One of which I believe caused the "fatal error" that stopped/killed the process. This was the "root hints" file, with permission error on "<strong>/usr/local/etc/unbound/db.roots</strong>" file. It's owned by "<strong>unbound:unbound</strong>" and has 777 permissions (most of my files are 777 since it's only me on the system). Still, it can't read the root hints file. </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;">I was able to fix the permission denied error on the "<strong>ubound.pid</strong>" file by changing ownership to "<strong>root:unbound</strong>" and granting 777 permissions. It appears I need to do the same for the log file (<strong>/etc/unbound/log-main.log</strong>). It is currently owned by <strong>unbound:unbound</strong>. Not sure if root is still active (not yet dropped down) and owning the process while it attempts to open the log file. The only other permission denied error is db.roots. Otherwise, all other files appear to be accessible including the "root.key" file for DNSSEC. </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;">Whatever help you all can offer would be greatly appreciated.</div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;">Regards,<br />Arnold.</div>
<div class="v1elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: #000000;"> </div>
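<p>Added example, not part of the original thread and not Unbound's own code: once the daemon has dropped to the <code>username:</code> user, opening a file needs search (x) permission on every directory in its path as well as the mode bits on the file itself, so a 777 file can still be unreachable. The sketch below walks a path and reports the first component that refuses a given uid/gid set; the function names are hypothetical, and it assumes plain Unix mode bits are the only control in play (no ACLs, MAC policy or chroot).</p>

```python
import os
import stat

def can(st, uid, gids, want):
    """Classic Unix mode-bit check; want is a mask of 4 (r), 2 (w), 1 (x)."""
    if uid == 0:
        return True                 # root bypasses mode bits
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner triplet
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group triplet
    else:
        bits = st.st_mode           # other triplet
    return (bits & want) == want

def first_blocker(path, uid, gids, want=4):
    """Return None if (uid, gids) can reach path with `want` access,
    else (component, reason) for the first component that refuses."""
    chain = [os.sep]
    for part in os.path.abspath(path).split(os.sep):
        if part:
            chain.append(os.path.join(chain[-1], part))
    for i, comp in enumerate(chain):
        try:
            st = os.stat(comp)      # follows symlinks, as open() would
        except OSError as exc:
            return comp, exc.strerror
        if i < len(chain) - 1:      # every parent must be a searchable directory
            if not stat.S_ISDIR(st.st_mode):
                return comp, "not a directory"
            if not can(st, uid, gids, 1):
                return comp, "no search (x) permission on directory"
        elif not can(st, uid, gids, want):
            return comp, "mode bits deny requested access"
    return None

if __name__ == "__main__":
    import pwd
    user = "unbound"                # the default username: value quoted in the thread
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    # Paths as given in the thread: read access for root hints, write for the log.
    for path, want in (("/usr/local/etc/unbound/db.roots", 4),
                       ("/etc/unbound/log-main.log", 2)):
        print(path, "->", first_blocker(path, pw.pw_uid, gids, want) or "reachable")
```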
</body></html>