Update - Some Progress.
ub40 at mag3.co
Wed Sep 10 20:06:08 UTC 2025
Erik Ruwalder wrote:

Hi Arnold,

You have to start the daemon as root, then it falls back to a "normal"
user.
A normal user cannot bind to port 53.

See manual:

username: <name>
If given, after binding the port the user privileges are
dropped. Default is "unbound". If you give username: "" no user change
is performed. If this user is not capable of binding the port, reloads
(by signal HUP) will still retain the opened ports. If you change the
port number in the config file, and that new port number requires
privileges, then a reload will fail; a restart is needed.

Cheers,
Erik.

And Yorgos Thessalonikefs wrote:

Hi Arnold,

This is because Unbound is *started* as the "unbound" user.
Port 53 needs elevated privileges to open.

I would start Unbound as root in your case, unbound will drop root
privileges at startup right after when not needed anymore (after reading
certain files and opening ports for example) and it will change to the
configured 'username:' user.
The default value of username is "unbound" if you haven't provided
another one during compilation.
The value "" in the configuration file means that Unbound will continue
to operate as the startup user; in your case root but I believe you
don't want that.

Best regards,
-- Yorgos
Thank you both for your assistance. This was, indeed, the issue and,
once fixed, it got me a lot further along in the initiation process. A
lot further, including opening of tcp4 and udp4 sockets on ports 53 and
8953 for my local machine IP (also one tcp6 socket ::1 on 8953, and
one tcp4 socket on 127.0.0.1 on 8953). The log shows where it "dropped"
the root privileges and started running as "unbound." It also initiated
DNSSEC operations and validated the two root keys in the root.key file.
It also recognizes the forward resolver IPs (8.8.8.8 and 1.1.1.1) for
port 53.

That said, we still have a bit more to do. There are some files for
which I got the "permission denied" error. It can't open/read them. One
of which I believe caused the "fatal error" that stopped/killed the
process. This was the "root hints" file, with permission error on the
"/usr/local/etc/unbound/db.roots" file. It's owned by "unbound:unbound"
and has 777 permissions (most of my files are 777 since it's only me on
the system). Still, it can't read the root hints file.

I was able to fix the permission denied error on the "unbound.pid" file
by changing ownership to "root:unbound" and granting 777 permissions. It
appears I need to do the same for the log file
(/etc/unbound/log-main.log). It is currently owned by unbound:unbound.
Not sure if root is still active (not yet dropped down) and owning the
process while it attempts to open the log file. The only other
permission denied error is db.roots. Otherwise, all other files appear
to be accessible including the "root.key" file for DNSSEC.

Whatever help you all can offer would be greatly appreciated.

Regards,
Arnold.
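An added check for the situation in this thread (this is not code from the thread or from the Unbound project): once the daemon has dropped to the `username:` user, every later open() is evaluated against that user, and the kernel needs search (x) permission on each directory leading to the file, so 777 on the file itself is not enough if a parent directory denies it. The script walks a path the way open(2) does; the `unbound` account and the two paths in `main` come from the message above, while `inode` and the stat table used in the test are constructed data.

```python
import os
from types import SimpleNamespace

R, W, X = 4, 2, 1  # bits of one rwx permission triplet

def inode(mode, uid, gid):
    """Minimal stand-in for an os.stat_result, for constructed/recorded data."""
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

def has_bits(st, uid, gids, need):
    """POSIX discretionary access check: does user `uid` (member of `gids`)
    hold every bit of `need` on inode `st`? uid 0 (root) bypasses read, write
    and directory-search checks, which is why a file can open fine before the
    privilege drop and fail right after it."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        triplet = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        triplet = (st.st_mode >> 3) & 7
    else:
        triplet = st.st_mode & 7
    return triplet & need == need

def check_path(path, uid, gids, need, stat_fn=os.stat):
    """Resolve an absolute path as open(2) does: each directory on the way
    needs x for this user, the final component needs `need` (e.g. R or R|W).
    Returns the first (component, missing bits) problem, or None when the
    user can reach and open the file. stat_fn is injectable for offline runs."""
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        if not has_bits(stat_fn(cur), uid, gids, X):
            return (cur, "x")
        cur = os.path.join(cur, part)
    st = stat_fn(cur)
    lacking = "".join(c for c, b in (("r", R), ("w", W), ("x", X))
                      if need & b and not has_bits(st, uid, gids, b))
    return (cur, lacking) if lacking else None

def user_ids(name):
    """uid and every group id of a local account, e.g. the `username:` user."""
    import pwd
    pw = pwd.getpwnam(name)
    return pw.pw_uid, set(os.getgrouplist(name, pw.pw_gid))

if __name__ == "__main__":
    uid, gids = user_ids("unbound")  # the account Unbound drops to
    for path, need in [("/usr/local/etc/unbound/db.roots", R),
                       ("/etc/unbound/log-main.log", W)]:
        print(path, check_path(path, uid, gids, need) or "ok")
```

Run it as root on the host (or with any stat function that reflects the chrooted view, if `chroot:` is set) and the first component that blocks the `unbound` user is named.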