Maintained by: NLnet Labs

[Unbound-users] Suggested config settings for chrooting unbound

Ilya Bakulin
Thu Nov 22 09:35:33 CET 2012

Hi list,
I have a question about chrooting the unbound daemon under FreeBSD (although the
same is true on all platforms).
Suppose I'm going to chroot into /var/run/unbound, which seems logical to me,
since unbound is going to write root.key in the current directory (and having
anything application-writable under /usr/local is bad).
But it seems I also need to place the unbound config file under /var/unbound,
because otherwise the daemon cannot reread its config on SIGHUP.
Placing the config file under /var is bad practice and violates hier(7).
I also cannot make hardlinks, because /usr and /var are on separate
filesystems (which is a recommended setting).
Normally this problem is solved by having two processes, one with root
privileges which runs unchrooted, and some number of workers. unbound seems
not to use this model, having only a single process.

So I'd like to ask what is considered "best practice" for chrooting unbound?

// Ilya
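As an added illustration of the layout the post describes (this is example configuration written for this page, not from the original message, the list, or NLnet Labs), the fragment below shows a chrooted unbound.conf in which the writable trust anchor lives inside the chroot and the pidfile stays outside it. It assumes the chroot directory is /var/unbound (the post mentions both /var/run/unbound and /var/unbound) and that the daemon runs as the user "unbound"; both are assumptions.

```conf
# Added example, not from the original post or from NLnet Labs.
# Assumed chroot directory: /var/unbound. Assumed daemon user: unbound.
server:
    # Privileges are dropped and the chroot entered after the config has
    # been read and the listening sockets opened.
    username: "unbound"
    chroot: "/var/unbound"

    # Working directory as seen from inside the chroot; relative paths in
    # this file resolve against it.
    directory: "/var/unbound"

    # unbound rewrites this file when the root trust anchor rolls (RFC 5011),
    # so it must be writable by the unbound user and must be inside the
    # chroot. Seed it once before the first start, for example:
    #   unbound-anchor -a /var/unbound/root.key
    auto-trust-anchor-file: "/var/unbound/root.key"

    # The pidfile is written just before chroot and privilege drop, so it
    # may live outside the chroot. unbound cannot remove it on exit then.
    pidfile: "/var/run/unbound.pid"

    # Log through syslog so nothing under the chroot has to be writable
    # beyond root.key.
    use-syslog: yes
```

Start the daemon with the config path given from the original root, for example `unbound -c /var/unbound/unbound.conf`; unbound removes the chroot prefix from that path after chrooting, which is what allows the file to be re-read on SIGHUP. That is also the constraint the post runs into: the config file has to resolve to a path inside the chroot, so this layout does not answer the hier(7) objection, it only shows the arrangement that reloads correctly. Other file paths (the anchor file, root hints, log file) may be written either relative to the new root or as full paths from the original root, which unbound adjusts in the same way. Validate the file with `unbound-checkconf /var/unbound/unbound.conf` before starting, and note that unbound may need /dev/urandom to be reachable inside the chroot.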