unbound cannot start with large zone files > 24.000 lines : memory exhausted

Bug #2087526 reported by Andreas Moehrlein
Affects            Status        Importance   Assigned to        Milestone
unbound (Ubuntu)   Fix Released  Undecided    Andreas Hasenack
Focal              Fix Released  Undecided    John Chittum
Jammy              Fix Released  Undecided    John Chittum
Noble              Fix Released  Undecided    John Chittum
Oracular           Fix Released  Undecided    John Chittum
Plucky             Fix Released  Undecided    Andreas Hasenack

Bug Description

[ SRU ]
[ Impact ]

 * regression introduced by the CVE-2024-43167 patch: any configuration file that ends up parsed by contents_view and contains a large number of entries (> 9994 zones) leads to memory exhaustion.
 * due to the bug being introduced by a security patch, it has been patched all the way back to 20.04 in the security pocket.
 * due to the file size requirement, this is likely only hitting the largest deployments.

[ Test Plan ]

     [[ Reproduction ]]

     * download conf from comment 2 : https://bugs.launchpad.net/ubuntu/oracular/+source/unbound/+bug/2087526/comments/2
     * download example zone from comment 5 : https://bugs.launchpad.net/ubuntu/oracular/+source/unbound/+bug/2087526/comments/5
     * lxc launch ubuntu-daily:$SUITE $SUITE-test-unbound
     * lxc file push <unbound.conf | security.zone> $SUITE-test-unbound/tmp/
     * lxc shell $SUITE-test-unbound
     * sudo apt update && sudo apt full-upgrade
     * sudo apt install unbound
     * sudo service unbound stop
     * mv /tmp/unbound.conf /etc/unbound/unbound.conf
     * mkdir /etc/unbound/zones
     * mv /tmp/security.zone /etc/unbound/zones/
     * sudo service unbound start
     * observe the failure (memory exhaustion)
     * sudo service unbound stop (just in case -- it should be dead)
     * setup proposed (or the PPA)
     * sudo apt update
     * make sure you get the update installed (apt-cache policy unbound)
     * upgrade unbound
     * sudo service unbound start
     * no error should occur from reading the configuration file
     * note: there may be a different error from the unbound-resolvconf service due to a loopback device being used in an lxc container. This is unrelated to the issue.

[ Where problems could occur ]

 * the patch is in configparser.y; the bug was introduced by another change to this file. It is difficult to know how many configurations are in use and how each of them is parsed.
    * scanning past bugs in upstream GitHub and Debian, I am not seeing recent bugs related to configuration.

[ Other Info ]

 * PPA builds available in https://launchpad.net/~jchittum/+archive/ubuntu/lp-2087526-unbound

[ ORIGINAL BUG REPORT ]

Starting with version 1.19, when starting unbound with an include directive that loads a large file with many NXDOMAIN entries (244 859 entries), unbound gives a "memory exhausted" error and does not start on Ubuntu 24.04

To reproduce
Steps to reproduce the behavior:
    add an include directive pointing at a file with many (over 244000) entries like this: local-zone: "vip.xvpn.io" always_nxdomain
    unbound.conf: include: /etc/unbound/zones/db.malware.zone
    try to start unbound with service unbound start

Expected behavior
Unbound should start

System:
    Unbound version: 1.19.2 (1.19.2-1ubuntu3.3)
    OS: Ubuntu Noble 24.04.1
    unbound: 1.19.2-1ubuntu3.3

Additional information
Error message:
unbound-helper[236519]: /etc/unbound/zones/db.malware.zone:23463: error: memory exhausted

Older package 1.19.2-1ubuntu3.1 is working fine with the configuration

If I use just a couple of lines (e.g. 20000) in the include directive, it works just fine and unbound loads and returns NXDOMAIN for the few remaining domains.
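
The test plan in this report depends on the reporter's attached configuration. As an added example that is not part of the bug report or of the unbound project, the Python script below generates a synthetic include file of the same shape (constructed `vip.xvpnN.io` names, distinct per line) and bisects the largest number of local-zone entries the installed unbound-checkconf still parses, turning "it fails on my file" into a reproducible threshold that can be compared before and after an upgrade. The minimal server block, the cleared chroot/username settings and the 300,000 search ceiling are assumptions of this example, not the reporter's unbound.conf.

```python
"""Generate a large local-zone include and bisect the size at which the
installed unbound-checkconf stops accepting it.

Added example for LP: #2087526; not the reporter's unbound.conf and not
part of the unbound project.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Callable

# Hypothetical upper bound for the search; the reporter's file had 244,859
# entries, so 300,000 comfortably covers it.
SEARCH_CEILING = 300_000


def local_zone_line(i: int, label: str = "vip.xvpn") -> str:
    """One always_nxdomain entry with a constructed, distinct name."""
    return f'local-zone: "{label}{i}.io" always_nxdomain'


def write_local_zones(path: str, n: int) -> int:
    """Write n entries to path and return the number written."""
    with open(path, "w") as fh:
        for i in range(1, n + 1):
            fh.write(local_zone_line(i) + "\n")
    return n


def write_conf(conf_path: str, zone_path: str) -> None:
    """Minimal server block (an assumption, not the attached config).
    chroot/username are cleared so checkconf does not fail on privilege
    checks that have nothing to do with the parser."""
    with open(conf_path, "w") as fh:
        fh.write("server:\n")
        fh.write('    chroot: ""\n')
        fh.write('    username: ""\n')
        fh.write(f'    include: "{zone_path}"\n')


def checkconf_accepts(n: int, workdir: str) -> bool:
    """True if unbound-checkconf exits 0 on a config with n entries."""
    zone = os.path.join(workdir, "security.zone")
    conf = os.path.join(workdir, "unbound.conf")
    write_local_zones(zone, n)
    write_conf(conf, zone)
    res = subprocess.run(["unbound-checkconf", conf],
                         capture_output=True, text=True)
    return res.returncode == 0


def find_threshold(accepts: Callable[[int], bool],
                   lo: int = 1, hi: int = SEARCH_CEILING) -> int:
    """Largest n in [lo, hi] for which accepts(n) is true, assuming the
    predicate is monotone (true up to some size, false beyond). Returns 0
    if even lo is rejected and hi if nothing in range is rejected."""
    if not accepts(lo):
        return 0
    if accepts(hi):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if accepts(mid):
            lo = mid
        else:
            hi = mid
    return lo


def main() -> None:
    if shutil.which("unbound-checkconf") is None:
        print("unbound-checkconf not found; install unbound first")
        return
    with tempfile.TemporaryDirectory() as workdir:
        limit = find_threshold(lambda n: checkconf_accepts(n, workdir))
        print(f"largest local-zone count accepted: {limit}")


if __name__ == "__main__":
    main()
```

On an affected package the printed threshold lands in the 9990s, matching the line numbers in the error messages quoted in this bug; on a fixed package the bisection runs up to the search ceiling. Each probe rewrites the include file, so the run takes a few seconds per step on the larger sizes.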

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks for taking the time to report a bug.

I can't reproduce it here inside a pristine Noble container. Here's how I'm generating the file:

# cd /etc/unbound/unbound.conf.d/
# echo "server:" > test.conf
# printf ' local-zone: "vip.xvpn%d.io" always_nxdomain\n' {1..40000} >> test.conf

This will generate a file with 40001 lines, which is automatically included by /etc/unbound/unbound.conf. Restarting the service works as expected.

Note that I'm composing different domain names in order to avoid repetition, but even without this trick things work.

Could you please provide more detailed steps to reproduce, as well as information about your system (how much memory/swap you have, whether you can reproduce this issue on a different system, etc.)?

Thank you.

Changed in unbound (Ubuntu):
status: New → Incomplete
Revision history for this message
Andreas Moehrlein (am155) wrote :

Minimal unbound.conf - see attached

Revision history for this message
Andreas Moehrlein (am155) wrote :

unbound-checkconf failed to start:

/etc/unbound/zones/security.zone:9990: error: memory exhausted
read /etc/unbound/unbound.conf failed: 1 errors in configuration file

Revision history for this message
Andreas Moehrlein (am155) wrote :

The system has 32 GB memory with 24,2 GB free
+ 10 GB swap - nothing used

Revision history for this message
Andreas Moehrlein (am155) wrote :

/etc/unbound/zones/security.zone

Revision history for this message
Miriam España Acebal (mirespace) wrote :

Hi Andreas,

Thanks for providing the files and the info.

I could reproduce the issue you're facing with the unbound versions in Oracular and Noble, but for the case that works for you, version 1.19.2-1ubuntu3.1, what I got was the OOM killer kicking in:

Nov 21 09:56:55 Nclamav unbound-helper[916]: /etc/unbound/unbound.conf.d/unbound.conf:32: error: cannot open include file '/etc/unbound/zones/security.zone': Too many open files
Nov 21 09:57:30 Nclamav systemd[1]: unbound.service: A process of this unit has been killed by the OOM killer.

Even with 32 or 64 GB of RAM in a pristine VM.

So, I tried to play with the libevent parameters to optimize unbound, per [1]:

        # with libevent
        outgoing-range: 8192
        num-queries-per-thread: 4096

and I got a similar error:

Nov 22 09:20:21 ip-172-31-65-173 unbound-helper[7301]: /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:1: error: cannot open include file '/et>
Nov 22 09:20:21 ip-172-31-65-173 unbound-helper[7301]: /etc/unbound/unbound.conf.d/unbound.conf:1: error: cannot open include file '/etc/unbound/unbound.co>
Nov 22 09:20:21 ip-172-31-65-173 unbound-helper[7301]: /etc/unbound/unbound.conf.d/unbound.conf:1: error: cannot open include file '/etc/unbound/unbound.co>
Nov 22 09:20:21 ip-172-31-65-173 unbound-helper[7301]: /etc/unbound/unbound.conf.d/unbound.conf:10: error: cannot open include file '/etc/unbound/unbound.c>
Nov 22 09:20:21 ip-172-31-65-173 unbound-helper[7301]: /etc/unbound/unbound.conf.d/unbound.conf:39: error: cannot open include file '/etc/unbound/zones/sec>
Nov 22 09:21:51 ip-172-31-65-173 systemd[1]: unbound.service: State 'stop-post' timed out. Terminating.
Nov 22 09:21:51 ip-172-31-65-173 systemd[1]: unbound.service: Failed with result 'timeout'.

Therefore, I don't know if you have other additional settings that make it work.

Fortunately, the "memory exhausted" error was reported upstream [2] and [3], and a fix [4] is included in the latest release (1.22.0 [5]), which we are in the process of releasing in Ubuntu 25.04 Plucky. Once we get it there, we can patch the rest of the affected versions in the supported series as part of an SRU process [6].

Then, I'm creating the corresponding tasks per series so that we can work on them sooner rather than later as time permits.

Thanks again, Andreas.

[1] https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html#using-libevent
[2] https://github.com/NLnetLabs/unbound/issues/1127
[3] https://github.com/NLnetLabs/unbound/issues/1129
[4] https://github.com/NLnetLabs/unbound/commit/db1167c8b38daf2a4352ba3e4e6d54740e999d29
[5] https://github.com/NLnetLabs/unbound/releases/tag/release-1.22.0
[6] https://canonical-sru-docs.readthedocs-hosted.com/en/latest/

Changed in unbound (Ubuntu Plucky):
status: Incomplete → Confirmed
Changed in unbound (Ubuntu Oracular):
status: New → Confirmed
Changed in unbound (Ubuntu Noble):
status: New → Confirmed
Changed in unbound (Ubuntu Jammy):
status: New → Confirmed
Changed in unbound (Ubuntu Focal):
status: New → Confirmed
summary: - unbound 1.19.2-1ubuntu3.3 with large zone files > 24.000 lines :
- memory exhausted
+ unbound cannot start with large zone files > 24.000 lines : memory
+ exhausted
tags: added: server-todo
Changed in unbound (Ubuntu Plucky):
status: Confirmed → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.22.0-1ubuntu1

---------------
unbound (1.22.0-1ubuntu1) plucky; urgency=medium

  * Merge with Debian unstable (LP: #2087526, LP: #2085302). Remaining changes:
    - Don't build with hiredis on i386. hiredis and redis are not built
      on i386 and require bootstrapping due to circular
      build-dependencies; simpler to just disable this in the i386
      unbound server binary (that no one will ever use).
  * Dropped:
    - SECURITY UPDATE: null pointer dereference
      + debian/patches/CVE-2024-43167-1.patch: fix null pointer
        dereference issue in function ub_ctx_set_fwd of file
        libunbound/libunbound.c
      + debian/patches/CVE-2024-43167-2.patch: fix to print a parse
        error when config is read with no name for a forward-zone, stub-
        zone or view.
      + CVE-2024-43167
        [Fixed upstream]
    - SECURITY UPDATE: denial of service via large RRsets compression
      + debian/patches/CVE-2024-8508.patch: limit name compression
        calculations per packet to avoid CPU lockup in util/data/msgencode.c
      + CVE-2024-8508
        [Fixed upstream]

unbound (1.22.0-1) unstable; urgency=medium

  * new upstream release (1.22.0)

unbound (1.21.1-1) unstable; urgency=medium

  * new upstream release 1.21.1
    Closes: #1078647, CVE-2024-43167 (NULL ptr deref in ub_ctx_set_fwd)
    Closes: #1083282, CVE-2024-8508 (Unbounded name compression)

 -- Andreas Hasenack <email address hidden> Tue, 28 Jan 2025 18:44:57 -0300

Changed in unbound (Ubuntu Plucky):
status: In Progress → Fix Released
John Chittum (jchittum)
Changed in unbound (Ubuntu Oracular):
assignee: nobody → John Chittum (jchittum)
Changed in unbound (Ubuntu Noble):
assignee: nobody → John Chittum (jchittum)
Changed in unbound (Ubuntu Jammy):
assignee: nobody → John Chittum (jchittum)
Changed in unbound (Ubuntu Focal):
assignee: nobody → John Chittum (jchittum)
Revision history for this message
John Chittum (jchittum) wrote (last edit ):

Checking past series against upstream code, I see CVE-2024-43167-2.patch being backported. That looks to be the exact directive upstream patched to solve the bug.

I haven't been able to repro on the older versions, but it may be a failing on my side.

Revision history for this message
John Chittum (jchittum) wrote :

@am155 - I have a PPA with the patch applied. I haven't been able to reproduce locally. Would you be able to test this PPA while I prepare the SRU?

https://launchpad.net/~jchittum/+archive/ubuntu/lp-2087526-unbound/+packages

Revision history for this message
John Chittum (jchittum) wrote :

SRU template added. I've got everything reproducing properly, and testing steps show the steps for reproduction.

description: updated
Revision history for this message
Andreas Moehrlein (am155) wrote :

John - PPA for Noble (1.19.2-1ubuntu3.4~ppa2) is working perfect. Unbound now working again with large NXDOMAIN files. Thanks for your effort.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

oracular is listed as affected but no upload on the queue?

Revision history for this message
Simon Quigley (tsimonq2) wrote :

fixed

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I pair-reviewed this from an SRU perspective with @enr0n, and we will accept it into proposed.

Changed in unbound (Ubuntu Oracular):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-oracular
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Please test proposed package

Hello Andreas, or anyone else affected,

Accepted unbound into oracular-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.20.0-1ubuntu2.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-oracular to verification-done-oracular. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-oracular. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unbound (Ubuntu Noble):
status: Confirmed → Fix Committed
tags: added: verification-needed-noble
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hello Andreas, or anyone else affected,

Accepted unbound into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.19.2-1ubuntu3.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unbound (Ubuntu Jammy):
status: Confirmed → Fix Committed
tags: added: verification-needed-jammy
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hello Andreas, or anyone else affected,

Accepted unbound into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu5.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unbound (Ubuntu Focal):
status: Confirmed → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hello Andreas, or anyone else affected,

Accepted unbound into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.9.4-2ubuntu1.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (unbound/1.13.1-1ubuntu5.9)

All autopkgtests for the newly accepted unbound (1.13.1-1ubuntu5.9) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

asterisk/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#unbound

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (unbound/1.20.0-1ubuntu2.3)

All autopkgtests for the newly accepted unbound (1.20.0-1ubuntu2.3) for oracular have finished running.
The following regressions have been reported in tests triggered by the package:

gnutls28/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/oracular/update_excuses.html#unbound

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (unbound/1.19.2-1ubuntu3.4)

All autopkgtests for the newly accepted unbound (1.19.2-1ubuntu3.4) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

asterisk/unknown (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#unbound

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
John Chittum (jchittum) wrote :

oracular sru test:

following test plan

1. copied config and security.zones file
2. start oracular lxc instance
3. pushed files
4. install unbound from `-updates`
5. stopped unbound
6. put config and security.zones into proper place
7. started unbound, saw the known failure [0]
8. stopped unbound
9. configured proposed by adding `oracular-proposed` to `/etc/apt/sources.list.d/ubuntu.sources`
10. apt update
11. apt install unbound=1.20.0-1ubuntu2.3
12. journal does _not_ show the memory exhausted. it does show the mentioned resolveconf issue, unrelated to the memory exhaustion issue [1]

[0]
root@unbound-sru-oracular:~# journalctl -f
Mar 14 17:17:43 unbound-sru-oracular systemd[1]: Stopped unbound.service - Unbound DNS server.
Mar 14 17:17:43 unbound-sru-oracular sudo[1769]: pam_unix(sudo:session): session closed for user root
Mar 14 17:18:14 unbound-sru-oracular systemd[1]: Starting update-notifier-download.service - Download data for packages that failed at package install time...
Mar 14 17:18:14 unbound-sru-oracular systemd[1]: update-notifier-download.service: Deactivated successfully.
Mar 14 17:18:14 unbound-sru-oracular systemd[1]: Finished update-notifier-download.service - Download data for packages that failed at package install time.
Mar 14 17:18:31 unbound-sru-oracular su[1803]: (to root) root on pts/1
Mar 14 17:18:31 unbound-sru-oracular su[1803]: pam_unix(su-l:session): session opened for user root(uid=0) by (uid=0)
Mar 14 17:18:31 unbound-sru-oracular su[1803]: pam_systemd(su-l:session): New sd-bus connection (system-bus-pam-systemd-1803) opened.
Mar 14 17:18:31 unbound-sru-oracular systemd-logind[851]: New session c2 of user root.
Mar 14 17:18:31 unbound-sru-oracular systemd[1]: Started session-c2.scope - Session c2 of User root.
Mar 14 17:18:41 unbound-sru-oracular sudo[1818]: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/service unbound start
Mar 14 17:18:41 unbound-sru-oracular sudo[1818]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Mar 14 17:18:41 unbound-sru-oracular systemd[1]: Starting unbound.service - Unbound DNS server...
Mar 14 17:18:41 unbound-sru-oracular unbound-helper[1828]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Mar 14 17:18:41 unbound-sru-oracular unbound-helper[1828]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 14 17:18:41 unbound-sru-oracular unbound-helper[1831]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Mar 14 17:18:41 unbound-sru-oracular unbound-helper[1831]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 14 17:18:41 unbound-sru-oracular (unbound)[1833]: unbound.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_OPTS
Mar 14 17:18:41 unbound-sru-oracular unbound[1833]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Mar 14 17:18:41 unbound-sru-oracular unbound[1833]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 14 17:18:41 unbound-sru-oracular unbound[1833]: [1741972721] unbound[1833:0] fatal error: Could not read config file: /etc/unbound/unbound.conf. Maybe try unbound -dd, it s...


tags: added: verification-done-oracular
removed: verification-needed-oracular
Revision history for this message
John Chittum (jchittum) wrote :

noble sru test:

following test plan

1. i have the files already :)
2. start noble lxc instance
3. pushed files
4. install unbound from `-updates` (1.19.2-1ubuntu3.3)
5. stopped unbound
6. put config and security.zones into proper place
7. started unbound, saw the known failure [0]
8. stopped unbound
9. configured proposed by adding `noble-proposed` to `/etc/apt/sources.list.d/ubuntu.sources`
10. apt update
11. apt install unbound=1.19.2-1ubuntu3.4
12. journal does _not_ show the memory exhausted. it does show the mentioned resolveconf issue, unrelated to the memory exhaustion issue [1]

[0]
Mar 14 17:32:36 unbound-sru-noble systemd[1]: Starting unbound.service - Unbound DNS server...
Mar 14 17:32:36 unbound-sru-noble unbound-helper[2506]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Mar 14 17:32:36 unbound-sru-noble unbound-helper[2506]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 14 17:32:36 unbound-sru-noble unbound-helper[2509]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Mar 14 17:32:36 unbound-sru-noble unbound-helper[2509]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 14 17:32:36 unbound-sru-noble (unbound)[2510]: unbound.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_OPTS
Mar 14 17:32:36 unbound-sru-noble unbound[2510]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Mar 14 17:32:36 unbound-sru-noble unbound[2510]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 14 17:32:36 unbound-sru-noble unbound[2510]: [1741973556] unbound[2510:0] fatal error: Could not read config file: /etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
Mar 14 17:32:36 unbound-sru-noble systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Mar 14 17:32:36 unbound-sru-noble unbound-helper[2514]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Mar 14 17:32:36 unbound-sru-noble unbound-helper[2514]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Mar 14 17:32:36 unbound-sru-noble systemd[1]: unbound.service: Failed with result 'exit-code'.
Mar 14 17:32:36 unbound-sru-noble systemd[1]: Failed to start unbound.service - Unbound DNS server.

[1]
Mar 14 17:33:26 unbound-sru-noble systemd[1]: Starting unbound.service - Unbound DNS server...
Mar 14 17:33:26 unbound-sru-noble (unbound)[2729]: unbound.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_OPTS
Mar 14 17:33:27 unbound-sru-noble unbound[2729]: [2729:0] notice: init module 0: subnetcache
Mar 14 17:33:27 unbound-sru-noble unbound[2729]: [2729:0] notice: init module 1: validator
Mar 14 17:33:27 unbound-sru-noble unbound[2729]: [2729:0] notice: init module 2: iterator
Mar 14 17:33:27 unbound-sru-noble unbound[2729]: [2729:0] info: start of service (unbound 1.19.2).
Mar 14 17:33:27 unbound-sru-noble systemd[1]: Started unbound.service - Unbound DNS server.
Mar 14 17:33:27 unbound-sru-noble systemd[1]: Started unbound-resolvconf.service - Unbound asyncronous resolvconf update he...


tags: added: verification-done-noble
removed: verification-needed-noble
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.20.0-1ubuntu2.3

---------------
unbound (1.20.0-1ubuntu2.3) oracular; urgency=medium

  * debian/patches/lp-2087526-1-fix-memory-exhaust-in-local-zones.patch:
    fix error: "memory exhausted" when defining more than 9994
    local_zones. (LP: #2087526).

 -- John Chittum <email address hidden> Thu, 06 Feb 2025 15:01:30 -0500

Changed in unbound (Ubuntu Oracular):
status: Fix Committed → Fix Released
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Update Released

The verification of the Stable Release Update for unbound has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.19.2-1ubuntu3.4

---------------
unbound (1.19.2-1ubuntu3.4) noble; urgency=medium

  * debian/patches/lp-2087526-1-fix-memory-exhaust-in-local-zones.patch:
    fix error: "memory exhausted" when defining more than 9994
    local_zones. (LP: #2087526).

 -- John Chittum <email address hidden> Thu, 06 Feb 2025 14:41:07 -0500

Changed in unbound (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
John Chittum (jchittum) wrote :

Jammy and Focal proposed packages did not pass the test plan. I still see memory exhaustion happening. My initial guess is I did not properly patch _and_ my original testing before moving into review was not setup properly. I'm looking at jammy and focal now to see

Do not release the Jammy and Focal packages from proposed.

Revision history for this message
John Chittum (jchittum) wrote :

I've found an incorrect statement in the patch on Jammy

-contents_view: content_view contents_view
- |;

+contents_view: contents_view content_view
+ |;
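Review bot: the removed rule `contents_view: content_view contents_view` is the right-recursive form this bug traces back to, and the added `contents_view: contents_view content_view` is the left-recursive form that reduces after every view entry instead of holding all of them on the parser stack, so the direction of the change is correct; since the same reversal slipped into both the Jammy and Focal backports, add a config with more than 9994 entries (the threshold from the changelog and the test plan) as an `unbound-checkconf` check in the package's autopkgtest so a future rebase of CVE-2024-43167-2.patch cannot reintroduce it unnoticed.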

I'm building in a PPA now and will verify that this is indeed the only missing piece on Jammy. After verification there, I'll work backwards to Focal. I likely made the same mistake there.

I believe I've identified my test mistake during development as well -- I failed to first install the failing version to ensure my configuration setup was correct. I likely mistyped the directory creation on Jammy and Focal, which were prepared days later than oracular and noble. Thanks to the better written test plan in the SRU, I can ensure this doesn't happen again.
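
The two grammar lines above are the whole fix, and what matters in them is the direction of the recursion. In a yacc/bison LALR parser a right-recursive list rule (`list: item list`) cannot reduce anything until the final item has been shifted, so every entry occupies a slot on the parser stack; bison's default YYMAXDEPTH is 10000 states, and the message it prints when that limit is hit is literally "memory exhausted", which is why a config-size limit shows up as an apparent allocation failure on a box with 24 GB free. A left-recursive rule (`list: list item`) reduces after each item and parses in constant stack. The following Python model is added here and is not unbound's configparser.y or the Ubuntu patch; it counts stack entries for both rule shapes. The `base_depth` placeholder for states consumed by the enclosing clause is an assumption, so the failure this model produces near entry 9995 is consistent with, not derived from, the 9994 seen in the logs.

```python
"""Stack-depth model of a right- vs left-recursive yacc list rule.

Added illustration for LP: #2087526; this is not unbound's configparser.y.
"""

YYMAXDEPTH = 10000  # bison's default parser-stack limit (number of states)


class ParserStackExhausted(Exception):
    """Stands in for bison's 'memory exhausted' error (yyexhaustedlab)."""

    def __init__(self, entry: int):
        super().__init__(f"memory exhausted at entry {entry}")
        self.entry = entry


def max_stack_depth(n_items: int, left_recursive: bool,
                    base_depth: int = 6, limit: int = YYMAXDEPTH) -> int:
    """Peak parser-stack depth while parsing n_items entries of a list.

    base_depth is a hypothetical number of states already pushed for the
    enclosing clause (e.g. the 'view:' header); it is an assumption of
    this model, not a value taken from the real grammar.
    """
    depth = base_depth
    peak = depth
    for i in range(n_items):
        depth += 1  # shift the entry: one stack state per list element
        if depth > limit:
            raise ParserStackExhausted(i + 1)
        peak = max(peak, depth)
        if left_recursive:
            # 'list: list item' reduces immediately: the entry is popped
            # and the list nonterminal replaces it, so depth returns to
            # where it was before the shift.
            depth -= 1
    # With 'list: item list' nothing reduces until here, in one cascade
    # after the last entry, so the peak is base_depth + n_items.
    return peak


def first_exhausting_entry(base_depth: int = 6,
                           limit: int = YYMAXDEPTH) -> int:
    """Entry index at which the right-recursive form overflows the stack."""
    n = limit + 1  # more entries than the stack can ever hold
    try:
        max_stack_depth(n, left_recursive=False,
                        base_depth=base_depth, limit=limit)
    except ParserStackExhausted as exc:
        return exc.entry
    raise AssertionError("right recursion with n > limit must overflow")


if __name__ == "__main__":
    for n in (100, 9_000, 250_000):
        left = max_stack_depth(n, left_recursive=True)
        try:
            right = str(max_stack_depth(n, left_recursive=False))
        except ParserStackExhausted as exc:
            right = str(exc)
        print(f"{n:>7} entries: left-recursive peak {left}, "
              f"right-recursive {right}")
    print("right recursion overflows at entry", first_exhausting_entry())
```

The practical reading for a packager: a grammar change that flips a list rule from left to right recursion turns the size of a user-controlled config (or of an included blocklist) into a hard parse limit, and the symptom will not appear in tests with a few hundred entries. Any patch touching a `contents_*` rule in configparser.y deserves a check with an include well past 10000 lines.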

tags: added: verification-failed-jammy
removed: verification-needed-jammy
Revision history for this message
John Chittum (jchittum) wrote :

verified the same issue is present on the Focal patch. I've prepared the update and am building in a PPA now

the 22.04 MP is up

tags: added: verification-failed-focal
removed: verification-needed-focal
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Please test proposed package

Hello Andreas, or anyone else affected,

Accepted unbound into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu5.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-jammy
removed: verification-failed-jammy
tags: added: verification-needed-focal
removed: verification-failed-focal
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hello Andreas, or anyone else affected,

Accepted unbound into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.9.4-2ubuntu1.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (unbound/1.13.1-1ubuntu5.10)

All autopkgtests for the newly accepted unbound (1.13.1-1ubuntu5.10) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

gnutls28/3.7.3-4ubuntu1.6 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#unbound

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
John Chittum (jchittum) wrote :

jammy verification PASSED

1. started lxc container
    lxc launch ubuntu-daily:jammy
2. updated lxc container
    lxc shell square-snapper
    sudo apt update && sudo apt full-upgrade
3. restarted container
4. uploaded files
    lxc file push $FILE square-snapper/root/
5. installed unbound
    sudo apt install unbound
6. stopped unbound
    sudo service stop unbound
7. copied unbound.conf
    cp unbound.conf /etc/unbound/unbound.conf
8. made zones directory
    mkdir /etc/unbound/zones
9. copied zones file
    cp security.zone /etc/unbound/zones/
10. in a separate terminal, followed the journal to watch for the error
    journalctl -f
11. started unbound
    sudo service unbound start
12. saw the error [0]
13. stopped unbound
    sudo service unbound stop
14. setup proposed by adding the following to sources.list
    deb http://archive.ubuntu.com/ubuntu jammy-proposed main universe restricted
15. apt update
16. upgraded unbound
    sudo apt install unbound=1.13.1-1ubuntu5.10
17. on upgrade, the service starts. unbound starts successfully and there are no errors in the journal [1]

[0]
Apr 04 12:07:19 square-snapper systemd[1]: Starting Unbound DNS server...
Apr 04 12:07:19 square-snapper package-helper[940]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Apr 04 12:07:19 square-snapper package-helper[940]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Apr 04 12:07:19 square-snapper package-helper[943]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Apr 04 12:07:19 square-snapper package-helper[943]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Apr 04 12:07:19 square-snapper unbound[944]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Apr 04 12:07:19 square-snapper unbound[944]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Apr 04 12:07:19 square-snapper unbound[944]: [1743768439] unbound[944:0] fatal error: Could not read config file: /etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
Apr 04 12:07:19 square-snapper systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Apr 04 12:07:19 square-snapper package-helper[947]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Apr 04 12:07:19 square-snapper package-helper[947]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Apr 04 12:07:19 square-snapper systemd[1]: unbound.service: Failed with result 'exit-code'.

[1]
Apr 04 12:15:21 square-snapper unbound[2055]: [2055:0] info: start of service (unbound 1.13.1).
Apr 04 12:15:21 square-snapper systemd[1]: Started Unbound DNS server.
Apr 04 12:15:21 square-snapper systemd[1]: Condition check resulted in Unbound DNS server via resolvconf being skipped.
Apr 04 12:15:21 square-snapper systemd[1]: Reloading.
Apr 04 12:15:21 square-snapper systemd[1]: Configuration file /run/systemd/system/netplan-ovs-cleanup.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Apr 04 12:15:21 square-snapper systemd[1]: /lib/systemd/system/snap...


Revision history for this message
John Chittum (jchittum) wrote :

looking at the autopkgtest failure on Jammy. libunbound-dev is a build rdep of gnutls28.

test fails with a loop of:

unreserved port 53012

until hitting timeout

digging through the test being run (tests/ocsp-test/ocsp-must-stable-connection.sh), I've gotten to a call to `eval $GETPORT` and down to the continuously repeated string until timeout

"unreserved port $PORT" in tests/scripts/common.sh:66

it never hits the next echo, line 96: echo "=== Generating good server certificate ===". in good runs, I don't even see the echoes in tests/scripts/common.sh:57:reserve_port() or :64:unreserve_port() being called. My guess is some condition where port 53012 is already reserved on the system by _something_ and it cannot free it properly? or a permission issue? not enough info.

i'll start by requesting a retry

Revision history for this message
John Chittum (jchittum) wrote :

a retry of the autopkgtest was successful

https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/arm64/g/gnutls28/20250404_132509_7ed3c@/log.gz

I'm assuming my guess of "bad random draw or some other factor" was true

Revision history for this message
John Chittum (jchittum) wrote :

focal verification of 1.9.4-2ubuntu1.11 PASSED

1. started lxc container
    lxc launch ubuntu-daily:focal
2. updated lxc container
    lxc shell focal-unbound
    sudo apt update && sudo apt full-upgrade
3. restarted container
4. uploaded files
    lxc file push $FILE focal-unbound/root/
5. installed unbound
    sudo apt install unbound
6. stopped unbound
    sudo service stop unbound
7. copied unbound.conf
    cp unbound.conf /etc/unbound/unbound.conf
8. made zones directory
    mkdir /etc/unbound/zones
9. copied zones file
    cp security.zone /etc/unbound/zones/
10. in a separate terminal, followed the journal to watch for the error
    journalctl -f
11. started unbound
    sudo service unbound start
12. saw the error [0]
13. stopped unbound
    sudo service unbound stop
14. setup proposed by adding the following to sources.list
    deb http://archive.ubuntu.com/ubuntu focal-proposed main universe restricted
15. apt update
16. upgraded unbound
    sudo apt install unbound=1.9.4-2ubuntu1.11
17. on upgrade, the service starts. Following journalctl (journalctl -f) shows no errors in launching [1]

NOTE: yes, there is a time gap between install and upgrade. There were some issues getting the amd64 package built, so I started verification while requesting a retry on the build, and ended up not getting back to it quickly.

[0]
Apr 04 14:19:03 focal-unbound systemd[1]: Starting Unbound DNS server...
Apr 04 14:19:03 focal-unbound package-helper[2433]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Apr 04 14:19:03 focal-unbound package-helper[2433]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Apr 04 14:19:03 focal-unbound package-helper[2436]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Apr 04 14:19:03 focal-unbound package-helper[2436]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Apr 04 14:19:03 focal-unbound unbound[2437]: /etc/unbound/zones/security.zone:9994: error: memory exhausted
Apr 04 14:19:03 focal-unbound unbound[2437]: read /etc/unbound/unbound.conf failed: 1 errors in configuration file
Apr 04 14:19:03 focal-unbound unbound[2437]: [1743776343] unbound[2437:0] fatal error: Could not read config file: /etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
Apr 04 14:19:03 focal-unbound systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Apr 04 14:19:03 focal-unbound systemd[1]: unbound.service: Failed with result 'exit-code'.
Apr 04 14:19:03 focal-unbound systemd[1]: Failed to start Unbound DNS server.

[1]
Apr 07 10:59:41 focal-unbound systemd[1]: Starting Unbound DNS server...
Apr 07 10:59:47 focal-unbound package-helper[7937]: /var/lib/unbound/root.key has content
Apr 07 10:59:47 focal-unbound package-helper[7937]: success: the anchor is ok
Apr 07 10:59:47 focal-unbound unbound[7938]: [7938:0] notice: init module 0: subnet
Apr 07 10:59:47 focal-unbound unbound[7938]: [7938:0] notice: init module 1: validator
Apr 07 10:59:47 focal-unbound unbound[7938]: [7938:0] notice: init module 2: iterator
Apr 07 10:59:47 focal-unbound unbound[7938]: [7938:0] info: start of servic...

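The jammy and focal verifications above both depend on the unbound.conf and security.zone attachments from earlier comments. As an added example that is not part of the bug report or of the unbound project, the following POSIX shell script builds a synthetic include file with more than the 9994 local-zone statements at which the broken builds fail, and runs it through unbound-checkconf so an operator can confirm the installed package parses it without the "memory exhausted" error. The scratch paths, the blocked-N.test zone names and the minimal server clause are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or the unbound project: generate a
# local-zone include file past the 9994-line threshold seen in the journal
# and parse it with unbound-checkconf. Paths and names are constructed.
set -eu

WORKDIR="${WORKDIR:-/tmp/unbound-lz-check}"   # assumed scratch directory
ZONE_FILE="$WORKDIR/local-zones.conf"          # constructed file name
CONF_FILE="$WORKDIR/unbound-check.conf"        # constructed file name
ZONE_LINES="${ZONE_LINES:-10000}"              # comfortably past 9994

# Write $2 one-line local-zone statements (constructed names) to $1.
gen_zone_file() {
    out=$1; n=$2
    mkdir -p "$(dirname "$out")"
    awk -v n="$n" 'BEGIN {
        for (i = 1; i <= n; i++)
            printf "local-zone: \"blocked-%d.test.\" always_nxdomain\n", i
    }' > "$out"
}

# Number of statements written; compare with the line number in the error.
count_zone_lines() {
    wc -l < "$1" | tr -d ' '
}

# Minimal config: no chroot and no user switch so the check runs unprivileged;
# the include pulls the generated statements into the server clause.
write_conf() {
    cat > "$1" <<EOF
server:
    chroot: ""
    username: ""
    include: "$2"
EOF
}

# Parse the config with the installed unbound-checkconf. The broken builds
# fail with "<zone file>:9994: error: memory exhausted" and exit non-zero;
# status 2 means the tool is not installed on this host.
check_conf() {
    command -v unbound-checkconf >/dev/null 2>&1 || return 2
    unbound-checkconf "$1"
}

gen_zone_file "$ZONE_FILE" "$ZONE_LINES"
write_conf "$CONF_FILE" "$ZONE_FILE"
echo "wrote $(count_zone_lines "$ZONE_FILE") local-zone lines to $ZONE_FILE"
check_conf "$CONF_FILE" && echo "config parsed OK" || echo "checkconf exit status $?"
```

A non-zero exit with the "memory exhausted" message on line 9994 means the regressed build is still installed; a fixed package reports the config as valid.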

tags: added: verification-done verification-done-focal verification-done-jammy
removed: verification-needed verification-needed-focal verification-needed-jammy
Revision history for this message
Nick Rosbrook (enr0n) wrote :

Builds, autopkgtests, and test/verification all look good to me. Seeing no other blockers, I think this is ready to be released in focal and jammy.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.13.1-1ubuntu5.10

---------------
unbound (1.13.1-1ubuntu5.10) jammy; urgency=medium

  * d/p/lp-2087526-1-fix-memory-exhaust-in-local-zones.patch:
    fix error: fix contents_view ordering in patch (LP: #2087526)

unbound (1.13.1-1ubuntu5.9) jammy; urgency=medium

  * d/p/lp-2087526-1-fix-memory-exhaust-in-local-zones.patch:
    fix error: "memory exhausted" when defining more than 9994
    local_zones. (LP: #2087526).

 -- John Chittum <email address hidden> Wed, 19 Mar 2025 10:04:46 -0500

Changed in unbound (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.9.4-2ubuntu1.11

---------------
unbound (1.9.4-2ubuntu1.11) focal; urgency=medium

  * d/p/lp-2087526-1-fix-memory-exhaust-in-local-zones.patch:
    fix error: fix contents_view ordering in patch (LP: #2087526)

unbound (1.9.4-2ubuntu1.10) focal; urgency=medium

  * debian/patches/lp-2087526-1-fix-memory-exhaust-in-local-zones.patch:
    fix error: "memory exhausted" when defining more than 9994
    local_zones. (LP: #2087526)

 -- John Chittum <email address hidden> Wed, 20 Mar 2025 09:22:39 -0500

Changed in unbound (Ubuntu Focal):
status: Fix Committed → Fix Released