Hello list,
I am running unbound 1.66 on OpenBSD and import a couple of spam/malware/c&c lists that I blackhole via local zone data in unbound.
I seem to have run into some kind of limitation on the number of records I can load. I recently got the following error when my list reached 156550 local-data entries:
unbound: [50167:0] error: out of memory adding local data
unbound: [50167:0] fatal error: Could not set up local zones
and the process exits.
Is there a way to increase the maximum number of local entries that can be loaded?
Thanks!
-Brian Marshall
PS:
Version 1.6.6
linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 2.6.3
linked modules: dns64 respip validator iterator
Hi Brian,
Unbound does not have a hard limit for the number of local zones, but
will need memory to store them. The error message you see indicates that
Unbound is not able to allocate enough memory.
Regards,
-- Ralph
You are bumping into an OS limit set in login.conf. If you're starting
unbound the normal way via "rcctl start unbound" then it will be using
the class named "unbound" and you can check the configured limit like
this:
# su -c unbound -s /bin/sh _unbound -c "ulimit -a"
However the default login.conf provided with the OS doesn't impose any
particular limit for unbound, so the CPU architecture's MAXDSIZ is the
only limiting factor, 32Gb on amd64, so I suspect you are probably
not starting unbound the normal way.
That is a huge number of local-data entries though. You might be
better off using something more optimized for blocking. Maybe
worth looking at "adsuck" and configuring that to use a local
unbound instance as a forwarder instead.
Try to minimize the number of zones. For 156550 entries you'll need around 450MB of RAM.
I had a similar problem and solved it by creating transparent zones per TLD:
https://github.com/ezaquarii/vpn-at-home/blob/master/ansible/roles/unbound/templates/02-ad-block-zone.conf.j2
It looks like zones require a lot of RAM, but local-data entries
are packed tightly.
Best regards,
Chris Narkiewicz
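
An added example of the per-TLD layout suggested in the last reply; it is not code from the thread or from the linked repository. It turns a blocklist feed into one transparent local-zone per TLD plus one local-data line per name. The function names, the 0.0.0.0 sink address and the feed format (one name per line or hosts-file style) are assumptions.

```python
import string
from collections import defaultdict

SINK_IP = "0.0.0.0"  # assumption: address that blocked names resolve to
ALLOWED = set(string.ascii_lowercase + string.digits + "-_.")

def normalize(line):
    """Return a lowercase hostname without trailing dot, or None to skip."""
    line = line.split("#", 1)[0].strip().lower()
    if not line:
        return None
    name = line.split()[-1].rstrip(".")  # also accepts hosts-style "IP name"
    labels = name.split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return None  # single label (e.g. localhost) or a bare IP address
    if any(not lab or len(lab) > 63 for lab in labels):
        return None
    # Feeds are third-party input: reject quotes, whitespace, etc. so a
    # crafted entry cannot inject extra directives into the config.
    return name if set(name) <= ALLOWED else None

def build_config(lines, sink=SINK_IP):
    """One transparent local-zone per TLD, one local-data line per name."""
    by_tld = defaultdict(set)
    for raw in lines:
        name = normalize(raw)
        if name:
            by_tld[name.rsplit(".", 1)[1]].add(name)  # set() deduplicates
    out = ["server:"]
    for tld in sorted(by_tld):
        out.append(f'    local-zone: "{tld}." transparent')
        for name in sorted(by_tld[tld]):
            out.append(f'    local-data: "{name}. A {sink}"')
    return "\n".join(out) + "\n"

def count_directive(config, keyword):
    return sum(1 for l in config.splitlines() if l.strip().startswith(keyword + ":"))

# Constructed sample feed (not real indicators).
SAMPLE = """\
ads.example.com
0.0.0.0 tracker.example.com
ADS.EXAMPLE.COM.
c2.example.net   # inline comment
bad"name.example.org
127.0.0.1 localhost
"""

if __name__ == "__main__":
    print(build_config(SAMPLE.splitlines()), end="")
```

In a transparent zone only the exact names listed in local-data are answered locally, so subdomains of a listed name still resolve normally. Run unbound-checkconf on the generated file before loading it.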