On 2017-07-26, Damian McGuckin <dami...@esi.com.au> wrote:
>
> Theo,
>
> On Wed, 26 Jul 2017, Theo de Raadt wrote:
>
>> This is due to the socket pledge code, with SOCK_DNS. This area was
>> damaged during the transition to pledge, and hasn't been repaired.
/usr/bin/dig is certainly restricted by pledge. Compare with one of the
alternatives from packages - drill, kdig (in the knot package),
/usr/local/bin/dig (isc-bind). The latter also uses pledge, but a weaker
one than /usr/bin/dig, which still allows normal DNS admin operations.

> I am not convinced it is. But I can always be proven wrong and often am.
>
> I think my problem is purely an issue with unbound or maybe the way I am
> using/configuring it.

You don't show a complete unbound.conf so I can't be sure, but my first
guess would be that you have left do-not-query-localhost at the default.
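As an added illustration (not from the thread, and not the poster's actual configuration), this is the kind of unbound.conf fragment that guess points at: with do-not-query-localhost left at its default of yes, a forward-zone pointing at a localhost upstream is never queried and lookups fail with SERVFAIL. The upstream on 127.0.0.1 port 5353 and the access-control range are assumptions.

```conf
# Added example, not from the thread. Assumes a second resolver (for
# example a DNS-over-TLS proxy or stub) is listening on 127.0.0.1:5353.

server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Default (yes): unbound refuses to send queries to any localhost
    # address, so the forward-zone below is never used and clients get
    # SERVFAIL.
    # do-not-query-localhost: yes

    # Corrected: permit queries to the local upstream.
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
```

Run unbound-checkconf against the file before restarting; it catches syntax errors but not this logic problem, so also confirm the setting with `unbound-control get_option do-not-query-localhost` on the running daemon.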