Failed unbound-checkconf when unbound hasn't been started yet

Solution Verified - Updated -


  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Unbound DNS server


  • Checking configuration using unbound-checkconf before running unbound the first time, it complains about missing /etc/unbound/unbound_server.key and fails.
  • Key required to complete the action successfully is not generated at that time, yet.


  • The recommended way to trigger unbound control key generation is to activate the keygen service by running systemctl restart unbound-keygen as administrator.
  • An alternative way is to avoid running unbound-checkconf manually and rely on the fact that unbound-checkconf is being run before unbound daemon as part of the unbound systemd service.

Root Cause

  • The unbound control key is not automatically generated at install time or boot time but rather the first time unbound is started.
  • That may be too late for administrators who want to check unbound configuration without running the unbound daemon.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.