Winfried Angele
I tested again and it looks good so far. The Recursor does not stop responding after `rec_control reload-lua-config` anymore. But now the journal keeps claiming things which I haven't seen...
> A more recent configuration has been found, stopping the existing RPZ update thread" subsystem="rpz" level="0" prio="Info" tid="0" ts="1660294653.147" zone="A.rpz"

Any idea what's causing these messages?
You are right, it's only the result of the `reload-lua-config`.
> While DoQ is still an unfinished draft

Now it is published. [RFC 9250](https://www.rfc-editor.org/rfc/rfc9250.html)
Your solution works for us, the problem has gone. Thanks!! We would be grateful if you could backport this to 4.7.x if possible.
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
> AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
> LimitMEMLOCK=infinity

That's exactly what I tried. But it does not work. I also tried `CAP_BPF`. But still this error message:

```
Caught exception:...
```
> would you be able to confirm that issuing `sysctl kernel.unprivileged_bpf_disabled=0` allows dnsdist to start?

Yes, I can confirm, with this setting dnsdist starts without errors.
It turned out, AppArmor is the reason why it fails here.

```
# cat /etc/apparmor.d/usr.sbin.dnsdist
#include
/usr/sbin/dnsdist {
  #include
  #include
  capability net_bind_service,
  capability setgid,
  capability setuid,
  network tcp,
  network udp,...
```
```
echo "capability bpf," >> /etc/apparmor.d/local/usr.sbin.dnsdist
systemctl restart apparmor.service
```

did the trick. Now it works with your suggestions.
It is internal. But it was inspired by an [OBS project](https://build.opensuse.org/package/show/server:dns/dnsdist). I can try to send the maintainer a note about it.
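
The mismatch found in the comments above (a capability granted in the systemd unit but missing from the AppArmor profile) can be checked mechanically. The following is an added example, not code from the thread or from the dnsdist project; the function names and the sample unit and profile files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list capabilities that a systemd unit
# hands to a service but that its AppArmor profile does not allow.
# Limitation: a bare "capability," rule (allow all) is not recognised.

# Capabilities from AmbientCapabilities=, in AppArmor spelling (CAP_ dropped, lowercase).
unit_caps() {
    sed -n 's/^AmbientCapabilities=//p' "$1" | tr ' ' '\n' |
        sed -n 's/^CAP_//p' | tr 'A-Z' 'a-z' | sort -u
}

# Capabilities allowed by "capability <name> [<name>...]," rules in the given files.
profile_caps() {
    sed -n 's/^[[:space:]]*capability[[:space:]]\{1,\}\(.*\),[[:space:]]*$/\1/p' "$@" |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Usage: caps_blocked_by_apparmor UNIT PROFILE [LOCAL_OVERRIDE...]
caps_blocked_by_apparmor() {
    unit=$1; shift
    allowed=$(profile_caps "$@")
    for cap in $(unit_caps "$unit"); do
        printf '%s\n' "$allowed" | grep -qxF "$cap" || printf '%s\n' "$cap"
    done
}

# Constructed sample files, modelled on the settings quoted in the thread.
demo=$(mktemp -d)
cat > "$demo/dnsdist.service" <<'EOF'
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_BPF
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_BPF
LimitMEMLOCK=infinity
EOF
cat > "$demo/usr.sbin.dnsdist" <<'EOF'
/usr/sbin/dnsdist {
  capability net_bind_service,
  capability setgid,
  capability setuid,
  network tcp,
  network udp,
}
EOF
echo "capability bpf," > "$demo/local"

echo "blocked without local override: $(caps_blocked_by_apparmor "$demo/dnsdist.service" "$demo/usr.sbin.dnsdist" | tr '\n' ' ')"
echo "blocked with local override:    $(caps_blocked_by_apparmor "$demo/dnsdist.service" "$demo/usr.sbin.dnsdist" "$demo/local" | tr '\n' ' ')"
```

An empty result means every capability the unit grants is also allowed by the profile, which avoids falling back to `kernel.unprivileged_bpf_disabled=0` system-wide.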