FYI: This bug was brought to you by AppArmor ;-) Yes, seriously - this started on the upstream AppArmor mailinglist where we are testing an AppArmor profile for unbound. I found this bug after Simon Deziel gave me a hint to try chroot, and after I told him about this bugreport, he came up with a useful reply: ----------------------------------------------------------------------------- We've been through something similar on Debian/Ubuntu. The solution was to augment the init script to setup the chroot then pass the in-chroot path of the config file to unbound-checkconf. The Debian maintainer has written a helper script [1] to factor this out of the init script. Adding a "check_config" action to it would probably make it suitable for reuse in your systemd unit. 1: https://anonscm.debian.org/cgit/pkg-dns/unbound.git/tree/debian/package-helper ----------------------------------------------------------------------------- HTH ;-) If you want to test the AppArmor profile, you can find it at http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/16.10/usr.sbin.unbound (copy it to /etc/apparmor.d and run "rcapparmor reload; rcunbound restart" to enable it)