pfSense

I can reproduce the issue. Load up an assload (technical term) of lists in the pfBlockerNG plugin in the DNSBL Feeds tab. Get 100,000 or so blocked domains, make sure the feeds are all pulled and updated, and the issue will begin to present. You may have to toy around a bit, restart the DNS Resolver or something to get the issue to start presenting. Removing the DNSBL feeds and restarting the router eliminates the issue.

I believe whats happening here is the process to check the configuration has to do a fairly large file copy, this isn't being completed in time meaning when the test is run it hasn't finished moving other files like the key, and the error presents. Just a guess however.

There is validation of DNSBL after each feed is downloaded and parsed.
If you add the include line in /var/unbound/unbound.conf

server:include: /var/unbound/pfb_dnsbl.conf

Then

unbound-checkconf /var/unbound/unbound.conf

Does it complete with "no errors"

I just want to chime in on this problem. I'm experiencing this problem also.
Something I noticed is, that I cannot execute the command listed above as the unbound account is existent in master.passwd but unavailable for "su - unbound".
When executing "su -m unbound" I get the pfsense menu (with interface list, etc).

I have a system that came with pfsense preinstalled (Netgate XG-2758) and currently at 2.3.4-RELEASE-p1 (amd64).

In the past I disabled unbound in preference of dnsmasq and now wanted to give it another try. But now I cannot enable unbound due to the described error.

I have also just faced this problem on my 2.3.5-RELEASE-p1 (i386) nanobsd (2g). Interesting is, that adding Host Overrides does not trigger the problem, although it changes and saves DNS Resolver configuration.

I can agree that is in the 2.4.3-RELEASE-p1 (amd64) as well!!

My solution was to deactivate and deinstall "pfBlockerNG" and the dns resolver comes back to life!!! So it have definitly to do something with this blocker!!!