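# {{ ansible_managed }}

server:
# Timestamps use UTC ASCII instead of UNIX epoch.
log-time-ascii: yes

# Log level.
# NOTE(review): this used to be commented as "only log errors", which is
# level 0. Per unbound.conf(5), level 3 is query-level logging, i.e. every
# client query from the subnets below ends up in the journal. Keep 3 only
# while the DNSSEC problem further down is being debugged, then go back to
# 0 or 1 -- query logs are both a privacy issue and a disk-space one.
verbosity: 3

# "" sends logs to stderr. With unbound's default use-syslog: yes the logfile
# setting is ignored and messages go to syslog instead; on a systemd host
# journalctl collects both, so the outcome is the same either way.
logfile: ""

do-ip4: yes
# FIXME: IPv6 deployment... someday...
do-ip6: no

# IP addresses on which to listen, one per served subnet.
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}

# By default, anything other than localhost is refused.
# Whitelist the served subnets. These are whole /16s -- broader than the
# single addresses listened on above -- so anything inside them may query;
# everything else is answered with REFUSED.
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow

num-threads: {{ ansible_processor_vcpus }}

# DNS-rebinding protection: 10/8 addresses are scrubbed from answers for
# public names. If an internal zone resolved through this server legitimately
# returns 10.x addresses, it needs a matching private-domain entry, otherwise
# those records are silently dropped.
private-address: 10.0.0.0/8

# XXX
# We've been having issues with bogus DNSSEC responses, and unintended
# blacklisting of nameservers because of that.
# The following is intended as a stopgap solution.
#
# unbound had issues with auro.re's DS records, apparently;
# it kept receiving an error, which subsequently caused a blacklisting
# of relevant servers and an inability to resolve auro.re and its
# subdomains.
#
# auro.re does not have DNSSEC anyway, so we can treat it as insecure.
#
# SECURITY NOTE(review): domain-insecure is scoped to auro.re, but the two
# harden-* / lame-check toggles at the end of this block are global. With
# harden-dnssec-stripped off, an answer for a signed zone that arrives without
# its DNSSEC records is downgraded to "insecure" instead of "bogus", so an
# on-path attacker can strip signatures and bypass validation for *any*
# domain (unbound.conf(5) explicitly warns about downgrade attacks here).
# Once the auro.re issue is resolved, put both back to their defaults, or
# confirm that domain-insecure on its own is enough.
domain-insecure: "auro.re"

# The host cache TTL affects blacklisting of supposedly bogus hosts.
# The default was 900 (15 minutes).
infra-host-ttl: 60

# Default is yes. See the security note above -- this is the dangerous one.
harden-dnssec-stripped: no
# Default is no. Skips the check that would mark a nameserver lame for not
# returning DNSSEC data, which is what caused the blacklisting described above.
disable-dnssec-lame-check: yes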