ansible/roles/unbound/templates/recursive.conf.j2

# {{ ansible_managed }}

server:
    # Timestamps use UTC ASCII instead of UNIX epoch.
    log-time-ascii: yes

    # Only log errors.
    verbosity: 3

    # "" sends logs to stderr, journalctl will pick things up.
    logfile: "/var/log/unbound/unbound.log"

    do-ip4: yes
    # FIXME: IPv6 deployment... someday...
    do-ip6: no

    # IP addresses on which to listen.
    interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}

 
    # By default, anything other than localhost is refused.
    # Whitelist some subnets:
    access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow

    num-threads: {{ ansible_processor_vcpus }}

    private-address: 10.0.0.0/8

    # XXX
    # We've been having issues with bogus DNSSEC responses, and unintended
    # blacklisting of nameservers because of that.
    # The following is intended as a stopgap solution.
    #
    # unbound had issues with auro.re's DS records, apparently;
    # it kept receiving an error, which subsequently caused a blacklisting
    # of relevant servers and an inability to resolve auro.re and its
    # subdomains.
    #
    # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
    domain-insecure: "auro.re"


    # The host cache TTL affects blacklisting of supposedly bogus hosts.
    # The default was 900 (15 minutes).
    infra-host-ttl: 60

    harden-dnssec-stripped: no
    disable-dnssec-lame-check: yes
unbound: log to /var/log/unbound.log, errors only 2020-04-18 15:42:31 +02:00			`# {{ ansible_managed }}`

unbound: initial deployment 2020-04-13 16:35:09 +02:00			`server:`
unbound: remove unchecked configuration keys 2020-04-13 18:24:45 +02:00			`# Timestamps use UTC ASCII instead of UNIX epoch.`
unbound: initial deployment 2020-04-13 16:35:09 +02:00			`log-time-ascii: yes`
unbound: remove unchecked configuration keys 2020-04-13 18:24:45 +02:00
unbound: log to /var/log/unbound.log, errors only 2020-04-18 15:42:31 +02:00			`# Only log errors.`
unbound: bump verbosity up to 3 Some users are having issues resolving *.auro.re domains from our network, and the bug does not show itself reliably. Increased verbosity should help us pinpoint its source. 2020-04-28 20:13:56 +02:00			`verbosity: 3`
unbound: log to /var/log/unbound.log, errors only 2020-04-18 15:42:31 +02:00
unbound: log to journalctl 2020-04-18 16:23:57 +02:00			`# "" sends logs to stderr, journalctl will pick things up.`
unbound: smarter logging - stop using journald, write to /var/log/unbound/ - set up frequent log rotation for the huge log files we are producing 2020-05-02 16:49:33 +02:00			`logfile: "/var/log/unbound/unbound.log"`
unbound: log to journalctl 2020-04-18 16:23:57 +02:00
unbound: remove unchecked configuration keys 2020-04-13 18:24:45 +02:00			`do-ip4: yes`
			`# FIXME: IPv6 deployment... someday...`
			`do-ip6: no`

unbound: initial deployment 2020-04-13 16:35:09 +02:00			`# IP addresses on which to listen.`
			`interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}`
			`interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}`
			`interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}`


			`# By default, anything other than localhost is refused.`
			`# Whitelist some subnets:`
			`access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow`
			`access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow`
			`access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow`

			`num-threads: {{ ansible_processor_vcpus }}`

			`private-address: 10.0.0.0/8`
unbound: attempt to fix spurious blacklisting 2020-04-28 23:14:43 +02:00
			`# XXX`
			`# We've been having issues with bogus DNSSEC responses, and unintended`
			`# blacklisting of nameservers because of that.`
			`# The following is intended as a stopgap solution.`
			`#`
			`# unbound had issues with auro.re's DS records, apparently;`
			`# it kept receiving an error, which subsequently caused a blacklisting`
			`# of relevant servers and an inability to resolve auro.re and its`
			`# subdomains.`
			`#`
			`# auro.re does not have DNSSEC anyway, so we can treat it as insecure.`
			`domain-insecure: "auro.re"`


			`# The host cache TTL affects blacklisting of supposedly bogus hosts.`
			`# The default was 900 (15 minutes).`
			`infra-host-ttl: 60`

			`harden-dnssec-stripped: no`
			`disable-dnssec-lame-check: yes`