From 3695a3d771ad19b4350041ae836d6e4cae606933 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Tue, 28 Apr 2020 23:14:43 +0200
Subject: [PATCH] unbound: attempt to fix spurious blacklisting
---
 roles/unbound/templates/recursive.conf.j2 | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 2b4a442..a65bd43 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -30,3 +30,27 @@ server:
 num-threads: {{ ansible_processor_vcpus }}
 private-address: 10.0.0.0/8
+
+ # XXX
+ # We've been having issues with bogus DNSSEC responses, and unintended
+ # blacklisting of nameservers because of that.
+ # The following is intended as a stopgap solution.
+ #
+ # unbound had issues with auro.re's DS records, apparently;
+ # it kept receiving an error, which subsequently caused a blacklisting
+ # of relevant servers and an inability to resolve auro.re and its
+ # subdomains.
+ #
+ # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
+ domain-insecure: "auro.re"
+
+
+ # The host cache TTL affects blacklisting of supposedly bogus hosts.
+ # The default was 900 (15 minutes).
+ infra-host-ttl: 60
+
+ harden-dnssec-stripped: no
+ disable-dnssec-lame-check: yes
+
+
+
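Review bot: The two settings at the end of the hunk, `harden-dnssec-stripped: no` and `disable-dnssec-lame-check: yes`, apply to the whole resolver and relax DNSSEC validation for every zone, while the problem described in the XXX comment is specific to auro.re and is already covered by `domain-insecure: "auro.re"` on its own. With `harden-dnssec-stripped` turned off, unbound stops rejecting answers whose DNSSEC records were stripped, so a stopgap aimed at one zone becomes a resolver-wide downgrade with no cue that it should ever be undone. The comment block also explains `domain-insecure` and `infra-host-ttl` but says nothing about what symptom these last two lines fix. I would drop them, or if they are genuinely needed, extend the XXX comment with the observed error each one addresses and add `# TODO: revert once the auro.re DS problem is resolved` above them; the three trailing empty added lines can go as well. The enclosing `server:` block starts above the hunk.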