unbound: attempt to fix spurious blacklisting
parent
b4482b6d3b
commit
3695a3d771
1 changed files with 24 additions and 0 deletions
|
@ -30,3 +30,27 @@ server:
|
||||||
num-threads: {{ ansible_processor_vcpus }}
|
num-threads: {{ ansible_processor_vcpus }}
|
||||||
|
|
||||||
private-address: 10.0.0.0/8
|
private-address: 10.0.0.0/8
|
||||||
|
|
||||||
|
# XXX
|
||||||
|
# We've been having issues with bogus DNSSEC responses, and unintended
|
||||||
|
# blacklisting of nameservers because of that.
|
||||||
|
# The following is intended as a stopgap solution.
|
||||||
|
#
|
||||||
|
# unbound had issues with auro.re's DS records, apparently;
|
||||||
|
# it kept receiving an error, which subsequently caused a blacklisting
|
||||||
|
# of relevant servers and an inability to resolve auro.re and its
|
||||||
|
# subdomains.
|
||||||
|
#
|
||||||
|
# auro.re does not have DNSSEC anyway, so we can treat it as insecure.
|
||||||
|
domain-insecure: "auro.re"
|
||||||
|
|
||||||
|
|
||||||
|
# The host cache TTL affects blacklisting of supposedly bogus hosts.
|
||||||
|
# The default was 900 (15 minutes).
|
||||||
|
infra-host-ttl: 60
|
||||||
|
|
||||||
|
harden-dnssec-stripped: no
|
||||||
|
disable-dnssec-lame-check: yes
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
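Review bot: `harden-dnssec-stripped: no` and `disable-dnssec-lame-check: yes` at the end of the hunk are server-wide settings, but the comment above only justifies an exception for auro.re, and neither line has a comment of its own. With `harden-dnssec-stripped` off, unbound treats a trust-anchored zone whose DNSSEC data is missing as insecure instead of bogus, so anything on the path that strips signatures downgrades validation for every signed domain, not just this one. Since `domain-insecure: "auro.re"` already scopes the exception to the affected zone, I would drop the two global lines and keep only that and the `infra-host-ttl` change. If they have to stay as a stopgap, mark them with something like `# TEMPORARY: turns off DNSSEC downgrade protection for all zones; remove once auro.re resolves reliably`. The enclosing `server:` block starts outside the hunk, so I cannot see whether other hardening options there offset this.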