unbound: attempt to fix spurious blacklisting

2020-04-28 23:14:43 +02:00 · 2020-04-28 23:14:43 +02:00 · 3695a3d771
commit 3695a3d771
parent b4482b6d3b
1 changed files with 24 additions and 0 deletions
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@ -30,3 +30,27 @@ server:
    num-threads: {{ ansible_processor_vcpus }}

    private-address: 10.0.0.0/8
+
+    # XXX
+    # We've been having issues with bogus DNSSEC responses, and unintended
+    # blacklisting of nameservers because of that.
+    # The following is intended as a stopgap solution.
+    #
+    # unbound had issues with auro.re's DS records, apparently;
+    # it kept receiving an error, which subsequently caused a blacklisting
+    # of relevant servers and an inability to resolve auro.re and its
+    # subdomains.
+    #
+    # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
+    domain-insecure: "auro.re"
+
+
+    # The host cache TTL affects blacklisting of supposedly bogus hosts.
+    # The default was 900 (15 minutes).
+    infra-host-ttl: 60
+
+    harden-dnssec-stripped: no
+    disable-dnssec-lame-check: yes
+
+
+