unbound: fix MTU settings

That was the root cause of all our DNSSEC issues. Now that this was fixed, we're not having these anymore, so the relaxed checks can be restored back to their original state.
2020-05-02 18:44:17 +02:00 · 2020-05-02 18:44:17 +02:00 · a77b2c4f0f
parent aae7e0120a
commit a77b2c4f0f
3 changed files with 12 additions and 18 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -49,3 +49,5 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
  - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)

+
+mtu: 1400
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@ -5,8 +5,7 @@ max-lease-time 86400;

 # Option definitions common to all supported networks.

-# The MTU theoretically could go as high as 1496 (4-byte VLAN tag).
-option interface-mtu 1400;
+option interface-mtu {{ mtu }};
 option root-path "/";

 # The ddns-updates-style parameter controls whether or not the server will
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@ -30,26 +30,19 @@ server:

    private-address: 10.0.0.0/8

-    # XXX
-    # We've been having issues with bogus DNSSEC responses, and unintended
-    # blacklisting of nameservers because of that.
-    # The following is intended as a stopgap solution.
-    #
-    # unbound had issues with auro.re's DS records, apparently;
-    # it kept receiving an error, which subsequently caused a blacklisting
-    # of relevant servers and an inability to resolve auro.re and its
-    # subdomains.
-    #
-    # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
-    domain-insecure: "auro.re"
-
-
    # The host cache TTL affects blacklisting of supposedly bogus hosts.
    # The default was 900 (15 minutes).
    infra-host-ttl: 60

-    harden-dnssec-stripped: no
-    disable-dnssec-lame-check: yes

+    # The following is vital, we were having issues
+    # with DNSSEC that turned out to be due to UDP responses that were too
+    # large.

+    # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+    # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+    edns-buffer-size: {{ mtu }}

+    # Maximum UDP response size (not applied to TCP response).
+    # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+    max-udp-size: {{ mtu }}