diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index be601da..6a0b66b 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -49,3 +49,5 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
   - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
+
+mtu: 1400
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
index f0a35fe..dc642ae 100644
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -5,8 +5,7 @@ max-lease-time 86400;
 # Option definitions common to all supported networks.
-# The MTU theoretically could go as high as 1496 (4-byte VLAN tag).
-option interface-mtu 1400;
+option interface-mtu {{ mtu }};
 option root-path "/";
 # The ddns-updates-style parameter controls whether or not the server will
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 0ba6f5b..62c93be 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
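Review bot: `mtu: 1400` is a link/interface MTU (that is what DHCP `interface-mtu` hands to clients), but the unbound hunk in this same commit feeds the identical variable into `edns-buffer-size` and `max-udp-size`, which are DNS/UDP payload sizes; a 1400-byte UDP payload plus 28 bytes of IPv4 (48 bytes of IPv6) headers is larger than a 1400-byte MTU, so responses near the limit will still fragment, which is precisely the timeout/bogus-DNSSEC failure the commit is trying to remove. Keep one variable per meaning: add `dns_edns_buffer_size: 1232` next to `mtu` (the DNS-flag-day-2020 value, 1280-byte IPv6 minimum MTU minus headers, which is safe regardless of the link MTU) and point the unbound template at that instead of `{{ mtu }}`, reserving `mtu` for the DHCP option. The commit also drops the only explanation of the MTU figure (the removed dhcpd comment about 1496 and VLAN tags) without carrying it into vars.yml; since the reason for 1400 is not visible in the diff, a hedged note such as `# Link MTU advertised to DHCP clients; 1400 assumed to leave headroom for tunnel/VLAN overhead — confirm` above the new key would keep that context.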
@@ -30,26 +30,19 @@ server:
     private-address: 10.0.0.0/8
-    # XXX
-    # We've been having issues with bogus DNSSEC responses, and unintended
-    # blacklisting of nameservers because of that.
-    # The following is intended as a stopgap solution.
-    #
-    # unbound had issues with auro.re's DS records, apparently;
-    # it kept receiving an error, which subsequently caused a blacklisting
-    # of relevant servers and an inability to resolve auro.re and its
-    # subdomains.
-    #
-    # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
-    domain-insecure: "auro.re"
-
-    # The host cache TTL affects blacklisting of supposedly bogus hosts.
     # The default was 900 (15 minutes).
     infra-host-ttl: 60
-    harden-dnssec-stripped: no
-    disable-dnssec-lame-check: yes
+    # The following is vital, we were having issues
+    # with DNSSEC that turned out to be due to UDP responses that were too
+    # large.
+    # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+    # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+    edns-buffer-size: {{ mtu }}
+    # Maximum UDP response size (not applied to TCP response).
+    # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+    max-udp-size: {{ mtu }}