unbound: fix MTU settings

That was the root cause of all our DNSSEC issues.
Now that this was fixed, we're not having these anymore,
so the relaxed checks can be restored back to their original state.
This commit is contained in:
Yohaï-Eliel BERREBY 2020-05-02 18:44:17 +02:00
parent aae7e0120a
commit a77b2c4f0f
3 changed files with 12 additions and 18 deletions


@ -49,3 +49,5 @@ dns_host_suffix_backup: 153
backup_dns_servers: backup_dns_servers:
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
mtu: 1400
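Review bot: the new `mtu: 1400` variable lacks a comment explaining why 1400 was chosen, and the rationale that used to live next to the value (the dhcpd comment noting the MTU could theoretically go as high as 1496 with a 4-byte VLAN tag) is removed in the same change. Since this variable now feeds both the DHCP `interface-mtu` option and the unbound UDP buffer sizes, carrying that reasoning over to the variable definition would keep the constraint discoverable, e.g. `mtu: 1400  # below the 1496 VLAN-tagged ceiling; also drives unbound edns-buffer-size`.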


@ -5,8 +5,7 @@ max-lease-time 86400;
# Option definitions common to all supported networks. # Option definitions common to all supported networks.
# The MTU theoretically could go as high as 1496 (4-byte VLAN tag). option interface-mtu {{ mtu }};
option interface-mtu 1400;
option root-path "/"; option root-path "/";
# The ddns-updates-style parameter controls whether or not the server will # The ddns-updates-style parameter controls whether or not the server will
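Review bot: `option interface-mtu {{ mtu }};` has no default, so rendering this template fails outright if the `mtu` variable is not defined for a given host rather than falling back to the previous hard-coded 1400. If some hosts are not expected to set it, `{{ mtu | default(1400) }}` would preserve the old behaviour for them; if every host must set it, a short comment saying where the variable is defined would help the next reader.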


@ -30,26 +30,19 @@ server:
private-address: 10.0.0.0/8 private-address: 10.0.0.0/8
# XXX
# We've been having issues with bogus DNSSEC responses, and unintended
# blacklisting of nameservers because of that.
# The following is intended as a stopgap solution.
#
# unbound had issues with auro.re's DS records, apparently;
# it kept receiving an error, which subsequently caused a blacklisting
# of relevant servers and an inability to resolve auro.re and its
# subdomains.
#
# auro.re does not have DNSSEC anyway, so we can treat it as insecure.
domain-insecure: "auro.re"
# The host cache TTL affects blacklisting of supposedly bogus hosts. # The host cache TTL affects blacklisting of supposedly bogus hosts.
# The default was 900 (15 minutes). # The default was 900 (15 minutes).
infra-host-ttl: 60 infra-host-ttl: 60
harden-dnssec-stripped: no
disable-dnssec-lame-check: yes
# The following is vital, we were having issues
# with DNSSEC that turned out to be due to UDP responses that were too
# large.
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
edns-buffer-size: {{ mtu }}
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
max-udp-size: {{ mtu }}
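Review bot: `edns-buffer-size: {{ mtu }}` and `max-udp-size: {{ mtu }}` reuse the link MTU directly, but both values are DNS payload sizes, not datagram sizes; the IP and UDP headers (28 bytes for IPv4, 48 for IPv6) are added on top, so a 1400-byte DNS payload yields a 1428- or 1448-byte datagram that still fragments on a 1400-byte MTU path. Deriving the buffer from the MTU minus header overhead, or using the widely recommended 1232, would actually avoid the fragmentation this hunk's comment says was the cause of the DNSSEC failures. Restoring `harden-dnssec-stripped` to its default and dropping `domain-insecure: "auro.re"` and `disable-dnssec-lame-check: yes` is the right direction now that the root cause is addressed; the remaining `infra-host-ttl: 60` is still below the 900 default and could be reverted as well if it was only part of the stopgap.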