unbound: remove unchecked configuration keys

2020-04-13 18:24:45 +02:00 · 2020-04-13 18:24:45 +02:00 · f05e92dc5e
parent b3712ed335
commit f05e92dc5e
1 changed files with 6 additions and 72 deletions
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@ -1,9 +1,11 @@
 server:
-    verbosity: 1
-    use-syslog: yes
-    logfile: "/var/log/unbound.log"
+    # Timestamps use UTC ASCII instead of UNIX epoch.
    log-time-ascii: yes
- 
+
+    do-ip4: yes
+    # FIXME: IPv6 deployment... someday...
+    do-ip6: no
+
    # IP addresses on which to listen.
    interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
@ -16,74 +18,6 @@ server:
    access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow

-    do-ip4: yes
-    # FIXME: IPv6 deployment... someday...
-    do-ip6: no
-
-    do-udp: yes
-    do-tcp: yes
- 
    num-threads: {{ ansible_processor_vcpus }}
- 
-    # power of 2 close to num-threads  
-    # TODO: compute this dynamically w/ Ansible
-    msg-cache-slabs: 16
-    rrset-cache-slabs: 16
-    infra-cache-slabs: 16
-    key-cache-slabs: 16
- 
-    # Read the root hints from this file
-    # FIXME: missing file.
-    # root-hints: "/var/lib/unbound/root.hints"
- 
-    harden-referral-path: yes  
-    use-caps-for-id: yes
-    hide-identity: yes
-    hide-version: yes
-    harden-glue: yes
-    harden-dnssec-stripped: yes
- 
-    # the time to live (TTL) value lower bound, in seconds. Default 0.
-    # If more than an hour could easily give trouble due to stale data.
-    # WARNING : against protocol rule but efficient against stupidly too low TTLs
- 
-    cache-min-ttl: 3600	
- 
-    # the time to live (TTL) value cap for RRsets and messages in the
-    # cache. Items are not cached for longer. In seconds.
-    cache-max-ttl: 86400
- 
-    prefetch: yes	
- 
-    # If nonzero, unwanted replies are not only reported in statistics, but also
-    # a running total is kept per thread. If it reaches the threshold, a warning
-    # is printed and a defensive action is taken, the cache is cleared to flush
-    # potential poison out of it.  A suggested value is 10000000, the default is
-    # 0 (turned off). We think 10K is a good value.
-    unwanted-reply-threshold: 10000
- 
-    # Should additional section of secure message also be kept clean of unsecure
-    # data. Useful to shield the users of this validator from potential bogus
-    # data in the additional section. All unsigned data in the additional section
-    # is removed from secure messages.
-    val-clean-additional: yes
- 
-    # Log validation failures
-    val-log-level: 2
-

    private-address: 10.0.0.0/8
- 
-    # Optimise
-    # https://unbound.net/documentation/howto_optimise.html
- 
-    # Faster UDP with multithreading (only on Linux).
-    so-reuseport: yes
- 
-    # Taille du cache
-    rrset-cache-size: 100m
-    msg-cache-size: 50m
- 
-    # gestion DNSSEC
-   harden-below-nxdomain: yes
-   harden-dnssec-stripped: yes