diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 1660ccb..f650b6c 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -1,9 +1,11 @@ server: - verbosity: 1 - use-syslog: yes - logfile: "/var/log/unbound.log" + # Timestamps use UTC ASCII instead of UNIX epoch. log-time-ascii: yes - + + do-ip4: yes + # FIXME: IPv6 deployment... someday... + do-ip6: no + # IP addresses on which to listen. interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} 
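Review bot: `log-time-ascii: yes` at the top of `server:` only affects timestamps when Unbound writes its own log file; under `use-syslog: yes` (removed in this hunk, but also Unbound's default) syslog formats the timestamp and the option does nothing. If the log destination is now set in another template of the role, the new comment should say so, e.g. `# Only effective with use-syslog: no; log destination is set in <other template>`. The second hunk also removes `hide-identity`, `hide-version`, `use-caps-for-id`, `harden-referral-path`, `private-address: 10.0.0.0/8` and `unwanted-reply-threshold` from this file. These are off or unset by default in Unbound, so unless they are re-declared in a file outside this diff, the recursive resolver loses that hardening and its DNS-rebinding filter for 10.0.0.0/8.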
@@ -16,74 +18,6 @@ server:
 access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
 access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
- do-ip4: yes
- # FIXME: IPv6 deployment... someday...
- do-ip6: no
-
- do-udp: yes
- do-tcp: yes
- num-threads: {{ ansible_processor_vcpus }}
-
- # power of 2 close to num-threads
- # TODO: compute this dynamically w/ Ansible
- msg-cache-slabs: 16
- rrset-cache-slabs: 16
- infra-cache-slabs: 16
- key-cache-slabs: 16
-
- # Read the root hints from this file
- # FIXME: missing file.
- # root-hints: "/var/lib/unbound/root.hints"
-
- harden-referral-path: yes
- use-caps-for-id: yes
- hide-identity: yes
- hide-version: yes
- harden-glue: yes
- harden-dnssec-stripped: yes
-
- # the time to live (TTL) value lower bound, in seconds. Default 0.
- # If more than an hour could easily give trouble due to stale data.
- # WARNING : against protocol rule but efficient against stupidly too low TTLs
-
- cache-min-ttl: 3600
-
- # the time to live (TTL) value cap for RRsets and messages in the
- # cache. Items are not cached for longer. In seconds.
- cache-max-ttl: 86400
-
- prefetch: yes
-
- # If nonzero, unwanted replies are not only reported in statistics, but also
- # a running total is kept per thread. If it reaches the threshold, a warning
- # is printed and a defensive action is taken, the cache is cleared to flush
- # potential poison out of it. A suggested value is 10000000, the default is
- # 0 (turned off). We think 10K is a good value.
- unwanted-reply-threshold: 10000
-
- # Should additional section of secure message also be kept clean of unsecure
- # data. Useful to shield the users of this validator from potential bogus
- # data in the additional section. All unsigned data in the additional section
- # is removed from secure messages.
- val-clean-additional: yes
-
- # Log validation failures
- val-log-level: 2
- private-address: 10.0.0.0/8
-
- # Optimise
- # https://unbound.net/documentation/howto_optimise.html
-
- # Faster UDP with multithreading (only on Linux).
- so-reuseport: yes
-
- # Taille du cache
- rrset-cache-size: 100m
- msg-cache-size: 50m
-
- # gestion DNSSEC
- harden-below-nxdomain: yes
- harden-dnssec-stripped: yes