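# {{ ansible_managed }}
#
# unbound.conf rendered by Ansible: a recursive resolver for the internal
# 10.0.0.0/8 subnets. Indentation is cosmetic; unbound reads "key: value"
# lines inside the server: clause, and repeated keys (interface,
# access-control) accumulate rather than override.
server:
    # Timestamps use UTC ASCII instead of UNIX epoch.
    log-time-ascii: yes
    # Only log errors.
    verbosity: 0
    # SERVFAIL causes are worth keeping even at verbosity 0: they are the
    # first signal of the DNSSEC/blacklisting trouble described further down.
    log-servfail: yes
    logfile: "/var/log/unbound/unbound.log"

    do-ip4: yes
    # FIXME: IPv6 deployment... someday...
    do-ip6: no

    # Do not answer id.server / version.server (CH TXT) probes; the exact
    # unbound version is not something clients on the allowed subnets need.
    hide-identity: yes
    hide-version: yes

    # IP addresses on which to listen.
    interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}

    # By default, anything other than localhost is refused.
    # Whitelist some subnets:
    # "allow" grants full recursion, so every host in these /16s can use this
    # resolver. They match the listen addresses above; keep the two lists in
    # step when a subnet is added.
    access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow

    num-threads: {{ ansible_processor_vcpus }}

    # DNS-rebinding protection: 10/8 addresses are stripped from answers for
    # public names. Any internal zone that legitimately resolves to 10/8 must
    # be declared with private-domain, or its records will be removed.
    private-address: 10.0.0.0/8

    # XXX
    # We've been having issues with bogus DNSSEC responses, and unintended
    # blacklisting of nameservers because of that.
    # The following is intended as a stopgap solution.
    #
    # unbound had issues with auro.re's DS records, apparently;
    # it kept receiving an error, which subsequently caused a blacklisting
    # of relevant servers and an inability to resolve auro.re and its
    # subdomains.
    #
    # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
    domain-insecure: "auro.re"

    # The host cache TTL affects blacklisting of supposedly bogus hosts.
    # The default was 900 (15 minutes).
    infra-host-ttl: 60

    # NOTE(review): the two settings below relax DNSSEC validation globally,
    # not just for auro.re. With harden-dnssec-stripped off, an answer whose
    # signatures were stripped in transit is accepted for zones that do have
    # DS records, which is the downgrade case validation exists to catch.
    # Since domain-insecure above already covers the problematic zone, check
    # whether these are still needed and restore the defaults once the
    # auro.re issue is resolved.
    harden-dnssec-stripped: no
    disable-dnssec-lame-check: yes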