a77b2c4f0f
That was the root cause of all our DNSSEC issues. Now that this is fixed, we're no longer seeing them, so the relaxed checks can be restored to their original state.
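# {{ ansible_managed }}
#
# Unbound resolver configuration rendered by Ansible. Every "{{ ... }}"
# expression below is substituted by the template engine before unbound reads
# the file, so the concrete values come from the inventory / group variables.
{# edns-buffer-size / max-udp-size are DNS *payload* sizes, but the link MTU
   also has to carry the IPv4 (20 bytes) and UDP (8 bytes) headers. Advertising
   the raw MTU therefore still lets responses fragment. Subtract the 28-byte
   header overhead so the payload fits in a single unfragmented datagram
   (1500 -> 1472, the figure quoted in the EDNS comment further down). #}
{% set udp_payload = (mtu | int) - 28 %}

server:

# Timestamps use UTC ASCII instead of UNIX epoch.
log-time-ascii: yes

# Only log errors.
verbosity: 0
# Still log why a query was answered with SERVFAIL, so resolution failures
# stay visible even at verbosity 0.
log-servfail: yes

# NOTE(review): if unbound runs chrooted (package defaults vary), this path
# must be reachable inside the chroot or chroot must be disabled -- verify.
logfile: "/var/log/unbound/unbound.log"

do-ip4: yes
# FIXME: IPv6 deployment... someday...
do-ip6: no

# IP addresses on which to listen (one per served subnet).
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}


# By default, anything other than localhost is refused.
# Whitelist some subnets:
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow

num-threads: {{ ansible_processor_vcpus }}

# Addresses in this range are not allowed in answers for public internet
# names; such records are stripped from replies (DNS rebinding protection).
private-address: 10.0.0.0/8

# The host cache TTL affects blacklisting of supposedly bogus hosts.
# The default was 900 (15 minutes).
infra-host-ttl: 60


# The following is vital, we were having issues
# with DNSSEC that turned out to be due to UDP responses that were too
# large.

# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
# This is the link MTU minus the 28-byte IPv4+UDP header overhead, so an
# advertised-size response fits in one datagram. Upstream unbound's current
# default is 1232.
edns-buffer-size: {{ udp_payload }}

# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
# Kept in step with edns-buffer-size above.
max-udp-size: {{ udp_payload }}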