variable assignment does not clone string...
[dsa-puppet.git] / modules / unbound / templates / unbound.conf.erb
index ebda9f80b1de8ddaba5a83ac681d0f7eac5a1a9c..8e06b7df09a2baaeb1adb2d2008785440e0b3f10 100644 (file)
@@ -6,38 +6,28 @@
 server:
        verbosity: 1
 
-       # specify the interfaces to answer queries from by ip-address.
-       # The default is to listen to localhost (127.0.0.1 and ::1).
-       # specify 0.0.0.0 and ::0 to bind to all available interfaces.
-       # specify every interface[@port] on a new 'interface:' labelled line.
-       # The listen interfaces are not changed on reload, only on restart.
-       # interface: 192.0.2.153
-       # interface: 192.0.2.154
-       # interface: 192.0.2.154@5003
-       # interface: 2001:DB8::5
+<% if (@is_recursor and (not @client_ranges.empty?)) -%>
+       interface: 0.0.0.0
+       interface: ::0
 
-       # enable this feature to copy the source address of queries to reply.
-       # Socket options are not supported on all platforms. experimental. 
        interface-automatic: yes
 
-       # control which clients are allowed to make (recursive) queries
-       # to this server. Specify classless netblocks with /size and action.
-       # By default everything is refused, except for localhost.
-       # Choose deny (drop message), refuse (polite error reply),
-       # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
-       # access-control: 0.0.0.0/0 refuse
-       # access-control: 127.0.0.0/8 allow
-       # access-control: ::0/0 refuse
-       # access-control: ::1 allow
-       # access-control: ::ffff:127.0.0.1 allow
+       access-control: 0.0.0.0/0 refuse
+       access-control: ::0/0 refuse
+       access-control: 127.0.0.0/8 allow
+       access-control: ::0/0 refuse
+       access-control: ::1 allow
+       access-control: ::ffff:127.0.0.1 allow
+<% @client_ranges.to_a.flatten.each do |net| -%>
+       access-control: <%= net -%> allow
+<% end -%>
+<% end -%>
 
        #chroot: ""
 
        hide-identity: yes
        hide-version: yes
 
-       use-caps-for-id: yes
-
        # Do not query the following addresses. No DNS queries are sent there.
        # List one address per entry. List classless netblocks with /size,
        # do-not-query-address: 127.0.0.1/8
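Review bot: `access-control: ::0/0 refuse` is emitted twice on the new side of this hunk (once after `0.0.0.0/0 refuse`, again between `127.0.0.0/8 allow` and `::1 allow`); unbound matches access-control on the most specific netblock so the policy still comes out as intended, but the repeat reads like a typo and one copy should be dropped. The guard `<% if (@is_recursor and (not @client_ranges.empty?)) -%>` is the right shape — the all-interface `interface:` lines are only reached together with the refuse-by-default rules — but `@client_ranges.to_a.flatten` raises if Puppet ever hands the template a plain String (String#to_a is gone in Ruby 1.9+); `Array(@client_ranges).flatten` accepts nil, a scalar or an array uniformly, and the same applies to `@ns.to_a.flatten` in the next hunk. Minor style point: the `-%>` in `<%= net -%> allow` trims nothing because text follows on the same line, so `<%= net %> allow` would match the `<%= nms %>` form used later in the template.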
@@ -53,18 +43,25 @@ server:
        # auto-trust-anchor-file: ""
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+       auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key"
 
-<%=
-       out = []
-       unless results['misc']['resolver-recursive']
-               forwarders = nodeinfo['hoster']['nameservers']
-               forwarders ||= []
+local-zone: "29.172.in-addr.arpa" nodefault
+forward-zone:
+       name: "29.172.in-addr.arpa"
+       forward-host: geo1.debian.org
+       forward-host: geo2.debian.org
+       forward-host: geo3.debian.org
 
-               out << 'forward-zone:'
-               out << '        name: "."'
-               forwarders.each do |ns|
-                       out << "        forward-addr: #{ns}"
-               end
-       end
-       out.join("\n")
-%>
+# recursive: <%= @is_recursor ? "y" : "n" %>
+<% if not @is_recursor -%>
+forward-zone:
+       name: "."
+<% @ns.to_a.flatten.each do |nms| -%>
+       forward-addr: <%= nms %>
+<% end -%>
+<% if @lsbmajdistrelease >= '7' -%>
+       # This will actually only work starting with unbound 1.4.18 (wheezy has 1.4.17)
+       # previously, forward-first was not implemented for the root zone.
+       forward-first: yes
+<% end -%>
+<% end -%>
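Review bot: `<% if @lsbmajdistrelease >= '7' -%>` is a string comparison, so once the release number has two digits (`'10' >= '7'` is false in Ruby) `forward-first: yes` silently stops being emitted on exactly the hosts whose unbound is new enough to honour it; use `<% if @lsbmajdistrelease.to_i >= 7 -%>`, or key the condition on the unbound version if that fact is available, and make the comment above it say which releases are actually expected to get the option. The enclosing `server:` clause starts above this hunk; `local-zone: "29.172.in-addr.arpa" nodefault` at column 0 still belongs to it because unbound ignores indentation, but as I read unbound.conf(5) any server option written after the `forward-zone:` clause that follows would be parsed as part of that zone and rejected, so a comment such as `# server: options must stay above the forward-zone clauses below` above the `local-zone:` line would save the next editor a config reload failure. The `# recursive: <%= @is_recursor ? "y" : "n" %>` marker is useful for debugging the rendered file; it would read more naturally indented with the surrounding server options.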