X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Funbound%2Ftemplates%2Funbound.conf.erb;h=8e06b7df09a2baaeb1adb2d2008785440e0b3f10;hb=cdf648b13dacc11edd25af11c93a67dbe7097743;hp=ebda9f80b1de8ddaba5a83ac681d0f7eac5a1a9c;hpb=c9e68aa1553fc05fac01385c65bf5a8b10c9f657;p=dsa-puppet.git
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index ebda9f80..8e06b7df 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -6,38 +6,28 @@ server:
  verbosity: 1
- # specify the interfaces to answer queries from by ip-address.
- # The default is to listen to localhost (127.0.0.1 and ::1).
- # specify 0.0.0.0 and ::0 to bind to all available interfaces.
- # specify every interface[@port] on a new 'interface:' labelled line.
- # The listen interfaces are not changed on reload, only on restart.
- # interface: 192.0.2.153
- # interface: 192.0.2.154
- # interface: 192.0.2.154@5003
- # interface: 2001:DB8::5
+<% if (@is_recursor and (not @client_ranges.empty?)) -%>
+ interface: 0.0.0.0
+ interface: ::0
- # enable this feature to copy the source address of queries to reply.
- # Socket options are not supported on all platforms. experimental.
  interface-automatic: yes
- # control which clients are allowed to make (recursive) queries
- # to this server. Specify classless netblocks with /size and action.
- # By default everything is refused, except for localhost.
- # Choose deny (drop message), refuse (polite error reply),
- # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
- # access-control: 0.0.0.0/0 refuse
- # access-control: 127.0.0.0/8 allow
- # access-control: ::0/0 refuse
- # access-control: ::1 allow
- # access-control: ::ffff:127.0.0.1 allow
+ access-control: 0.0.0.0/0 refuse
+ access-control: ::0/0 refuse
+ access-control: 127.0.0.0/8 allow
+ access-control: ::0/0 refuse
+ access-control: ::1 allow
+ access-control: ::ffff:127.0.0.1 allow
+<% @client_ranges.to_a.flatten.each do |net| -%>
+ access-control: <%= net -%> allow
+<% end -%>
+<% end -%>
  #chroot: ""
  hide-identity: yes
  hide-version: yes
- use-caps-for-id: yes
-
  # Do not query the following addresses. No DNS queries are sent there.
  # List one address per entry. List classless netblocks with /size,
  # do-not-query-address: 127.0.0.1/8
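Review bot: The new access-control list carries `access-control: ::0/0 refuse` twice (second and fourth added lines); unbound picks the most specific matching netblock, so the duplicate changes nothing, but it reads as a copy-paste slip and one copy should go. In `access-control: <%= net -%> allow` the `-%>` trim marker sits mid-line where it has no newline to eat; `<%= net %> allow` says the same thing more plainly. It is worth stating the fallback in a comment above the `<% if`, since when the condition is false this hunk emits nothing and the daemon stays on its built-in localhost-only listener and access list, e.g. `# Only bind non-loopback interfaces on a recursor with an explicit client allowlist; otherwise unbound's localhost-only defaults apply.`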
@@ -53,18 +43,25 @@ server:
  # auto-trust-anchor-file: ""
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+ auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key"
-<%=
- out = []
- unless results['misc']['resolver-recursive']
- forwarders = nodeinfo['hoster']['nameservers']
- forwarders ||= []
+local-zone: "29.172.in-addr.arpa" nodefault
+forward-zone:
+ name: "29.172.in-addr.arpa"
+ forward-host: geo1.debian.org
+ forward-host: geo2.debian.org
+ forward-host: geo3.debian.org
- out << 'forward-zone:'
- out << ' name: "."'
- forwarders.each do |ns|
- out << " forward-addr: #{ns}"
- end
- end
- out.join("\n")
-%>
+# recursive: <%= @is_recursor ? "y" : "n" %>
+<% if not @is_recursor -%>
+forward-zone:
+ name: "."
+<% @ns.to_a.flatten.each do |nms| -%>
+ forward-addr: <%= nms %>
+<% end -%>
+<% if @lsbmajdistrelease >= '7' -%>
+ # This will actually only work starting with unbound 1.4.18 (wheezy has 1.4.17)
+ # previously, forward-first was not implemented for the root zone.
+ forward-first: yes
+<% end -%>
+<% end -%>
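Review bot: `<% if @lsbmajdistrelease >= '7' -%>` compares the release as a string (the literal is quoted), so the gate silently switches off again for any two-digit major release, since `'10' >= '7'` is false in Ruby; `<% if @lsbmajdistrelease.to_i >= 7 -%>` avoids that. The comment just below also says `forward-first` only works from unbound 1.4.18 while wheezy (7) ships 1.4.17, so either the threshold should exclude 7 or the comment should say the option is accepted but ineffective there — which is intended is not clear from the hunk. The `local-zone: "29.172.in-addr.arpa" nodefault` line is what lets the reverse zone be forwarded at all, as unbound otherwise answers the private reverse zones locally, and deserves a one-line comment such as `# nodefault: stop unbound answering this private reverse zone itself so the forward-zone below is consulted`.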