From 0e7f3f8bafd5509c7aaee25acdfb9e9753ba16ea Mon Sep 17 00:00:00 2001 From: Stephen Gran Date: Sun, 14 Apr 2013 17:18:07 +0100 Subject: [PATCH] get rid of broken nameservers Signed-off-by: Stephen Gran --- modules/debian-org/misc/hoster.yaml | 22 ---------------------- modules/unbound/manifests/init.pp | 1 - modules/unbound/templates/unbound.conf.erb | 2 +- 3 files changed, 1 insertion(+), 24 deletions(-) diff --git a/modules/debian-org/misc/hoster.yaml b/modules/debian-org/misc/hoster.yaml index ef050fc2..0bfeab36 100644 --- a/modules/debian-org/misc/hoster.yaml +++ b/modules/debian-org/misc/hoster.yaml @@ -3,8 +3,6 @@ netrange: - 87.106.0.0/16 - 2001:8d8:81:1520::/64 - nameservers_break_dnssec: true - nameservers: [87.106.64.251, 195.20.224.99, 195.20.224.234] # for i in `awk '$1=="nameserver" {print $2}' /etc/resolv.conf; [ -e /etc/unbound/unbound.conf ] && awk '$1=="forward-addr:" {print $2}' /etc/unbound/unbound.conf`; do dig +dnssec @$i -t ns . | grep RRSIG || echo BROKEN; echo;echo $i; echo;read; done 1und1-sec: netrange: @@ -12,8 +10,6 @@ - 212.227.126.32/27 - 2001:8d8:2:1::/64 searchpaths: [debprivate-oneandone.debian.org] - nameservers_break_dnssec: true - nameservers: [195.20.224.99, 195.20.224.234, 87.106.64.251] accumu: netrange: - 130.236.0.0/14 @@ -23,8 +19,6 @@ accumu: arm: netrange: - 217.140.96.0/22 - nameservers_break_dnssec: true - nameservers: [158.43.128.1, 217.140.108.113] entropy_provider_hoster: sil brainfood: netrange: @@ -56,15 +50,11 @@ bytemark: carnet: netrange: - 193.198.0.0/16 - nameservers_break_dnssec: true - nameservers: [161.53.160.3, 161.53.123.3] ana: # rename to cecsit netrange: - 150.203.164.0/24 - 2001:388:1034:2900::64 - nameservers_break_dnssec: true - nameservers: [150.203.1.10, 150.203.164.10, 150.203.164.9] conova: netrange: - 217.196.149.224/28 @@ -82,8 +72,6 @@ dgi: freenet: netrange: - 62.104.0.0/16 - nameservers_break_dnssec: true - nameservers: [194.97.3.83, 62.104.64.3, 194.97.3.11] ftcollins: netrange: - 192.25.206.0/24 @@ -130,8 +118,6 @@ osuosl: netrange: - 140.211.166.0/25 - 140.211.15.0/24 - nameservers_break_dnssec: true - nameservers: [140.211.166.130, 140.211.166.131, 216.165.191.54] sanger: netrange: - 193.62.202.24/29 @@ -150,15 +136,11 @@ scanplus: - 212.211.132.0/26 - 212.211.132.248/29 - 2001:a78::/64 - nameservers_break_dnssec: true - nameservers: [212.211.132.4, 212.75.32.4] sil: netrange: - 86.59.118.144/28 - 2001:858:2:2::/64 searchpaths: [debprivate-sil.debian.org] - #nameservers_break_dnssec: true - #nameservers: [213.129.232.1, 213.129.226.2] nameservers: [86.59.118.147, 86.59.118.148] allow_dns_query: [86.59.118.144/28, 2001:858:2:2::/64] mirror-debian: http://ftp.at.debian.org/debian/ @@ -177,8 +159,6 @@ ugent: umn: netrange: - 128.101.240.212 - nameservers_break_dnssec: true - nameservers: [128.101.101.101, 134.84.84.84] utwente: netrange: - 130.89.0.0/16 @@ -198,7 +178,5 @@ ynic: zivit: netrange: - 80.245.144.0/22 - nameservers_break_dnssec: true - nameservers: [80.245.147.53, 80.245.147.54] # vim:set et sts=2 ts=2 sw=2: diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp index 587b19bb..5261009b 100644 --- a/modules/unbound/manifests/init.pp +++ b/modules/unbound/manifests/init.pp @@ -10,7 +10,6 @@ class unbound { $is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') $client_ranges = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') - $dodgy_ns = getfromhash($site::nodeinfo, 'hoster', 'nameservers_break_dnssec') $ns = hiera('nameservers') package { 'unbound': diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb index 0546980c..fe710ea9 100644 --- a/modules/unbound/templates/unbound.conf.erb +++ b/modules/unbound/templates/unbound.conf.erb @@ -44,7 +44,7 @@ server: auto-trust-anchor-file: "/var/lib/unbound/root.key" auto-trust-anchor-file: "/var/lib/unbound/debian.org.key" -<% if not @is_recursor and not @dodgy_ns -%> +<% if (not @is_recursor) and @ns -%> forward-zone: name: "." <% @ns.to_a.flatten.each do |nms| -%> -- 2.39.2