-rw-r--r--Makefile4
-rw-r--r--Makefile.inc.unbound1
-rw-r--r--unbound.conf.erb5
3 files changed, 10 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index 80a74ee..272ca4c 100644
--- a/Makefile
+++ b/Makefile
@@ -54,6 +54,10 @@ DN42_ZONES= \
26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa \
29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa
+# These zones are always insecure, because they don't exist on the Internet.
+INSECURE_ZONES= \
+ 18.198.in-addr.arpa
+
# Our local networks.
# TODO: Generate these from LDAP.
LFNETWORKS= \
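Review bot: The comment on `INSECURE_ZONES` gives the reason for the current entry but not the effect of adding one. Each name listed here is rendered by the template change in this commit as an Unbound `domain-insecure:` line, which makes the resolver ignore the DNSSEC chain of trust for that name and everything beneath it. I would state that in the comment, for example `# Each zone here is emitted as domain-insecure: DNSSEC validation is off for the zone and all names under it. Only list zones we serve locally.` That makes it less likely that a public zone is added later just to silence a validation failure.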
diff --git a/Makefile.inc.unbound b/Makefile.inc.unbound
index 2071b1a..070ed8d 100644
--- a/Makefile.inc.unbound
+++ b/Makefile.inc.unbound
@@ -10,6 +10,7 @@ UNBOUND_PROCESS_FLAGS?= \
-Dmaster_addr="${MASTER_ADDR}" \
-Dlfnetworks="${LFNETWORKS}" \
-Dlocal_zones="${ZONES}" \
+ -Dinsecure_zones="${INSECURE_ZONES}" \
-Ddn42_zones="${DN42_ZONES}" \
-Ddn42_master="${DN42_MASTER}" \
-Dforwarders="${UNBOUND_FORWARDERS}"
diff --git a/unbound.conf.erb b/unbound.conf.erb
index 4755c83..1490c41 100644
--- a/unbound.conf.erb
+++ b/unbound.conf.erb
@@ -96,6 +96,11 @@ server:
<% end -%>
<% end -%>
+# Zones which are always insecure, because they don't exist on the Internet.
+<% insecure_zones.split.each do |zone| -%>
+ domain-insecure: <%= zone %>
+<% end -%>
+
# DN42 zones. These don't need to be private, but should be insecure for now.
# Ideally we'd have a way to validate these properly.
<% dn42_zones.split.each do |zone| %>
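Review bot: The added loop only switches DNSSEC validation off for each zone; nothing in this hunk shows where queries for those names are sent. If `18.198.in-addr.arpa` is not also covered by a stub, forward or local-zone entry elsewhere in the template, lookups would follow the normal resolution path and the replies would be accepted unvalidated. A comment above the loop would record the requirement, e.g. `# Every zone here must also have a stub-zone/forward-zone/local-zone entry; domain-insecure alone does not keep the query local.` The `server:` section continues outside the hunk, so this may already be handled there.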