-rw-r--r--Makefile10
-rw-r--r--unbound.conf.erb38
2 files changed, 45 insertions, 3 deletions
diff --git a/Makefile b/Makefile
index 14655b4..1bca4ad 100644
--- a/Makefile
+++ b/Makefile
@@ -90,9 +90,16 @@ LFNETWORKS= \
10.0.0.0/8 \
198.18.0.0/15
+# All servers which run Unbound.
UNBOUND_SERVERS= \
witch.le-fay.org \
- turnera.le-fay.org
+ turnera.le-fay.org \
+ hemlock.eden.le-fay.org
+
+# Forwarder addresses for Unbound forwarders.
+UNBOUND_FORWARDERS= \
+ 2001:8b0:aab5:c401::1:3 \
+ 2001:8b0:aab5:c401::1:4
UNBOUND_PROCESS_FLAGS= \
-Dconfdir=/usr/local/etc/unbound \
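Review bot: `UNBOUND_FORWARDERS` is defined here but nothing in the commit reads it; the hemlock flag line in the next hunk passes only `-Dforwarder=yes`, and the same two addresses are typed out again as literal `forward-addr:` lines in the forward-zone hunk of unbound.conf.erb, so the list now has to be kept in sync by hand. Passing the variable through, `UNBOUND_PROCESS_FLAGS.hemlock.eden.le-fay.org= -Dforwarder=yes -Dforwarders="${UNBOUND_FORWARDERS}"`, and rendering it in the template the same way `lfnetworks` is handled, `<% forwarders.split.each do |addr| %>` / `forward-addr: <%= addr %>` / `<% end %>`, removes the duplication. The `LFNETWORKS` assignment this hunk sits in starts above the hunk.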
@@ -102,6 +109,7 @@ UNBOUND_PROCESS_FLAGS= \
-Dlocal_zones="${ZONES}" \
-Ddn42_zones="${DN42_ZONES}" \
-Ddn42_master="${DN42_MASTER}"
+UNBOUND_PROCESS_FLAGS.hemlock.eden.le-fay.org= -Dforwarder=yes
UNBOUND_PROCESS_FLAGS.witch.le-fay.org= -Dtls=yes
UNBOUND_PROCESS_FLAGS.turnera.le-fay.org= -Dtls=yes
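Review bot: The value in `-Dforwarder=yes` is never inspected: both template branches test `defined?(forwarder)`, which is true for any value, so a future `-Dforwarder=no` on a host would still render the forwarder configuration. Either test the value in the template, `<% if defined?(forwarder) && forwarder == "yes" %>`, or document next to this line that the presence of the variable, not its value, selects forwarder mode, so the flag is not mistaken for a switch like `-Dtls=yes`.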
diff --git a/unbound.conf.erb b/unbound.conf.erb
index 5136093..b2f1f6e 100644
--- a/unbound.conf.erb
+++ b/unbound.conf.erb
@@ -14,9 +14,31 @@ server:
auto-trust-anchor-file: "<%= confdir %>/secondary/root.key"
- # The local config file configures listen addresses.
+<% if defined?(forwarder) %>
+ # Forwarders only listen on localhost.
+ interface: ::1
+ # Only localhost has access.
+ access-control: ::1 allow
+
+ # Be more forgiving of broken servers, so that everything doesn't stop
+ # working if the network is down for a bit.
+ infra-keep-probing: yes
+ infra-host-ttl: 60
+ log-servfail: yes
+<% else %>
+ # For resolvers, the local config file configures listen addresses.
include: "<%= confdir %>/unbound.conf.local"
+ # Allow access from LF networks.
+<% lfnetworks.split.each do |network| %>
+ access-control: <%= network %> allow
+<% end %>
+
+ # We might want to enable this in the future.
+ #use-caps-for-id: yes
+ #caps-exempt: example.org
+<% end %>
+
tls-upstream: no
pad-responses: yes
<%# quic-port: 853 %>
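Review bot: The forwarder branch binds only `interface: ::1` and allows only `::1`, so any client on the host that resolves via the IPv4 loopback (a `nameserver 127.0.0.1` in resolv.conf, or software that prefers IPv4) gets a connection refused rather than an answer; if that is possible on hemlock, add `interface: 127.0.0.1` and `access-control: 127.0.0.0/8 allow` beside the existing lines. If IPv6-only loopback is deliberate, a comment saying so next to `# Forwarders only listen on localhost.` would stop the next reader from adding it back. The `server:` clause this hunk belongs to starts above the hunk.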
@@ -63,9 +85,9 @@ server:
nat64-prefix: <%= nat64_prefix %>
<% end %>
+# Private addresses that should not be found in Internet zones.
<% lfnetworks.split.each do |network| %>
private-address: <%= network %>
- access-control: <%= network %> allow
<% end %>
private-domain: sikol.co.uk
@@ -95,6 +117,16 @@ remote-control:
control-key-file: "<%= confdir %>/unbound_control.key"
control-cert-file: "<%= confdir %>/unbound_control.pem"
+<% if defined?(forwarder) %>
+# This server is a forwarder.
+forward-zone:
+ name: "."
+ forward-addr: 2001:8b0:aab5:c401::1:3
+ forward-addr: 2001:8b0:aab5:c401::1:4
+ forward-first: yes
+<% else %>
+# This server is a resolver, so it wants a local copy of all zones.
+
# SiKol zones
auth-zone:
name: "lethe.sikol.co.uk"
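Review bot: `forward-first: yes` means that when both forwarders fail to answer, this host falls back to full recursion on its own, and with `tls-upstream: no` in the shared `server:` section that recursion goes out in the clear from a machine the comment describes as only a forwarder. If the fallback is wanted it deserves a comment stating that the forwarder recurses when the upstreams are unreachable; if it is not, `forward-first: no` keeps the host dependent on the listed forwarders. The `remote-control:` clause the first context lines belong to starts above the hunk, and the `<% else %>` opened here is closed in the last hunk.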
@@ -129,3 +161,5 @@ stub-zone:
name: <%= zone %>.
stub-addr: <%= dn42_master %>
<% end %>
+
+<% end %>