-rw-r--r--Makefile16
-rw-r--r--Makefile.inc.unbound1
-rw-r--r--unbound.conf.erb45
3 files changed, 20 insertions, 42 deletions
diff --git a/Makefile b/Makefile
index 343704c..71fbd91 100644
--- a/Makefile
+++ b/Makefile
@@ -58,22 +58,6 @@ DN42_ZONES= \
INSECURE_ZONES= \
18.198.in-addr.arpa
-# Our local networks.
-# TODO: Generate these from LDAP.
-LFNETWORKS= \
- 2001:8b0:aab5::/48 \
- 81.187.47.192/28 \
- 81.2.96.160/28 \
- 81.187.73.117/32 \
- 2a00:1098:6b::/48 \
- 2001:ba8:4015::/48 \
- 2001:ba8:404a::/48 \
- fd5b:a83:b06b::/48 \
- 172.16.0.0/12 \
- 10.0.0.0/8 \
- 198.18.0.0/15
-
-
#######################################################################
# Unbound configuration for resolvers.
diff --git a/Makefile.inc.unbound b/Makefile.inc.unbound
index 221d480..db6f1fb 100644
--- a/Makefile.inc.unbound
+++ b/Makefile.inc.unbound
@@ -8,7 +8,6 @@ UNBOUND_PROCESS_FLAGS?= \
-Dconfdir=/usr/local/etc/unbound \
-Dmaster="${MASTER}" \
-Dmaster_addr="${MASTER_ADDR}" \
- -Dlfnetworks="${LFNETWORKS}" \
-Dlocal_zones="${ZONES}" \
-Dinsecure_zones="${INSECURE_ZONES}" \
-Ddn42_zones="${DN42_ZONES}" \
diff --git a/unbound.conf.erb b/unbound.conf.erb
index 1490c41..b807b3b 100644
--- a/unbound.conf.erb
+++ b/unbound.conf.erb
@@ -24,9 +24,7 @@ server:
include: "<%= confdir %>/unbound.conf.local"
# Allow access from LF networks.
-<% lfnetworks.split.each do |network| -%>
- access-control: <%= network %> allow
-<% end %>
+ include: "<%= confdir %>/allow_ldap.conf"
# We might want to enable this in the future.
#use-caps-for-id: yes
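Review bot: The new `include:` of `allow_ldap.conf` now carries the resolver's whole client access policy, but the template no longer says what that generated file must contain or how an empty or absent file behaves, whereas the removed loop made the allowed prefixes visible in place. As far as I recall unbound refuses non-loopback clients by default, so an empty file fails closed, but a missing include makes the whole config fail to load, so the Makefile target that produces the file should guarantee it exists before this template is installed. I would replace the comment on the line above with `# Allow access from LF networks (access-control lines generated from LDAP; file must exist, an empty file means only localhost is served).` so the dependency on the generator is recorded next to the include.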
@@ -34,13 +32,14 @@ server:
tls-upstream: no
pad-responses: yes
-<%# quic-port: 853 %>
+<%# quic-port: 853 -%>
# Networks that shouldn't be found in public zones.
private-address: 169.254.0.0/16
private-address: fe80::/10
private-address: ::ffff:0:0/96
private-address: 64:ff9b::/96
+ include: "<%= confdir %>/private_ldap.conf"
# General tuning.
prefer-ip6: yes
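Review bot: The `include:` of `private_ldap.conf` replaces the hard-coded `private-address` entries for the local prefixes (the loop removed in the next hunk, old lines 84–87), and those entries are what stops answers from public zones pointing into the internal ranges; if the LDAP export yields an empty file the config still loads and that protection disappears silently. I would have the generator refuse to install an empty file, or at least note the expectation here, since unbound-checkconf will not flag the omission. The old comment `# Private addresses that should not be found in Internet zones.` is also dropped in that hunk; carrying it onto this include line, e.g. `# Our own prefixes, generated from LDAP; must not resolve from Internet zones.`, keeps the intent documented.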
@@ -71,24 +70,19 @@ server:
tls-use-sni: yes
tls-port: 853
https-port: 443
-<% end %>
+<% end -%>
<% if defined?(nat64_prefix) -%>
do-nat64: yes
nat64-prefix: <%= nat64_prefix %>
-<% end %>
-
-# Private addresses that should not be found in Internet zones.
-<% lfnetworks.split.each do |network| -%>
- private-address: <%= network %>
-<% end %>
+<% end -%>
private-domain: sikol.co.uk
-# Local zones that we want to serve. Mark these as private so we accept our
-# addresses, and if they're local zones, mark them as insecure so that the
-# resolver doesn't try to validate the DNSSEC chain (which would break DNS
-# without Internet access).
+ # Local zones that we want to serve. Mark these as private so we
+ # accept our addresses, and if they're local zones, mark them as
+ # insecure so that the resolver doesn't try to validate the DNSSEC
+ # chain (which would break DNS without Internet access).
<% local_zones.split.each do |zone| -%>
private-domain: <%= zone %>
<% if not defined?(nolocal) -%>
@@ -96,17 +90,18 @@ server:
<% end -%>
<% end -%>
-# Zones which are always insecure, because they don't exist on the Internet.
+ # Zones which are always insecure, because they don't exist on the
+ # Internet.
<% insecure_zones.split.each do |zone| -%>
domain-insecure: <%= zone %>
<% end -%>
-# DN42 zones. These don't need to be private, but should be insecure for now.
-# Ideally we'd have a way to validate these properly.
-<% dn42_zones.split.each do |zone| %>
+ # DN42 zones. These don't need to be private, but should be insecure
+ # for now. Ideally we'd have a way to validate these properly.
+<% dn42_zones.split.each do |zone| -%>
local-zone: <%= zone %>. nodefault
domain-insecure: <%= zone %>.
-<% end %>
+<% end -%>
remote-control:
control-enable: yes
@@ -119,7 +114,7 @@ remote-control:
control-key-file: "<%= confdir %>/unbound_control.key"
control-cert-file: "<%= confdir %>/unbound_control.pem"
-<% if defined?(forwarder) %>
+<% if defined?(forwarder) -%>
# This server is a forwarder.
forward-zone:
name: "."
@@ -127,9 +122,9 @@ forward-zone:
forward-addr: <%= addr %>
<% end -%>
forward-first: yes
-<% end %>
+<% end -%>
-<% if not defined?(nolocal) %>
+<% if not defined?(nolocal) -%>
# This server is a resolver, so it wants a local copy of all zones.
# SiKol zones
@@ -150,7 +145,7 @@ auth-zone:
zonefile: <%= confdir %>/secondary/_msdcs.lethe.sikol.co.uk
# Local internet DNS zones
-<% local_zones.split.each do |zone| %>
+<% local_zones.split.each do |zone| -%>
auth-zone:
name: <%= zone %>
primary: <%= master_addr %> # <%= master %>
@@ -161,7 +156,7 @@ auth-zone:
<% end %>
# DN42 zones
-<% dn42_zones.split.each do |zone| %>
+<% dn42_zones.split.each do |zone| -%>
stub-zone:
name: <%= zone %>.
stub-addr: <%= dn42_master %>