| -rw-r--r-- | Makefile | 40 | ||||
| -rw-r--r-- | Makefile.inc.knot | 4 | ||||
| -rw-r--r-- | Makefile.inc.unbound | 18 | ||||
| -rw-r--r-- | unbound.conf.erb | 42 |
4 files changed, 58 insertions, 46 deletions
@@ -93,40 +93,36 @@ LFNETWORKS= \ 10.0.0.0/8 \ 198.18.0.0/15 -# All servers which run Unbound. -UNBOUND_SERVERS= \ - hemlock.eden.le-fay.org -# witch.le-fay.org \ -# turnera.le-fay.org \ -# hemlock.eden.le-fay.org -UNBOUND_CONF_DIR=/usr/local/etc/unbound -UNBOUND_CONF_FILE=${UNBOUND_CONF_DIR}/unbound.conf +####################################################################### +# Unbound configuration for resolvers. + +# All servers which run Unbound. +UNBOUND_SERVERS?= \ + hemlock.eden.le-fay.org \ + fuchsia.eden.le-fay.org \ + amaranth.le-fay.org \ + witch.le-fay.org \ +# turnera.le-fay.org # Forwarder addresses for Unbound forwarders. -UNBOUND_FORWARDERS= \ +UNBOUND_FORWARDERS?= \ 2001:8b0:aab5:c401::1:3 \ 2001:8b0:aab5:c401::1:4 -UNBOUND_PROCESS_FLAGS= \ - -Dconfdir=/usr/local/etc/unbound \ - -Dmaster="${MASTER}" \ - -Dmaster_addr="${MASTER_ADDR}" \ - -Dlfnetworks="${LFNETWORKS}" \ - -Dlocal_zones="${ZONES}" \ - -Ddn42_zones="${DN42_ZONES}" \ - -Ddn42_master="${DN42_MASTER}" -UNBOUND_PROCESS_FLAGS.hemlock.eden.le-fay.org= -Dforwarder=yes +# -Dforwarder means this server forwards queries to ${UNBOUND_FORWARDERS}. +# -Dnolocal means this server doesn't have a copy of our local zones. +# +UNBOUND_PROCESS_FLAGS.hemlock.eden.le-fay.org= -Dnolocal=yes -Dforwarder=yes +UNBOUND_PROCESS_FLAGS.amaranth.le-fay.org= -Dnolocal=yes UNBOUND_PROCESS_FLAGS.witch.le-fay.org= -Dtls=yes UNBOUND_PROCESS_FLAGS.turnera.le-fay.org= -Dtls=yes + ####################################################################### # Knot configuration for primary servers. # -KNOT_CONF_DIR=/usr/local/etc/knot -KNOT_CONF_FILE=${KNOT_CONF_DIR}/knot.conf - # Global options. KNOT_SERVERS?= \ yarrow.le-fay.org \ @@ -153,6 +149,7 @@ KNOT_LISTEN.fuchsia.eden.le-fay.org= \ fd5b:a83:b06b:4::9@53 \ fd5b:a83:b06b:600::5@53 + ####################################################################### # The default target doesn't do anything. # 
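Review bot: The new `UNBOUND_SERVERS?=` list ends with `witch.le-fay.org \` continued onto the comment line `# turnera.le-fay.org`, so the value appears to come out right only because the comment is stripped after the continuation has been joined; anyone uncommenting that host, or inserting a line between the two, changes the list silently. Dropping the trailing backslash on the last active host, as the old block did, avoids the trap. The switch from `=` to `?=` for `UNBOUND_SERVERS` and `UNBOUND_FORWARDERS` also lets an environment variable of the same name override the host list and the upstream addresses that end up in every generated `forward-addr:` line; if that is not meant to be a supported knob, `=` keeps the lists authoritative, and if it is, a one-line comment such as `# Overridable from the environment for testing.` records it.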
@@ -173,7 +170,6 @@ clean: .include "Makefile.inc.unbound" .include "Makefile.inc.zones" - # File paths. .PATH: ${ZONEDIR} .OBJDIR: ${.CURDIR}/build diff --git a/Makefile.inc.knot b/Makefile.inc.knot index a2f74e2..89d173a 100644 --- a/Makefile.inc.knot +++ b/Makefile.inc.knot @@ -2,9 +2,11 @@ # # Make targets for Knot. -.PHONY: knot +KNOT_CONF_DIR=/usr/local/etc/knot +KNOT_CONF_FILE=${KNOT_CONF_DIR}/knot.conf knot: +.PHONY: knot .for server in ${KNOT_SERVERS} diff --git a/Makefile.inc.unbound b/Makefile.inc.unbound index 7437149..2071b1a 100644 --- a/Makefile.inc.unbound +++ b/Makefile.inc.unbound @@ -1,18 +1,30 @@ # This source code is released into the public domain. -### Unbound configuration files. +# Unbound configuration files. + +UNBOUND_CONF_DIR?=/usr/local/etc/unbound +UNBOUND_CONF_FILE?=${UNBOUND_CONF_DIR}/unbound.conf +UNBOUND_PROCESS_FLAGS?= \ + -Dconfdir=/usr/local/etc/unbound \ + -Dmaster="${MASTER}" \ + -Dmaster_addr="${MASTER_ADDR}" \ + -Dlfnetworks="${LFNETWORKS}" \ + -Dlocal_zones="${ZONES}" \ + -Ddn42_zones="${DN42_ZONES}" \ + -Ddn42_master="${DN42_MASTER}" \ + -Dforwarders="${UNBOUND_FORWARDERS}" unbound: .PHONY: unbound .for server in ${UNBOUND_SERVERS} -unbound.conf.${server}: unbound.conf.erb +unbound.conf.${server}: Makefile unbound.conf.erb ${.CURDIR}/bin/process \ -Dservername=${server} \ ${UNBOUND_PROCESS_FLAGS} \ ${UNBOUND_PROCESS_FLAGS.${server}} \ - $> $@ + ${.CURDIR}/unbound.conf.erb $@ unbound: unbound-${server} unbound-${server}: unbound.conf.${server} diff --git a/unbound.conf.erb b/unbound.conf.erb index 1b63458..4755c83 100644 --- a/unbound.conf.erb +++ b/unbound.conf.erb 
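Review bot: `KNOT_CONF_DIR=` and `KNOT_CONF_FILE=` move into Makefile.inc.knot with plain `=`, while the parallel `UNBOUND_CONF_DIR?=` and `UNBOUND_CONF_FILE?=` added to Makefile.inc.unbound in the same commit use `?=`; the two include files should pick one flavour so that a command-line or environment override behaves the same for both daemons. Neither value is referenced inside the visible hunk, so this may be deliberate, but `KNOT_CONF_DIR?=/usr/local/etc/knot` and `KNOT_CONF_FILE?=${KNOT_CONF_DIR}/knot.conf` is the smaller change.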
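Review bot: The new `UNBOUND_PROCESS_FLAGS?=` still hard-codes `-Dconfdir=/usr/local/etc/unbound` two lines below the `UNBOUND_CONF_DIR?=/usr/local/etc/unbound` it now sits next to, so overriding the directory leaves the `include:`, `auto-trust-anchor-file:` and TLS key paths in the rendered config pointing at the old location; `-Dconfdir=${UNBOUND_CONF_DIR} \` keeps the two in step. The `unbound.conf.${server}` rule now depends on `Makefile`, but the flags that drive the template were moved into `Makefile.inc.unbound`, which is not a prerequisite, so editing them there will not rebuild stale configs; listing `Makefile.inc.unbound` alongside `Makefile` closes that gap. The `.for` loop continues past the end of the hunk.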
@@ -12,30 +12,25 @@ server: auto-trust-anchor-file: "<%= confdir %>/secondary/root.key" -<% if defined?(forwarder) %> - # Forwarders only listen on localhost. - interface: ::1 - # Only localhost has access. - access-control: ::1 allow - +<% if defined?(forwarder) -%> # Be more forgiving of broken servers, so that everything doesn't stop # working if the network is down for a bit. infra-keep-probing: yes infra-host-ttl: 60 log-servfail: yes -<% else %> - # For resolvers, the local config file configures listen addresses. +<% end %> + + # The local config file configures listen addresses. include: "<%= confdir %>/unbound.conf.local" # Allow access from LF networks. -<% lfnetworks.split.each do |network| %> +<% lfnetworks.split.each do |network| -%> access-control: <%= network %> allow <% end %> # We might want to enable this in the future. #use-caps-for-id: yes #caps-exempt: example.org -<% end %> tls-upstream: no pad-responses: yes @@ -69,7 +64,7 @@ server: ede: yes ede-serve-expired: yes -<% if defined?(tls) %> +<% if defined?(tls) -%> tls-service-key: "<%= confdir %>/tls/key.pem" tls-service-pem: "<%= confdir %>/tls/cert.pem" 
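Review bot: Removing `interface: ::1` and `access-control: ::1 allow` from the `defined?(forwarder)` branch means a forwarder host now listens on whatever its `unbound.conf.local` declares and grants `access-control: … allow` to every `lfnetworks` prefix, where before it answered only local clients; that is a genuine widening of exposure for the host the Makefile marks `-Dforwarder=yes`, and the deleted comment was the only place the old restriction was written down. If serving the LF networks from forwarders is intended, a replacement comment on the include line, e.g. `# Forwarders and resolvers both take listen addresses from the local file and answer all LF networks.`, records the decision for the next reader. The `include:` directive is also unconditional now, so every forwarder host needs an `unbound.conf.local` present — as far as I recall unbound treats a missing include file as a fatal config error — which the old layout did not require.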
@@ -78,24 +73,28 @@ server: https-port: 443 <% end %> -<% if defined?(nat64_prefix) %> +<% if defined?(nat64_prefix) -%> do-nat64: yes nat64-prefix: <%= nat64_prefix %> <% end %> # Private addresses that should not be found in Internet zones. -<% lfnetworks.split.each do |network| %> +<% lfnetworks.split.each do |network| -%> private-address: <%= network %> <% end %> private-domain: sikol.co.uk -# Local zones that we want to serve. Mark these as both private and insecure -# otherwise the validator will still try to validate them and (possibly) fail. -<% local_zones.split.each do |zone| %> +# Local zones that we want to serve. Mark these as private so we accept our +# addresses, and if they're local zones, mark them as insecure so that the +# resolver doesn't try to validate the DNSSEC chain (which would break DNS +# without Internet access). +<% local_zones.split.each do |zone| -%> private-domain: <%= zone %> +<% if not defined?(nolocal) -%> domain-insecure: <%= zone %> -<% end %> +<% end -%> +<% end -%> # DN42 zones. These don't need to be private, but should be insecure for now. # Ideally we'd have a way to validate these properly. @@ -119,10 +118,13 @@ remote-control: # This server is a forwarder. forward-zone: name: "." - forward-addr: 2001:8b0:aab5:c401::1:3 - forward-addr: 2001:8b0:aab5:c401::1:4 +<% forwarders.split.each do |addr| -%> + forward-addr: <%= addr %> +<% end -%> forward-first: yes -<% else %> +<% end %> + +<% if not defined?(nolocal) %> # This server is a resolver, so it wants a local copy of all zones. # SiKol zones |
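Review bot: The rewritten comment above `local_zones.split.each` says the zones are marked insecure "if they're local zones", but the code guards `domain-insecure:` on `not defined?(nolocal)`, i.e. on whether this server holds a local copy, which is a different condition and leaves a reader guessing why the `-Dnolocal` hosts keep validating them. Suggest ending the comment with `# On -Dnolocal servers, which resolve these zones over the network, leave DNSSEC validation on.` so that the prose matches the test. `private-domain:` is still emitted for every zone on nolocal hosts, which is what lets them accept private addresses from the network copies and looks intentional.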
