Diffstat (limited to 'unbound.conf.erb')
| -rw-r--r-- | unbound.conf.erb | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/unbound.conf.erb b/unbound.conf.erb
index 5136093..b2f1f6e 100644
--- a/unbound.conf.erb
+++ b/unbound.conf.erb
@@ -14,9 +14,31 @@ server:
 auto-trust-anchor-file: "<%= confdir %>/secondary/root.key"
- # The local config file configures listen addresses.
+<% if defined?(forwarder) %>
+ # Forwarders only listen on localhost.
+ interface: ::1
+ # Only localhost has access.
+ access-control: ::1 allow
+
+ # Be more forgiving of broken servers, so that everything doesn't stop
+ # working if the network is down for a bit.
+ infra-keep-probing: yes
+ infra-host-ttl: 60
+ log-servfail: yes
+<% else %>
+ # For resolvers, the local config file configures listen addresses.
 include: "<%= confdir %>/unbound.conf.local"
+ # Allow access from LF networks.
+<% lfnetworks.split.each do |network| %>
+ access-control: <%= network %> allow
+<% end %>
+
+ # We might want to enable this in the future.
+ #use-caps-for-id: yes
+ #caps-exempt: example.org
+<% end %>
+
 tls-upstream: no
 pad-responses: yes
 <%# quic-port: 853 %>
@@ -63,9 +85,9 @@ server:
 nat64-prefix: <%= nat64_prefix %>
 <% end %>
+# Private addresses that should not be found in Internet zones.
 <% lfnetworks.split.each do |network| %>
 private-address: <%= network %>
- access-control: <%= network %> allow
 <% end %>
 private-domain: sikol.co.uk
@@ -95,6 +117,16 @@ remote-control:
 control-key-file: "<%= confdir %>/unbound_control.key"
 control-cert-file: "<%= confdir %>/unbound_control.pem"
+<% if defined?(forwarder) %>
+# This server is a forwarder.
+forward-zone:
+ name: "."
+ forward-addr: 2001:8b0:aab5:c401::1:3
+ forward-addr: 2001:8b0:aab5:c401::1:4
+ forward-first: yes
+<% else %>
+# This server is a resolver, so it wants a local copy of all zones.
+
 # SiKol zones
 auth-zone:
 name: "lethe.sikol.co.uk"
@@ -129,3 +161,5 @@ stub-zone:
 name: <%= zone %>.
 stub-addr: <%= dn42_master %>
 <% end %>
+
+<% end %> |
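Review bot: `<% if defined?(forwarder) %>` in the first hunk picks the forwarder branch whenever a local named forwarder exists in the template binding, whatever its value, so a host rendered with forwarder set to false or nil would still get the localhost-only interface and the forwarder settings instead of the resolver ones; the same test is repeated in the third hunk. If the variable is only ever supplied for forwarder hosts this works as intended, but `<% if defined?(forwarder) && forwarder %>` in both places makes that contract explicit and survives a caller that always passes the key. The `server:` block this hunk sits in begins before the hunk, and the blank lines of the original are not recoverable from this rendering.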
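Review bot: `forward-first: yes` in the third hunk's forward-zone lets unbound fall back to iterative resolution whenever the two forward-addr hosts fail to answer, so an upstream outage silently changes where this forwarder's queries go instead of surfacing as SERVFAIL; combined with `tls-upstream: no` from the first hunk, both the forwarded and the fallback queries leave the host in cleartext. If the two upstreams are meant to be the only egress path, `forward-first: no` (unbound's default) keeps failures visible, and whichever is intended deserves a one-line comment next to it, e.g. `# forward-first: fall back to direct resolution when both upstreams are down.`. The `<% else %>` branch opened here is closed by the `<% end %>` added in the fourth hunk.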
