From 5cafd30fce6e27728e651d86a9740c296a63e965 Mon Sep 17 00:00:00 2001
From: Lexi Winter
Date: Sat, 12 Jul 2025 09:21:26 +0100
Subject: unbound: use lfldap for local network list
---
 unbound.conf.erb | 45 ++++++++++++++++++++------------------------
 1 file changed, 20 insertions(+), 25 deletions(-)
(limited to 'unbound.conf.erb')
diff --git a/unbound.conf.erb b/unbound.conf.erb
index 1490c41..b807b3b 100644
--- a/unbound.conf.erb
+++ b/unbound.conf.erb
@@ -24,9 +24,7 @@ server:
   include: "<%= confdir %>/unbound.conf.local"
 # Allow access from LF networks.
-<% lfnetworks.split.each do |network| -%>
-  access-control: <%= network %> allow
-<% end %>
+  include: "<%= confdir %>/allow_ldap.conf"
 # We might want to enable this in the future.
 #use-caps-for-id: yes
@@ -34,13 +32,14 @@ server:
   tls-upstream: no
   pad-responses: yes
-<%# quic-port: 853 %>
+<%# quic-port: 853 -%>
 # Networks that shouldn't be found in public zones.
   private-address: 169.254.0.0/16
   private-address: fe80::/10
   private-address: ::ffff:0:0/96
   private-address: 64:ff9b::/96
+  include: "<%= confdir %>/private_ldap.conf"
 # General tuning.
   prefer-ip6: yes
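Review bot: The `include: "<%= confdir %>/allow_ldap.conf"` that replaces the templated `access-control:` loop moves the resolver's client allow-list into a file generated from LDAP, but nothing in the template constrains what that file may contain; unbound parses an included file in place, so any directive written into it lands inside `server:`, and a bad or attacker-influenced directory entry rendered as `access-control: 0.0.0.0/0 allow` would turn this into an open resolver. I would have the generator (not shown in this commit, presumably the lfldap tooling named in the subject) validate every value as a CIDR before writing it and emit only `access-control:` lines, and run `unbound-checkconf` before reload so a malformed file fails the sync rather than the resolver. As far as I recall a non-glob `include:` of a missing file is a fatal config error, so an absent file also takes the resolver down rather than merely refusing clients. A comment at the include would make the contract explicit: `# Generated by lfldap; must contain only "access-control: <cidr> allow" lines. A missing or malformed file stops unbound from (re)loading.`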
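Review bot: The new `include: "<%= confdir %>/private_ldap.conf"` under the private-address block fails open in a way the allow-list include does not: if the LDAP-generated file is empty or the sync never ran, unbound simply stops stripping the LF ranges out of public answers, re-enabling DNS rebinding against those networks, whereas an empty allow-list merely refuses clients. Before this change both lists were rendered from the single `lfnetworks` value, so they could not drift; now two independently generated files must agree, and a network present in allow_ldap.conf but absent from private_ldap.conf is silently unprotected. I'd either derive both files from one generator run or add a deployment check that every CIDR in allow_ldap.conf also appears in private_ldap.conf, and note the fail-open behaviour at the include: `# Generated by lfldap; keep in sync with allow_ldap.conf — an empty file silently disables rebinding protection for LF ranges.`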
@@ -71,24 +70,19 @@ server:
   tls-use-sni: yes
   tls-port: 853
   https-port: 443
-<% end %>
+<% end -%>
 <% if defined?(nat64_prefix) -%>
   do-nat64: yes
   nat64-prefix: <%= nat64_prefix %>
-<% end %>
-
-# Private addresses that should not be found in Internet zones.
-<% lfnetworks.split.each do |network| -%>
-  private-address: <%= network %>
-<% end %>
+<% end -%>
   private-domain: sikol.co.uk
-# Local zones that we want to serve. Mark these as private so we accept our
-# addresses, and if they're local zones, mark them as insecure so that the
-# resolver doesn't try to validate the DNSSEC chain (which would break DNS
-# without Internet access).
+  # Local zones that we want to serve. Mark these as private so we
+  # accept our addresses, and if they're local zones, mark them as
+  # insecure so that the resolver doesn't try to validate the DNSSEC
+  # chain (which would break DNS without Internet access).
 <% local_zones.split.each do |zone| -%>
   private-domain: <%= zone %>
 <% if not defined?(nolocal) -%>
@@ -96,17 +90,18 @@ server:
 <% end -%>
 <% end -%>
-# Zones which are always insecure, because they don't exist on the Internet.
+  # Zones which are always insecure, because they don't exist on the
+  # Internet.
 <% insecure_zones.split.each do |zone| -%>
   domain-insecure: <%= zone %>
 <% end -%>
-# DN42 zones. These don't need to be private, but should be insecure for now.
-# Ideally we'd have a way to validate these properly.
-<% dn42_zones.split.each do |zone| %>
+  # DN42 zones. These don't need to be private, but should be insecure
+  # for now. Ideally we'd have a way to validate these properly.
+<% dn42_zones.split.each do |zone| -%>
   local-zone: <%= zone %>. nodefault
   domain-insecure: <%= zone %>.
-<% end %>
+<% end -%>
 remote-control:
   control-enable: yes
@@ -119,7 +114,7 @@ remote-control:
   control-key-file: "<%= confdir %>/unbound_control.key"
   control-cert-file: "<%= confdir %>/unbound_control.pem"
-<% if defined?(forwarder) %>
+<% if defined?(forwarder) -%>
 # This server is a forwarder.
 forward-zone:
   name: "."
@@ -127,9 +122,9 @@ forward-zone:
   forward-addr: <%= addr %>
 <% end -%>
   forward-first: yes
-<% end %>
+<% end -%>
-<% if not defined?(nolocal) %>
+<% if not defined?(nolocal) -%>
 # This server is a resolver, so it wants a local copy of all zones.
 # SiKol zones
@@ -150,7 +145,7 @@ auth-zone:
   zonefile: <%= confdir %>/secondary/_msdcs.lethe.sikol.co.uk
 # Local internet DNS zones
-<% local_zones.split.each do |zone| %>
+<% local_zones.split.each do |zone| -%>
 auth-zone:
   name: <%= zone %>
   primary: <%= master_addr %> # <%= master %>
@@ -161,7 +156,7 @@ auth-zone:
 <% end %>
 # DN42 zones
-<% dn42_zones.split.each do |zone| %>
+<% dn42_zones.split.each do |zone| -%>
 stub-zone:
   name: <%= zone %>.
   stub-addr: <%= dn42_master %>
-- 
cgit v1.2.3