<%# vim:set noet ts=8 sw=8 sts=8: # Standard unbound.conf for a resolver. %> server: module-config: "validator iterator" identity: <%= servername %> hide-identity: no hide-version: no hide-http-user-agent: yes auto-trust-anchor-file: "<%= confdir %>/secondary/root.key" <% if defined?(forwarder) -%> # Be more forgiving of broken servers, so that everything doesn't stop # working if the network is down for a bit. infra-keep-probing: yes infra-host-ttl: 60 log-servfail: yes <% end %> # The local config file configures listen addresses. include: "<%= confdir %>/unbound.conf.local" # Allow access from LF networks. include: "<%= confdir %>/allow_ldap.conf" # We might want to enable this in the future. #use-caps-for-id: yes #caps-exempt: example.org tls-upstream: no pad-responses: yes <%# quic-port: 853 -%> # Networks that shouldn't be found in public zones. private-address: 169.254.0.0/16 private-address: fe80::/10 private-address: ::ffff:0:0/96 private-address: 64:ff9b::/96 include: "<%= confdir %>/private_ldap.conf" # General tuning. prefer-ip6: yes rrset-cache-size: 128m unwanted-reply-threshold: 10000 minimal-responses: yes # Make Unbound be more lenient when resolving long CNAME chains. max-query-restarts: 15 max-global-quota: 256 # Prefetch expiring records, and serve expired records if needed. prefetch: yes prefetch-key: yes serve-expired: yes serve-expired-ttl: 30 serve-expired-ttl-reset: yes serve-expired-reply-ttl: 30 serve-expired-client-timeout: 1800 ede: yes ede-serve-expired: yes <% if defined?(tls) -%> tls-service-key: "<%= confdir %>/tls/key.pem" tls-service-pem: "<%= confdir %>/tls/cert.pem" tls-use-sni: yes tls-port: 853 https-port: 443 <% end -%> <% if defined?(nat64_prefix) -%> do-nat64: yes nat64-prefix: <%= nat64_prefix %> <% end -%> private-domain: sikol.co.uk # Local zones that we want to serve. Mark these as private so we # accept our addresses, and if they're local zones, mark them as # insecure so that the resolver doesn't try to validate the DNSSEC # chain (which would break DNS without Internet access). <% local_zones.split.each do |zone| -%> private-domain: <%= zone %> <% if not defined?(nolocal) -%> domain-insecure: <%= zone %> <% end -%> <% end -%> # Zones which are always insecure, because they don't exist on the # Internet. <% insecure_zones.split.each do |zone| -%> domain-insecure: <%= zone %> <% end -%> remote-control: control-enable: yes control-interface: ::1 control-port: 8954 server-key-file: "<%= confdir %>/unbound_server.key" server-cert-file: "<%= confdir %>/unbound_server.pem" control-key-file: "<%= confdir %>/unbound_control.key" control-cert-file: "<%= confdir %>/unbound_control.pem" <% if defined?(forwarder) -%> # This server is a forwarder. forward-zone: name: "." <% forwarders.split.each do |addr| -%> forward-addr: <%= addr %> <% end -%> forward-first: yes <% end -%> <% if not defined?(nolocal) -%> # This server is a resolver, so it wants a local copy of all zones. # SiKol zones auth-zone: name: "lethe.sikol.co.uk" primary: <%= master_addr %> # <%= master %> fallback-enabled: yes for-downstream: no for-upstream: yes zonefile: <%= confdir %>/secondary/lethe.sikol.co.uk auth-zone: name: "_msdcs.lethe.sikol.co.uk" primary: <%= master_addr %> # <%= master %> fallback-enabled: yes for-downstream: no for-upstream: yes zonefile: <%= confdir %>/secondary/_msdcs.lethe.sikol.co.uk # Local internet DNS zones <% local_zones.split.each do |zone| -%> auth-zone: name: <%= zone %> primary: <%= master_addr %> # <%= master %> fallback-enabled: yes for-downstream: no for-upstream: yes zonefile: <%= confdir %>/secondary/<%= zone.gsub('/', '_') %> <% end -%> <% end %>