<%# vim:set noet ts=8 sw=8 sts=8:
# Standard unbound.conf for a resolver.
#
# ERB template. Template inputs used below: servername, confdir, lfnetworks,
# local_zones, dn42_zones, master_addr, master, dn42_master, plus the
# optional switches forwarder/forwarders, tls, nat64_prefix and nolocal.
# Listen addresses are not set here; they come from the included
# unbound.conf.local.
%>
server:
	# Validator runs before the iterator, so answers are DNSSEC-validated.
	module-config: "validator iterator"
	# NOTE(review): identity and version are answerable over CHAOS
	# (id.server / version.bind) because both hide-* are "no"; setting
	# hide-version: yes would remove the version fingerprint without
	# affecting resolution.
	identity: <%= servername %>
	hide-identity: no
	hide-version: no
	hide-http-user-agent: yes
	# RFC 5011 managed root trust anchor. Unbound rewrites this file on
	# key rollover, so it must be writable by the unbound user.
	auto-trust-anchor-file: "<%= confdir %>/secondary/root.key"
<% if defined?(forwarder) -%>
	# Be more forgiving of broken servers, so that everything doesn't stop
	# working if the network is down for a bit.
	infra-keep-probing: yes
	infra-host-ttl: 60
	log-servfail: yes
<% end %>
	# The local config file configures listen addresses.
	include: "<%= confdir %>/unbound.conf.local"
	# Allow access from LF networks. One rule per whitespace-separated
	# entry; if lfnetworks is empty no allow rule is rendered and only
	# Unbound's built-in localhost rules remain (other clients refused).
<% lfnetworks.split.each do |network| -%>
	access-control: <%= network %> allow
<% end %>
	# We might want to enable this in the future.
	#use-caps-for-id: yes
	#caps-exempt: example.org
	# Upstream queries go in the clear; responses to queries that arrived
	# over TLS are padded.
	tls-upstream: no
	pad-responses: yes
<%# quic-port: 853 %>
	# Networks that shouldn't be found in public zones. Answers carrying
	# these addresses are stripped unless the name is under a
	# private-domain (DNS rebinding protection).
	private-address: 169.254.0.0/16
	private-address: fe80::/10
	private-address: ::ffff:0:0/96
	private-address: 64:ff9b::/96
	# General tuning.
	prefer-ip6: yes
	rrset-cache-size: 128m
	# Flush the cache once this many unsolicited replies have been seen;
	# a defence against spoofing/poisoning attempts.
	unwanted-reply-threshold: 10000
	minimal-responses: yes
	# Make Unbound be more lenient when resolving long CNAME chains.
	max-query-restarts: 15
	# Cap on the number of upstream sends for a single client query.
	max-global-quota: 256
	# Prefetch expiring records, and serve expired records if needed.
	# Stale data is served for up to 30s past expiry (serve-expired-ttl)
	# with a 30s reply TTL, after waiting up to 1800ms for a fresh answer
	# (serve-expired-client-timeout is in milliseconds).
	prefetch: yes
	prefetch-key: yes
	serve-expired: yes
	serve-expired-ttl: 30
	serve-expired-ttl-reset: yes
	serve-expired-reply-ttl: 30
	serve-expired-client-timeout: 1800
	# Extended DNS Errors, including a "stale answer" marker on expired
	# data, so clients can tell why an answer looks odd.
	ede: yes
	ede-serve-expired: yes
<% if defined?(tls) -%>
	# DNS over TLS (853) and DNS over HTTPS (443) service. The interfaces
	# that actually listen on these ports are presumably declared in
	# unbound.conf.local — TODO confirm.
	tls-service-key: "<%= confdir %>/tls/key.pem"
	tls-service-pem: "<%= confdir %>/tls/cert.pem"
	# NOTE(review): tls-use-sni concerns upstream TLS connections, which
	# are disabled above (tls-upstream: no); likely a no-op here — confirm.
	tls-use-sni: yes
	tls-port: 853
	https-port: 443
<% end %>
<% if defined?(nat64_prefix) -%>
	do-nat64: yes
	nat64-prefix: <%= nat64_prefix %>
<% end %>
	# Private addresses that should not be found in Internet zones.
<% lfnetworks.split.each do |network| -%>
	private-address: <%= network %>
<% end %>
	# Names that are allowed to resolve to the private addresses above.
	private-domain: sikol.co.uk
	# Local zones that we want to serve. Mark these as private so we accept our
	# addresses, and if they're local zones, mark them as insecure so that the
	# resolver doesn't try to validate the DNSSEC chain (which would break DNS
	# without Internet access). domain-insecure disables validation for the
	# whole subtree, so keep this list to zones that are genuinely unsigned.
<% local_zones.split.each do |zone| -%>
	private-domain: <%= zone %>
<% if not defined?(nolocal) -%>
	domain-insecure: <%= zone %>
<% end -%>
<% end -%>
	# DN42 zones. These don't need to be private, but should be insecure for now.
	# Ideally we'd have a way to validate these properly.
	# "nodefault" presumably lifts any built-in local-zone handling so the
	# query reaches the stub-zone declared further down — verify per zone.
<% dn42_zones.split.each do |zone| %>
	local-zone: <%= zone %>. nodefault
	domain-insecure: <%= zone %>.
<% end %>
remote-control:
	# Control channel bound to loopback only (::1) and mutually
	# authenticated with the server/control key and cert pairs below.
	control-enable: yes
	control-interface: ::1
	control-port: 8954
	server-key-file: "<%= confdir %>/unbound_server.key"
	server-cert-file: "<%= confdir %>/unbound_server.pem"
	control-key-file: "<%= confdir %>/unbound_control.key"
	control-cert-file: "<%= confdir %>/unbound_control.pem"
<% if defined?(forwarder) %>
	# This server is a forwarder.
	# One forward-addr per whitespace-separated entry in forwarders; with
	# forward-first, Unbound recurses itself if the forwarders fail.
forward-zone:
	name: "."
<% forwarders.split.each do |addr| -%>
	forward-addr: <%= addr %>
<% end -%>
	forward-first: yes
<% end %>
<% if not defined?(nolocal) %>
	# This server is a resolver, so it wants a local copy of all zones.
	# Each auth-zone is transferred from master_addr and used only to
	# answer upstream lookups (for-upstream: yes, for-downstream: no);
	# fallback-enabled lets normal recursion take over if the copy is
	# unavailable.
	# NOTE(review): these transfers are plain AXFR/IXFR with no TSIG, so
	# zone integrity rests on the network path to master_addr — confirm
	# that is acceptable.
	# SiKol zones
auth-zone:
	name: "lethe.sikol.co.uk"
	primary: <%= master_addr %> # <%= master %>
	fallback-enabled: yes
	for-downstream: no
	for-upstream: yes
	zonefile: <%= confdir %>/secondary/lethe.sikol.co.uk
auth-zone:
	name: "_msdcs.lethe.sikol.co.uk"
	primary: <%= master_addr %> # <%= master %>
	fallback-enabled: yes
	for-downstream: no
	for-upstream: yes
	zonefile: <%= confdir %>/secondary/_msdcs.lethe.sikol.co.uk
	# Local internet DNS zones
<% local_zones.split.each do |zone| %>
auth-zone:
	name: <%= zone %>
	primary: <%= master_addr %> # <%= master %>
	fallback-enabled: yes
	for-downstream: no
	for-upstream: yes
	# Slashes in a zone name (e.g. reverse zones) are not valid in a file
	# name, so they are replaced for the on-disk copy.
	zonefile: <%= confdir %>/secondary/<%= zone.gsub('/', '_') %>
<% end %>
	# DN42 zones
	# Stub zones send queries for each zone straight to dn42_master
	# instead of recursing from the root.
<% dn42_zones.split.each do |zone| %>
stub-zone:
	name: <%= zone %>.
	stub-addr: <%= dn42_master %>
<% end %>
<% end %>