2 ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
3 ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
9 <% if (@is_recursor and (not @client_ranges.empty?)) -%>
13 interface-automatic: yes
15 access-control: 0.0.0.0/0 refuse
16 access-control: ::0/0 refuse
17 access-control: 127.0.0.0/8 allow
18 access-control: ::0/0 refuse
19 access-control: ::1 allow
20 access-control: ::ffff:127.0.0.1 allow
21 <% @client_ranges.to_a.flatten.each do |net| -%>
22 access-control: <%= net -%> allow
31 # Do not query the following addresses. No DNS queries are sent there.
32 # List one address per entry. List classless netblocks with /size,
33 # do-not-query-address: 127.0.0.1/8
34 # do-not-query-address: ::1
36 # if yes, the above default do-not-query-address entries are present.
37 # if no, localhost can be queried (for testing and debugging).
38 # do-not-query-localhost: yes
40 # File with trusted keys, kept uptodate using RFC5011 probes,
41 # initial file like trust-anchor-file, then it stores metadata.
42 # Use several entries, one per domain name, to track multiple zones.
43 # auto-trust-anchor-file: ""
44 auto-trust-anchor-file: "/var/lib/unbound/root.key"
45 auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
46 auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key"
48 local-zone: "29.172.in-addr.arpa" nodefault
50 name: "29.172.in-addr.arpa"
51 forward-host: geo1.debian.org
52 forward-host: geo2.debian.org
53 forward-host: geo3.debian.org
55 # recursive: <%= @is_recursor ? "y" : "n" %>
56 <% if not @is_recursor -%>
59 <% @ns.to_a.flatten.each do |nms| -%>
60 forward-addr: <%= nms %>
62 <% if @lsbmajdistrelease >= '7' -%>
63 # This will actually only work starting with unbound 1.4.18 (wheezy has 1.4.17)
64 # previously, forward-first was not implemented for the root zone.