2 ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
3 ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
# Listener and access-control section of the generated unbound config.
# The listing is not contiguous (the gutter numbers skip), so which of the
# lines below sit inside this `if` cannot be confirmed from here.
# Condition: the node is flagged resolver-recursive AND its hoster entry
# defines allow_dns_query.
11 if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query']
# Bind to every IPv4 and IPv6 address. The resolver is then reachable from any
# network that can route to this host, so the access-control entries below are
# what keeps it from answering arbitrary clients (open resolver).
12 out << " interface: 0.0.0.0"
13 out << " interface: ::0"
# Send replies from the address the query arrived on (matters on multi-homed hosts).
15 out << " interface-automatic: yes"
# Default-deny for all IPv4 and IPv6 clients, then allow loopback only.
# unbound applies the most specific matching netblock, so the order of these
# entries does not change the result.
17 out << " access-control: 0.0.0.0/0 refuse"
18 out << " access-control: ::0/0 refuse"
19 out << " access-control: 127.0.0.0/8 allow"
# NOTE(review): repeats the ::0/0 refuse entry already emitted above; redundant.
20 out << " access-control: ::0/0 refuse"
21 out << " access-control: ::1 allow"
# IPv4-mapped form of the loopback address.
22 out << " access-control: ::ffff:127.0.0.1 allow"
# One allow entry per network in the hoster's allow_dns_query list. Values are
# interpolated as-is: an overly broad entry (for example a /0) would override
# the default-deny above, so the list should be validated where nodeinfo is defined.
# NOTE(review): this reads `nodeinfo` directly while the condition uses
# scope.lookupvar('site::nodeinfo') - confirm both refer to the same data.
23 nodeinfo['hoster']['allow_dns_query'].each do |net|
24 out << " access-control: #{net} allow"
35 # Do not query the following addresses. No DNS queries are sent there.
36 # List one address per entry. List classless netblocks with /size,
37 # do-not-query-address: 127.0.0.1/8
38 # do-not-query-address: ::1
40 # if yes, the above default do-not-query-address entries are present.
41 # if no, localhost can be queried (for testing and debugging).
42 # do-not-query-localhost: yes
44 # File with trusted keys, kept up to date using RFC5011 probes,
45 # initial file like trust-anchor-file, then it stores metadata.
46 # Use several entries, one per domain name, to track multiple zones.
47 # auto-trust-anchor-file: ""
# DNSSEC trust anchors: the root zone plus, judging by the file name, a
# separate anchor for debian.org (TODO confirm). unbound rewrites these files
# as RFC5011 tracking progresses, so they must be writable by the unbound user.
# Whoever can modify them controls what validates as secure, so write access
# should be limited to that user.
48 auto-trust-anchor-file: "/var/lib/unbound/root.key"
49 auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
# Forwarding section. Upstream forwarders are taken from the hoster's
# nameservers list only when this node is NOT a recursive resolver and the
# hoster's nameservers are NOT flagged nameservers_break_dnssec.
# NOTE(review): presumably the flag exists because this config validates DNSSEC
# (auto-trust-anchor-file entries appear earlier in the file) and forwarders
# that drop DNSSEC records would make validation fail - confirm.
53 if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec']
54 forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers']
# The lines between the assignment and the loop are not visible in this
# listing, so how an empty or unset `forwarders` is handled cannot be confirmed.
57 out << 'forward-zone:'
# One forward-addr per hoster nameserver, interpolated as-is. Answers for
# unsigned zones cannot be validated and are accepted from these forwarders,
# so the nameservers list is security-relevant data and deserves the same
# review as any other trust setting.
59 forwarders.each do |ns|
60 out << " forward-addr: #{ns}"
65 if hostname == "zappa"
66 out << "edns-buffer-size: 512"