## ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## server: verbosity: 1 <%= out = [] if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'] out << " interface: 0.0.0.0" out << " interface: ::0" out << "" out << " interface-automatic: yes" out << " access-control: 0.0.0.0/0 refuse" out << " access-control: ::0/0 refuse" out << " access-control: 127.0.0.0/8 allow" out << " access-control: ::0/0 refuse" out << " access-control: ::1 allow" out << " access-control: ::ffff:127.0.0.1 allow" scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'].each do |net| out << " access-control: #{net} allow" end end out.join("\n") %> #chroot: "" hide-identity: yes hide-version: yes # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, # do-not-query-address: 127.0.0.1/8 # do-not-query-address: ::1 # if yes, the above default do-not-query-address entries are present. # if no, localhost can be queried (for testing and debugging). # do-not-query-localhost: yes # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. # Use several entries, one per domain name, to track multiple zones. # auto-trust-anchor-file: "" auto-trust-anchor-file: "/var/lib/unbound/root.key" auto-trust-anchor-file: "/var/lib/unbound/debian.org.key" <%= out = [] if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec'] forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] forwarders ||= [] out << 'forward-zone:' out << ' name: "."' forwarders.each do |ns| out << " forward-addr: #{ns}" end end if hostname == "zappa" out << "edns-buffer-size: 512" end out.join("\n") %>