## ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## server: verbosity: 1 <% if (@is_recursor and (not @client_ranges.empty?)) -%> interface: 0.0.0.0 interface: ::0 interface-automatic: yes access-control: 0.0.0.0/0 refuse access-control: ::0/0 refuse access-control: 127.0.0.0/8 allow access-control: ::0/0 refuse access-control: ::1 allow access-control: ::ffff:127.0.0.1 allow <% @client_ranges.to_a.flatten.each do |net| -%> access-control: <%= net -%> allow <% end -%> <% end -%> #chroot: "" hide-identity: yes hide-version: yes # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, # do-not-query-address: 127.0.0.1/8 # do-not-query-address: ::1 # if yes, the above default do-not-query-address entries are present. # if no, localhost can be queried (for testing and debugging). # do-not-query-localhost: yes # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. # Use several entries, one per domain name, to track multiple zones. # auto-trust-anchor-file: "" auto-trust-anchor-file: "/var/lib/unbound/root.key" auto-trust-anchor-file: "/var/lib/unbound/debian.org.key" <% if not @firewall_blocks_dns %> auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key" <% end -%> prefetch: yes prefetch-key: yes <% if not @firewall_blocks_dns %> local-zone: "29.172.in-addr.arpa" nodefault forward-zone: name: "29.172.in-addr.arpa" forward-host: geo1.debian.org forward-host: geo2.debian.org forward-host: geo3.debian.org <% end -%> # recursive: <%= @is_recursor ? "y" : "n" %> <% if not @is_recursor -%> forward-zone: name: "." <% @ns.to_a.flatten.each do |nms| -%> forward-addr: <%= nms %> <% end -%> forward-first: yes <% end -%>