X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Funbound%2Ftemplates%2Funbound.conf.erb;h=4206f81b2ae3a089c3b869547c29255b47c7ddc0;hb=6680306de7b2f9911a4da12b8484d3431056ea53;hp=4680b3350b6c41ed483809b9867d002e2eaeec1e;hpb=5eec87e1f0ec58dbd106bbffbeaa1fc4b381c9ab;p=mirror%2Fdsa-puppet.git

diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index 4680b3350..4206f81b2 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -43,14 +43,22 @@ server:
 	# auto-trust-anchor-file: ""
 	auto-trust-anchor-file: "/var/lib/unbound/root.key"
 	auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+<% if not @firewall_blocks_dns %>
 	auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key"
+<% end -%>
+
+	prefetch: yes
+	prefetch-key: yes
 
+
+<% if not @firewall_blocks_dns %>
 local-zone: "29.172.in-addr.arpa" nodefault
 forward-zone:
 	name: "29.172.in-addr.arpa"
 	forward-host: geo1.debian.org
 	forward-host: geo2.debian.org
 	forward-host: geo3.debian.org
+<% end -%>
 
 # recursive: <%= @is_recursor ? "y" : "n" %>
 <% if not @is_recursor -%>
@@ -59,7 +67,5 @@ forward-zone:
 <% @ns.to_a.flatten.each do |nms| -%>
 	forward-addr: <%= nms %>
 <% end -%>
-	# This will actually only work starting with unbound 1.4.18 (wheezy has 1.4.17)
-	# previously, forward-first was not implemented for the root zone.
 	forward-first: yes
 <% end -%>