X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Funbound%2Ftemplates%2Funbound.conf.erb;h=d909f74c974b8dab45ee15d810318cb36d698b70;hb=87e8c26653128159565d887ecc9172aa65010e1f;hp=35610496c77cfaf5bf87429d22b2cc0177fca52a;hpb=05faa1898f975f27c9ccbec5b4e45ac776d64b4e;p=mirror%2Fdsa-puppet.git diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb index 35610496c..d909f74c9 100644 --- a/modules/unbound/templates/unbound.conf.erb +++ b/modules/unbound/templates/unbound.conf.erb @@ -6,38 +6,32 @@ server: verbosity: 1 - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). - # specify 0.0.0.0 and ::0 to bind to all available interfaces. - # specify every interface[@port] on a new 'interface:' labelled line. - # The listen interfaces are not changed on reload, only on restart. - # interface: 192.0.2.153 - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. - interface-automatic: yes - - # control which clients are allowed to make (recursive) queries - # to this server. Specify classless netblocks with /size and action. - # By default everything is refused, except for localhost. - # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) - # access-control: 0.0.0.0/0 refuse - # access-control: 127.0.0.0/8 allow - # access-control: ::0/0 refuse - # access-control: ::1 allow - # access-control: ::ffff:127.0.0.1 allow +<%= + out = [] + if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'] + out << " interface: 0.0.0.0" + out << " interface: ::0" + out << "" + out << " interface-automatic: yes" + + out << " access-control: 0.0.0.0/0 refuse" + out << " access-control: ::0/0 refuse" + out << " access-control: 127.0.0.0/8 allow" + out << " access-control: ::0/0 refuse" + out << " access-control: ::1 allow" + out << " access-control: ::ffff:127.0.0.1 allow" + scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'].each do |net| + out << " access-control: #{net} allow" + end + end + out.join("\n") +%> #chroot: "" hide-identity: yes hide-version: yes - use-caps-for-id: yes - # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, # do-not-query-address: 127.0.0.1/8 @@ -54,7 +48,23 @@ server: auto-trust-anchor-file: "/var/lib/unbound/root.key" auto-trust-anchor-file: "/var/lib/unbound/debian.org.key" -#forward-zone: -# name: "." -# forward-addr: 192.0.2.1 -# forward-addr: 192.0.2.199 +<%= + out = [] + if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec'] + forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] + forwarders ||= [] + + out << 'forward-zone:' + out << ' name: "."' + forwarders.each do |ns| + out << " forward-addr: #{ns}" + end + end + + + if hostname == "zappa" + out << "edns-buffer-size: 512" + end + + out.join("\n") +%>