From: Peter Palfrader <peter@palfrader.org>
Date: Tue, 9 Oct 2018 18:21:21 +0000 (+0200)
Subject: Do not put our 29.172.in-addr.arpa zone into unbound configs behind fascist firewalls, 4
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=7bc1c500a16a18dcec7b729eecdbd566dae849ee;p=mirror%2Fdsa-puppet.git

Do not put our 29.172.in-addr.arpa zone into unbound configs behind fascist firewalls, 4
---

diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index e33b519c5..4206f81b2 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -43,7 +43,9 @@ server:
 	# auto-trust-anchor-file: ""
 	auto-trust-anchor-file: "/var/lib/unbound/root.key"
 	auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+<% if not @firewall_blocks_dns %>
 	auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key"
+<% end -%>
 
 	prefetch: yes
 	prefetch-key: yes