From 7bc1c500a16a18dcec7b729eecdbd566dae849ee Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 9 Oct 2018 20:21:21 +0200
Subject: [PATCH] Do not put our 29.172.in-addr.arpa zone into unbound configs behind fascist firewalls, 4
---
 modules/unbound/templates/unbound.conf.erb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index e33b519c5..4206f81b2 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -43,7 +43,9 @@ server:
 # auto-trust-anchor-file: ""
 auto-trust-anchor-file: "/var/lib/unbound/root.key"
 auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+<% if not @firewall_blocks_dns %>
 auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key"
+<% end -%>
 prefetch: yes
 prefetch-key: yes
-- 
2.20.1
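Review bot: The new `<% if not @firewall_blocks_dns %>` guard in the `server:` section has no comment recording what is given up on the hosts it applies to, and its opening tag does not trim its newline the way `<% end -%>` does. With the anchor left out, answers under 29.172.in-addr.arpa are presumably treated as insecure rather than validated on those hosts, so a line above the guard such as `# 29.172.in-addr.arpa anchor is left out where the firewall blocks DNS; that zone is not DNSSEC-validated there` would keep anyone from relying on those PTR records as authenticated. Writing the opening tag as `<% if not @firewall_blocks_dns -%>` would also keep a stray blank line out of the rendered config. The `server:` block starts and ends outside the hunk, so whether other settings for this zone (stub, forward or local-zone entries, if any) need the same guard cannot be checked from here.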