rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1

- create unbound role - create kea_dhcp role - configure unbound and keadhcp on rt1(z9 host)
2026-05-24 04:01:11 +02:00 · 2026-05-24 04:01:11 +02:00 · 866005c055
commit 866005c055
parent 50cf34e3f3
24 changed files with 1043 additions and 0 deletions
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@ -0,0 +1,73 @@
+# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+#      unbound.conf(5) man page
+server:
+    {% if unbound_enable_dnssec -%}
+    # disable chroot because unbound is the only thing running on the VM
+    # and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file
+    chroot: ""
+
+    # location of the trust anchor file that enables DNSSEC
+    # this file is generated by the `unbound-anchor` command
+    auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
+    {% endif -%}
+
+	# use all CPUs
+	num-threads: 2
+
+	# more cache memory
+    rrset-cache-size: 60m
+    msg-cache-size: 30m
+
+	# prefetch to keep the cache up to date
+	prefetch: yes
+
+	# fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
+	prefetch-key: yes
+
+	# Faster UDP with multithreading (only on Linux).
+    so-reuseport: yes
+
+	# disable special large send buffer handling and just use kernel defaults
+    so-sndbuf: 0
+
+    # send minimal amount of information to upstream servers to enhance privacy
+    qname-minimisation: yes
+
+    # specify the interface to answer queries from by ip-address.
+    {% for i in unbound_bind_interfaces -%}
+    interface: "{{ i }}"
+    {% endfor %}
+
+    # addresses from the IP range that are allowed to connect to the resolver
+    {% for i in unbound_access_control -%}
+    access-control: {{ i }}
+    {% endfor -%}
+
+    {% for i in unbound_private_domain -%}
+    private-domain: {{ i }}
+    {% endfor -%}
+
+    # The number of seconds between printing statistics to the log for every thread.
+    statistics-interval: 0
+
+    # Extended statistics are printed, Keeping track of more statistics takes time.
+    extended-statistics: yes
+
+remote-control:
+    control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
+    control-interface: /run/unbound-control.sock
+
+
+# configure some zones for which this resolver will act authoritatively
+# https://www.dns.icann.org/services/axfr/
+{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
+auth-zone:
+    name: "{{ i }}"
+    primary: "lax.xfr.dns.icann.org"
+    primary: "iad.xfr.dns.icann.org"
+    fallback-enabled: yes
+    for-downstream: no
+    for-upstream: yes
+
+
+{% endfor %}