diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 3b038c6..2cf2261 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -6,6 +6,11 @@ ansible.builtin.package: name: unbound + - name: install unbound-anchor + become: true + ansible.builtin.package: + name: unbound-anchor + - name: ensure correct directory permissions become: true ansible.builtin.file: diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index d9b612c..3213f46 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -4,26 +4,26 @@ server: {% if unbound_enable_dnssec -%} # location of the trust anchor file that enables DNSSEC # this file is generated by the `unbound-anchor` command - auto-trust-anchor-file: "/etc/unbound/trusted-key.key" + trust-anchor-file: "/usr/share/dns/root.key" {% endif -%} - # num of threads - num-threads: {{ unbound_thread_count | default(ansible_facts['processor_vcpus']) }} + # num of threads + num-threads: {{ unbound_thread_count | default(ansible_facts['processor_vcpus']) }} - # more cache memory + # more cache memory rrset-cache-size: 60m msg-cache-size: 30m - # prefetch to keep the cache up to date - prefetch: yes + # prefetch to keep the cache up to date + prefetch: yes - # fetch the DNSKEYs earlier in the validation process, when a DS record is encountered - prefetch-key: yes + # fetch the DNSKEYs earlier in the validation process, when a DS record is encountered + prefetch-key: yes - # Faster UDP with multithreading (only on Linux). + # Faster UDP with multithreading (only on Linux). so-reuseport: yes - # disable special large send buffer handling and just use kernel defaults + # disable special large send buffer handling and just use kernel defaults so-sndbuf: 0 # send minimal amount of information to upstream servers to enhance privacy @@ -36,7 +36,7 @@ server: # addresses from the IP range that are allowed to connect to the resolver {% for i in unbound_access_control -%} - access-control: {{ i }} + access-control: {{ i }} allow {% endfor -%} {% for i in unbound_private_domain -%} @@ -51,7 +51,8 @@ server: remote-control: control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} - control-interface: /run/unbound-control.sock + control-interface: "/run/unbound.ctl" # debian appamour does not allow any other path!!! + control-use-cert: no # configure some zones for which this resolver will act authoritatively