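# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html # unbound.conf(5) man page
#
# Jinja2 template for unbound.conf. The rendered file is unbound's own
# "option: value" syntax, not YAML: yes/no are the documented boolean
# spellings, indentation is cosmetic, and repeated keys (e.g. two `primary:`
# lines per auth-zone) are intentional list entries. Do not "fix" any of
# that with a YAML linter.
#
# Template variables (supplied by the caller):
#   unbound_enable_dnssec          - bool; emit the DNSSEC trust-anchor options
#   unbound_bind_interfaces        - list of IP addresses to listen on
#   unbound_access_control         - list of "<netblock> <action>" strings
#   unbound_private_domain         - list of domain names treated as private
#   unbound_enable_unbound_control - bool; enable the remote-control socket
server:
{% if unbound_enable_dnssec -%}
    # disable chroot because unbound is the only thing running on the VM
    # and because it has issues with how archlinux configures the systemd units
    # write protection regarding the anchor file
    # (note: this drops a defense-in-depth layer; the anchor file must stay
    # writable by the unbound user because RFC 5011 key rollover updates it)
    chroot: ""
    # location of the trust anchor file that enables DNSSEC
    # this file is generated by the `unbound-anchor` command
    auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
{% endif -%}
    # fixed at 2 worker threads; this is not derived from the host's CPU count
    num-threads: 2

    # more cache memory
    rrset-cache-size: 60m
    msg-cache-size: 30m

    # prefetch to keep the cache up to date
    prefetch: yes
    # fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
    prefetch-key: yes

    # Faster UDP with multithreading (only on Linux).
    so-reuseport: yes
    # disable special large send buffer handling and just use kernel defaults
    so-sndbuf: 0

    # send minimal amount of information to upstream servers to enhance privacy
    qname-minimisation: yes

    # specify the interface to answer queries from by ip-address.
{% for i in unbound_bind_interfaces -%}
    interface: "{{ i }}"
{% endfor %}

    # addresses from the IP range that are allowed to connect to the resolver
    # each entry is "<netblock> <action>" (two tokens), so it must stay
    # unquoted; quoting would collapse it into a single token unbound rejects.
    # keep this list tight: anything not listed here falls back to unbound's
    # default policy, and an overly broad allow turns this into an open resolver.
{% for i in unbound_access_control -%}
    access-control: {{ i }}
{% endfor -%}

    # domains for which private (RFC 1918 etc.) answers are accepted
{% for i in unbound_private_domain -%}
    private-domain: {{ i }}
{% endfor -%}

    # The number of seconds between printing statistics to the log for every thread.
    statistics-interval: 0
    # Extended statistics are printed, Keeping track of more statistics takes time.
    extended-statistics: yes

remote-control:
    control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
    # unix socket rather than a TCP port: reachability is governed by the
    # socket's filesystem permissions, not by network exposure
    control-interface: /run/unbound-control.sock

# configure some zones for which this resolver will act authoritatively
# https://www.dns.icann.org/services/axfr/
# the zones are transferred (AXFR) from ICANN and used only for this
# resolver's own upstream lookups (for-upstream: yes); they are not served
# to clients as authoritative data (for-downstream: no). If the transfer is
# unavailable, fallback-enabled lets unbound resolve normally instead.
{% for i in [
    ".",
    "in-addr.arpa.",
    "arpa.",
    "root-servers.net.",
    "ip6.arpa.",
    "ip6-servers.arpa.",
    "mcast.net."
] %}
auth-zone:
    name: "{{ i }}"
    # two primaries: both are listed on purpose (repeated key = list entry)
    primary: "lax.xfr.dns.icann.org"
    primary: "iad.xfr.dns.icann.org"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
{% endfor %}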