CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 1
Code Issues 7 Pull requests 9 Wiki Activity Actions
ansible-infra/roles/unbound/templates/unbound.conf.j2
bitwhisker 866005c055
Some checks failed
/ Ansible Lint (push) Failing after 2m30s
Details
/ Ansible Lint (pull_request) Failing after 2m27s
Details
/ build (pull_request) Failing after 2m39s
Details
rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1 
- create unbound role
- create kea_dhcp role
- configure unbound and keadhcp on rt1(z9 host)
2026-05-24 04:19:16 +02:00

73 lines
2.3 KiB
Django/Jinja
Raw Blame History

# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
# unbound.conf(5) man page
server:
{% if unbound_enable_dnssec -%}
# disable chroot because unbound is the only thing running on the VM
# and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file
chroot: ""
# location of the trust anchor file that enables DNSSEC
# this file is generated by the `unbound-anchor` command
auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
{% endif -%}
# use all CPUs
num-threads: 2
# more cache memory
rrset-cache-size: 60m
msg-cache-size: 30m
# prefetch to keep the cache up to date
prefetch: yes
# fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
prefetch-key: yes
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# disable special large send buffer handling and just use kernel defaults
so-sndbuf: 0
# send minimal amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# specify the interface to answer queries from by ip-address.
{% for i in unbound_bind_interfaces -%}
interface: "{{ i }}"
{% endfor %}
# addresses from the IP range that are allowed to connect to the resolver
{% for i in unbound_access_control -%}
access-control: {{ i }}
{% endfor -%}
{% for i in unbound_private_domain -%}
private-domain: {{ i }}
{% endfor -%}
# The number of seconds between printing statistics to the log for every thread.
statistics-interval: 0
# Extended statistics are printed, Keeping track of more statistics takes time.
extended-statistics: yes
remote-control:
control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
control-interface: /run/unbound-control.sock
# configure some zones for which this resolver will act authoritatively
# https://www.dns.icann.org/services/axfr/
{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
auth-zone:
name: "{{ i }}"
primary: "lax.xfr.dns.icann.org"
primary: "iad.xfr.dns.icann.org"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
{% endfor %}
Reference in a new issue View git blame Copy permalink