Reliability fixes
- Prevent hang on start related to DNSSEC
- Timeout unavailable servers more quickly, which works around transient
failures (previously wouldn't query a "dead" server for 900s)
- Limit TTL on NXDOMAIN responses
- Fixes for galaxy and linting
Change-Id: I95bf71ec2841e4036a6a14501e9ed285d5249732
diff --git a/.reuse/dep5 b/.reuse/dep5
index 36ce305..40fef72 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -1,5 +1,5 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Files: .cookiecutter_params.json VERSION .gitreview
+Files: .cookiecutter_params.json VERSION .gitreview README.md
Copyright: 2020 Open Networking Foundation
License: Apache-2.0
diff --git a/Makefile b/Makefile
index 4176d9f..e32f68e 100644
--- a/Makefile
+++ b/Makefile
@@ -23,10 +23,13 @@
-d "{extends: default, rules: {line-length: {max: 99}}}" \
-s $(YAML_FILES)
+# List of molecule files, not including base molecule.yml which isn't ansible format
+MOLECULE_FILES ?= $(shell find molecule -type f -name '*.yml' \! -name 'molecule.yml' -print )
+
ansiblelint: ## lint check with ansible-lint
ansible-lint --version
ansible-lint -v .
- ansible-lint -v molecule/*/*
+ ansible-lint -v $(MOLECULE_FILES)
license: ## Check license with the reuse tool
reuse --version
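Review bot: `MOLECULE_FILES ?= $(shell find …)` is recursive-flavoured (`?=` cannot be simple), so the `find` runs again on every expansion, and when it yields nothing — no `molecule` directory, or a checkout where the files were renamed — the new recipe line `ansible-lint -v $(MOLECULE_FILES)` degrades to a second `ansible-lint -v` of the whole tree instead of failing. If overriding from the environment is wanted, keep `?=` but make the recipe fail on an empty list, e.g. `test -n "$(strip $(MOLECULE_FILES))" && ansible-lint -v $(MOLECULE_FILES)`; otherwise `MOLECULE_FILES := $(shell …)` avoids the repeated `find`. Whether `ansiblelint` is declared in `.PHONY` is outside this hunk, so I could not confirm it.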
diff --git a/README.md b/README.md
index c85a6d0..8ec5477 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,3 @@
-<!--
-SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
-SPDX-License-Identifier: Apache-2.0
---!>
# unbound
Unbound Recursive DNS Server
diff --git a/files/default_unbound b/files/default_unbound
new file mode 100644
index 0000000..083c07e
--- /dev/null
+++ b/files/default_unbound
@@ -0,0 +1,4 @@
+# SPDX-FileCopyrightText: 2021 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+ROOT_TRUST_ANCHOR_UPDATE="false"
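Review bot: `ROOT_TRUST_ANCHOR_UPDATE="false"` is a security-relevant switch that the new file leaves unexplained: it disables the root trust anchor refresh the Debian wrapper performs before unbound starts, so DNSSEC validation now depends on the trust anchor file being kept current some other way (unbound's in-process RFC 5011 tracking covers that only when the configuration uses `auto-trust-anchor-file`, which this change does not show). A comment above the setting should state why it is off and what keeps the anchor current, e.g. `# Skip the pre-start root trust anchor fetch: it can block service start when the network is unreachable.` followed by one line naming the mechanism that maintains the anchor at runtime. Without that, the next maintainer has no way to tell a deliberate hardening trade-off from a forgotten workaround.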
diff --git a/meta/main.yml b/meta/main.yml
index 9e66e47..92fe89f 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,6 +5,9 @@
# SPDX-License-Identifier: Apache-2.0
galaxy_info:
+ role_name: unbound
+ namespace: onf
+
author: Open Networking Foundation
description: Unbound Recursive DNS Server
company: Open Networking Foundation
diff --git a/tasks/Debian.yml b/tasks/Debian.yml
index 88f9c4b..d0d2338 100644
--- a/tasks/Debian.yml
+++ b/tasks/Debian.yml
@@ -24,6 +24,14 @@
group: root
mode: "0644"
+- name: Disable DNSSEC anchor download that can hang on startup
+ copy:
+ src: "default_unbound"
+ dest: "/etc/default/unbound"
+ owner: root
+ group: root
+ mode: "0644"
+
- name: Install unbound packages (Debian)
apt:
name: "unbound"
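Review bot: The new copy task for `/etc/default/unbound` has no `notify`, so on a host where unbound is already installed and running the file is rewritten but the daemon keeps the previous startup settings until something else restarts it; unless a later task or handler in this role does that (not visible in this hunk), add `notify: <restart handler name>` using the role's existing handler. The placement ahead of the apt task looks deliberate — getting the file in place so the package's first service start already sees it — but the package also ships this path, so the intended interaction with dpkg's conffile handling on first install should be stated and verified rather than left implicit, e.g. `# Installed before the package so the first service start skips the anchor fetch; confirm dpkg keeps the pre-existing file.` The task list continues outside the hunk.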
diff --git a/templates/unbound.conf.j2 b/templates/unbound.conf.j2
index 1c2f1c3..3dbddea 100644
--- a/templates/unbound.conf.j2
+++ b/templates/unbound.conf.j2
@@ -1,4 +1,5 @@
# unbound templates/unbound.conf.j2 - {{ ansible_managed }}
+# docs: https://www.nlnetlabs.nl/documentation/unbound/unbound.conf
{#
SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0
@@ -15,6 +16,16 @@
# logging
verbosity: 1
+ # caching overrides
+ # Cache SERVFAIL for less time (normally 900s)
+ infra-host-ttl: 10
+{% if ansible_distribution_version != "18.04" %}
+ # keep probing failed hosts, in case of network issues
+ infra-keep-probing: yes
+{% endif %}
+ # Maximum TTL on NXDOMAIN queries (normally set by upstream)
+ cache-max-negative-ttl: 60
+
# RFC7816 query name minimization
qname-minimisation: yes
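Review bot: The guard around `infra-keep-probing: yes` tests only `ansible_distribution_version != "18.04"`, not the distribution name or the installed unbound version, so on Debian (version facts like `10` or `11`) and on every other Ubuntu release the option is always emitted; whether the unbound shipped there accepts the keyword is not established by this change, and an unknown keyword typically makes unbound reject the whole configuration. Keying the condition on the unbound version (a registered `unbound -V` or package version fact) would be more robust; at minimum document the assumption with `{# infra-keep-probing is unknown to the unbound shipped with 18.04; other releases are assumed to ship a newer unbound #}`. The comment on `infra-host-ttl` is also slightly off: the option sets the lifetime of host-cache entries (RTT, EDNS and lameness data), and the faster retry of servers marked down is a consequence of that, so `# Host cache TTL (normally 900s): re-probe servers marked down sooner` describes it more accurately. Both settings send noticeably more probe traffic to upstreams that are genuinely down, which appears to be the trade-off the commit message intends.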
@@ -39,13 +50,12 @@
interface: {{ ansible_default_ipv4.address }}
{% endif %}
-
{% if unbound_listen_ips %}
# listen on specific IPs
{% for ip in unbound_listen_ips %}
interface: {{ ip | ipaddr('address') }}
-
{% endfor %}
+
{% endif %}
# disable DNS-over-HTTP (DoH) as it breaks split horizon
# https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https