Reliability fixes
- Prevent hang on start related to DNSSEC
- Timeout unavailable servers more quickly, which works around transient
failures (previously wouldn't query a "dead" server for 900s)
- Limit TTL on NXDOMAIN responses
- Fixes for galaxy and linting
Change-Id: I95bf71ec2841e4036a6a14501e9ed285d5249732
diff --git a/templates/unbound.conf.j2 b/templates/unbound.conf.j2
index 1c2f1c3..3dbddea 100644
--- a/templates/unbound.conf.j2
+++ b/templates/unbound.conf.j2
@@ -1,4 +1,5 @@
# unbound templates/unbound.conf.j2 - {{ ansible_managed }}
+# docs: https://www.nlnetlabs.nl/documentation/unbound/unbound.conf
{#
SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0
@@ -15,6 +16,16 @@
# logging
verbosity: 1
+ # caching overrides
+ # Cache SERVFAIL for less time (normally 900s)
+ infra-host-ttl: 10
+{% if ansible_distribution_version != "18.04" %}
+ # keep probing failed hosts, in case of network issues
+ infra-keep-probing: yes
+{% endif %}
+ # Maximum TTL on NXDOMAIN queries (normally set by upstream)
+ cache-max-negative-ttl: 60
+
# RFC7816 query name minimization
qname-minimisation: yes
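Review bot: The comment above `infra-host-ttl: 10` describes it as shortening SERVFAIL caching, but in the unbound documentation linked in the first hunk this option is the TTL of the infrastructure host cache (round-trip timing, lameness and EDNS probe results), not a cache of responses; the negative-answer side is what `cache-max-negative-ttl` below controls. Suggest `# Expire infra-cache (timeout/RTT/lameness) entries after 10s instead of 900s so a server that timed out is retried sooner`. The `{% if ansible_distribution_version != "18.04" %}` guard also carries no explanation of why the option is skipped there — presumably the unbound shipped on Ubuntu 18.04 predates `infra-keep-probing`; if that is the reason, record it, e.g. `{# infra-keep-probing is not understood by the unbound version on Ubuntu 18.04 #}`, since an unknown option would otherwise make unbound fail to start on that release, the kind of hang this commit is trying to remove. Gating on the installed unbound version rather than the distribution string would be more robust if the play has that fact available.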
@@ -39,13 +50,12 @@
interface: {{ ansible_default_ipv4.address }}
{% endif %}
-
{% if unbound_listen_ips %}
# listen on specific IPs
{% for ip in unbound_listen_ips %}
interface: {{ ip | ipaddr('address') }}
-
{% endfor %}
+
{% endif %}
# disable DNS-over-HTTP (DoH) as it breaks split horizon
# https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https