author | Aaron LI <aly@aaronly.me> | 2018-02-24 17:49:06 +0800 |
committer | Aaron LI <aly@aaronly.me> | 2018-03-14 11:28:44 +0800 |
commit | 5fcd532b648824d947ec009d8d63508b9d3be7fa (patch) | |
tree | c12f3cc6dcd16eaef2ead40b630bf95efcc98bc5 | |
parent | 30724d5f9f13530d7d81a51e6b040970bab49c00 (diff) | |
download | ansible-dfly-vps-5fcd532b648824d947ec009d8d63508b9d3be7fa.tar.bz2 |
dns/unbound: update config and enable remote-control
-rw-r--r-- | roles/dns/files/unbound.conf | 35 | ||||
-rw-r--r-- | roles/dns/tasks/main.yml | 12 |
2 files changed, 35 insertions, 12 deletions
diff --git a/roles/dns/files/unbound.conf b/roles/dns/files/unbound.conf index 18e3ae6..848945c 100644 --- a/roles/dns/files/unbound.conf +++ b/roles/dns/files/unbound.conf @@ -58,16 +58,11 @@ server: statistics-interval: 7200 # Enable or disable whether IPv4 queries are answered or issued. - # Default: yes do-ip4: yes # Enable or disable whether IPv6 queries are answered or issued. do-ip6: yes - # Whether prefer IPv6 transport for sending queries? - # Default: no - #prefer-ip6: no - # Enable or disable whether UDP queries are answered or issued. # Default: yes do-udp: yes @@ -126,14 +121,30 @@ server: # Default: 1 (operational info). verbosity: 1 - # The log file, "" means log to stderr. - # NOTE: set the below "use-syslog" to "no" when to use this option. - logfile: "/usr/local/etc/unbound/unbound.log" - - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # NOTE: will override the above "logfile" option if enabled. - #use-syslog: no + # Log messages to syslog(3) with the LOG_DAEMON facility. use-syslog: yes + # + # Log messages to the specified file. + #use-syslog: no + #logfile: "/usr/local/etc/unbound/unbound.log" + +# Remote control config section. +# +remote-control: + # Enable remote control with unbound-control(8) here. + control-enable: yes + + # Interfaces listened to for remote control. + control-interface: 127.0.0.1 + control-interface: ::1 + + # Server and unbound-control key and certificate files. + # Set up the keys and certificates with unbound-control-setup. + control-use-cert: yes + server-key-file: "/usr/local/etc/unbound/unbound_server.key" + server-cert-file: "/usr/local/etc/unbound/unbound_server.pem" + control-key-file: "/usr/local/etc/unbound/unbound_control.key" + control-cert-file: "/usr/local/etc/unbound/unbound_control.pem" # WARNING: diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml index 04c45f3..d6bfb2f 100644 --- a/roles/dns/tasks/main.yml +++ b/roles/dns/tasks/main.yml 
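Review bot: The new top-level `remote-control:` clause is inserted before the `# WARNING:` context line, so any `server:` options that follow it further down the file are now parsed as remote-control options and rejected by unbound; if server settings continue after the warning block, repeat `server:` in front of them, and run `unbound-checkconf` on the result before installing it. The rest of the clause looks sound: both `control-interface` values are loopback (`127.0.0.1`, `::1`) and `control-use-cert: yes` keeps unbound-control authenticated with the generated certificate pair. `control-interface: ::1` does require an IPv6 loopback on the host, otherwise unbound fails to bind at startup — inferred from the option, worth confirming on the target. The four key/cert paths are created by `unbound-control-setup` in the tasks change, but nothing in the role pins their owner or mode, so check that the two `.key` files are not world-readable after the first run.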
@@ -22,6 +22,15 @@ "https://www.internic.net/domain/named.cache" notify: reload-unbound +- name: unbound - check existence of control key/cert + stat: + path: /usr/local/etc/unbound/unbound_control.key + register: stat_result + +- name: unbound - generate self-signed key/cert for control + command: unbound-control-setup + when: stat_result.stat.exists == False + - name: unbound - copy configuration copy: src: unbound.conf @@ -36,6 +45,9 @@ src: resolv.conf dest: /etc/resolv.conf +# +# NSD +# - name: NSD - copy configuration template: src: nsd.conf.j2 |
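Review bot: The stat/command pair added before `unbound - copy configuration` can be collapsed into one idempotent task by giving the command its own guard, `command: unbound-control-setup` with `args:` / `creates: /usr/local/etc/unbound/unbound_control.key`, which removes the `register`/`when` plumbing and the literal comparison `stat_result.stat.exists == False` (ansible-lint flags comparing against a boolean literal; `when: not stat_result.stat.exists` is the idiom if the two-task form is kept). `unbound-control-setup` writes into its compiled-in directory, so the path checked here only matches when that directory is `/usr/local/etc/unbound` on the target; passing `-d /usr/local/etc/unbound` makes the assumption explicit. Since the copied unbound.conf now depends on these key files and on a new top-level clause, the copy task (its body continues outside the hunk) would benefit from `validate: unbound-checkconf %s` so a broken config is refused before it replaces the live one.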