From 5fcd532b648824d947ec009d8d63508b9d3be7fa Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Sat, 24 Feb 2018 17:49:06 +0800 Subject: dns/unbound: update config and enable remote-control --- roles/dns/files/unbound.conf | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) (limited to 'roles/dns/files') diff --git a/roles/dns/files/unbound.conf b/roles/dns/files/unbound.conf index 18e3ae6..848945c 100644 --- a/roles/dns/files/unbound.conf +++ b/roles/dns/files/unbound.conf @@ -58,16 +58,11 @@ server: statistics-interval: 7200 # Enable or disable whether IPv4 queries are answered or issued. - # Default: yes do-ip4: yes # Enable or disable whether IPv6 queries are answered or issued. do-ip6: yes - # Whether prefer IPv6 transport for sending queries? - # Default: no - #prefer-ip6: no - # Enable or disable whether UDP queries are answered or issued. # Default: yes do-udp: yes 
@@ -126,14 +121,30 @@ server: # Default: 1 (operational info). verbosity: 1 - # The log file, "" means log to stderr. - # NOTE: set the below "use-syslog" to "no" when to use this option. - logfile: "/usr/local/etc/unbound/unbound.log" - - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # NOTE: will override the above "logfile" option if enabled. - #use-syslog: no + # Log messages to syslog(3) with the LOG_DAEMON facility. use-syslog: yes + # + # Log messages to the specified file. + #use-syslog: no + #logfile: "/usr/local/etc/unbound/unbound.log" + +# Remote control config section. +# +remote-control: + # Enable remote control with unbound-control(8) here. + control-enable: yes + + # Interfaces listened to for remote control. + control-interface: 127.0.0.1 + control-interface: ::1 + + # Server and unbound-control key and certificate files. + # Set up the keys and certificates with unbound-control-setup. + control-use-cert: yes + server-key-file: "/usr/local/etc/unbound/unbound_server.key" + server-cert-file: "/usr/local/etc/unbound/unbound_server.pem" + control-key-file: "/usr/local/etc/unbound/unbound_control.key" + control-cert-file: "/usr/local/etc/unbound/unbound_control.pem" # WARNING: -- cgit v1.2.2
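Review bot: The new `remote-control:` section points `server-key-file` and `control-key-file` at private keys under `/usr/local/etc/unbound/` but does not say who may read them. With the listener bound to loopback, read access to `unbound_control.key` and its certificate is what decides which local accounts can drive the resolver through unbound-control(8). I would add a comment above `control-use-cert: yes` such as `# Key files must be readable only by root and the unbound user; generate them per host and never commit them to the role.` Because `control-enable: yes` is unconditional, the role should also run unbound-control-setup before the service is (re)started, since unbound may refuse to start when these files are missing; nothing in this hunk shows that step. The `server:` clause begins before the hunk and the file continues after `# WARNING:`.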