2ba7af7a34
Ianw noticed problems on fedora29 with unbound. That resulted in a bug filed upstream, https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4226. In this bug the helpful unbound maintainers point out that OpenDNS servers are having trouble with RRSIG records which leads to not validating dnssec which we require in our unbound config. Address this by switching to CloudFlare DNS which is suppsoed to be super localized (aka responsive), and not record queries against it. Also if we want to we can update our config to do dns over tls against these servers. Change-Id: I8137239c2f53381afd87d420a5fe44064c669f87
25 lines
1.1 KiB
YAML
25 lines
1.1 KiB
YAML
# OpenDNS
|
|
unbound_primary_nameserver_v6: "2606:4700:4700::1111"
|
|
unbound_primary_nameserver_v4: "1.1.1.1"
|
|
|
|
# Google
|
|
unbound_secondary_nameserver_v6: "2001:4860:4860::8888"
|
|
unbound_secondary_nameserver_v4: "8.8.8.8"
|
|
|
|
# Time to live maximum for RRsets and messages in the cache.
|
|
# Default is 86400 seconds (1 day). If the maximum kicks in,
|
|
# responses to clients still get decrementing TTLs based on the
|
|
# original (larger) values. When the internal TTL expires, the
|
|
# cache item has expired. Can be set lower to force the resolver
|
|
# to query for data often, and not trust (very large) TTL values.
|
|
unbound_cache_max_ttl: 86400
|
|
|
|
# Time to live minimum for RRsets and messages in the cache.
|
|
# Default is 0. If the minimum kicks in, the data is cached for
|
|
# longer than the domain owner intended, and thus less queries are
|
|
# made to look up the data. Zero makes sure the data in the cache
|
|
# is as the domain owner intended, higher values, especially more
|
|
# than an hour or so, can lead to trouble as the data in the cache
|
|
# does not match up with the actual data any more.
|
|
unbound_cache_min_ttl: 0
|