Don't use dlv-anchor-file with unbound

According to the unbound.conf manpage this value should no longer be
used. It creates lookaside queries for DNSSEC which introduces more
servers which can fail on us. This is no longer necessary because root
servers have the appropriate DNSSEC configuration now.

Follow the unbound suggestion and make unbound more reliable by avoiding
DLV entirely.

Change-Id: Ib6c0cf83bfdeb1eb2f6f22951fd44ce9839cab92
Clark Boylan 2017-08-22 09:29:52 -07:00
parent d51dc22535
commit b8aeacb54d
1 changed files with 7 additions and 0 deletions

@ -117,6 +117,13 @@ chmod a+x $rclocal
echo 'include: /etc/unbound/forwarding.conf' >> /etc/unbound/unbound.conf
# Disable dlv. Per the unbound.conf manpage this should not be used
# anymore but is in use by some of our distros. The problem here is it
# does lookasides for DNSSEC which increases the number of queries and
# introduces more points of lookup failure. Disable it to avoid these
# problems.
sed -i -e 's/dlv-anchor-file:/#dlv-anchor-file:/g' /etc/unbound/unbound.conf
# This defaults file must be in place to work around this bug:
# https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513
# The issue is fixed for Xenial so this is only required for Trusty.
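
Review bot: The sed expression on the dlv-anchor-file line is unanchored, so it also rewrites lines that are already commented out, and every re-run of this script prepends another # to the same line. Anchoring it to an active directive, for example `s/^\([[:space:]]*\)dlv-anchor-file:/\1#dlv-anchor-file:/`, keeps the edit idempotent and leaves existing comments alone. The command also touches only /etc/unbound/unbound.conf, so a dlv-anchor-file set in any file pulled in through an include: directive would stay active; a grep for an uncommented dlv-anchor-file after this step would make that case visible in the logs instead of silently leaving DLV lookups enabled.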