Add DNS resolver forwarding support to Unbound

This patch adds support for DNS resolver forwarding to the tripleo_unbound role. This allows the configuration of "upstream" dns resolvers that TripleO Unbound will query if it doesn't have a local answer to a query. If forwarders are not defined, Unbound will perform a standard recursive DNS resolution. Change-Id: I04d9b2d198f83882a8a4ca7ff4c196d06f8c9ee2 (cherry picked from commit 4f4cb587db)
2021-02-04 23:23:44 +00:00 · 2021-02-04 23:23:44 +00:00 · 538791aa08
parent 772b827a69
commit 538791aa08
4 changed files with 46 additions and 1 deletions
--- a/releasenotes/notes/Add-Unbound-forwarder-support-9bdc3ef54104ff30.yaml
+++ b/releasenotes/notes/Add-Unbound-forwarder-support-9bdc3ef54104ff30.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds support for Unbound to forward DNS resolution requests to other
+    DNS resolvers (DNS resolver forwarding).
--- a/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml
@ -25,3 +25,6 @@ tripleo_unbound_config_basedir: "/var/lib/config-data/ansible-generated/unbound"
 tripleo_unbound_allowed_cidrs: []
 tripleo_unbound_log_queries: false
 tripleo_unbound_security_harden: true
+tripleo_unbound_forward_resolvers: []
+tripleo_unbound_allow_recursion: true
+tripleo_unbound_forward_fallback: true
--- a/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
@ -58,9 +58,21 @@
    setype: container_file_t
  register: _unbound_config_result

+- name: Create the TripleO Unbound forwarders configuration file
+  become: true
+  ansible.builtin.template:
+    src: tripleo-forwarder-unbound.conf.j2
+    dest: "{{ tripleo_unbound_config_basedir }}/tripleo-forwarder-unbound.conf"
+    mode: '0640'
+    selevel: s0
+    setype: container_file_t
+  when:
+    - tripleo_unbound_forward_resolvers is defined and tripleo_unbound_forward_resolvers != ""
+  register: _unbound_fwd_config_result
+
 - name: Restart Unbound
  when:
-    - _unbound_config_result.changed
+    - _unbound_config_result.changed or _unbound_fwd_config_result.changed
  block:
    - name: check if tripleo_unbound systemd service is active
      become: true
--- a/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2
+++ b/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2
@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+{#
+This template is for the TripleO forwarder Unbound configuration file.
+
+No service specific settings should be made in this file.
+
+It will be placed in the /etc/unbound/conf.d directory and will override the
+configuration settings provided in the base Unbound package from the
+distribution.
+#}
+#
+# These settings are made by TripleO, do not modify directly.
+# The settings in this file will override the package provided settings.
+#
+
+forward-zone:
+    name: "."
+{% for forwarder in tripleo_unbound_forward_resolvers %}
+    forward-addr: {{ forwarder }}
+{% endfor %}
+{% if tripleo_unbound_forward_fallback and tripleo_unbound_allow_recursion %}
+    forward-first: yes
+{% else %}
+    forward-first: no
+{% endif %}