Clark Boylan
Ianw noticed problems on fedora29 with unbound. That resulted in a bug filed upstream, https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4226. In this bug the helpful unbound maintainers point out that OpenDNS servers are having trouble with RRSIG records which leads to not validating dnssec which we require in our unbound config. Address this by switching to CloudFlare DNS which is supposed to be super localized (aka responsive), and not record queries against it. Also if we want to we can update our config to do dns over tls against these servers.
Change-Id: I8137239c2f53381afd87d420a5fe44064c669f87
An ansible role to dynamically configure DNS forwarders for the unbound caching service. IPv6 will be preferred when there is a usable IPv6 default route, otherwise IPv4.
Note
This is not a standalone unbound configuration role. Base setup is done during image builds in project-config:nodepool/elements/nodepool-base/finalise.d/89-unbound; here we just do dynamic configuration of forwarders based on the interfaces available on the actual host.
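The forwarder selection described above, as an added shell example; it is not the role's own tasks. The function names, the parsing of `ip -6 route show default` output and the fragment layout are assumptions, and the addresses are Cloudflare's public resolvers, the provider the commit message names.

```shell
#!/bin/sh
# Added example, not the role's own code. Assumed: function names, deciding
# "usable" from `ip -6 route show default` text, and the fragment layout.

# Cloudflare public resolvers (the provider named in the commit message).
V4_FORWARDERS="1.1.1.1 1.0.0.1"
V6_FORWARDERS="2606:4700:4700::1111 2606:4700:4700::1001"

# Constructed samples of `ip -6 route show default` output.
SAMPLE_V6='default via fe80::1 dev eth0 proto ra metric 1024 pref medium'
SAMPLE_UNREACHABLE='unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium'

# Succeeds only if some line is a real default route on a non-loopback
# device. The "unreachable default dev lo" placeholder some kernels print
# does not count, and neither does empty output.
has_usable_v6_default() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) != "lo") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print an unbound forward-zone for the root: IPv6 forwarders when usable,
# otherwise IPv4.
render_forward_zone() {
    if has_usable_v6_default "$1"; then
        addrs=$V6_FORWARDERS
    else
        addrs=$V4_FORWARDERS
    fi
    printf 'forward-zone:\n    name: "."\n'
    for a in $addrs; do
        printf '    forward-addr: %s\n' "$a"
    done
}

# On a host: render_forward_zone "$(ip -6 route show default 2>/dev/null)"
render_forward_zone "$SAMPLE_V6"
render_forward_zone "$SAMPLE_UNREACHABLE"
```

Running `unbound-checkconf` against the resulting configuration before restarting unbound catches a malformed fragment while the old resolver is still serving.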
Role Variables