From ee6b7be6a24ea7112869f1b234760d89b4a990ce Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 17 Jun 2020 17:53:11 +0200 Subject: [PATCH] unbound: Add some configuration options. --- .../roles/unbound-resolver/defaults/main.yml | 13 +++++++- .../templates/unbound-server.conf | 32 ++++++++----------- 2 files changed, 25 insertions(+), 20 deletions(-) diff --git a/library/roles/unbound-resolver/defaults/main.yml b/library/roles/unbound-resolver/defaults/main.yml index 7987ae25..7c6f47cd 100644 --- a/library/roles/unbound-resolver/defaults/main.yml +++ b/library/roles/unbound-resolver/defaults/main.yml @@ -27,11 +27,22 @@ unbound_so_sndbuf: 4m # Faster UDP with multithreading (only on Linux). unbound_so_reuseport: 'yes' # with libevent -unbound_outgoing_range: 8192 unbound_num_queries_per_thread: 4096 unbound_max_negative_ttl: 3600 +unbound_hide_identity: 'yes' +unbound_hide_version: 'yes' +unbound_qname_minimisation: 'no' +unbound_val_clean_additional: 'yes' +# The following is experimental +unbound_use_caps_for_id: 'no' +unbound_unwanted_reply_threshold: '10000000' +unbound_do_not_query_localhost: 'no' +unbound_rrset_roundrobin: 'yes' +unbound_unblock_lan_zones: 'no' +unbound_do_ipv6: 'yes' + unbound_private_addresses: [] unbound_private_domains: [] # Stub zones diff --git a/library/roles/unbound-resolver/templates/unbound-server.conf b/library/roles/unbound-resolver/templates/unbound-server.conf index 910cf0fb..46505edf 100644 --- a/library/roles/unbound-resolver/templates/unbound-server.conf +++ b/library/roles/unbound-resolver/templates/unbound-server.conf @@ -26,7 +26,7 @@ server: # more outgoing connections # depends on number of cores: 1024/cores - 50 - outgoing-range: {{ 1024 // unbound_threads - 50 }} + outgoing-range: {{ 1024 * unbound_threads - 50 }} # Larger socket buffer. OS may need config. so-rcvbuf: {{ unbound_so_rcvbuf }} 
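Review bot: `unbound_qname_minimisation: 'no'` silently flips a setting the template previously hard-coded to `yes` (the removed `qname-minimisation: yes` line in unbound-server.conf), so every host taking the role defaults loses QNAME minimisation, which limits how much of each queried name is sent to upstream authoritative servers. Unless disabling it is intended, the default should preserve the old behaviour: `unbound_qname_minimisation: 'yes'`. Likewise `unbound_unwanted_reply_threshold: '10000000'` is a thousand times the `10000` the template used to render; if this is deliberate (it looks like Unbound's documented suggested value, but I have not verified that against the installed version) a short comment above it such as `# Unbound's suggested value; the old template used 10000` would stop the next reader from treating it as a typo.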
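Review bot: The new expression `outgoing-range: {{ 1024 * unbound_threads - 50 }}` contradicts the comment directly above it, which still reads `# depends on number of cores: 1024/cores - 50`, and the removed line was exactly the division that comment describes. One of the two must change: either restore `//` or, if multiplying is intended because the role assumes a libevent build (the template says `# with libevent` a few lines later), rewrite the comment to match, e.g. `# depends on number of cores: 1024 * cores - 50 (assumes a libevent build)`. Note that this value only now becomes the effective one, since the following hunk drops the duplicate `outgoing-range: {{ unbound_outgoing_range }}` key that used to follow it. The enclosing `server:` block starts and ends outside this hunk.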
@@ -38,24 +38,18 @@ server:
 # Faster UDP with multithreading (only on Linux).
 so-reuseport: {{ unbound_so_reuseport }}
 # with libevent
- outgoing-range: {{ unbound_outgoing_range }}
- num-queries-per-thread: {{ unbound_num_queries_per_thread }}
- hide-identity: yes
- hide-version: yes
- harden-short-bufsize: yes
- harden-large-queries: yes
- harden-glue: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
- harden-algo-downgrade: yes
- qname-minimisation: yes
- use-caps-for-id: yes
- unwanted-reply-threshold: 10000
- do-not-query-localhost: no
- prefetch: yes
- rrset-roundrobin: yes
- minimal-responses: yes
- val-clean-additional: yes
+ num-queries-per-thread: {{ unbound_num_queries_per_thread }}
+ hide-identity: {{ unbound_hide_identity }}
+ hide-version: {{ unbound_hide_version }}
+ qname-minimisation: {{ unbound_qname_minimisation }}
+ # The following is experimental
+ use-caps-for-id: {{ unbound_use_caps_for_id }}
+ unwanted-reply-threshold: {{ unbound_unwanted_reply_threshold }}
+ do-not-query-localhost: {{ unbound_do_not_query_localhost }}
+ rrset-roundrobin: {{ unbound_rrset_roundrobin }}
+ val-clean-additional: {{ unbound_val_clean_additional }}
+ unblock-lan-zones: {{ unbound_unblock_lan_zones }}
+ do-ip6: {{ unbound_do_ipv6 }}
 #
 {% if ansible_service_mgr == 'systemd' %}
 use-systemd: yes
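Review bot: Six hardening directives (`harden-short-bufsize`, `harden-large-queries`, `harden-glue`, `harden-dnssec-stripped`, `harden-below-nxdomain`, `harden-algo-downgrade`) plus `prefetch` and `minimal-responses` are deleted here without a variable-driven replacement, so the rendered config silently falls back to Unbound's compiled-in defaults, which for several of the harden-* options are not `yes` (the exact defaults depend on the installed Unbound version). Given the commit only claims to add options, this looks unintentional; the dropped lines should come back as variables following the convention the hunk already uses, with matching `'yes'` defaults added to defaults/main.yml. The variable names below are proposed, not existing, and the enclosing `server:` block starts and ends outside this hunk.
```jinja
    hide-version: {{ unbound_hide_version }}
    harden-short-bufsize: {{ unbound_harden_short_bufsize }}
    harden-large-queries: {{ unbound_harden_large_queries }}
    harden-glue: {{ unbound_harden_glue }}
    harden-dnssec-stripped: {{ unbound_harden_dnssec_stripped }}
    harden-below-nxdomain: {{ unbound_harden_below_nxdomain }}
    harden-algo-downgrade: {{ unbound_harden_algo_downgrade }}
    qname-minimisation: {{ unbound_qname_minimisation }}
    # … unchanged: use-caps-for-id through do-not-query-localhost …
    prefetch: {{ unbound_prefetch }}
    rrset-roundrobin: {{ unbound_rrset_roundrobin }}
    minimal-responses: {{ unbound_minimal_responses }}
    # … unchanged: val-clean-additional, unblock-lan-zones, do-ip6 …
```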