From 2ba7af7a34b2e479ed6dcdcf68323212f7cde054 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Fri, 8 Feb 2019 09:37:45 -0800
Subject: [PATCH] Stop using OpenDNS
Ianw noticed problems on fedora29 with unbound. That resulted in a bug filed upstream, https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4226. In this bug the helpful unbound maintainers point out that OpenDNS servers are having trouble with RRSIG records which leads to not validating dnssec which we require in our unbound config. Address this by switching to CloudFlare DNS which is suppsoed to be super localized (aka responsive), and not record queries against it. Also if we want to we can update our config to do dns over tls against these servers.
Change-Id: I8137239c2f53381afd87d420a5fe44064c669f87
---
 roles/configure-unbound/README.rst | 4 ++--
 roles/configure-unbound/defaults/main.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/configure-unbound/README.rst b/roles/configure-unbound/README.rst
index 9e80061..1ce9297 100644
--- a/roles/configure-unbound/README.rst
+++ b/roles/configure-unbound/README.rst
@@ -11,7 +11,7 @@ usable IPv6 default route, otherwise IPv4.
 **Role Variables**
 .. zuul:rolevar:: unbound_primary_nameserver_v4
- :default: 208.67.222.222 (OpenDNS)
+ :default: 1.1.1.1 (CloudFlare)
 The primary IPv4 nameserver for fowarding requests
@@ -21,7 +21,7 @@ usable IPv6 default route, otherwise IPv4.
 The secondary IPv4 nameserver for fowarding requests
 .. zuul:rolevar:: unbound_primary_nameserver_v6
- :default: 2620:0:ccc::2 (OpenDNS)
+ :default: 2606:4700:4700::1111 (CloudFlare)
 The primary IPv6 nameserver for fowarding requests
diff --git a/roles/configure-unbound/defaults/main.yaml b/roles/configure-unbound/defaults/main.yaml
index e67192d..2051a30 100644
--- a/roles/configure-unbound/defaults/main.yaml
+++ b/roles/configure-unbound/defaults/main.yaml
@@ -1,6 +1,6 @@
 # OpenDNS
-unbound_primary_nameserver_v6: "2620:0:ccc::2"
-unbound_primary_nameserver_v4: "208.67.222.222"
+unbound_primary_nameserver_v6: "2606:4700:4700::1111"
+unbound_primary_nameserver_v4: "1.1.1.1"
 # Google
 unbound_secondary_nameserver_v6: "2001:4860:4860::8888"
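Review bot: The `# OpenDNS` comment heading the primary nameserver pair in defaults/main.yaml is left as unchanged context, so on the new side it labels the Cloudflare addresses `2606:4700:4700::1111` and `1.1.1.1`. It should be changed to `# CloudFlare` so the defaults file agrees with the README entries updated in the same commit. Because the commit message says the unbound config requires DNSSEC validation, the comment is also the natural place to record that constraint, for example `# CloudFlare (forwarders must return RRSIG records; unbound validates DNSSEC)`, so that a later swap of these values is checked against it. The unbound configuration that consumes these variables is not part of this patch, so whether the forwarders are queried over TLS cannot be confirmed from here; the commit message suggests this is not yet the case.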