From: Kristof Provost <kp@FreeBSD.org>
Date: Sun, 2 Mar 2025 19:10:58 +0000 (+0100)
Subject: ansible: disable dnssec validation
X-Git-Url: https://git.sigsegv.be/?a=commitdiff_plain;h=a391d6f6927cf3cb85fb2d0b10e91c008d0d8cfc;p=pennestraat-domotica

ansible: disable dnssec validation

On at least one internet connection (Proximus DSL) we've seen failures to
resolve kosmos.sigsegv.be. Disabling DNSSec makes it work again (despite dnssec
being correct on the domain).
---

diff --git a/ansible/roles/domotica/tasks/main.yaml b/ansible/roles/domotica/tasks/main.yaml
index 130a21d..fa9b923 100644
--- a/ansible/roles/domotica/tasks/main.yaml
+++ b/ansible/roles/domotica/tasks/main.yaml
@@ -26,6 +26,14 @@
     mode: 0644
   become: true
   notify: "restart pf"
+- name: disable unbound dnssec validation
+  template:
+    src: disable_dnssec_validation.conf
+    dest: "/etc/unbound/conf.d/disable_dnssec_validation.conf"
+    owner: root
+    group: wheel
+    mode: 0644
+  become: true
 - name: unbound enable
   community.general.sysrc:
     name: local_unbound_enable
diff --git a/ansible/roles/domotica/templates/disable_dnssec_validation.conf b/ansible/roles/domotica/templates/disable_dnssec_validation.conf
new file mode 100644
index 0000000..9ca4352
--- /dev/null
+++ b/ansible/roles/domotica/templates/disable_dnssec_validation.conf
@@ -0,0 +1,2 @@
+server:
+	val-permissive-mode: yes