From a391d6f6927cf3cb85fb2d0b10e91c008d0d8cfc Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Sun, 2 Mar 2025 20:10:58 +0100
Subject: [PATCH] ansible: disable dnssec validation

On at least one internet connection (Proximus DSL) we've seen failures to resolve kosmos.sigsegv.be. Disabling DNSSec makes it work again (despite dnssec being correct on the domain).
---
 ansible/roles/domotica/tasks/main.yaml | 8 ++++++++
 .../domotica/templates/disable_dnssec_validation.conf | 2 ++
 2 files changed, 10 insertions(+)
 create mode 100644 ansible/roles/domotica/templates/disable_dnssec_validation.conf

diff --git a/ansible/roles/domotica/tasks/main.yaml b/ansible/roles/domotica/tasks/main.yaml
index 130a21d..fa9b923 100644
--- a/ansible/roles/domotica/tasks/main.yaml
+++ b/ansible/roles/domotica/tasks/main.yaml
@@ -26,6 +26,14 @@
 mode: 0644
 become: true
 notify: "restart pf"
+- name: disable unbound dnssec validation
+ template:
+ src: disable_dnssec_validation.conf
+ dest: "/etc/unbound/conf.d/disable_dnssec_validation.conf"
+ owner: root
+ group: wheel
+ mode: 0644
+ become: true
 - name: unbound enable
 community.general.sysrc:
 name: local_unbound_enable
diff --git a/ansible/roles/domotica/templates/disable_dnssec_validation.conf b/ansible/roles/domotica/templates/disable_dnssec_validation.conf
new file mode 100644
index 0000000..9ca4352
--- /dev/null
+++ b/ansible/roles/domotica/templates/disable_dnssec_validation.conf
@@ -0,0 +1,2 @@
+server:
+ val-permissive-mode: yes
-- 
2.51.0
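Review bot: The new `disable unbound dnssec validation` task has no `notify`, unlike the pf task just above it (`notify: "restart pf"`), so on a host where unbound is already running the new file is not read until something else restarts the resolver. Adding a handler reference such as `notify: "restart unbound"` would apply the change in the same run; that handler name is a placeholder, since the role's handlers file is not part of this diff. Because this task weakens a security control, a short comment above it stating why (the Proximus DSL resolution failure from the commit message) would help whoever audits the role later. Minor: the file contains no template variables, so `copy` would do, and Ansible recommends quoting the mode as `mode: "0644"`, although the unquoted form matches the existing tasks.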
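Review bot: `val-permissive-mode: yes` applies to every name this resolver handles, so an answer that fails validation for any signed zone is passed to clients instead of being withheld with SERVFAIL, while the commit message describes a failure for one name on one connection. The validator still runs in this mode; only the enforcement is dropped, so "disable" in the file and task names slightly overstates what happens. If the goal is only to get kosmos.sigsegv.be resolving, unbound's `domain-insecure: "sigsegv.be"` would probably be enough and would keep validation enforced for all other zones. Either way the file should carry a comment with the reason and a removal condition, e.g. `# Proximus DSL: validation of kosmos.sigsegv.be fails; drop this once the link resolves it correctly`.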