X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ab5751cdbec569aaf0eb0edbd0f88f45f31f1161..968ffb7b7c28a0673554aba399ec55549dc6a41c:/cookbooks/bind/templates/default/named.options.erb
diff --git a/cookbooks/bind/templates/default/named.options.erb b/cookbooks/bind/templates/default/named.options.erb
index f9cebbc10..b175b6839 100644
--- a/cookbooks/bind/templates/default/named.options.erb
+++ b/cookbooks/bind/templates/default/named.options.erb
@@ -1,37 +1,25 @@
 # DO NOT EDIT - This file is being maintained by Chef
-acl "osm" {
- 127.0.0.1/32;
-<% @ipv4_clients.sort.each do |address| -%>
- <%= address %>/32;
-<% end -%>
-
- ::1/128;
-<% @ipv6_clients.sort.each do |address| -%>
- <%= address %>/128;
-<% end -%>
-};
-
 options {
 # Directory to use for any working files
 directory "/var/cache/bind";
-<% if node[:bind][:forwarders] -%>
- # Forward any queries we can't answer
- forwarders {
-<% node[:bind][:forwarders].each do |forwarder| -%>
- <%= forwarder %>;
-<% end -%>
- };
-<% end -%>
-
 # Only allow queries from our machines
- allow-query { osm; };
+ allow-query { localnets; };
 # Don't allow transfers
 allow-transfer { none; };
 # Listen on any IPv6 interfaces
 listen-on-v6 { any; };
+
+ # Ensure dnssec validation is enabled using embedded trust anchors
+ dnssec-validation auto;
+
+ # Set reasonably memory limit for cache
+ max-cache-size 10%;
+
+ # Ensure dnssec synth is disabled
+ synth-from-dnssec no;
 };
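Review bot: `allow-query { localnets; };` admits every address on any subnet the host has an interface in, which is wider than the removed per-host `/32` and `/128` entries, while the comment above it still reads "Only allow queries from our machines". On a server whose public interface sits in a shared provider subnet, neighbouring hosts outside the fleet would be able to query this resolver, so it is worth confirming that is acceptable or keeping an explicit ACL for such hosts. At minimum the comment should state what the ACL now means, e.g. `# Only allow queries from directly attached networks`. Separately, the added comment `# Set reasonably memory limit for cache` should read "reasonable".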