From e054e38c2cb698d7f9e634c6d8f0fe12407c7f94 Mon Sep 17 00:00:00 2001
From: John Helmert III <jchelmert3@posteo.net>
Date: Wed, 6 Dec 2023 21:31:52 -0800
Subject: [PATCH] roles/dnsserver: set unbound's dnssec-permissive mode

Signed-off-by: John Helmert III <jchelmert3@posteo.net>
---
 roles/dnsserver/templates/unbound.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/dnsserver/templates/unbound.conf.j2 b/roles/dnsserver/templates/unbound.conf.j2
index cc67270..ee80dab 100644
--- a/roles/dnsserver/templates/unbound.conf.j2
+++ b/roles/dnsserver/templates/unbound.conf.j2
@@ -589,7 +589,7 @@ server:
         # instead of SERVFAIL. It still performs the security checks, which
         # result in interesting log files and possibly the AD bit in
         # replies if the message is found secure. The default is off.
-        # val-permissive-mode: no
+        val-permissive-mode: yes
 
         # Ignore the CD flag in incoming queries and refuse them bogus data.
         # Enable it if the only clients of Unbound are legacy servers (w2008)