From 72736c8b13606d54d7b100f89de507d7fa4a6367 Mon Sep 17 00:00:00 2001
From: Timo Makinen <tmakinen@foo.sh>
Date: Wed, 16 Jul 2025 17:53:48 +0000
Subject: [PATCH] unbound: Enable DNSSEC validation for dna-gw hosts

---
 roles/unbound/templates/unbound.conf.dna.j2 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/unbound/templates/unbound.conf.dna.j2 b/roles/unbound/templates/unbound.conf.dna.j2
index 75ce886..955e007 100644
--- a/roles/unbound/templates/unbound.conf.dna.j2
+++ b/roles/unbound/templates/unbound.conf.dna.j2
@@ -29,7 +29,10 @@ server:
     hide-identity: yes
     hide-version: yes
 
+    auto-trust-anchor-file: {{ unbound_zonedir }}/root.key
+
     prefetch: yes
+    prefetch-key: yes
     unblock-lan-zones: yes
 
 remote-control: