server:
    interface: 127.0.0.1
    interface: ::1
    interface: 172.20.20.10@53
    interface: 172.20.20.10@853
    interface: 172.20.21.2@53

    tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
    tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
    tls-cert-bundle: {{ tls_certs }}/ca.crt

    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 172.20.20.0/22 allow

    extended-statistics: yes

    hide-identity: yes
    hide-version: yes

    prefetch: yes
    unblock-lan-zones: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

auth-zone:
    name: "home.foo.sh"
    zonefile: "/var/unbound/db/home.foo.sh"
auth-zone:
    name: "20.172.in-addr.arpa"
    zonefile: "/var/unbound/db/20.172.in-addr.arpa"