adding new unbound config files under /usr/local

usr/local/etc/unbound/root.key

@@ -0,0 +1,10 @@
+; autotrust trust anchor file
+;;id: . 1
+;;last_queried: 1771250359 ;;Mon Feb 16 08:59:19 2026
+;;last_success: 1771250359 ;;Mon Feb 16 08:59:19 2026
+;;next_probe_time: 1771292919 ;;Mon Feb 16 20:48:39 2026
+;;query_failed: 0
+;;query_interval: 43200
+;;retry_time: 8640
+.	86400	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
+.	86400	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026

usr/local/etc/unbound/unbound.conf

@@ -0,0 +1,62 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/objectbrokerss/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+    server:
+    # location of the trust anchor file that enables DNSSEC
+    auto-trust-anchor-file: "/root.key"
+    # send minimal amount of information to upstream servers to enhance privacy
+    qname-minimisation: yes
+    # the interface that is used to connect to the network (this will listen to all interfaces)
+    interface: 0.0.0.0
+    # interface: ::0
+    private-address: 192.168.0.0/16
+    private-address: 100.64.0.0/10
+
+    # addresses from the IP range that are allowed to connect to the resolver
+    access-control: 192.168.88.0/24 allow
+    # explicitly allow localhost access
+    access-control: 127.0.0.0/8 allow
+    # allow Tailnet
+    access-control: 100.64.0.0/10 allow
+    # uncomment the following line to allow Tailnet IPv6
+    # access-control: fd7a:115c:a1e0::/48 allow
+
+    access-control-view: 192.168.88.0/24 lan
+    access-control-view: 100.64.0.0/10 tailnet
+    
+    do-ip4: yes
+    do-ip6: no
+    do-udp: yes
+    do-tcp: yes
+
+view:
+  name: "lan"
+  view-first: yes
+  local-zone: "objectbrokers.com." transparent
+  local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
+  local-data: "photo.objectbrokers.com. A 192.168.88.231"
+  local-data: "gitea.objectbrokers.com. A 192.168.88.231"
+  local-data: "portainer.objectbrokers.com. A 192.168.88.231"
+  local-data: "vaultwarden.objectbrokers.com. A 192.168.88.231"
+
+view:
+  name: "tailnet"
+  view-first: yes
+  local-zone: "objectbrokers.com." transparent
+  local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
+  local-data: "photo.objectbrokers.com. A 100.81.165.11"
+  local-data: "gitea.objectbrokers.com. A 100.81.165.11"
+  local-data: "portainer.objectbrokers.com. A 100.81.165.11"
+  local-data: "vaultwarden.objectbrokers.com. A 100.81.165.11"
+
+remote-control:
+  control-enable: yes
+  control-interface: /run/unbound.ctl
+
+

usr/local/etc/unbound/unbound.conf.d/remote-control.conf

@@ -0,0 +1,5 @@
+remote-control:
+  control-enable: yes
+  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+  # it is possible to use a unix socket too
+  control-interface: /run/unbound.ctl