Allow disabling dnssec-validation

This option may be helpful in a situation that upstream DNS servers do not support DNSSEC, and BIND9 reports "Unable to fetch DNSKEY". For production deployments, it's encouraged to keep DNSSEC enabled. Change-Id: I1c28a65ff7d8063ada795b7b2e962fbfedc32c3d Closes-Bug: #1784599
2018-08-01 00:55:32 +09:00 · 2018-08-01 00:55:32 +09:00 · 8d1285104a
parent 4132f05db4
commit 8d1285104a
2 changed files with 12 additions and 0 deletions
--- a/src/config.yaml
+++ b/src/config.yaml
@ -38,3 +38,11 @@ options:
      BIND9. When using this option, ACLs should be used with
      allowed_nets and/or allowed_recursion_nets to prevent it from
      being a open resolver.
+  disable-dnssec-validation:
+    default: false
+    type: boolean
+    description: |
+      Whether or not to disable DNSSEC validation. This may be helpful
+      in a situation that upstream DNS servers do not support DNSSEC,
+      and BIND9 reports "Unable to fetch DNSKEY". For production
+      deployments, it's encouraged to keep DNSSEC enabled.
--- a/src/templates/named.conf.options
+++ b/src/templates/named.conf.options
@ -33,7 +33,11 @@ options {
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
+        {% if options.disable_dnssec_validation -%}
+        dnssec-validation no;
+        {%- else -%}
        dnssec-validation auto;
+        {%- endif %}

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };