Allow disabling dnssec-validation
This option may be helpful in a situation where upstream DNS servers do not support DNSSEC, and BIND9 reports "Unable to fetch DNSKEY". For production deployments, it's encouraged to keep DNSSEC enabled. Change-Id: I1c28a65ff7d8063ada795b7b2e962fbfedc32c3d Closes-Bug: #1784599
parent
4132f05db4
commit
8d1285104a
|
@ -38,3 +38,11 @@ options:
|
|||
BIND9. When using this option, ACLs should be used with
|
||||
allowed_nets and/or allowed_recursion_nets to prevent it from
|
||||
being a open resolver.
|
||||
disable-dnssec-validation:
|
||||
default: false
|
||||
type: boolean
|
||||
description: |
|
||||
Whether or not to disable DNSSEC validation. This may be helpful
|
||||
in a situation that upstream DNS servers do not support DNSSEC,
|
||||
and BIND9 reports "Unable to fetch DNSKEY". For production
|
||||
deployments, it's encouraged to keep DNSSEC enabled.
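Review bot: The description of `disable-dnssec-validation` explains when the option helps but not what is given up. With validation off, BIND9 accepts upstream answers without checking DNSSEC signatures, so spoofed or altered records are no longer detected. I would add a sentence to the description such as `When disabled, answers are not cryptographically verified, so forged responses from upstream cannot be detected.` The closing advice could also be firmer, for example `Leave this false unless the upstream servers cannot be changed.` The `options:` list starts and continues outside the hunk.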
|
||||
|
|
|
@ -33,7 +33,11 @@ options {
|
|||
// If BIND logs error messages about the root key being expired,
|
||||
// you will need to update your keys. See https://www.isc.org/bind-keys
|
||||
//========================================================================
|
||||
{% if options.disable_dnssec_validation -%}
|
||||
dnssec-validation no;
|
||||
{%- else -%}
|
||||
dnssec-validation auto;
|
||||
{%- endif %}
|
||||
|
||||
auth-nxdomain no; # conform to RFC1035
|
||||
listen-on-v6 { any; };
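Review bot: The `dnssec-validation no;` branch leaves nothing in the rendered file to show that validation was turned off deliberately. The retained comment above it about updating root keys only applies to the `auto` branch. I would add a line inside the `if` branch such as `// DNSSEC validation disabled via the disable-dnssec-validation option; answers are not authenticated`, so an operator auditing the generated config sees the reason. An undefined `options.disable_dnssec_validation` would presumably fall through to `dnssec-validation auto;`, which is the safe direction, but a render test covering both values would confirm that the hyphenated option name maps to this attribute. The `options { … }` block starts and ends outside the hunk.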
|
||||
|
|