
Merge "Set minimal-responses in BIND backend configuration"

tags/13.3.0
Zuul 10 months ago
parent
commit
0f39d17135
1 changed files with 9 additions and 0 deletions
  1. 9
    0
      manifests/backend/bind9.pp

+ 9
- 0
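--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@@ -44,6 +44,15 @@ class designate::backend::bind9 (
     order   => '20',
   }
 
+  # Recommended by Designate docs as a mitigation for potential cache
+  # poisoning attacks:
+  # https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
+  concat::fragment { 'dns minimal-responses':
+    target  => $::dns::optionspath,
+    content => 'minimal-responses yes;',
+    order   => '21',
+  }
+
   # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
   # Debian. Both groups only have read access but require write permission in
   # order to be able to use rndc addzone/delzone commands that Designate uses.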
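Review bot: The new `dns minimal-responses` fragment sets `content => 'minimal-responses yes;'` with no trailing newline, so how it lands in `$::dns::optionspath` depends on the neighbouring fragments and on the concat resource's `ensure_newline` setting, neither of which is visible in this hunk. If the order-'20' fragment ends in a comment or also lacks a newline, the statement is at best fused onto that line and at worst commented out, which would silently drop the cache-poisoning mitigation; `content => "minimal-responses yes;\n",` (double-quoted so `\n` is interpreted) avoids that. The commit touches only this manifest, so a spec assertion that the catalog contains this fragment with that content would keep the mitigation from regressing unnoticed. The class body starts and ends outside the hunk.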
