Set minimal-responses in BIND backend configuration
This is recommended as a mitigation for a potential cache poisoning attack when using BIND with Designate.

https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation

Change-Id: I89f5b4b24558a4d8b66b2a9082fec152694e6b6a
parent 7628ccaeff
commit d7aa75209d
@ -44,6 +44,15 @@ class designate::backend::bind9 (
|
|||||||
order => '20',
|
order => '20',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Recommended by Designate docs as a mitigation for potential cache
|
||||||
|
# poisoning attacks:
|
||||||
|
# https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
|
||||||
|
concat::fragment { 'dns minimal-responses':
|
||||||
|
target => $::dns::optionspath,
|
||||||
|
content => 'minimal-responses yes;',
|
||||||
|
order => '21',
|
||||||
|
}
|
||||||
|
|
||||||
# /var/named is root:named on RedHat and /var/cache/bind is root:bind on
|
# /var/named is root:named on RedHat and /var/cache/bind is root:bind on
|
||||||
# Debian. Both groups only have read access but require write permission in
|
# Debian. Both groups only have read access but require write permission in
|
||||||
# order to be able to use rndc addzone/delzone commands that Designate uses.
|
# order to be able to use rndc addzone/delzone commands that Designate uses.
|
||||||
|
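Review bot: the new `concat::fragment { 'dns minimal-responses': }` is declared unconditionally, so a deployment that already manages `minimal-responses` in the same options file has no way to opt out of this fragment. Consider gating it behind a boolean class parameter (hypothetical name, e.g. `$minimal_responses = true`) that defaults to the hardened setting. Also, `content => 'minimal-responses yes;'` has no trailing newline; unless the concat target enforces newlines between fragments, anything ordered after '21' is appended on the same line, so a double-quoted `"minimal-responses yes;\n"` would be safer.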