Merge "Use native puppet-dns feature to inject some options"

2023-10-30 16:28:21 +00:00 · 2023-10-30 16:28:21 +00:00 · a5a9f7ed79
commit a5a9f7ed79
parent 4c82977fa2 0c6f536bf3
2 changed files with 11 additions and 4 deletions
--- a/manifests/bind.pp
+++ b/manifests/bind.pp
@ -24,9 +24,14 @@ class openstack_integration::bind {
    allow_recursion    => [],
    listen_on_v6       => false,
    additional_options => {
-      'listen-on'     => "port 5322 { ${listen_on}; }",
-      'listen-on-v6'  => "port 5322 { ${listen_on_v6}; }",
-      'auth-nxdomain' => 'no',
+      'listen-on'         => "port 5322 { ${listen_on}; }",
+      'listen-on-v6'      => "port 5322 { ${listen_on_v6}; }",
+      'auth-nxdomain'     => 'no',
+      'allow-new-zones'   => 'yes',
+      # Recommended by Designate docs as a mitigation for potential cache
+      # poisoning attacks:
+      # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
+      'minimal-responses' => 'yes',
    },
    controls           => {
      $bind_host => {
--- a/manifests/designate.pp
+++ b/manifests/designate.pp
@ -112,6 +112,8 @@ class openstack_integration::designate {
    mdns_hosts       => [$::openstack_integration::config::host],
    rndc_config_file => '/etc/rndc.conf',
    rndc_key_file    => $::dns::params::rndckeypath,
-    manage_pool      => true
+    manage_pool      => true,
+    # Configure bind using openstack_integration::bind
+    configure_bind   => false,
  }
 }