openstack/tripleo-heat-templates
Code Issues Proposed changes
9928adca3b
tripleo-heat-templates/environments/enable-designate.yaml
Ben Nemec c5dc8ef19a Disable recursion in Designate-managed BIND 
For security, it is best to split authoritative and recursive
nameservers.  This way a security vulnerability that only affects
one type of server won't provide an exploit for the other too.

For Designate, the managed BIND server is the authoritative one.
We can use Neutron's internal DNS server as the recursive server, or
users can point at their DNS server of choice.  To make sure our
defaults work out of the box, this change enables the Neutron
internal DNS by default and users can change that if they choose.

Since that means we no longer need recursion in BIND, we should shut
it off, which this also does.

Change-Id: I4193436fdfd05bfd641fc32b58cc9bff24310a80
2018-07-09 20:01:58 +00:00

32 lines
1.6 KiB
YAML
Raw Blame History

# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Enable Designate Service
# description: |
# EXPERIMENTAL: This service is not considered ready for production and
# should only be used for development and test purposes at this time.
#
# This environment enables the Designate services and provides sample
# configuration values for other services to allow them to integrate with
# Designate.
parameter_defaults:
# If True, enable the internal Neutron DNS server that provides name
# resolution between VMs. This parameter has no effect if
# NeutronDhcpAgentDnsmasqDnsServers is set.
# Type: boolean
NeutronEnableInternalDNS: True
# Comma-separated list of extensions enabled for the Neutron plugin.
# Type: comma_delimited_list
NeutronPluginExtensions: qos,port_security,dns
resource_registry:
OS::TripleO::Services::DesignateApi: ../docker/services/designate-api.yaml
OS::TripleO::Services::DesignateCentral: ../docker/services/designate-central.yaml
OS::TripleO::Services::DesignateMDNS: ../docker/services/designate-mdns.yaml
OS::TripleO::Services::DesignateProducer: ../docker/services/designate-producer.yaml
OS::TripleO::Services::DesignateWorker: ../docker/services/designate-worker.yaml
View Git Blame Copy Permalink