Merge pull request ajjahn#146 from code-management/dnssec-enable
Control whether DNS-SEC support is enabled/disabled
solarkennedy committed Dec 10, 2015
2 parents b5ec766 + 4fddabb commit 7771114
Showing 4 changed files with 37 additions and 2 deletions.
14 changes: 14 additions & 0 deletions manifests/server/options.pp
Expand Up @@ -71,6 +71,14 @@
# included). Default is "absent" on RedHat 5 (whose default bind
# package is too old to include dnssec validation), and "auto" on
# Debian and on RedHat 6 and above.
# Note: If *dnssec_enable* is set to false, this option is ignored.
#
#
# [*dnssec_enable*]
# Controls whether to enable/disable DNS-SEC support. Boolean.
# Default is false on RedHat 5 (for the same reasons as
# dnssec_validation above), and true on Debian and on RedHat 6
# and above.
#
# === Examples
#
Expand All @@ -95,6 +103,7 @@
$zone_notify = undef,
$also_notify = [],
$dnssec_validation = $dns::server::params::default_dnssec_validation,
$dnssec_enable = $dns::server::params::default_dnssec_enable,
) {
$valid_check_names = ['fail', 'warn', 'ignore']
$cfg_dir = $::dns::server::params::cfg_dir
Expand Down Expand Up @@ -139,6 +148,11 @@
fail("The dnssec_validation must be ${valid_dnssec_validation}")
}

validate_bool($dnssec_enable)
if (! $dnssec_enable) and ($dnssec_validation != undef) {
warning('dnssec_enable is false. dnssec_validation will be ignored.')
}

file { $title:
ensure => present,
owner => $::dns::server::params::owner,
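Review bot: The guard `if (! $dnssec_enable) and ($dnssec_validation != undef)` warns on every default RedHat 5 run, because dnssec_validation defaults to the string 'absent' on that platform rather than undef, so "dnssec_validation will be ignored" is logged even though nothing is being ignored. Comparing against the value the template actually suppresses, `if (! $dnssec_enable) and ($dnssec_validation != 'absent') {`, keeps the warning for the case its message describes. The new [*dnssec_enable*] doc could also state that setting it to false removes both `dnssec-enable` and `dnssec-validation` from named.conf.options, so a reader of the manifest knows the resolver stops validating rather than merely stops signing. The enclosing define dns::server::options starts and ends outside these hunks.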
3 changes: 3 additions & 0 deletions manifests/server/params.pp
Expand Up @@ -15,6 +15,7 @@
$service = 'bind9'
$default_file = '/etc/default/bind9'
$default_template = 'default.debian.erb'
$default_dnssec_enable = true
$default_dnssec_validation = 'auto'
case $::operatingsystemmajrelease {
'8': {
Expand All @@ -40,8 +41,10 @@
$default_file = '/etc/sysconfig/named'
$default_template = 'default.redhat.erb'
if $::operatingsystemmajrelease =~ /^[1-5]$/ {
$default_dnssec_enable = false
$default_dnssec_validation = 'absent'
} else {
$default_dnssec_enable = true
$default_dnssec_validation = 'auto'
}
}
14 changes: 14 additions & 0 deletions spec/defines/dns__server__options_spec.rb
Expand Up @@ -245,41 +245,55 @@
{ :osfamily => 'RedHat', :operatingsystemmajrelease => '5', :concat_basedir => '/tmp' }
end
it { should contain_file('/etc/bind/named.conf.options').without_content(/dnssec-validation/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable no/) }
end

context 'default value of dnssec_validation on RedHat 6' do
let :facts do
{ :osfamily => 'RedHat', :operatingsystemmajrelease => '6', :concat_basedir => '/tmp' }
end
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-validation auto/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'default value of dnssec_validation on Debian' do
let :facts do
{ :osfamily => 'Debian', :concat_basedir => '/tmp' }
end
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-validation auto/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'passing `false` to dnssec_enable' do
let :params do
{ :dnssec_enable => false}
end
it { should contain_file('/etc/bind/named.conf.options').without_content(/dnssec-validation/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable no/) }
end

context 'passing `absent` to dnssec_validation' do
let :params do
{ :dnssec_validation => 'absent' }
end
it { should contain_file('/etc/bind/named.conf.options').without_content(/dnssec-validation/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'passing `auto` to dnssec_validation' do
let :params do
{ :dnssec_validation => 'auto' }
end
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-validation auto/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'passing `yes` to dnssec_validation' do
let :params do
{ :dnssec_validation => 'yes' }
end
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-validation yes/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'passing `no` to dnssec_validation' do
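Review bot: The new `validate_bool($dnssec_enable)` in options.pp has no spec here: every added example passes a real boolean or relies on the default, so a string such as `'false'` (which Puppet would otherwise treat as truthy and render as `dnssec-enable yes`) is never shown to be rejected. A context that passes `'false'` and expects a `Puppet::Error` would pin that, matching the message validate_bool raises (something like `/is not a boolean/`; confirm against the stdlib version in use). Also `{ :dnssec_enable => false}` is missing the space before `}` that the sibling hashes have, and the three contexts named 'default value of dnssec_validation on …' now assert dnssec-enable as well, so 'default values of dnssec options on …' would keep the names honest. The enclosing describe block starts and ends outside the hunk.
```ruby
context 'passing a non-boolean to dnssec_enable' do
  let :params do
    { :dnssec_enable => 'false' }
  end
  it { expect { should contain_file('/etc/bind/named.conf.options') }.to raise_error(Puppet::Error, /is not a boolean/) }
end
```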
8 changes: 6 additions & 2 deletions templates/named.conf.options.erb
Expand Up @@ -99,9 +99,13 @@ also-notify {
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
<% if @dnssec_validation != 'absent' -%>
<% if @dnssec_enable -%>
dnssec-enable yes;
<% if @dnssec_validation != 'absent' -%>
dnssec-validation <%= @dnssec_validation %>;
<% end -%>
<% else -%>
dnssec-enable no;
<% end -%>

auth-nxdomain no; # conform to RFC1035
};
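Review bot: When `@dnssec_enable` is false the template now drops `dnssec-validation` without any trace in the rendered file, so an operator who explicitly set dnssec_validation and reads named.conf.options cannot tell why it is missing. A rendered comment in the `<% else -%>` branch, `// dnssec-validation omitted: dnssec_enable is false`, makes the downgrade visible at the point it is applied and gives anyone auditing the config a string to search for. Whether BIND still applies a default validation policy when the directive is absent is not shown on this page, so the effect of the omission is inferred from `dnssec-enable no` alone. The enclosing `options { … }` block starts outside the hunk.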
