Control whether DNS-SEC support is enabled/disabled #146

Merged
merged 5 commits into from
Dec 10, 2015
14 changes: 14 additions & 0 deletions manifests/server/options.pp
Expand Up @@ -71,6 +71,14 @@
# included). Default is "absent" on RedHat 5 (whose default bind
# package is too old to include dnssec validation), and "auto" on
# Debian and on RedHat 6 and above.
# Note: If *dnssec_enable* is set to false, this option is ignored.
#
#
# [*dnssec_enable*]
# Controls whether to enable/disable DNS-SEC support. Boolean.
# Default is false on RedHat 5 (for the same reasons as
# dnssec_validation above), and true on Debian and on RedHat 6
# and above.
#
# === Examples
#
Expand All @@ -95,6 +103,7 @@
$zone_notify = undef,
$also_notify = [],
$dnssec_validation = $dns::server::params::default_dnssec_validation,
$dnssec_enable = $dns::server::params::default_dnssec_enable,
) {
$valid_check_names = ['fail', 'warn', 'ignore']
$cfg_dir = $::dns::server::params::cfg_dir
Expand Down Expand Up @@ -139,6 +148,11 @@
fail("The dnssec_validation must be ${valid_dnssec_validation}")
}

validate_bool($dnssec_enable)
if (! $dnssec_enable) and ($dnssec_validation != undef) {
warning('dnssec_enable is false. dnssec_validation will be ignored.')
}

file { $title:
ensure => present,
owner => $::dns::server::params::owner,
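Review bot: The new guard `if (! $dnssec_enable) and ($dnssec_validation != undef)` compares against `undef`, but the parameter is never undef by default: the documentation above gives its default as 'absent' on RedHat 5 and 'auto' elsewhere, and RedHat 5 is exactly where `dnssec_enable` now defaults to false, so every default RedHat 5 catalog emits a spurious "dnssec_validation will be ignored" warning. Comparing against the value that already means "emit nothing" keeps the warning for real conflicts only: `if (! $dnssec_enable) and ($dnssec_validation != 'absent') {`. The warning itself is worth keeping, since an operator who set `dnssec_validation => 'yes'` and also disabled DNSSEC would otherwise run a resolver with no response validation and no indication why. The enclosing define `dns::server::options` starts and ends outside this hunk.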
3 changes: 3 additions & 0 deletions manifests/server/params.pp
Expand Up @@ -15,6 +15,7 @@
$service = 'bind9'
$default_file = '/etc/default/bind9'
$default_template = 'default.debian.erb'
$default_dnssec_enable = true
$default_dnssec_validation = 'auto'
case $::operatingsystemmajrelease {
'8': {
Expand All @@ -40,8 +41,10 @@
$default_file = '/etc/sysconfig/named'
$default_template = 'default.redhat.erb'
if $::operatingsystemmajrelease =~ /^[1-5]$/ {
$default_dnssec_enable = false
$default_dnssec_validation = 'absent'
} else {
$default_dnssec_enable = true
$default_dnssec_validation = 'auto'
}
}
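Review bot: The reason RedHat 1–5 gets `$default_dnssec_enable = false` lives only in the parameter documentation in manifests/server/options.pp; a one-line comment at the assignment inside the `=~ /^[1-5]$/` branch would keep the security-relevant rationale next to the policy it drives, e.g. `# bind on RedHat <= 5 is too old for DNSSEC; disabled by default there`. Any other osfamily branch of this case statement, if one exists outside the hunk, presumably also needs to set `$default_dnssec_enable`, otherwise `dns::server::options` would receive undef and its new `validate_bool` check would likely reject it. The enclosing params class starts and ends outside this hunk.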
14 changes: 14 additions & 0 deletions spec/defines/dns__server__options_spec.rb
Expand Up @@ -245,41 +245,55 @@
{ :osfamily => 'RedHat', :operatingsystemmajrelease => '5', :concat_basedir => '/tmp' }
end
it { should contain_file('/etc/bind/named.conf.options').without_content(/dnssec-validation/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable no/) }
end

context 'default value of dnssec_validation on RedHat 6' do
let :facts do
{ :osfamily => 'RedHat', :operatingsystemmajrelease => '6', :concat_basedir => '/tmp' }
end
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-validation auto/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'default value of dnssec_validation on Debian' do
let :facts do
{ :osfamily => 'Debian', :concat_basedir => '/tmp' }
end
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-validation auto/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'passing `false` to dnssec_enable' do
let :params do
{ :dnssec_enable => false}
end
it { should contain_file('/etc/bind/named.conf.options').without_content(/dnssec-validation/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable no/) }
end

context 'passing `absent` to dnssec_validation' do
let :params do
{ :dnssec_validation => 'absent' }
end
it { should contain_file('/etc/bind/named.conf.options').without_content(/dnssec-validation/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'passing `auto` to dnssec_validation' do
let :params do
{ :dnssec_validation => 'auto' }
end
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-validation auto/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'passing `yes` to dnssec_validation' do
let :params do
{ :dnssec_validation => 'yes' }
end
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-validation yes/) }
it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable yes/) }
end

context 'passing `no` to dnssec_validation' do
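Review bot: The new 'passing `false` to dnssec_enable' context only exercises the default `dnssec_validation`, so the path that matters most for a misconfiguration — DNSSEC disabled while `dnssec_validation` is explicitly set, where options.pp now warns and the template must still omit `dnssec-validation` — has no test, and the rejection of a non-boolean by `validate_bool($dnssec_enable)` (a quoted 'false' coming from Hiera is the typical mistake) is untested as well. Two further contexts placed next to the new one cover both. The facts these contexts run under are presumably inherited from an outer `let`, which is outside the hunk; the enclosing describe block starts and ends outside it too.
```ruby
context 'passing `false` to dnssec_enable with an explicit dnssec_validation' do
  let :params do
    { :dnssec_enable => false, :dnssec_validation => 'auto' }
  end
  it { should contain_file('/etc/bind/named.conf.options').without_content(/dnssec-validation/) }
  it { should contain_file('/etc/bind/named.conf.options').with_content(/dnssec-enable no/) }
end

context 'passing a non-boolean to dnssec_enable' do
  let :params do
    { :dnssec_enable => 'false' }
  end
  it { expect { should contain_file('/etc/bind/named.conf.options') }.to raise_error(Puppet::Error, /is not a boolean/) }
end
# … unchanged: remaining dnssec_validation contexts …
```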
8 changes: 6 additions & 2 deletions templates/named.conf.options.erb
Expand Up @@ -99,9 +99,13 @@ also-notify {
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
<% if @dnssec_validation != 'absent' -%>
<% if @dnssec_enable -%>
dnssec-enable yes;
<% if @dnssec_validation != 'absent' -%>
dnssec-validation <%= @dnssec_validation %>;
<% end -%>
<% else -%>
dnssec-enable no;
<% end -%>

auth-nxdomain no; # conform to RFC1035
};
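Review bot: In the new `<% else -%>` branch the rendered named.conf.options gives an operator no hint why `dnssec-validation` is missing, and a resolver running without DNSSEC validation is exactly the state worth explaining at the point it is configured. A comment emitted into the generated file, e.g. `// dnssec_enable is false in dns::server::options; dnssec-validation is omitted because it is ignored when DNSSEC is disabled`, placed just before `dnssec-enable no;`, records that for whoever reads the config on the host. The surrounding `options {` block opens outside this hunk and appears to close at the `};` on its last line.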