From 2cfcb6d073973025f73f37183a0fa21570a922df Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 5 Jul 2016 11:43:59 -0400 Subject: set domain-secure to internal domain. Without this set, dnssec will fail validation for internal domains, which should not be validated Change-Id: I8589332598fe97ad5218dd23825ac77af2d8def6 --- .../modules/site_config/manifests/caching_resolver.pp | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 2b08ab4c..4da13d9c 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,6 +1,8 @@ # deploy local caching resolver class site_config::caching_resolver { tag 'leap_base' + $domain = hiera('domain') + $internal_domain = $domain['internal_suffix'] # We need to make sure Package['bind9'] isn't installed because when it is, it # keeps unbound from running. Some base debian installs will install bind9, @@ -17,14 +19,15 @@ class site_config::caching_resolver { require => Package['bind9'], settings => { server => { - verbosity => '1', - interface => [ '127.0.0.1', '::1' ], - port => '53', - hide-identity => 'yes', - hide-version => 'yes', - harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ], - module-config => '"validator iterator"' + verbosity => '1', + interface => [ '127.0.0.1', '::1' ], + port => '53', + hide-identity => 'yes', + hide-version => 'yes', + harden-glue => 'yes', + access-control => [ '127.0.0.0/8 allow', '::1 allow' ], + module-config => '"validator iterator"', + domain-insecure => $internal_domain } } } -- cgit v1.2.3