authorZuul <zuul@review.openstack.org>2018-07-04 01:01:06 +0000
committerGerrit Code Review <review@openstack.org>2018-07-04 01:01:06 +0000
commit0f39d1713537fb7fa30b8d6856a25e95a8fdb8d3 (patch)
treeedbf8a73ddd386fae67da28584774af389f7b949
parent210ffe6c5222bc44130a45655dd4497e825d8be3 (diff)
parentd7aa75209dda69f56287f2c9436d6ac9605d70d9 (diff)
Merge "Set minimal-responses in BIND backend configuration"
-rw-r--r--manifests/backend/bind9.pp9
1 files changed, 9 insertions, 0 deletions
diff --git a/manifests/backend/bind9.pp b/manifests/backend/bind9.pp
index 2d4b465..b859bc8 100644
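--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@@ -44,6 +44,15 @@ class designate::backend::bind9 (
 order => '20',
 }
 
+# Recommended by Designate docs as a mitigation for potential cache
+# poisoning attacks:
+# https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
+concat::fragment { 'dns minimal-responses':
+target => $::dns::optionspath,
+content => 'minimal-responses yes;',
+order => '21',
+}
+
 # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
 # Debian. Both groups only have read access but require write permission in
 # order to be able to use rndc addzone/delzone commands that Designate uses.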
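Review bot: The new `dns minimal-responses` fragment's content has no trailing newline, so unless the concat target behind `$::dns::optionspath` sets `ensure_newline` (not visible here), whatever fragment sorts after order '21' is appended on the same line; `content => "minimal-responses yes;\n",` removes that dependency. The fragment is also unconditional, so a deployment that already sets `minimal-responses` in the same options block would presumably get a duplicate-option error when named loads the file; a boolean class parameter guarding the fragment would let operators opt out. The comment could add one line saying what the option does, e.g. `# Omit authority/additional records from responses unless they are required.`, so the rationale survives if the queens-pinned link moves. The body of `designate::backend::bind9` starts and ends outside this hunk.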