diff --git a/attributes/designate_conf.rb b/attributes/designate_conf.rb
index 12e5c70..a7abf45 100644
--- a/attributes/designate_conf.rb
+++ b/attributes/designate_conf.rb
@@ -29,3 +29,4 @@ default['openstack']['dns']['conf']['keystone_authtoken']['username'] = 'designa
 default['openstack']['dns']['conf']['keystone_authtoken']['project_name'] = 'service'
 default['openstack']['dns']['conf']['keystone_authtoken']['project_domain_name'] = 'Default'
 default['openstack']['dns']['conf']['keystone_authtoken']['user_domain_name'] = 'Default'
+default['openstack']['dns']['conf']['keystone_authtoken']['keystone_authtoken.service_token_roles_required'] = 'True'
diff --git a/recipes/common.rb b/recipes/common.rb
index 77876a8..956e373 100644
--- a/recipes/common.rb
+++ b/recipes/common.rb
@@ -46,10 +46,6 @@ if node['openstack']['mq']['service_type'] == 'rabbit'
   node.default['openstack']['dns']['conf_secrets']['DEFAULT']['transport_url'] = rabbit_transport_url 'dns'
   # Note(jh): Workaround for https://bugs.launchpad.net/designate/+bug/1673403
   # Stolen from rabbit_transport_url() in openstack-common/libraries/endpoints.rb
-  mq_user = node['openstack']['mq']['dns']['rabbit']['userid']
-  node.default['openstack']['dns']['conf_secrets']['oslo_messaging_rabbit']['rabbit_userid'] = mq_user
-  node.default['openstack']['dns']['conf_secrets']['oslo_messaging_rabbit']['rabbit_password'] = get_password 'user', mq_user
-  node.default['openstack']['dns']['conf_secrets']['oslo_messaging_rabbit']['rabbit_virtual_host'] = node['openstack']['mq']['vhost']
   mq_port = node['openstack']['endpoints']['mq']['port']
   url = ''
   if node['openstack']['mq']['cluster']
@@ -61,11 +57,11 @@ if node['openstack']['mq']['service_type'] == 'rabbit'
     bind_mq_address = bind_address node['openstack']['bind_service']['mq']
     url += "#{bind_mq_address}:#{mq_port}"
   end
-  node.default['openstack']['dns']['conf_secrets']['oslo_messaging_rabbit']['rabbit_hosts'] = url
 end
 
 db_user = node['openstack']['db']['dns']['username']
 db_pass = get_password 'db', 'designate'
+sql_connection = db_uri 'dns', db_user, db_pass
 
 bind_services = node['openstack']['bind_service']['all']
 api_bind = bind_services['dns-api']
@@ -74,8 +70,9 @@ identity_endpoint = internal_endpoint 'identity'
 
 # define attributes that are needed in designate.conf
 node.default['openstack']['dns']['conf'].tap do |conf|
-  conf['service:api']['api_host'] = bind_address api_bind
-  conf['service:api']['api_port'] = api_bind['port']
+  conf['database']['connection'] = sql_connection
+  conf['listen']['api_host'] = bind_address api_bind
+  conf['listen']['api_port'] = api_bind['port']
   conf['keystone_authtoken']['auth_url'] = identity_endpoint.to_s
   conf['keystone_authtoken']['www_authenticate_uri'] = identity_endpoint.to_s
 end
diff --git a/spec/default_spec.rb b/spec/default_spec.rb
index 5fad027..d7d2a27 100644
--- a/spec/default_spec.rb
+++ b/spec/default_spec.rb
@@ -1,5 +1,3 @@
-require 'spec_helper'
-
 describe 'default recipe on Ubuntu 16.04' do
   let(:chef_run) do
     ChefSpec::ServerRunner.new do |node|