NEW: cfnetwork::dnssec option to control systemd-resolved DNSSEC

andvgal · andvgal · commit 98dfe626b82d · 2019-06-01T13:02:27.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,9 @@
 All notable changes to this project will be documented in this file. This
 project adheres to [Semantic Versioning](http://semver.org/).
 
+## (next)
+- NEW: cfnetwork::dnssec option to control systemd-resolved DNSSEC
+
 ## 1.3.0 (2019-04-14)
 - CHANGED: to allow dash in domain names
 - CHANGED: cfnetwork::ipset to also force fetching hosts
diff --git a/README.md b/README.md
@@ -310,6 +310,7 @@ anchor:
 * `hosts = undef` - arbitrary definition of custom /etc/hosts entries based on `host` type
 * `hosts_locality = 'localtion'` - either 'location' or 'pool' for static hosts selection
 * `prefer_ipv4 = true` - prefer IPv4 address resolution over IPv6
+* `dnnsec = on` - control systemd-resolved DNSSEC option
 
 ### `cfnetwork::iface` type
 
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -44,6 +44,8 @@
         $hosts_locality = 'location',
     Boolean
         $prefer_ipv4 = true,
+    Enum['on', 'allow-downgrade', 'off']
+        $dnssec = 'on',
 ) {
     include cfnetwork::sysctl
     #---
@@ -105,7 +107,8 @@
     file { '/etc/systemd/resolved.conf':
         mode    => '0644',
         content => epp('cfnetwork/resolved.conf.epp', {
-          dns_servers => $dns_servers,
+            dns_servers => $dns_servers,
+            dnssec      => $dnssec,
         }),
     }
 
diff --git a/templates/resolved.conf.epp b/templates/resolved.conf.epp
@@ -3,7 +3,7 @@
 DNS=<%= $srv %>
 <% } } -%>
 Domains=<%= $::trusted['domain'] %>
-DNSSEC=yes
+DNSSEC=<%= $dnssec %>
 Cache=yes
 
 
