nameserver: Optionally disable DNSSEC

Signed-off-by: David Galloway <david.galloway@ibm.com>

diff --git a/roles/nameserver/README.rst b/roles/nameserver/README.rst
index 56209b5766922f24ba9ddd419c8be5ff63e6f2c0..fb2bce2d0f39b86faf6c85dc1508079b46522528 100644 (file)
--- a/roles/nameserver/README.rst
+++ b/roles/nameserver/README.rst
@@ -71,6 +71,8 @@ Most variables are defined in ``roles/nameserver/defaults/main.yml`` and values
 |                                                        |                                                                                                                           |
 |                                                        |**NOTE:** Setting to "yes" will add ``allow-recursion { any; }``. See To-Do.                                               |
 +--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
+|``named_conf_dnssec_validation: "no"``                  |Optionally define whether to use DNSSEC validation.                                                                        |
++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
 |::                                                      |A list of nameservers BIND should forward external DNS queries to.  This is not required but should be defined in          |
 |                                                        |``ansible/inventory/group_vars/nameserver.yml`` if desired.                                                                |
 |  named_forwarders:                                     |                                                                                                                           |

diff --git a/roles/nameserver/templates/named.conf.j2 b/roles/nameserver/templates/named.conf.j2
index b67dcd083a9d2324a57ac83106382141008df5c0..cd94016ba02808df9cc6bff258945b85f7dbccb0 100644 (file)
--- a/roles/nameserver/templates/named.conf.j2
+++ b/roles/nameserver/templates/named.conf.j2
@@ -22,7 +22,11 @@ options {
        allow-transfer          { {% for ip in named_conf_allow_axfr -%}{{ ip }}; {% endfor -%} };
 {% endif %}
 
-        listen-on-v6 { none; };
+       listen-on-v6 { none; };
+
+{% if named_conf_dnssec_validation is defined %}
+       dnssec-validation {{ named_conf_dnssec_validation }};
+{% endif %}
 
 {% if named_conf_slave is defined and named_conf_slave == true %}
        ## Slave-specific config