From: David Galloway Date: Fri, 20 Feb 2026 21:52:36 +0000 (-0500) Subject: nameserver: Optionally disable DNSSEC X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F830%2Fhead;p=ceph-cm-ansible.git nameserver: Optionally disable DNSSEC Signed-off-by: David Galloway --- diff --git a/roles/nameserver/README.rst b/roles/nameserver/README.rst index 56209b57..fb2bce2d 100644 --- a/roles/nameserver/README.rst +++ b/roles/nameserver/README.rst @@ -71,6 +71,8 @@ Most variables are defined in ``roles/nameserver/defaults/main.yml`` and values | | | | |**NOTE:** Setting to "yes" will add ``allow-recursion { any; }``. See To-Do. | +--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ +|``named_conf_dnssec_validation: "no"`` |Optionally define whether to use DNSSEC validation. | ++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ |:: |A list of nameservers BIND should forward external DNS queries to. This is not required but should be defined in | | |``ansible/inventory/group_vars/nameserver.yml`` if desired. | | named_forwarders: | | diff --git a/roles/nameserver/templates/named.conf.j2 b/roles/nameserver/templates/named.conf.j2 index b67dcd08..cd94016b 100644 --- a/roles/nameserver/templates/named.conf.j2 +++ b/roles/nameserver/templates/named.conf.j2 @@ -22,7 +22,11 @@ options { allow-transfer { {% for ip in named_conf_allow_axfr -%}{{ ip }}; {% endfor -%} }; {% endif %} - listen-on-v6 { none; }; + listen-on-v6 { none; }; + +{% if named_conf_dnssec_validation is defined %} + dnssec-validation {{ named_conf_dnssec_validation }}; +{% endif %} {% if named_conf_slave is defined and named_conf_slave == true %} ## Slave-specific config
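Review bot: The new README row for `named_conf_dnssec_validation` does not say which values are accepted or what happens when the variable is unset. BIND documents `dnssec-validation` as yes, no or auto, and the template only emits the directive when the variable is defined, so the row should list those three values and state that leaving it undefined keeps BIND's built-in default. It is also worth saying that the quotes in `"no"` are required: an unquoted YAML `no` is parsed as a boolean and would be rendered by the template as `False`. Since the commit subject is about disabling DNSSEC, the description should add one sentence on the consequence, namely that with validation off the server accepts unsigned or unverifiable answers from the configured `named_forwarders`.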
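Review bot: In the named.conf.j2 hunk, the `{% if named_conf_dnssec_validation is defined %}` guard writes whatever the variable holds into `dnssec-validation {{ named_conf_dnssec_validation }};` with no check on the value, so an empty string, a YAML boolean or a typo ends up in named.conf. Suggest restricting it to the documented values, for example by testing `named_conf_dnssec_validation in ['yes', 'no', 'auto']` in the template or asserting it in a task, so a bad value fails the play rather than reaching the running nameserver. Separately, the `listen-on-v6 { none; };` line is removed and re-added with the same content, which reads as a whitespace-only change; drop it from the patch if it was not intended.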