From: Tom Hughes
Date: Tue, 7 Jan 2020 14:54:56 +0000 (+0000)
Subject: Disable DNSSEC validation at equinix
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/1888f367640982aff79ddec33a63153b73f3291c

Disable DNSSEC validation at equinix
---
diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb
index f7db87730..a98942e4b 100644
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -9,3 +9,4 @@ default[:networking][:firewall][:mangle] = true
 default[:networking][:interfaces] = {}
 default[:networking][:nameservers] = []
 default[:networking][:search] = []
+default[:networking][:dnssec] = "allow-downgrade"
diff --git a/cookbooks/networking/templates/default/resolved.conf.erb b/cookbooks/networking/templates/default/resolved.conf.erb
index 035d692df..d57e78828 100644
--- a/cookbooks/networking/templates/default/resolved.conf.erb
+++ b/cookbooks/networking/templates/default/resolved.conf.erb
@@ -2,4 +2,4 @@
 DNS=<%= node[:networking][:nameservers].join(" ") %>
 FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
 Domains=<%= node[:networking][:search].join(" ") %>
-DNSSEC=allow-downgrade
+DNSSEC=<%= node[:networking][:dnssec] %>
diff --git a/roles/equinix.rb b/roles/equinix.rb
index 5baba9ac0..9318fb2d0 100644
--- a/roles/equinix.rb
+++ b/roles/equinix.rb
@@ -4,6 +4,7 @@ description "Role applied to all servers at Equinix"
 default_attributes(
 :networking => {
 :nameservers => ["8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"],
+ :dnssec => "no",
 :roles => {
 :internal => {
 :inet => {
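Review bot: The new `default[:networking][:dnssec]` attribute carries no comment saying which values are accepted, even though the value is written verbatim into resolved.conf by the template changed in this commit. I would add a line above it such as `# systemd-resolved DNSSEC= mode: "yes", "no" or "allow-downgrade"`, so that a role author does not set a Ruby boolean or a misspelt mode. It would also help to say in that comment that `allow-downgrade` is the fleet default and that roles overriding it are weakening validation for their hosts.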
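Review bot: `DNSSEC=<%= node[:networking][:dnssec] %>` writes whatever a role or node sets, with no check against the modes systemd-resolved understands. A misspelt or nil value would most likely be rejected when resolved parses the file, leaving the host on the build's default DNSSEC mode rather than the one the cookbook intended, and nothing in the Chef run would flag it. A guard at the top of the template, for example `<% raise "invalid networking.dnssec" unless %w[yes no allow-downgrade].include?(node[:networking][:dnssec].to_s) %>`, or the same check in the recipe that renders it (not visible here), fails the converge instead. The template's first line is outside the hunk.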
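Review bot: `:dnssec => "no"` switches validation off for every server in the role, and neither the commit message nor the role records why or for how long. These hosts forward to public resolvers, and the visible template lines set no DNS-over-TLS option, so with validation off an answer altered between the host and the resolver is accepted as-is, whereas `allow-downgrade` still validated whenever the upstream supported it. I would put the reason and a revisit condition next to the setting, for example `# DNSSEC validation fails at this site because <reason>; restore allow-downgrade once <condition>`. If only some hosts are affected, a node-level override would keep the rest of the site validating. The `default_attributes` call continues past the hunk.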