From 0c6f536bf36b4a79f5064ab72543f53893637039 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 27 Oct 2023 12:34:39 +0900
Subject: [PATCH] Use native puppet-dns feature to inject some options

... instead of directly injecting options using concat::fragment.

Change-Id: I53c6c677995a39f9cb888256c5f3451c7d92d447
---
 manifests/bind.pp | 11 ++++++++---
 manifests/designate.pp | 4 +++-
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/manifests/bind.pp b/manifests/bind.pp
index 378ac3a7c..da3f75ad1 100644
--- a/manifests/bind.pp
+++ b/manifests/bind.pp
@@ -24,9 +24,14 @@ class openstack_integration::bind {
 allow_recursion => [],
 listen_on_v6 => false,
 additional_options => {
- 'listen-on' => "port 5322 { ${listen_on}; }",
- 'listen-on-v6' => "port 5322 { ${listen_on_v6}; }",
- 'auth-nxdomain' => 'no',
+ 'listen-on' => "port 5322 { ${listen_on}; }",
+ 'listen-on-v6' => "port 5322 { ${listen_on_v6}; }",
+ 'auth-nxdomain' => 'no',
+ 'allow-new-zones' => 'yes',
+ # Recommended by Designate docs as a mitigation for potential cache
+ # poisoning attacks:
+ # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
+ 'minimal-responses' => 'yes',
 },
 controls => {
 $bind_host => {
diff --git a/manifests/designate.pp b/manifests/designate.pp
index fb4bb217a..0c89cd721 100644
--- a/manifests/designate.pp
+++ b/manifests/designate.pp
@@ -112,6 +112,8 @@ class openstack_integration::designate {
 mdns_hosts => [$::openstack_integration::config::host],
 rndc_config_file => '/etc/rndc.conf',
 rndc_key_file => $::dns::params::rndckeypath,
- manage_pool => true
+ manage_pool => true,
+ # Configure bind using openstack_integration::bind
+ configure_bind => false,
 }
 }
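Review bot: `'allow-new-zones' => 'yes'` is the one new option in the bind.pp hunk that widens what the server accepts, yet it is the only added option without a comment, while `minimal-responses` gets three lines. Once it is on, whoever is accepted by the `controls` block that starts at the bottom of this hunk can add zones over the rndc channel, so the option's safety rests on that ACL and the rndc key, which are outside the hunk. Suggest documenting the intent and the dependency next to it: `# Needed so Designate can create zones via rndc; who may do so is bounded by the 'controls' ACL below.` The enclosing class `openstack_integration::bind` begins before this hunk.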
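Review bot: The comment added above `configure_bind => false` in the designate.pp hunk says where bind is configured but not what this class still relies on from it: `rndc_config_file` and `rndc_key_file` on the preceding lines must agree with the files `openstack_integration::bind` deploys, and with `configure_bind` off nothing in this hunk orders the two classes, so a mismatch would presumably surface only at runtime as rndc failures. Suggest making the coupling explicit: `# bind itself is managed by openstack_integration::bind; the rndc config/key paths above must match what that class deploys.` The enclosing class `openstack_integration::designate` begins before this hunk.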