diff --git a/README.md b/README.md index 7cd89a33..f8ab7ed1 100644 --- a/README.md +++ b/README.md @@ -177,6 +177,8 @@ $manage_networkd is required if you want to reload it for new When configuring `systemd::resolved` you could set `dns_stub_resolver` to false (default) to use a *standard* `/etc/resolved.conf`, or you could set it to `true` to use the local resolver provided by `systemd-resolved`. +Systemd has introduced `DNS Over TLS` in the release 239. Currently two states are supported `no` and `opportunistic`. When enabled with `opportunistic` `systemd-resolved` will start a TCP-session to a DNS server with `DNS Over TLS` support. Note that there will be no host checking for `DNS Over TLS` due to missing implementation in `systemd-resolved`. + It is possible to configure the default ntp servers in /etc/systemd/timesyncd.conf: ```puppet diff --git a/data/common.yaml b/data/common.yaml index 13950dfb..2afcc9d6 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -8,6 +8,7 @@ systemd::domains: ~ systemd::llmnr: ~ systemd::multicast_dns: ~ systemd::dnssec: ~ +systemd::dnsovertls: false systemd::cache: false systemd::dns_stub_listener: ~ systemd::use_stub_resolver: false diff --git a/manifests/init.pp b/manifests/init.pp index 6ee55889..2a9e1bb7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -36,6 +36,9 @@ # @param dnssec # Takes a boolean argument or "allow-downgrade". # +# @param dnsovertls +# Takes a boolean argument or "opportunistic" +# # @param cache # Takes a boolean argument. # 
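Review bot: The new `@param dnsovertls` docstring in manifests/init.pp ("Takes a boolean argument or "opportunistic"") is incomplete: the parameter type added later in this same diff also accepts the string `'no'`, and the sibling docstring in manifests/resolved.pp already lists it. I'd align the two so Hiera users see the full set of values: `#   Takes a boolean argument, "opportunistic" or "no". true is mapped to "opportunistic".` The README text in this diff is the only place that says host checking is absent; mirroring that one sentence here would stop readers assuming `true` gives authenticated DNS.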
@@ -66,26 +69,27 @@ # as the fallback NTP servers. Any per-interface NTP servers obtained from # systemd-networkd take precedence over this setting. requires puppetlabs-inifile class systemd ( - Hash[String,Hash[String, Any]] $service_limits, - Boolean $manage_resolved, - Enum['stopped','running'] $resolved_ensure, - Optional[Variant[Array[String],String]] $dns, - Optional[Variant[Array[String],String]] $fallback_dns, - Optional[Variant[Array[String],String]] $domains, - Optional[Variant[Boolean,Enum['resolve']]] $llmnr, - Optional[Variant[Boolean,Enum['resolve']]] $multicast_dns, - Optional[Variant[Boolean,Enum['allow-downgrade']]] $dnssec, - Boolean $cache, - Optional[Variant[Boolean,Enum['udp','tcp']]] $dns_stub_listener, - Boolean $use_stub_resolver, - Boolean $manage_networkd, - Enum['stopped','running'] $networkd_ensure, - Boolean $manage_timesyncd, - Enum['stopped','running'] $timesyncd_ensure, - Optional[Variant[Array,String]] $ntp_server, - Optional[Variant[Array,String]] $fallback_ntp_server, - Boolean $manage_accounting, - Hash[String,String] $accounting, + Hash[String,Hash[String, Any]] $service_limits, + Boolean $manage_resolved, + Enum['stopped','running'] $resolved_ensure, + Optional[Variant[Array[String],String]] $dns, + Optional[Variant[Array[String],String]] $fallback_dns, + Optional[Variant[Array[String],String]] $domains, + Optional[Variant[Boolean,Enum['resolve']]] $llmnr, + Optional[Variant[Boolean,Enum['resolve']]] $multicast_dns, + Optional[Variant[Boolean,Enum['allow-downgrade']]] $dnssec, + Optional[Variant[Boolean,Enum['opportunistic', 'no']]] $dnsovertls, + Boolean $cache, + Optional[Variant[Boolean,Enum['udp','tcp']]] $dns_stub_listener, + Boolean $use_stub_resolver, + Boolean $manage_networkd, + Enum['stopped','running'] $networkd_ensure, + Boolean $manage_timesyncd, + Enum['stopped','running'] $timesyncd_ensure, + Optional[Variant[Array,String]] $ntp_server, + Optional[Variant[Array,String]] $fallback_ntp_server, + Boolean 
$manage_accounting, + Hash[String,String] $accounting, ){ contain systemd::systemctl::daemon_reload diff --git a/manifests/resolved.pp b/manifests/resolved.pp index f34772de..7716fb8a 100644 --- a/manifests/resolved.pp +++ b/manifests/resolved.pp @@ -31,6 +31,9 @@ # @param dnssec # Takes a boolean argument or "allow-downgrade". # +# @param dnsovertls +# Takes a boolean argument or "opportunistic" or "no" +# # @param cache # Takes a boolean argument. # 
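Review bot: `Optional[Variant[Boolean,Enum['opportunistic', 'no']]] $dnsovertls` offers no value for an enforced mode, so a user who wants authenticated DNS-over-TLS cannot express it; `true` silently becomes `opportunistic`, which the README in this diff says performs no host checking. I believe later systemd releases also accept `DNSOverTLS=yes` (strict) — if that is confirmed, widening the Enum to `Enum['opportunistic', 'no', 'yes']` would let operators opt into the stronger mode without a module change. As a point of style, most of this hunk is whitespace realignment of untouched parameters, which buries the single functional line; a separate formatting commit would keep the security-relevant change reviewable. The class body continues past the end of the hunk.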
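Review bot: The resolved.pp `@param dnsovertls` docstring lists the accepted values but does not say what the boolean does, and the mapping is the part an operator can get wrong: `true` does not mean "always use TLS", it selects opportunistic mode. I'd document that explicitly, e.g. `#   Takes a boolean argument, "opportunistic" or "no". true selects "opportunistic", which systemd-resolved` / `#   does not authenticate (no host checking, see README), so it is not a guarantee of encrypted DNS.` That keeps the caveat next to the parameter rather than only in the README.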
@@ -42,16 +45,17 @@ # as /etc/resolv.conf. When "true", it uses /var/run/systemd/resolve/stub-resolv.conf # class systemd::resolved ( - Enum['stopped','running'] $ensure = $systemd::resolved_ensure, - Optional[Variant[Array[String],String]] $dns = $systemd::dns, - Optional[Variant[Array[String],String]] $fallback_dns = $systemd::fallback_dns, - Optional[Variant[Array[String],String]] $domains = $systemd::domains, - Optional[Variant[Boolean,Enum['resolve']]] $llmnr = $systemd::llmnr, - Optional[Variant[Boolean,Enum['resolve']]] $multicast_dns = $systemd::multicast_dns, - Optional[Variant[Boolean,Enum['allow-downgrade']]] $dnssec = $systemd::dnssec, - Boolean $cache = $systemd::cache, - Optional[Variant[Boolean,Enum['udp', 'tcp']]] $dns_stub_listener = $systemd::dns_stub_listener, - Boolean $use_stub_resolver = $systemd::use_stub_resolver, + Enum['stopped','running'] $ensure = $systemd::resolved_ensure, + Optional[Variant[Array[String],String]] $dns = $systemd::dns, + Optional[Variant[Array[String],String]] $fallback_dns = $systemd::fallback_dns, + Optional[Variant[Array[String],String]] $domains = $systemd::domains, + Optional[Variant[Boolean,Enum['resolve']]] $llmnr = $systemd::llmnr, + Optional[Variant[Boolean,Enum['resolve']]] $multicast_dns = $systemd::multicast_dns, + Optional[Variant[Boolean,Enum['allow-downgrade']]] $dnssec = $systemd::dnssec, + Optional[Variant[Boolean,Enum['opportunistic', 'no']]] $dnsovertls = $systemd::dnsovertls, + Boolean $cache = $systemd::cache, + Optional[Variant[Boolean,Enum['udp', 'tcp']]] $dns_stub_listener = $systemd::dns_stub_listener, + Boolean $use_stub_resolver = $systemd::use_stub_resolver, ){ assert_private() 
@@ -176,6 +180,23 @@ } } + $_dnsovertls = $dnsovertls ? { + true => 'opportunistic', + false => false, + default => $dnsovertls, + } + + if $_dnsovertls { + ini_setting{ 'dnsovertls': + ensure => 'present', + value => $_dnsovertls, + setting => 'DNSOverTLS', + section => 'Resolve', + path => '/etc/systemd/resolved.conf', + notify => Service['systemd-resolved'], + } + } + $_cache = $cache ? { true => 'yes', false => 'no', diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 0bd148a5..1fbb94d9 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -40,6 +40,7 @@ it { is_expected.not_to contain_ini_setting('multicast_dns')} it { is_expected.not_to contain_ini_setting('llmnr')} it { is_expected.not_to contain_ini_setting('dnssec')} + it { is_expected.not_to contain_ini_setting('dnsovertls')} it { is_expected.not_to contain_ini_setting('cache')} it { is_expected.not_to contain_ini_setting('dns_stub_listener')} end @@ -59,6 +60,7 @@ it { is_expected.not_to contain_ini_setting('multicast_dns')} it { is_expected.not_to contain_ini_setting('llmnr')} it { is_expected.not_to contain_ini_setting('dnssec')} + it { is_expected.not_to contain_ini_setting('dnsovertls')} it { is_expected.not_to contain_ini_setting('cache')} it { is_expected.not_to contain_ini_setting('dns_stub_listener')} end @@ -72,6 +74,7 @@ :llmnr => true, :multicast_dns => false, :dnssec => false, + :dnsovertls => 'no', :cache => true, :dns_stub_listener => 'udp', }} @@ -84,6 +87,7 @@ it { is_expected.to contain_ini_setting('multicast_dns')} it { is_expected.to contain_ini_setting('llmnr')} it { is_expected.to contain_ini_setting('dnssec')} + it { is_expected.to contain_ini_setting('dnsovertls')} it { is_expected.to contain_ini_setting('cache')} it { is_expected.to contain_ini_setting('dns_stub_listener')} end
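Review bot: In the new `$_dnsovertls` selector, `false => false` combined with `if $_dnsovertls` means `dnsovertls => false` (which is also the Hiera default added in data/common.yaml) leaves `DNSOverTLS` unmanaged, so a host that was previously set to `opportunistic` keeps that line in /etc/systemd/resolved.conf after the parameter is switched off, and `false` behaves differently from the explicit `'no'`. The smallest fix is `false   => 'no',` in the selector so the key is always written when the parameter is a boolean; if writing the key on systemd releases before 239 is a concern, keep `false` out of the selector and instead set `ensure => 'absent'` on the `ini_setting` for that case. Only `undef` should stay unmanaged, which matches how the other `Optional` parameters in this class appear to be handled.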
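Review bot: The added spec line in the `@@ -84` hunk only asserts that the `dnsovertls` ini_setting is in the catalogue, not what value it carries, so a regression in the boolean-to-string mapping (the only logic in this feature) would not be caught. With `:dnsovertls => 'no'` in the params I'd write `it { is_expected.to contain_ini_setting('dnsovertls').with_value('no') }` and add a parallel example with `:dnsovertls => true` expecting `.with_value('opportunistic')`. The `describe` block enclosing these examples starts outside the hunk.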