Support for DNSoverTLS

systemd-resolved supports DNSOverTLS since version 239. Current Options for this feature are: * 'opportunistic' * 'no' There will be a 'strict' or 'yes' feature in the future. Signed-off-by: Christian Rebischke <chris@nullday.de>
voxpupuli · Oct 1, 2018 · b1a8bd0 · b1a8bd0
1 parent 10cdeb6
commit b1a8bd0
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -177,6 +177,8 @@ $manage_networkd is required if you want to reload it for new
 
 When configuring `systemd::resolved` you could set `dns_stub_resolver` to false (default) to use a *standard* `/etc/resolved.conf`, or you could set it to `true` to use the local resolver provided by `systemd-resolved`.
 
+Systemd has introduced `DNS Over TLS` in the release 239. Currently two states are supported `no` and `opportunistic`. When enabled with `opportunistic` `systemd-resolved` will start a TCP-session to a DNS server with `DNS Over TLS` support. Note that there will be no host checking for `DNS Over TLS` due to missing implementation in `systemd-resolved`.
+
 It is possible to configure the default ntp servers in /etc/systemd/timesyncd.conf:
 
 ```puppet

diff --git a/data/common.yaml b/data/common.yaml
@@ -8,6 +8,7 @@ systemd::domains: ~
 systemd::llmnr: ~
 systemd::multicast_dns: ~
 systemd::dnssec: ~
+systemd::dnsovertls: false
 systemd::cache: false
 systemd::dns_stub_listener: ~
 systemd::use_stub_resolver: false

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -36,6 +36,9 @@
 # @param dnssec
 #   Takes a boolean argument or "allow-downgrade".
 #
+# @param dnsovertls
+#   Takes a boolean argument or "opportunistic"
+#
 # @param cache
 #   Takes a boolean argument.
 #
@@ -75,6 +78,7 @@
   Optional[Variant[Boolean,Enum['resolve']]]         $llmnr,
   Optional[Variant[Boolean,Enum['resolve']]]         $multicast_dns,
   Optional[Variant[Boolean,Enum['allow-downgrade']]] $dnssec,
+  Optional[Variant[Boolean,Enum['opportunistic']]]   $dnsovertls,
   Boolean                                            $cache,
   Optional[Variant[Boolean,Enum['udp','tcp']]]       $dns_stub_listener,
   Boolean                                            $use_stub_resolver,

diff --git a/manifests/resolved.pp b/manifests/resolved.pp
@@ -31,6 +31,9 @@
 # @param dnssec
 #   Takes a boolean argument or "allow-downgrade".
 #
+# @param dnsovertls
+#   Takes a boolean argument or "opportunistic"
+#
 # @param cache
 #   Takes a boolean argument.
 #
@@ -49,6 +52,7 @@
   Optional[Variant[Boolean,Enum['resolve']]] $llmnr                = $systemd::llmnr,
   Optional[Variant[Boolean,Enum['resolve']]] $multicast_dns        = $systemd::multicast_dns,
   Optional[Variant[Boolean,Enum['allow-downgrade']]] $dnssec       = $systemd::dnssec,
+  Optional[Variant[Boolean,Enum['opportunistic']]] $dnsovertls     = $systemd::dnsovertls,
   Boolean $cache                                                   = $systemd::cache,
   Optional[Variant[Boolean,Enum['udp', 'tcp']]] $dns_stub_listener = $systemd::dns_stub_listener,
   Boolean $use_stub_resolver                                       = $systemd::use_stub_resolver,
@@ -176,6 +180,23 @@
     }
   }
 
+  $_dnsovertls = $dnsovertls ? {
+    true    => 'opportunistic',
+    false   => 'no',
+    default => $dnsovertls,
+  }
+
+  if $_dnsovertls {
+    ini_setting{ 'dnsovertls':
+      ensure  => 'present',
+      value   => $_dnsovertls,
+      setting => 'DNSOverTLS',
+      section => 'Resolve',
+      path    => '/etc/systemd/resolved.conf',
+      notify  => Service['systemd-resolved'],
+    }
+  }
+
   $_cache = $cache ? {
     true    => 'yes',
     false   => 'no',