From: Grant Slater <github@firefishy.com>
Date: Mon, 22 Jul 2024 11:31:03 +0000 (+0100)
Subject: bind: explicitly dnssec and memory option
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/ccd352f937f654318bf8a60c725bd16f64ca2d42

bind: explicitly dnssec and memory option
---

diff --git a/cookbooks/bind/templates/default/named.options.erb b/cookbooks/bind/templates/default/named.options.erb
index ac4f32303..b175b6839 100644
--- a/cookbooks/bind/templates/default/named.options.erb
+++ b/cookbooks/bind/templates/default/named.options.erb
@@ -12,5 +12,14 @@ options {
 
 	# Listen on any IPv6 interfaces
 	listen-on-v6 { any; };
+
+	# Ensure dnssec validation is enabled using embedded trust anchors
+	dnssec-validation auto;
+
+	# Set reasonably memory limit for cache
+	max-cache-size 10%;
+
+	# Ensure dnssec synth is disabled
+	synth-from-dnssec no;
 };