From ccd352f937f654318bf8a60c725bd16f64ca2d42 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Mon, 22 Jul 2024 12:31:03 +0100
Subject: [PATCH] bind: explicitly dnssec and memory option
---
 cookbooks/bind/templates/default/named.options.erb | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/cookbooks/bind/templates/default/named.options.erb b/cookbooks/bind/templates/default/named.options.erb
index ac4f32303..b175b6839 100644
--- a/cookbooks/bind/templates/default/named.options.erb
+++ b/cookbooks/bind/templates/default/named.options.erb
@@ -12,5 +12,14 @@ options {
 # Listen on any IPv6 interfaces
 listen-on-v6 { any; };
+
+ # Ensure dnssec validation is enabled using embedded trust anchors
+ dnssec-validation auto;
+
+ # Set reasonably memory limit for cache
+ max-cache-size 10%;
+
+ # Ensure dnssec synth is disabled
+ synth-from-dnssec no;
 };
-- 
2.39.5
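Review bot: The comment above `synth-from-dnssec no;` only restates the setting and gives no reason for turning synthesis off, even though the same hunk enables validation with `dnssec-validation auto;`. I would record the rationale next to it, for example `# Do not synthesise negative answers from cached NSEC records (RFC 8198): <reason or issue link>`, so a later reader does not flip it back without knowing the trade-off. The comment on `max-cache-size 10%;` should read `# Set a reasonable memory limit for the cache (percentage of physical memory)`. The template is rendered unconditionally, so presumably every node's BIND must recognise all three options or named will reject the configuration; running `named-checkconf` on the rendered file before reload would catch that. The `options { … }` block begins outside the hunk, so any existing settings that interact with these lines are not visible here.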