Make dnssec validation a configurable option. #124
Conversation
Default it to "absent" on RedHat 5 whose default bind package is too old for dnssec.
| if $dnssec_validation != undef { | ||
| $real_dnssec_validation = $dnssec_validation | ||
| } elsif $::osfamily == 'RedHat' and $::operatingsystemmajrelease == 5 { | ||
| $real_dnssec_validation = 'absent' |
There was a problem hiding this comment.
This is confusing to me. I would rather we just "fail", letting a user say one thing and then silently doing something else on a particular platform is surprising
|
I would prefer this functionality to be much simpler. I vote we just leave it default to auto and then have a check to "fail" when we are centos5 if we know it can't handle it. We don't really need the whole "$real_*" thing, I've seen that get out of hand in other modules. |
| @@ -119,6 +127,19 @@ | |||
| fail("The zone_notify must be ${valid_zone_notify}") | |||
| } | |||
|
|
|||
| $valid_dnssec_validation = ['yes', 'no', 'auto', 'absent'] | |||
| if $dnssec_validation != undef and !member($valid_dnssec_validation, $dnssec_validation) { | |||
| fail("The dnssec_validation must be ${valid_dnssec_validation}") | |||
There was a problem hiding this comment.
how about just using validate_re($dnssec_validation, '/^yes|no|auto$/')
There was a problem hiding this comment.
because i didn't know about validate_re :) i'll update to reflect that.
There was a problem hiding this comment.
Actually, I was following the pattern used several times earlier in the file. I can change this to validate_re - but should I change the previous checks that look the same?
Example:
if $check_names_master != undef and !member($valid_check_names, $check_names_master) {
fail("The check names policy check_names_master must be ${valid_check_names}")
}
|
Is your disagreement with the code itself that determines the default value, or with the general idea of having a different default value on RHEL 5.x than on other OSes? |
|
The general idea that the code does more complex things for el5. I don't think the complexity is worth it. I don't mind the validation for centos5, but even in our environment, just because we run centos 5 doesn't mean we run a version of bind that can't do dnssec. I think it is too presumptuous. The most presumptuous part is that if you say "yes" to this param, on centos 5 it won't show up at all. This is the surprising part. |
|
if you say "yes" to this param, it will be used no matter what. the first if clause says any value that's not I can rework this so that it doesn't use the "real_" variable pattern, by putting a selector into the parameters list for the default value of dnssec_validatio instead of having it undef; to me that makes the parameter list harder to read, but I can do it that way if you prefer - or I can put that check into the dns::server::params class, have that param class included here, and use that for the default. |
|
How about instead just use the params pattern? That way it can give a sane default depending on the OS, and we kind of "hide" the logic about selecting the default to params.pp (which is where modules traditionally hide per-distro logic) I see now what you are saying that the el5 logic only takes over if undef, I missed that. Yea please just move that to params and that will make it a bit easier to understand (for me) I think. |
Move the calculation for the default value of dnssec_validation into the dns::server::params class and include that class here to assign the default value of the dnssec_validation parameter; this simplifies the use of the parameter elsewhere.
Since we don't need a special meaning for `undef` anymore, we can use `undef` to signify that the option should be omitted.
|
grr, i might need to undo the last commit. i'm not sure if passing in And in either case, I can't write an rspec test for this case. |
Switch back to using 'absent' as the dnssec_validation parameter value that omits the dnssec-validation option, since using `undef` means that the parameter will take on its default value. Also, add rspec tests for all current dnssec_validation possibilities.
|
okay, switched back to "absent" to omit the If you want, I will submit separately to change the validation method used throughout the dns::server::options code to use validate_re rather than the member tests as used now; I'll do that as part of the PR to make dns::server::options a class rather than a defined type. Note that whether it's a defined type or a class, this module won't work if dns::server::options is not invoked at least once to generate |
|
True, but if this was class, we could have more control over the order in which is it parsed/generated. Hopefully that will make this module more user-friendly. (and like most other puppet modules) |
Make dnssec validation a configurable option.
|
I want to say thank you very much for the flood of PR's that you have been making. It is obvious to me (and hopefully the other contributors) that you rely on this module heavily and use it for real on a platform that the rest of use don't use (centos). I'm going to recommend making you a contributor after a few more PR's that fix these kind of issues! Thank you! (although, do you switch back and forth between darkfoxprime and jearls?) |
|
Yes, darkfoxprime is my home account and jearls is my work account. And I actually haven't quite started using the module officially yet, but I hope to soon - I'm still getting the puppet environment put together for work, but planning out how to use the different modules. And it may turn out that I don't use this module at all, if the rest of the team wants to continue managing DNS zone files directly. We'll see :) |
Default it to "absent" on RedHat 5 whose default bind package is too old for dnssec.