From e39253c6fb2888521215a495c516dcad0a02abb5 Mon Sep 17 00:00:00 2001 From: Damian Lukowski Date: Mon, 9 Mar 2020 09:32:14 +0100 Subject: [PATCH] Introduce several dnssec related zone options --- manifests/zone.pp | 4 ++++ spec/defines/dns_zone_spec.rb | 25 +++++++++++++++++++++++++ templates/named.zone.erb | 12 ++++++++++++ 3 files changed, 41 insertions(+) diff --git a/manifests/zone.pp b/manifests/zone.pp index cef2330d..75dfabb7 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -51,6 +51,10 @@ Optional[Enum['yes', 'no', 'explicit']] $dns_notify = undef, Hash[String, Hash[String, Data]] $update_policy_rules = {}, # deprecated Optional[Dns::UpdatePolicy] $update_policy = undef, + Optional[Stdlib::Absolutepath] $key_directory = undef, + Optional[Enum['yes', 'no']] $inline_signing = undef, + Optional[Enum['yes', 'no']] $dnssec_secure_to_insecure = undef, + Optional[Enum['allow', 'maintain', 'off']] $auto_dnssec = undef, ) { $_contact = pick($contact, "root.${zone}.") diff --git a/spec/defines/dns_zone_spec.rb b/spec/defines/dns_zone_spec.rb index ac6aaf24..79044753 100644 --- a/spec/defines/dns_zone_spec.rb +++ b/spec/defines/dns_zone_spec.rb @@ -427,4 +427,29 @@ end end + context 'when several dnssec related parameters are set' do + let(:params) { { + :inline_signing => 'yes', + :dnssec_secure_to_insecure => 'yes', + :key_directory => '/etc/bind/keys', + :auto_dnssec => 'maintain', + } } + + it "should have valid zone configuration" do + verify_concat_fragment_exact_contents(catalogue, 'dns_zones+10__GLOBAL__example.com.dns', [ + 'zone "example.com" {', + ' type master;', + ' file "/var/named/dynamic/db.example.com";', + ' auto-dnssec maintain;', + ' dnssec-secure-to-insecure yes;', + ' inline-signing yes;', + ' key-directory "/etc/bind/keys";', + ' update-policy {', + ' grant rndc-key zonesub ANY;', + ' };', + '};', + ]) + end + end + end diff --git a/templates/named.zone.erb b/templates/named.zone.erb index a8ffc499..bf9c2a0e 100644 
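Review bot: The four new parameters in the `dns::zone` signature are added without any explanation at the point of declaration, and `$dnssec_secure_to_insecure` in particular has a security effect that a caller should see before enabling it. With `yes`, BIND lets a dynamic update that deletes the apex DNSKEY RRset turn a signed zone into an unsigned one, which silently removes DNSSEC protection for resolvers that validate it. I would add to the parameter documentation (it lives outside this hunk, so I cannot see whether it was updated) something like `# @param dnssec_secure_to_insecure 'yes' allows a dynamic update that removes all DNSKEY records to unsign the zone; leave unset unless the zone is being unsigned on purpose`. For `$key_directory` a similar line should state that the directory holds private signing keys and that this define, as far as the hunk shows, does not create it or manage its ownership and mode. The body of the define continues outside the hunk.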
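Review bot: The new context in `dns_zone_spec.rb` asserts only the case where all four options are set to valid values on a master zone, so nothing pins the type constraints that are the only input validation these values get before they are written into the zone stanza. A second context with, for example, `:auto_dnssec => 'on'` and `it { is_expected.to compile.and_raise_error(/auto_dnssec/) }`, plus one with a relative `:key_directory`, would keep a later loosening of the `Enum`/`Stdlib::Absolutepath` types from going unnoticed. The enclosing `describe` block starts and ends outside the hunk.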
--- a/templates/named.zone.erb
+++ b/templates/named.zone.erb
@@ -22,6 +22,18 @@ zone "<%= @zone %>" {
 };
 <% end -%>
 <% end -%>
+<% if @auto_dnssec -%>
+ auto-dnssec <%= @auto_dnssec %>;
+<% end -%>
+<% if @dnssec_secure_to_insecure -%>
+ dnssec-secure-to-insecure <%= @dnssec_secure_to_insecure %>;
+<% end -%>
+<% if @inline_signing -%>
+ inline-signing <%= @inline_signing %>;
+<% end -%>
+<% if @key_directory -%>
+ key-directory "<%= @key_directory %>";
+<% end -%>
 <% unless @zonetype == 'forward' -%>
 <% unless @allow_transfer.empty? -%>
 allow-transfer { <%= @allow_transfer.join('; ') %>; };
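Review bot: The twelve added lines sit above the existing `<% unless @zonetype == 'forward' -%>` guard, so `auto-dnssec`, `dnssec-secure-to-insecure`, `inline-signing` and `key-directory` are also rendered for forward zones, where signing options have no meaning and, to my knowledge, make `named-checkconf` reject the configuration. Moving the block to directly after `<% unless @zonetype == 'forward' -%>` keeps it out of forward zones without changing the output for master and slave zones. Separately, `key-directory "<%= @key_directory %>";` writes the value unescaped between double quotes, and `Stdlib::Absolutepath` does not, as far as I know, exclude `"` or `;`. A stricter pattern on the parameter would stop a malformed Hiera value from changing the rest of the zone stanza. The template continues outside the hunk on both sides.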