
Document global DNS security options (#694)

* Document global DNS security options

Related changes:
* Do not create a view if externally managed.
* Allow specifying the recursion settings for public/private
  views defined by the dns-view role.

Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>

* Document public_dns_nameservers better

Also use it as the private view forwarder

Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Bogdan Dobrelya 7 years ago
parent
commit
06abd17792

+ 14 - 0
playbooks/provisioning/openstack/README.md

@@ -94,6 +94,8 @@ default hostname (usually the role name) is used.
 The `public_dns_nameservers` is a list of DNS servers accessible from all
 the created Nova servers. These will be serving as your DNS forwarders for
 external FQDNs that do not belong to the cluster's DNS domain and its subdomains.
+If you're unsure what to put in here, you can try the google or opendns servers,
+but note that some organizations may be blocking them.
 
 The `openshift_use_dnsmasq` controls either dnsmasq is deployed or not.
 By default, dnsmasq is deployed and comes as the hosts' /etc/resolv.conf file
@@ -244,6 +246,18 @@ be the case for development environments. When turned off, the servers will
 be provisioned omitting the ``yum update`` command. This brings security
 implications though, and is not recommended for production deployments.
 
+##### DNS servers security options
+
+Aside from `node_ingress_cidr` restricting public access to in-stack DNS
+servers, there are following (bind/named specific) DNS security
+options available:
+
+    named_public_recursion: 'no'
+    named_private_recursion: 'yes'
+
+External DNS servers, which is not included in the 'dns' hosts group,
+are not managed. It is up to you to configure such ones.
+
 ### Configure the OpenShift parameters
 
 Finally, you need to update the DNS entry in
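Review bot: the new "DNS servers security options" section lists `named_public_recursion` and `named_private_recursion` but never says what they control or why the defaults differ. One sentence would do: with `recursion 'no'` the public view, which is what `node_ingress_cidr` exposes, only answers for the zone it hosts and cannot be used as an open resolver, while the private view serving the cluster hosts keeps `recursion 'yes'` and resolves outside names through `public_dns_nameservers`. Add a warning that switching public recursion to 'yes' turns the in-stack servers into a recursive resolver for whatever `node_ingress_cidr` admits. Grammar in the same hunk: "there are following (bind/named specific) DNS security options" should read "the following (bind/named specific) DNS security options are", and "External DNS servers, which is not included in the 'dns' hosts group, are not managed. It is up to you to configure such ones." should read "External DNS servers, i.e. those not in the `dns` hosts group, are not managed by these playbooks; configuring them is up to you."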

+ 4 - 0
playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml

@@ -92,6 +92,10 @@ rhsm_register: False
 #    key_algorithm: 'hmac-md5'
 #    server: '192.168.1.2'
 
+# # Customize DNS server security options
+#named_public_recursion: 'no'
+#named_private_recursion: 'yes'
+
 
 # NOTE(shadower): Do not change this value. The Ansible user is currently
 # hardcoded to `openshift`.
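Review bot: the commented-out sample repeats the role defaults verbatim, so uncommenting it changes nothing, which is acceptable for a sample inventory, but the leading "# #" marker is doubled and the block gives no hint what either knob does. Suggest a single-hash comment such as "# Customize DNS server security options (bind recursion per view; keep the values quoted so YAML does not parse yes/no as booleans)", since an unquoted `no` in an inventory becomes the boolean False rather than the string bind expects.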

+ 4 - 0
roles/dns-views/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+external_nsupdate_keys: {}
+named_private_recursion: 'yes'
+named_public_recursion: 'no'
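Review bot: `external_nsupdate_keys: {}` is introduced as a role default with no comment, yet it is the switch that makes the dns-views tasks skip generating the private or public view when a matching key is present; a one-line comment here would spare a reader the trip to tasks/main.yml. Also note that the two recursion values are deliberately quoted strings: an unquoted `yes`/`no` supplied from an inventory is parsed as a YAML boolean, and if the named.conf template interpolates the variable as-is the result (for example `recursion False;`) is not a valid bind option, so the README should tell operators to keep the quotes or the role should normalize the value.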

+ 6 - 1
roles/dns-views/tasks/main.yml

@@ -8,18 +8,23 @@
   set_fact:
     private_named_view:
       - name: "private"
+        recursion: "{{ named_private_recursion }}"
         acl_entry: "{{ acl_list }}"
         zone:
           - dns_domain: "{{ full_dns_domain }}"
+        forwarder: "{{ public_dns_nameservers }}"
+  when: external_nsupdate_keys['private'] is undefined
 
 - name: "Generate the public view"
   set_fact:
     public_named_view:
       - name: "public"
+        recursion: "{{ named_public_recursion }}"
         zone:
           - dns_domain: "{{ full_dns_domain }}"
         forwarder: "{{ public_dns_nameservers }}"
+  when: external_nsupdate_keys['public'] is undefined
 
 - name: "Generate the final named_config_views"
   set_fact:
-    named_config_views: "{{ private_named_view + public_named_view }}"
+    named_config_views: "{{ private_named_view|default([]) + public_named_view|default([]) }}"
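Review bot: the generated public view gets `recursion: "{{ named_public_recursion }}"` but, unlike the private view, no `acl_entry`, so an operator who sets `named_public_recursion: 'yes'` ends up with a recursive resolver (complete with the `public_dns_nameservers` forwarder) that answers anyone `node_ingress_cidr` lets through; either give the public view an `acl_entry` as well, or have the README state plainly that public recursion must stay 'no' unless ingress is tightly restricted. Two smaller points: `external_nsupdate_keys['private'] is undefined` only works because Jinja returns an undefined object for a missing dict key, whereas `'private' not in external_nsupdate_keys` says what is meant and survives the variable being set to something other than a dict; and the `default([])` fallbacks on the final concatenation mean both views can be skipped, leaving `named_config_views` empty, which the role should either reject or document as the fully externally managed case.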