crypto-policies: Set ns01.iad2/ns02.iad2 to use DEFAULT:SHA1 crypto-policy

ns01 and ns02 are used by internal iad2 systems for dns resolution.
This means bastion uses them for smtp outgoing at least.
Lots of dnssec servers out there still are using SHA1 signatures, and
without this the hosts will simply not resolve at all.
So, until things are better we need to set these back to allow SHA1.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2023-02-02 17:42:15 -08:00
parent 6fbab55010
commit ecce8cc965
1 changed files with 8 additions and 0 deletions

@ -25,3 +25,11 @@
tags:
- crypto-policies
- base/crypto-policies
- name: Set crypto-policy on RHEL9 dns servers to DEFAULT:SHA1
command: "update-crypto-policies --set DEFAULT:SHA1"
when: inventory_hostname.startswith(('ns01.iad2','ns02.iad2'))
check_mode: no
tags:
- crypto-policies
- base/crypto-policies
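
Review bot: `check_mode: no` on the new task means `update-crypto-policies --set DEFAULT:SHA1` really runs on the host during an `ansible-playbook --check` dry run, and because it is a bare `command:` with no `changed_when`, it re-applies the policy and reports changed on every run. Consider a read-only task that registers the output of `update-crypto-policies --show` (that one can safely keep `check_mode: no`) and run `--set` only when the result is not already `DEFAULT:SHA1`. The `when:` condition matches on hostname only, while the task name says RHEL9; adding a distribution-version test would keep the condition in line with the name if these hosts are ever rebuilt on a different release. Since the commit message describes this as needed "until things are better", a comment on the task saying it is temporary and why (DNSSEC zones still signed with SHA1) would help whoever removes it later, given that the policy applies to everything on these hosts that follows the system-wide crypto policy and not only to DNSSEC validation.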