From ecce8cc965dcb4b234b394602b0421883a102611 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 2 Feb 2023 17:42:15 -0800
Subject: [PATCH] crypto-policies: Set ns01.iad2/ns02.iad2 to use DEFAULT:SHA1 crypto-policy

ns01 and ns02 are used by internal iad2 ssytems for dns resolution. This means bastion uses them for smtp outgoing at least. Lots of dnssec servers out there still are using SHA1 signatures, and without this the hosts will simply not resolve at all. So, until things are better we need to set these back to allow SHA1.

Signed-off-by: Kevin Fenzi
---
 roles/base/tasks/crypto-policies.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/base/tasks/crypto-policies.yml b/roles/base/tasks/crypto-policies.yml
index c9390081be..a077659ef1 100644
--- a/roles/base/tasks/crypto-policies.yml
+++ b/roles/base/tasks/crypto-policies.yml
@@ -25,3 +25,11 @@
   tags:
   - crypto-policies
   - base/crypto-policies
+
+- name: Set crypto-policy on RHEL9 dns servers to DEFAULT:SHA1
+  command: "update-crypto-policies --set DEFAULT:SHA1"
+  when: inventory_hostname.startswith(('ns01.iad2','ns02.iad2'))
+  check_mode: no
+  tags:
+  - crypto-policies
+  - base/crypto-policies
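Review bot: The added `command` task is not idempotent — `update-crypto-policies --set DEFAULT:SHA1` runs and reports changed on every play, so it should be guarded by reading the current policy first, e.g. a preceding `command: update-crypto-policies --show` registered into a variable with the new task's `when` extended to `and current_policy.stdout != 'DEFAULT:SHA1'`. The `when` clause only matches on hostname, so the "RHEL9" in the task name is not enforced, and if the earlier task in this file (outside the hunk) also targets these hosts the two tasks would flip the policy back and forth on each run. A crypto-policy change is picked up by applications at start-up, so the resolver on ns01/ns02 needs a restart (a `notify` to a handler) before SHA1-signed zones validate; as written nothing triggers that. Finally, `check_mode: no` is a YAML 1.1 truthy spelling — write `check_mode: false` — and a comment above the task recording that DEFAULT:SHA1 re-enables SHA-1 for every consumer of the system policy on these hosts (TLS, SSH), not only DNSSEC validation, together with the condition under which it should be reverted, would keep the rationale from living only in the commit message.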