From bd7f25c6ceca4028fd11226fe965cb6eaceafb83 Mon Sep 17 00:00:00 2001
From: Doug Neal <doug@neal.me.uk>
Date: Mon, 18 May 2015 17:20:18 +0100
Subject: [PATCH] Leave out dnssec-validation and dnssec-lookaside from
 named.conf when dnssec is disabled

---
 templates/named.conf.erb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/templates/named.conf.erb b/templates/named.conf.erb
index 8fc1044..be52acd 100644
--- a/templates/named.conf.erb
+++ b/templates/named.conf.erb
@@ -21,8 +21,10 @@ options {
 	auth-nxdomain <%= @auth_nxdomain ? 'yes' : 'no' %>;
 	listen-on-v6 { any; };
 	dnssec-enable <%= @dnssec ? 'yes' : 'no' %>;
-	dnssec-validation <%= @dnssec ? 'yes' : 'no' %>;
-	dnssec-lookaside <%= @dnssec ? 'auto' : 'no' %>;
+<%- if @dnssec -%>
+	dnssec-validation yes;
+	dnssec-lookaside auto;
+<%- end -%>
 <%- if @version != '' -%>
 	version "<%= @version %>";
 <%- end -%>