diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,31 @@
 # Changelog
 
+## [15.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/15.0.0) (2020-08-07)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/14.0.2...15.0.0)
+
+**Breaking changes:**
+
+- Drop puppetca\_split\_configs parameter [\#605](https://github.com/theforeman/puppet-foreman_proxy/pull/605) ([ekohl](https://github.com/ekohl))
+- Fixes [\#30198](https://projects.theforeman.org/issues/30198) - Disable TFTP by default [\#602](https://github.com/theforeman/puppet-foreman_proxy/pull/602) ([ekohl](https://github.com/ekohl))
+
+**Implemented enhancements:**
+
+- don't fail on upcase\(\) when domain fact is undefined [\#607](https://github.com/theforeman/puppet-foreman_proxy/pull/607) ([wbclark](https://github.com/wbclark))
+
+**Fixed bugs:**
+
+- Fix tftp on RedHat 8 [\#609](https://github.com/theforeman/puppet-foreman_proxy/pull/609) ([dgoetz](https://github.com/dgoetz))
+- Improve the readability of the provided grub.cfg [\#606](https://github.com/theforeman/puppet-foreman_proxy/pull/606) ([illumino](https://github.com/illumino))
+
+## [14.0.2](https://github.com/theforeman/puppet-foreman_proxy/tree/14.0.2) (2020-06-30)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/14.0.1...14.0.2)
+
+**Fixed bugs:**
+
+- Fixes [\#30240](https://projects.theforeman.org/issues/30240) - compat with theforeman/dns 8.x [\#603](https://github.com/theforeman/puppet-foreman_proxy/pull/603) ([ekohl](https://github.com/ekohl))
+
 ## [14.0.1](https://github.com/theforeman/puppet-foreman_proxy/tree/14.0.1) (2020-06-15)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/14.0.0...14.0.1)

diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,92 @@
+## [14.0.2](https://github.com/theforeman/puppet-foreman_proxy/tree/14.0.2) (2020-06-30)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/14.0.1...14.0.2)
+
+**Fixed bugs:**
+
+- Fixes [\#30240](https://projects.theforeman.org/issues/30240) - compat with theforeman/dns 8.x [\#603](https://github.com/theforeman/puppet-foreman_proxy/pull/603) ([ekohl](https://github.com/ekohl))
+
+## [14.0.1](https://github.com/theforeman/puppet-foreman_proxy/tree/14.0.1) (2020-06-15)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/14.0.0...14.0.1)
+
+**Fixed bugs:**
+
+- Fixes [\#30121](https://projects.theforeman.org/issues/30121) - Generate SSH keys in PEM format [\#600](https://github.com/theforeman/puppet-foreman_proxy/pull/600) ([adamruzicka](https://github.com/adamruzicka))
+- replace nsupdate dependency on FreeBSD [\#597](https://github.com/theforeman/puppet-foreman_proxy/pull/597) ([fraenki](https://github.com/fraenki))
+
+## [14.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/14.0.0) (2020-05-16)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/13.0.0...14.0.0)
+
+**Breaking changes:**
+
+- Use modern facts [\#586](https://github.com/theforeman/puppet-foreman_proxy/issues/586)
+- Remove old Red Hat TFTP install methods [\#590](https://github.com/theforeman/puppet-foreman_proxy/pull/590) ([ekohl](https://github.com/ekohl))
+- Move Ruby package prefix to params [\#575](https://github.com/theforeman/puppet-foreman_proxy/pull/575) ([ekohl](https://github.com/ekohl))
+- Drop group parameter on plugins [\#573](https://github.com/theforeman/puppet-foreman_proxy/pull/573) ([ekohl](https://github.com/ekohl))
+- Introduce foreman\_proxy::globals [\#572](https://github.com/theforeman/puppet-foreman_proxy/pull/572) ([ekohl](https://github.com/ekohl))
+- Remove redundant parameters [\#571](https://github.com/theforeman/puppet-foreman_proxy/pull/571) ([ekohl](https://github.com/ekohl))
+
+**Implemented enhancements:**
+
+- Switch AIO detection to use aio\_agent\_version fact [\#585](https://github.com/theforeman/puppet-foreman_proxy/issues/585)
+- Update module dependencies to allow EL8 supported versions [\#595](https://github.com/theforeman/puppet-foreman_proxy/pull/595) ([wbclark](https://github.com/wbclark))
+- Fixes [\#29213](https://projects.theforeman.org/issues/29213) - Support el8 [\#582](https://github.com/theforeman/puppet-foreman_proxy/pull/582) ([wbclark](https://github.com/wbclark))
+- add support for flatcar [\#579](https://github.com/theforeman/puppet-foreman_proxy/pull/579) ([TheKangaroo](https://github.com/TheKangaroo))
+- Allow extlib 5.x [\#578](https://github.com/theforeman/puppet-foreman_proxy/pull/578) ([mmoll](https://github.com/mmoll))
+- Declare features on SSH and Pulp modules [\#570](https://github.com/theforeman/puppet-foreman_proxy/pull/570) ([ekohl](https://github.com/ekohl))
+- Document classes using puppet-strings [\#568](https://github.com/theforeman/puppet-foreman_proxy/pull/568) ([ekohl](https://github.com/ekohl))
+- Refactor modules, plugins and providers design [\#564](https://github.com/theforeman/puppet-foreman_proxy/pull/564) ([ekohl](https://github.com/ekohl))
+- Fixes [\#29005](https://projects.theforeman.org/issues/29005) - Make IPv4 optional in proxydns [\#521](https://github.com/theforeman/puppet-foreman_proxy/pull/521) ([ekohl](https://github.com/ekohl))
+
+**Fixed bugs:**
+
+- correct needed foreman dependency [\#596](https://github.com/theforeman/puppet-foreman_proxy/pull/596) ([mmoll](https://github.com/mmoll))
+- Fixes [\#29690](https://projects.theforeman.org/issues/29690) - install shimx64.efi and shim.efi [\#592](https://github.com/theforeman/puppet-foreman_proxy/pull/592) ([lzap](https://github.com/lzap))
+- Use $f\_p::plugin::dynflow::external\_core [\#574](https://github.com/theforeman/puppet-foreman_proxy/pull/574) ([ekohl](https://github.com/ekohl))
+- Fix chef plugin listen on [\#567](https://github.com/theforeman/puppet-foreman_proxy/pull/567) ([ekohl](https://github.com/ekohl))
+
+**Closed issues:**
+
+- Smart proxy plugin packages not lining up [\#561](https://github.com/theforeman/puppet-foreman_proxy/issues/561)
+
+**Merged pull requests:**
+
+- add Ubuntu integration tests [\#577](https://github.com/theforeman/puppet-foreman_proxy/pull/577) ([mmoll](https://github.com/mmoll))
+- Update the compatibility matrix in the README [\#563](https://github.com/theforeman/puppet-foreman_proxy/pull/563) ([ekohl](https://github.com/ekohl))
+
+## [13.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/13.0.0) (2020-02-12)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/12.1.0...13.0.0)
+
+**Breaking changes:**
+
+- Fixes [\#28877](https://projects.theforeman.org/issues/28877) - Dynamically determine Pulp Puppet dir [\#558](https://github.com/theforeman/puppet-foreman_proxy/pull/558) ([ekohl](https://github.com/ekohl))
+- use pulpcore naming convention [\#556](https://github.com/theforeman/puppet-foreman_proxy/pull/556) ([wbclark](https://github.com/wbclark))
+- Drop Archlinux support [\#553](https://github.com/theforeman/puppet-foreman_proxy/pull/553) ([ekohl](https://github.com/ekohl))
+- Drop Debian 9 and Ubuntu 16.04, add Debian 10 [\#548](https://github.com/theforeman/puppet-foreman_proxy/pull/548) ([mmoll](https://github.com/mmoll))
+- Only manage ISC DHCP when using the ISC provider [\#547](https://github.com/theforeman/puppet-foreman_proxy/pull/547) ([ekohl](https://github.com/ekohl))
+- Only manage DNS for the nsupdate provider [\#545](https://github.com/theforeman/puppet-foreman_proxy/pull/545) ([ekohl](https://github.com/ekohl))
+- Drop database backends for the PowerDNS plugin [\#542](https://github.com/theforeman/puppet-foreman_proxy/pull/542) ([ekohl](https://github.com/ekohl))
+- Handle smart proxy and plugins packaged for SCL [\#538](https://github.com/theforeman/puppet-foreman_proxy/pull/538) ([ehelms](https://github.com/ehelms))
+
+**Implemented enhancements:**
+
+- Allow new major versions of modules [\#559](https://github.com/theforeman/puppet-foreman_proxy/pull/559) ([ekohl](https://github.com/ekohl))
+- Add Pulp 3 HTTP URLs [\#549](https://github.com/theforeman/puppet-foreman_proxy/pull/549) ([ekohl](https://github.com/ekohl))
+
+**Fixed bugs:**
+
+- Fixes [\#28681](https://projects.theforeman.org/issues/28681) - Listen on all dynflow IPs [\#557](https://github.com/theforeman/puppet-foreman_proxy/pull/557) ([ekohl](https://github.com/ekohl))
+- Fixes [\#28559](https://projects.theforeman.org/issues/28559) - keep default ssh args [\#554](https://github.com/theforeman/puppet-foreman_proxy/pull/554) ([ares](https://github.com/ares))
+- Fix tests by using a better IPv6 check [\#544](https://github.com/theforeman/puppet-foreman_proxy/pull/544) ([ekohl](https://github.com/ekohl))
+
+**Merged pull requests:**
+
+- provide no path for pulp3 api url [\#552](https://github.com/theforeman/puppet-foreman_proxy/pull/552) ([jlsherrill](https://github.com/jlsherrill))
+- Refactor plugin parameter handling [\#500](https://github.com/theforeman/puppet-foreman_proxy/pull/500) ([ekohl](https://github.com/ekohl))
+
 ## [12.1.0](https://github.com/theforeman/puppet-foreman_proxy/tree/12.1.0) (2019-10-25)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/12.0.1...12.1.0)

diff --git a/examples/dns.pp b/examples/dns.pp
@@ -0,0 +1,34 @@
+$directory = '/etc/foreman-proxy'
+$certificate = "${directory}/certificate.pem"
+$key = "${directory}/key.pem"
+
+# Install a proxy
+class { 'foreman_proxy':
+  puppet_group        => 'root',
+  register_in_foreman => false,
+  ssl_ca              => $certificate,
+  ssl_cert            => $certificate,
+  ssl_key             => $key,
+  dns                 => true,
+  dns_zone            => 'example.com',
+  dns_reverse         => '2.0.192.in-addr.arpa',
+}
+
+# Create the certificates - this is after the proxy because we need the user variable
+exec { 'Create certificate directory':
+  command => "mkdir -p ${directory}",
+  path    => ['/bin', '/usr/bin'],
+  creates => $directory,
+}
+-> exec { 'Generate certificate':
+  command => "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -keyout '${key}' -out '${certificate}' -days 365",
+  path    => ['/bin', '/usr/bin'],
+  creates => $certificate,
+  umask   => '0022',
+}
+-> file { [$key, $certificate]:
+  owner  => $foreman_proxy::user,
+  group  => $foreman_proxy::user,
+  mode   => '0640',
+  before => Class['foreman_proxy::service'],
+}
diff --git a/files/grub.cfg b/files/grub.cfg
@@ -1,13 +1,13 @@
 # This file was deployed by Puppet and is under Smart Proxy control. Click on
-# "Build PXE Default" button to overwrite it. Puppet is prevented managing this
+# "Build PXE Default" button to overwrite it. Puppet is prevented from managing this
 # file by default, this can be enforced via --foreman-proxy-tftp-replace-grub2-cfg
 # foreman-installer option or Puppet parameter.
 
 insmod regexp
 
-# On Debian/Ubuntu grub2 does not have patch for loading MAC-based configs. Also due to bug
-# in RHEL 7.4 files are loaded with an extra ":" character at the end. This workarounds both
-# cases, make sure "regexp.mod" file is present on the TFTP. For more info see:
+# On Debian/Ubuntu grub2 does not have patch for loading MAC-based configs. Also, due to a bug
+# in RHEL 7.4, files are loaded with an extra ":" character at the end. This works around both
+# cases, and makes sure "regexp.mod" file is present on the TFTP server. For more info see:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1370642#c70
 regexp --set=1:m1 --set=2:m2 --set=3:m3 --set=4:m4 --set=5:m5 --set=6:m6 '^([0-9a-f]{1,2})\:([0-9a-f]{1,2})\:([0-9a-f]{1,2})\:([0-9a-f]{1,2})\:([0-9a-f]{1,2})\:([0-9a-f]{1,2})' "$net_default_mac"
 mac=${m1}-${m2}-${m3}-${m4}-${m5}-${m6}

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -78,10 +78,7 @@
   contain foreman_proxy::module::puppetca
   foreman_proxy::provider { ['puppetca_hostname_whitelisting', 'puppetca_token_whitelisting']:
   }
-
-  if $foreman_proxy::puppetca_split_configs {
-    foreman_proxy::provider { ['puppetca_http_api', 'puppetca_puppet_cert']:
-    }
+  foreman_proxy::provider { ['puppetca_http_api', 'puppetca_puppet_cert']:
   }
 
   contain foreman_proxy::module::realm

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -292,9 +292,6 @@
 #
 # $httpboot_listen_on::         HTTPBoot proxy to listen on https, http, or both
 #
-# $puppetca_split_configs::     Whether to split the puppetca configs. This is only supported on 1.22+.
-#                               Set to false for older versions.
-#
 # $puppetca_provider::          Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
 #
 # $puppetca_sign_all::          Token-whitelisting only: Whether to sign all CSRs without checking their token
@@ -331,7 +328,6 @@
   Boolean $use_sudoersd = $foreman_proxy::params::use_sudoersd,
   Boolean $use_sudoers = $foreman_proxy::params::use_sudoers,
   Boolean $puppetca = $foreman_proxy::params::puppetca,
-  Boolean $puppetca_split_configs = $foreman_proxy::params::puppetca_split_configs,
   Foreman_proxy::ListenOn $puppetca_listen_on = $foreman_proxy::params::puppetca_listen_on,
   Stdlib::Absolutepath $ssldir = $foreman_proxy::params::ssldir,
   Stdlib::Absolutepath $puppetdir = $foreman_proxy::params::puppetdir,
@@ -415,7 +411,7 @@
   Boolean $dns_managed = $foreman_proxy::params::dns_managed,
   String $dns_provider = $foreman_proxy::params::dns_provider,
   String $dns_interface = $foreman_proxy::params::dns_interface,
-  String $dns_zone = $foreman_proxy::params::dns_zone,
+  Optional[Stdlib::Fqdn] $dns_zone = $foreman_proxy::params::dns_zone,
   Optional[Variant[String, Array[String]]] $dns_reverse = $foreman_proxy::params::dns_reverse,
   String $dns_server = $foreman_proxy::params::dns_server,
   Integer[0] $dns_ttl = $foreman_proxy::params::dns_ttl,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -26,13 +26,26 @@
       $nsupdate = 'bind-utils'
 
       $tftp_root  = '/var/lib/tftpboot'
-      $tftp_syslinux_filenames = [
-        '/usr/share/syslinux/chain.c32',
-        '/usr/share/syslinux/mboot.c32',
-        '/usr/share/syslinux/menu.c32',
-        '/usr/share/syslinux/memdisk',
-        '/usr/share/syslinux/pxelinux.0',
-      ]
+      if versioncmp($facts['os']['release']['major'], '7') <= 0 {
+        $tftp_syslinux_filenames = [
+          '/usr/share/syslinux/chain.c32',
+          '/usr/share/syslinux/mboot.c32',
+          '/usr/share/syslinux/menu.c32',
+          '/usr/share/syslinux/memdisk',
+          '/usr/share/syslinux/pxelinux.0',
+        ]
+      } else {
+        $tftp_syslinux_filenames = [
+          '/usr/share/syslinux/chain.c32',
+          '/usr/share/syslinux/ldlinux.c32',
+          '/usr/share/syslinux/libcom32.c32',
+          '/usr/share/syslinux/libutil.c32',
+          '/usr/share/syslinux/mboot.c32',
+          '/usr/share/syslinux/menu.c32',
+          '/usr/share/syslinux/memdisk',
+          '/usr/share/syslinux/pxelinux.0',
+        ]
+      }
     }
     'Debian': {
       $ruby_package_prefix = 'ruby-'
@@ -182,7 +195,6 @@
 
   # puppetca settings
   $puppetca              = true
-  $puppetca_split_configs = true
   $puppetca_provider     = 'puppetca_hostname_whitelisting'
   $puppetca_listen_on    = 'https'
   $puppetca_cmd          = "${puppet_cmd} cert"
@@ -226,7 +238,7 @@
   $httpboot_listen_on = 'both'
 
   # TFTP settings - requires optional TFTP puppet module
-  $tftp                   = true
+  $tftp                   = false
   $tftp_listen_on         = 'https'
   $tftp_managed           = true
   $tftp_manage_wget       = true
@@ -276,7 +288,11 @@
   $dns_provider           = 'nsupdate'
   $dns_interface          = pick(fact('networking.primary'), 'eth0')
   $dns_zone               = $facts['networking']['domain']
-  $dns_realm              = upcase($dns_zone)
+  if $dns_zone {
+    $dns_realm            = upcase($dns_zone)
+  } else {
+    $dns_realm            = undef
+  }
   $dns_reverse            = undef
   # localhost can resolve to ipv6 which ruby doesn't handle well
   $dns_server             = '127.0.0.1'

diff --git a/manifests/proxydns.pp b/manifests/proxydns.pp
@@ -21,7 +21,7 @@
 class foreman_proxy::proxydns(
   $forwarders = $foreman_proxy::dns_forwarders,
   $interface = $foreman_proxy::dns_interface,
-  $forward_zone = $foreman_proxy::dns_zone,
+  Stdlib::Fqdn $forward_zone = $foreman_proxy::dns_zone,
   $reverse_zone = $foreman_proxy::dns_reverse,
   String $soa = $facts['networking']['fqdn'],
 ) {
@@ -58,17 +58,27 @@
     }
   }
 
+  $update_policy = {
+    'rndc-key' => {
+      'action'    => 'grant',
+      'matchtype' => 'zonesub',
+      'rr'        => 'ANY',
+    },
+  }
+
   dns::zone { $forward_zone:
-    soa     => $soa,
-    reverse => false,
-    soaip   => $ip,
-    soaipv6 => $ip6,
+    soa           => $soa,
+    reverse       => false,
+    soaip         => $ip,
+    soaipv6       => $ip6,
+    update_policy => $update_policy,
   }
 
   if $reverse {
     dns::zone { $reverse:
-      soa     => $soa,
-      reverse => true,
+      soa           => $soa,
+      reverse       => true,
+      update_policy => $update_policy,
     }
   }
 }
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "theforeman-foreman_proxy",
-  "version": "14.0.1",
+  "version": "15.0.0",
   "author": "theforeman",
   "summary": "Foreman Smart Proxy configuration",
   "license": "GPL-3.0+",
@@ -20,7 +20,7 @@
   "dependencies": [
     {
       "name": "theforeman/dns",
-      "version_requirement": ">= 7.0.0 < 9.0.0"
+      "version_requirement": ">= 8.0.0 < 9.0.0"
     },
     {
       "name": "theforeman/dhcp",