Showing with 26 additions and 10 deletions.

+12 −0 CHANGELOG.md

+1 −1 README.md

+4 −3 REFERENCE.md

+3 −2 manifests/init.pp

+4 −2 manifests/resolved.pp

+2 −2 metadata.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not affect the functionality of the module.
 
+## [v3.3.0](https://github.com/voxpupuli/puppet-systemd/tree/v3.3.0) (2021-08-25)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-systemd/compare/v3.2.0...v3.3.0)
+
+**Implemented enhancements:**
+
+- Add support for strict mode for DNS over TLS [\#200](https://github.com/voxpupuli/puppet-systemd/pull/200) ([wobblesprout](https://github.com/wobblesprout))
+
+**Merged pull requests:**
+
+- Allow stdlib 8.0.0 [\#213](https://github.com/voxpupuli/puppet-systemd/pull/213) ([smortex](https://github.com/smortex))
+
 ## [v3.2.0](https://github.com/voxpupuli/puppet-systemd/tree/v3.2.0) (2021-07-27)
 
 [Full Changelog](https://github.com/voxpupuli/puppet-systemd/compare/v3.1.0...v3.2.0)

diff --git a/README.md b/README.md
@@ -269,7 +269,7 @@ $manage_networkd is required if you want to reload it for new
 
 When configuring `systemd::resolved` you could set `dns_stub_resolver` to false (default) to use a *standard* `/etc/resolved.conf`, or you could set it to `true` to use the local resolver provided by `systemd-resolved`.
 
-Systemd has introduced `DNS Over TLS` in the release 239. Currently two states are supported `no` and `opportunistic`. When enabled with `opportunistic` `systemd-resolved` will start a TCP-session to a DNS server with `DNS Over TLS` support. Note that there will be no host checking for `DNS Over TLS` due to missing implementation in `systemd-resolved`.
+Systemd has introduced `DNS Over TLS` in the release 239. Currently three states are supported `yes` (since systemd 243), `opportunistic` (true) and `no` (false, default). When enabled with `yes` or `opportunistic` `systemd-resolved` will start a TCP-session to a DNS server with `DNS Over TLS` support. When enabled with `yes` (strict mode), queries will fail if the configured DNS servers do not support `DNS Over TLS`. Note that there will be no host checking for `DNS Over TLS` due to missing implementation in `systemd-resolved`.
 
 It is possible to configure the default ntp servers in `/etc/systemd/timesyncd.conf`:
 

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -157,9 +157,10 @@ Takes a boolean argument or "allow-downgrade".
 
 ##### <a name="dnsovertls"></a>`dnsovertls`
 
-Data type: `Optional[Variant[Boolean,Enum['opportunistic', 'no']]]`
+Data type: `Optional[Variant[Boolean,Enum['yes', 'opportunistic', 'no']]]`
 
-Takes a boolean argument or "opportunistic"
+Takes a boolean argument or one of "yes", "opportunistic" or "no". "true" corresponds to
+"opportunistic" and "false" (default) to "no".
 
 ##### <a name="cache"></a>`cache`
 
@@ -1012,7 +1013,7 @@ Default value: `'/etc/systemd/system'`
 
 ##### <a name="content"></a>`content`
 
-Data type: `Optional[Variant[String, Sensitive[String]]]`
+Data type: `Optional[Variant[String, Sensitive[String], Deferred]]`
 
 The full content of the unit file
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -37,7 +37,8 @@
 #   Takes a boolean argument or "allow-downgrade".
 #
 # @param dnsovertls
-#   Takes a boolean argument or "opportunistic"
+#   Takes a boolean argument or one of "yes", "opportunistic" or "no". "true" corresponds to
+#   "opportunistic" and "false" (default) to "no".
 #
 # @param cache
 #   Takes a boolean argument or "no-negative".
@@ -127,7 +128,7 @@
   Optional[Variant[Boolean,Enum['resolve']]]             $llmnr,
   Optional[Variant[Boolean,Enum['resolve']]]             $multicast_dns,
   Optional[Variant[Boolean,Enum['allow-downgrade']]]     $dnssec,
-  Optional[Variant[Boolean,Enum['opportunistic', 'no']]] $dnsovertls,
+  Optional[Variant[Boolean,Enum['yes', 'opportunistic', 'no']]] $dnsovertls,
   Optional[Variant[Boolean,Enum['no-negative']]]         $cache,
   Optional[Variant[Boolean,Enum['udp','tcp']]]           $dns_stub_listener,
   Boolean                                                $use_stub_resolver,

diff --git a/manifests/resolved.pp b/manifests/resolved.pp
@@ -32,7 +32,8 @@
 #   Takes a boolean argument or "allow-downgrade".
 #
 # @param dnsovertls
-#   Takes a boolean argument or "opportunistic" or "no"
+#   Takes a boolean argument or one of "yes", "opportunistic" or "no". "true" corresponds to
+#   "opportunistic" and "false" (default) to "no".
 #
 # @param cache
 #   Takes a boolean argument or "no-negative".
@@ -52,7 +53,7 @@
   Optional[Variant[Boolean,Enum['resolve']]] $llmnr                  = $systemd::llmnr,
   Optional[Variant[Boolean,Enum['resolve']]] $multicast_dns          = $systemd::multicast_dns,
   Optional[Variant[Boolean,Enum['allow-downgrade']]] $dnssec         = $systemd::dnssec,
-  Optional[Variant[Boolean,Enum['opportunistic', 'no']]] $dnsovertls = $systemd::dnsovertls,
+  Optional[Variant[Boolean,Enum['yes', 'opportunistic', 'no']]] $dnsovertls = $systemd::dnsovertls,
   Optional[Variant[Boolean,Enum['no-negative']]] $cache              = $systemd::cache,
   Optional[Variant[Boolean,Enum['udp', 'tcp']]] $dns_stub_listener   = $systemd::dns_stub_listener,
   Boolean $use_stub_resolver                                         = $systemd::use_stub_resolver,
@@ -180,6 +181,7 @@
   }
 
   $_dnsovertls = $dnsovertls ? {
+    'yes'   => true,
     true    => 'opportunistic',
     false   => false,
     default => $dnsovertls,

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "puppet-systemd",
-  "version": "3.2.0",
+  "version": "3.3.0",
   "author": "Vox Pupuli",
   "summary": "Puppet Systemd module",
   "license": "Apache-2.0",
@@ -10,7 +10,7 @@
   "dependencies": [
     {
       "name": "puppetlabs/stdlib",
-      "version_requirement": ">= 4.13.1 < 8.0.0"
+      "version_requirement": ">= 4.13.1 < 9.0.0"
     },
     {
       "name": "puppetlabs/inifile",