2022-02-21 20:41:31 +00:00
|
|
|
|
#
|
|
|
|
|
# {{ ansible_managed }}
|
|
|
|
|
#
|
|
|
|
|
|
2023-06-09 07:46:02 +00:00
|
|
|
|
{% if bind9_controls is defined and bind9_controls | length > 0 %}
|
|
|
|
|
controls {
|
|
|
|
|
{% for control in bind9_controls %}
|
|
|
|
|
inet {{ control.inet }} port {{ control.port }} allow {
|
|
|
|
|
{% for acl in control.acls %}
|
|
|
|
|
{{ acl }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
} keys {
|
|
|
|
|
{% for name in control.tsig_keys %}
|
|
|
|
|
"{{ name }}";
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
2022-02-21 20:41:31 +00:00
|
|
|
|
options {
|
|
|
|
|
|
|
|
|
|
# This specifies which hosts are allowed to ask ordinary DNS questions.
|
|
|
|
|
# allow-query may also be specified in the zone statement, in which case it
|
|
|
|
|
# overrides the options allow-query statement. If not specified, the default
|
|
|
|
|
# is to allow queries from all hosts.
|
|
|
|
|
# https://bind9.readthedocs.io/en/latest/reference.html#access-control
|
|
|
|
|
{% if bind9_options.allow_query is defined and bind9_options.allow_query | length > 0 %}
|
|
|
|
|
allow-query {
|
|
|
|
|
{% for entry in bind9_options.allow_query %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-query {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# This specifies which hosts are allowed to get answers from the cache. If
|
|
|
|
|
# allow-recursion is not set, BIND checks to see if the following parameters
|
|
|
|
|
# are set, in order: allow-query-cache and allow-query (unless recursion no;
|
|
|
|
|
# is set). If neither of those parameters is set, the default (localnets;
|
|
|
|
|
# localhost;) is used.
|
|
|
|
|
# https://bind9.readthedocs.io/en/latest/reference.html#access-control
|
|
|
|
|
{% if bind9_options.allow_query_on is defined and bind9_options.allow_query_on | length > 0 %}
|
|
|
|
|
allow-query-on {
|
|
|
|
|
{% for entry in bind9_options.allow_query_on %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-query-on {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# This specifies which hosts are allowed to get answers from the cache. If
|
|
|
|
|
# allow-recursion is not set, BIND checks to see if the following parameters
|
|
|
|
|
# are set, in order: allow-query-cache and allow-query (unless recursion no;
|
|
|
|
|
# is set). If neither of those parameters is set, the default (localnets;
|
|
|
|
|
# localhost;) is used.
|
|
|
|
|
# https://bind9.readthedocs.io/en/latest/reference.html#access-control
|
|
|
|
|
{% if bind9_options.allow_query_cache is defined and bind9_options.allow_query_cache | length > 0 %}
|
|
|
|
|
allow-query-cache {
|
|
|
|
|
{% for entry in bind9_options.allow_query_cache %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-query-cache {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# This specifies which local addresses can send answers from the cache. If
|
|
|
|
|
# allow-query-cache-on is not set, then allow-recursion-on is used if set.
|
|
|
|
|
# Otherwise, the default is to allow cache responses to be sent from any
|
|
|
|
|
# address. Note: both allow-query-cache and allow-query-cache-on must be
|
|
|
|
|
# satisfied before a cache response can be sent; a client that is blocked by
|
|
|
|
|
# one cannot be allowed by the other.
|
|
|
|
|
# https://bind9.readthedocs.io/en/latest/reference.html#access-control
|
|
|
|
|
{% if bind9_options.allow_query_cache_on is defined and bind9_options.allow_query_cache_on | length > 0 %}
|
|
|
|
|
allow-query-cache-on {
|
|
|
|
|
{% for entry in bind9_options.allow_query_cache_on %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-query-cache-on {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# This specifies which hosts are allowed to receive zone transfers from the
|
|
|
|
|
# server. allow-transfer may also be specified in the zone statement, in which
|
|
|
|
|
# case it overrides the allow-transfer statement set in options or view. If
|
|
|
|
|
# not specified, the default is to allow transfers to all hosts.
|
|
|
|
|
|
|
|
|
|
# The transport level limitations can also be specified. In particular, zone
|
|
|
|
|
# transfers can be restricted to a specific port and/or DNS transport protocol
|
|
|
|
|
# by using the options port and transport. Either option can be specified; if
|
|
|
|
|
# both are used, both constraints must be satisfied in order for the transfer
|
|
|
|
|
# to be allowed. Zone transfers are currently only possible via the TCP and
|
|
|
|
|
# TLS transports.
|
|
|
|
|
{% if bind9_options.allow_recursion is defined and bind9_options.allow_recursion | length > 0 %}
|
|
|
|
|
allow-recursion {
|
|
|
|
|
{% for entry in bind9_options.allow_recursion %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-recursion {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# allow-recursion-on defines the server interface(s) from which
|
|
|
|
|
# recursive queries are accepted and can be useful where a server is
|
|
|
|
|
# multi-homed, perhaps in conjunction with a view clause. Defaults to
|
|
|
|
|
# allow-recursion-on {any;}; meaning that recursive queries are
|
|
|
|
|
# accepted on any server interface.
|
|
|
|
|
#
|
|
|
|
|
# NOTE:
|
|
|
|
|
# - The statement is only relevant if recursion yes; is present or
|
|
|
|
|
# defaulted.
|
|
|
|
|
# - The statements may be used in a view or a global options clause.
|
|
|
|
|
{% if bind9_options.allow_recursion_on is defined and bind9_options.allow_recursion_on | length > 0 %}
|
|
|
|
|
allow-recursion-on {
|
|
|
|
|
{% for entry in bind9_options.allow_recursion_on %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-recursion-on {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# allow-transfer defines a match list e.g. IP address(es) that are
|
|
|
|
|
# allowed to transfer (copy) the zone information from the server
|
|
|
|
|
# (master or slave for the zone). The default behaviour is to allow
|
|
|
|
|
# zone transfers to any host. While on its face this may seem an
|
|
|
|
|
# excessively friendly default, DNS data is essentially public (that's
|
|
|
|
|
# why its there) and the bad guys can get all of it anyway. However if
|
|
|
|
|
# the thought of anyone being able to transfer your precious zone file
|
|
|
|
|
# is repugnant, or (and this is far more significant) you are
|
|
|
|
|
# concerned about possible DoS attack initiated by XFER requests, then
|
|
|
|
|
# use the following policy.
|
|
|
|
|
#
|
|
|
|
|
# NOTE:
|
|
|
|
|
# - This statement may be used in a zone, view or global options clause.
|
|
|
|
|
{% if bind9_options.allow_transfer is defined and bind9_options.allow_transfer | length > 0 %}
|
|
|
|
|
allow-transfer {
|
|
|
|
|
{% for entry in bind9_options.allow_transfer %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-transfer {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# When set in the zone statement for a primary zone, this specifies which
|
|
|
|
|
# hosts are allowed to submit Dynamic DNS updates to that zone. The default is
|
|
|
|
|
# to deny updates from all hosts.
|
|
|
|
|
|
|
|
|
|
# Note that allowing updates based on the requestor’s IP address is insecure;
|
|
|
|
|
# see Dynamic Update Security for details.
|
|
|
|
|
{% if bind9_options.allow_update is defined and bind9_options.allow_update | length > 0 %}
|
|
|
|
|
allow-update {
|
|
|
|
|
{% for entry in bind9_options.allow_update %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-update {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# When set in the zone statement for a secondary zone, this specifies which
|
|
|
|
|
# hosts are allowed to submit Dynamic DNS updates and have them be forwarded
|
|
|
|
|
# to the primary. The default is { none; }, which means that no update
|
|
|
|
|
# forwarding is performed.
|
|
|
|
|
|
|
|
|
|
# To enable update forwarding, specify allow-update-forwarding { any; }; in
|
|
|
|
|
# the zone statement. Specifying values other than { none; } or { any; } is
|
|
|
|
|
# usually counterproductive; the responsibility for update access control
|
|
|
|
|
# should rest with the primary server, not the secondary.
|
|
|
|
|
{% if bind9_options.allow_update_forwarding is defined and bind9_options.allow_update_forwarding | length > 0 %}
|
|
|
|
|
allow-update-forwarding {
|
|
|
|
|
{% for entry in bind9_options.allow_update_forwarding %}
|
|
|
|
|
{{ entry }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# allow-update-forwarding {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
2022-04-04 14:00:11 +00:00
|
|
|
|
directory "{{ bind_config_directory }}";
|
2022-02-21 20:41:31 +00:00
|
|
|
|
|
2024-05-22 18:22:17 +00:00
|
|
|
|
# This accepts expired signatures when verifying DNSSEC signatures. The default is no. Setting this option to yes
|
|
|
|
|
# leaves named vulnerable to replay attacks.
|
|
|
|
|
dnssec-accept-expired {{ "yes" if bind9_options.dnssec_accept_expired else "no" }};
|
2022-02-21 20:41:31 +00:00
|
|
|
|
|
2024-05-22 18:22:17 +00:00
|
|
|
|
# Enables DNSSEC validation in named.
|
|
|
|
|
#
|
|
|
|
|
# auto: If set to auto, DNSSEC validation is enabled and a default trust anchor for the DNS root zone is used. This
|
|
|
|
|
# trust anchor is provided as part of BIND and is kept up-to-date
|
|
|
|
|
#
|
|
|
|
|
# yes: If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured using a
|
|
|
|
|
# trust-anchors statement (or the managed-keys or trusted-keys statements, both deprecated). If trust-anchors is not
|
|
|
|
|
# configured, it is a configuration error. If trust-anchors does not include a valid root key, then validation does
|
|
|
|
|
# not take place for names which are not covered by any of the configured trust anchors.
|
|
|
|
|
#
|
|
|
|
|
# no: If set to no, DNSSEC validation is disabled.
|
|
|
|
|
#
|
|
|
|
|
# https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-dnssec-validation
|
|
|
|
|
dnssec-validation {{ bind9_options.dnssec_validation | default('auto') }};
|
2022-02-21 20:41:31 +00:00
|
|
|
|
|
|
|
|
|
{% if bind9_options.forwarders is defined and bind9_options.forwarders | length > 0 %}
|
|
|
|
|
forwarders {
|
|
|
|
|
{% for forwarder in bind9_options.forwarders %}
|
2023-01-09 16:54:49 +00:00
|
|
|
|
{% if forwarder.port is defined and forwarder.port | length > 0 %}
|
|
|
|
|
{{ forwarder.ip }} port {{ forwarder.port }};
|
|
|
|
|
{% else %}
|
|
|
|
|
{{ forwarder.ip }};
|
|
|
|
|
{% endif %}
|
2022-02-21 20:41:31 +00:00
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% else %}
|
|
|
|
|
# forwarders {};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
geoip-directory "/usr/share/GeoIP";
|
|
|
|
|
|
|
|
|
|
# This is the hostname the server should report via a query of the name
|
|
|
|
|
# hostname.bind with type TXT and class CHAOS. This defaults to the hostname
|
|
|
|
|
# of the machine hosting the name server, as found by the gethostname()
|
|
|
|
|
# function. The primary purpose of such queries is to identify which of a
|
|
|
|
|
# group of anycast servers is actually answering the queries. Specifying
|
|
|
|
|
# hostname none; disables processing of the queries.
|
|
|
|
|
# https://bind9.readthedocs.io/en/latest/reference.html?highlight=hostname#built-in-server-information-zones
|
|
|
|
|
hostname none;
|
|
|
|
|
|
|
|
|
|
{% if bind9_options.listen_on_ipv4 is defined and bind9_options.listen_on_ipv4 | length > 0 %}
|
|
|
|
|
listen-on port 53 {
|
|
|
|
|
{% for ip in bind9_options.listen_on_ipv4 %}
|
|
|
|
|
{{ ip }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
{% if bind9_options.listen_on_ipv6 is defined and bind9_options.listen_on_ipv6 | length > 0 %}
|
|
|
|
|
listen-on-v6 port 53 {
|
|
|
|
|
{% for ip in bind9_options.listen_on_ipv6 %}
|
|
|
|
|
{{ ip }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
2024-05-22 18:22:17 +00:00
|
|
|
|
# Indicates the directory where public and private DNSSEC key files are found.
|
|
|
|
|
#
|
|
|
|
|
# This is the directory where the public and private DNSSEC key files should be found when performing a dynamic update
|
|
|
|
|
# of secure zones, if different than the current working directory.
|
|
|
|
|
# https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-key-directory
|
|
|
|
|
key-directory "{{ bind9_options.key_directory }}";
|
|
|
|
|
|
2022-02-21 20:41:31 +00:00
|
|
|
|
# managed-keys-directory "/var/named/dynamic";
|
|
|
|
|
# memstatistics-file "/var/bind/named.memstats";
|
|
|
|
|
minimal-responses {{ bind9_options.minimal_responses }};
|
|
|
|
|
notify {{ bind9_options.notify }};
|
|
|
|
|
|
|
|
|
|
pid-file "/run/named/named.pid";
|
|
|
|
|
recursion {{ bind9_options.recursion }};
|
|
|
|
|
|
|
|
|
|
# statistics-file "/var/bind/named.stats";
|
|
|
|
|
|
|
|
|
|
transfer-format {{ bind9_options.transfer_format }};
|
|
|
|
|
|
|
|
|
|
# This is the version the server should report via a query of the name
|
|
|
|
|
# version.bind with type TXT and class CHAOS. The default is the real version
|
|
|
|
|
# number of this server. Specifying version none disables processing of the
|
|
|
|
|
# queries.
|
|
|
|
|
# https://bind9.readthedocs.io/en/latest/reference.html?highlight=hostname#built-in-server-information-zones
|
|
|
|
|
version none;
|
|
|
|
|
|
|
|
|
|
zone-statistics yes;
|
2023-02-19 11:19:41 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
{% if bind9_statics.enabled is defined and bind9_statics.enabled is true %}
|
|
|
|
|
statistics-channels {
|
|
|
|
|
{% for channel in bind9_statics.channels %}
|
|
|
|
|
inet {{ channel.inet }} port {{ channel.port }} allow {
|
|
|
|
|
{% for acl in channel.acls %}
|
|
|
|
|
{{ acl }};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
|
|
|
|
{% endfor %}
|
|
|
|
|
};
|
2023-06-09 07:46:02 +00:00
|
|
|
|
{% endif %}
|