volker.raschek/ansible-role-bind9
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

test(ubuntu): tested on ubuntu

Browse Source
This commit is contained in:
Markus Pesch
2022-04-04 16:00:11 +02:00
parent d03840b0c6
commit cd3bd685ce
9 changed files with 51 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
templates/etc/named.conf.j2 Normal file
View File

@ -0,0 +1,14 @@
#
# {{ ansible_managed }}
#
# zone "." IN {
# type hint;
# file "named.ca";
# };
include "{{ bind_config_directory }}/named.conf.acl";
include "{{ bind_config_directory }}/named.conf.logging";
include "{{ bind_config_directory }}/named.conf.options";
include "{{ bind_config_directory }}/named.conf.tsigkeys";
include "{{ bind_config_directory }}/named.conf.views";

12
templates/etc/named/named.conf.acl.j2 Normal file
View File

@ -0,0 +1,12 @@
#
# {{ ansible_managed }}
#
{% for acl in bind9_acls %}
acl "{{ acl.name }}" {
{% for permission in acl.permissions %}
{{ permission }};
{% endfor %}
};
{% endfor %}

31
templates/etc/named/named.conf.logging.j2 Normal file
View File

@ -0,0 +1,31 @@
#
# {{ ansible_managed }}
#
logging {
{% for category in bind9_logging.categories %}
category {{ category.name }} {
{% for channel in category.channels %}
{{ channel }};
{% endfor %}
};
{% endfor %}
{% for channel in bind9_logging.channels %}
channel {{ channel.name }} {
{%if channel.file.path is defined and channel.file.options is defined %}
file "{{ channel.file.path }}" {{ channel.file.options }};
{% endif %}
{%if channel.file.path is defined and channel.file.options is not defined %}
file "{{ channel.file.path }}";
{% endif %}
{%if channel.severity is defined %}
severity {{ channel.severity }};
{% endif %}
print-time yes;
};
{% endfor %}
};

233
templates/etc/named/named.conf.options.j2 Normal file
View File

@ -0,0 +1,233 @@
#
# {{ ansible_managed }}
#
options {
# This specifies which hosts are allowed to ask ordinary DNS questions.
# allow-query may also be specified in the zone statement, in which case it
# overrides the options allow-query statement. If not specified, the default
# is to allow queries from all hosts.
# https://bind9.readthedocs.io/en/latest/reference.html#access-control
{% if bind9_options.allow_query is defined and bind9_options.allow_query | length > 0 %}
allow-query {
{% for entry in bind9_options.allow_query %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-query {};
{% endif %}
# This specifies which hosts are allowed to get answers from the cache. If
# allow-recursion is not set, BIND checks to see if the following parameters
# are set, in order: allow-query-cache and allow-query (unless recursion no;
# is set). If neither of those parameters is set, the default (localnets;
# localhost;) is used.
# https://bind9.readthedocs.io/en/latest/reference.html#access-control
{% if bind9_options.allow_query_on is defined and bind9_options.allow_query_on | length > 0 %}
allow-query-on {
{% for entry in bind9_options.allow_query_on %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-query-on {};
{% endif %}
# This specifies which hosts are allowed to get answers from the cache. If
# allow-recursion is not set, BIND checks to see if the following parameters
# are set, in order: allow-query-cache and allow-query (unless recursion no;
# is set). If neither of those parameters is set, the default (localnets;
# localhost;) is used.
# https://bind9.readthedocs.io/en/latest/reference.html#access-control
{% if bind9_options.allow_query_cache is defined and bind9_options.allow_query_cache | length > 0 %}
allow-query-cache {
{% for entry in bind9_options.allow_query_cache %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-query-cache {};
{% endif %}
# This specifies which local addresses can send answers from the cache. If
# allow-query-cache-on is not set, then allow-recursion-on is used if set.
# Otherwise, the default is to allow cache responses to be sent from any
# address. Note: both allow-query-cache and allow-query-cache-on must be
# satisfied before a cache response can be sent; a client that is blocked by
# one cannot be allowed by the other.
# https://bind9.readthedocs.io/en/latest/reference.html#access-control
{% if bind9_options.allow_query_cache_on is defined and bind9_options.allow_query_cache_on | length > 0 %}
allow-query-cache-on {
{% for entry in bind9_options.allow_query_cache_on %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-query-cache-on {};
{% endif %}
# This specifies which hosts are allowed to receive zone transfers from the
# server. allow-transfer may also be specified in the zone statement, in which
# case it overrides the allow-transfer statement set in options or view. If
# not specified, the default is to allow transfers to all hosts.
# The transport level limitations can also be specified. In particular, zone
# transfers can be restricted to a specific port and/or DNS transport protocol
# by using the options port and transport. Either option can be specified; if
# both are used, both constraints must be satisfied in order for the transfer
# to be allowed. Zone transfers are currently only possible via the TCP and
# TLS transports.
{% if bind9_options.allow_recursion is defined and bind9_options.allow_recursion | length > 0 %}
allow-recursion {
{% for entry in bind9_options.allow_recursion %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-recursion {};
{% endif %}
# allow-recursion-on defines the server interface(s) from which
# recursive queries are accepted and can be useful where a server is
# multi-homed, perhaps in conjunction with a view clause. Defaults to
# allow-recursion-on {any;}; meaning that recursive queries are
# accepted on any server interface.
#
# NOTE:
# - The statement is only relevant if recursion yes; is present or
# defaulted.
# - The statements may be used in a view or a global options clause.
{% if bind9_options.allow_recursion_on is defined and bind9_options.allow_recursion_on | length > 0 %}
allow-recursion-on {
{% for entry in bind9_options.allow_recursion_on %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-recursion-on {};
{% endif %}
# allow-transfer defines a match list e.g. IP address(es) that are
# allowed to transfer (copy) the zone information from the server
# (master or slave for the zone). The default behaviour is to allow
# zone transfers to any host. While on its face this may seem an
# excessively friendly default, DNS data is essentially public (that's
# why its there) and the bad guys can get all of it anyway. However if
# the thought of anyone being able to transfer your precious zone file
# is repugnant, or (and this is far more significant) you are
# concerned about possible DoS attack initiated by XFER requests, then
# use the following policy.
#
# NOTE:
# - This statement may be used in a zone, view or global options clause.
{% if bind9_options.allow_transfer is defined and bind9_options.allow_transfer | length > 0 %}
allow-transfer {
{% for entry in bind9_options.allow_transfer %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-transfer {};
{% endif %}
# When set in the zone statement for a primary zone, this specifies which
# hosts are allowed to submit Dynamic DNS updates to that zone. The default is
# to deny updates from all hosts.
# Note that allowing updates based on the requestors IP address is insecure;
# see Dynamic Update Security for details.
{% if bind9_options.allow_update is defined and bind9_options.allow_update | length > 0 %}
allow-update {
{% for entry in bind9_options.allow_update %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-update {};
{% endif %}
# When set in the zone statement for a secondary zone, this specifies which
# hosts are allowed to submit Dynamic DNS updates and have them be forwarded
# to the primary. The default is { none; }, which means that no update
# forwarding is performed.
# To enable update forwarding, specify allow-update-forwarding { any; }; in
# the zone statement. Specifying values other than { none; } or { any; } is
# usually counterproductive; the responsibility for update access control
# should rest with the primary server, not the secondary.
{% if bind9_options.allow_update_forwarding is defined and bind9_options.allow_update_forwarding | length > 0 %}
allow-update-forwarding {
{% for entry in bind9_options.allow_update_forwarding %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-update-forwarding {};
{% endif %}
directory "{{ bind_config_directory }}";
dnssec-validation {{ bind9_options.dnssec_validation | default('no') }};
# dump-file "/var/bind/named.dump";
{% if bind9_options.forwarders is defined and bind9_options.forwarders | length > 0 %}
forwarders {
{% for forwarder in bind9_options.forwarders %}
{{ forwarder }};
{% endfor %}
};
{% else %}
# forwarders {};
{% endif %}
geoip-directory "/usr/share/GeoIP";
# This is the hostname the server should report via a query of the name
# hostname.bind with type TXT and class CHAOS. This defaults to the hostname
# of the machine hosting the name server, as found by the gethostname()
# function. The primary purpose of such queries is to identify which of a
# group of anycast servers is actually answering the queries. Specifying
# hostname none; disables processing of the queries.
# https://bind9.readthedocs.io/en/latest/reference.html?highlight=hostname#built-in-server-information-zones
hostname none;
{% if bind9_options.listen_on_ipv4 is defined and bind9_options.listen_on_ipv4 | length > 0 %}
listen-on port 53 {
{% for ip in bind9_options.listen_on_ipv4 %}
{{ ip }};
{% endfor %}
};
{% endif %}
{% if bind9_options.listen_on_ipv6 is defined and bind9_options.listen_on_ipv6 | length > 0 %}
listen-on-v6 port 53 {
{% for ip in bind9_options.listen_on_ipv6 %}
{{ ip }};
{% endfor %}
};
{% endif %}
# managed-keys-directory "/var/named/dynamic";
# memstatistics-file "/var/bind/named.memstats";
minimal-responses {{ bind9_options.minimal_responses }};
notify {{ bind9_options.notify }};
pid-file "/run/named/named.pid";
recursion {{ bind9_options.recursion }};
# statistics-file "/var/bind/named.stats";
transfer-format {{ bind9_options.transfer_format }};
# This is the version the server should report via a query of the name
# version.bind with type TXT and class CHAOS. The default is the real version
# number of this server. Specifying version none disables processing of the
# queries.
# https://bind9.readthedocs.io/en/latest/reference.html?highlight=hostname#built-in-server-information-zones
version none;
zone-statistics yes;
};

11
templates/etc/named/named.conf.tsigkeys.j2 Normal file
View File

@ -0,0 +1,11 @@
#
# {{ ansible_managed }}
#
{% for key in bind9_tsigkeys %}
key "{{ key.name }}" {
algorithm {{ key.algorithm }};
secret "{{ key.secret }}";
};
{% endfor %}

191
templates/etc/named/named.conf.views.j2 Normal file
View File

@ -0,0 +1,191 @@
#
# {{ ansible_managed }}
#
{% for view in bind9_views %}
view "{{ view.name }}" {
match-clients {
{% for clients in view.match_clients %}
{{ clients }};
{% endfor %}
};
{% for zone in view.zones %}
zone "{{ zone.origin }}" {
# Hosts which are allowed to issue queries to the server. If not specified all
# hosts are allowed to make queries (defaults to allow-query {any;};
#
# NOTE:
# - The statements may be used in a zone, view or a global options
# clause.
{% if zone.allow_query is defined and zone.allow_query | length > 0 %}
allow-query {
{% for entry in zone.allow_query %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-query {};
{% endif %}
# allow-query-on defines the server interface(s) from which queries
# are accepted and can be useful where a server is multi-homed,
# perhaps in conjunction with a view clause. Defaults to
# allow-query-on {any;};) meaning that queries are accepted on any
# server interface.
#
# NOTE:
# - The statements may be used in a zone, view or a global options
# clause.
{% if zone.allow_query_on is defined and zone.allow_query_on | length > 0 %}
allow-query {
{% for entry in zone.allow_query_on %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-query-on {};
{% endif %}
# allow-transfer defines a match list e.g. IP address(es) that are
# allowed to transfer (copy) the zone information from the server
# (master or slave for the zone). The default behavior is to allow
# zone transfers to any host. While on its face this may seem an
# excessively friendly default, DNS data is essentially public (that's
# why its there) and the bad guys can get all of it anyway. However if
# the thought of anyone being able to transfer your precious zone file
# is repugnant, or (and this is far more significant) you are
# concerned about possible DoS attack initiated by XFER requests, then
# use the following policy.
#
# NOTE:
# - This statement may be used in a zone, view or global options clause.
{% if zone.allow_transfer is defined and zone.allow_transfer | length > 0 %}
allow-transfer {
{% for entry in zone.allow_transfer %}
key {{ entry }};
{% endfor %}
};
{% else %}
# allow-transfer {};
{% endif %}
# allow-update defines an address_match_list of hosts that are allowed
# to submit dynamic updates for master zones, and thus this statement
# enables Dynamic DNS. The default in BIND 9 is to disallow updates
# from all hosts, that is, DDNS is disabled by default. This statement
# is mutually exclusive with update-policy and applies to master zones
# only. The example shows DDNS for three zones: the first disables
# DDNS explicitly, the second uses an IP-based list, and the third
# references a key clause. The allow-update in the first zone clause
# could have been omitted since it is the default behavior. Many
# people like to be cautious in case the default mode changes.
#
# NOTE:
# - This statement may be used in a zone, view or an options clause.
{% if zone.allow_update is defined and zone.allow_update | length > 0 %}
allow-update {
{% for entry in zone.allow_update %}
key {{ entry }};
{% endfor %}
};
{% else %}
# allow-update {};
{% endif %}
# allow-update-forwarding defines a match list, for instance,
# IP address(es) that are allowed to submit dynamic updates to
# a 'slave' sever for onward transmission to a 'master'.
#
# NOTE:
# - This statement may be used in zone, view or an options clause.
{% if zone.allow_update_forwarding is defined and zone.allow_update_forwarding | length > 0 %}
allow-update-forwarding {
{% for entry in zone.allow_update_forwarding %}
{{ entry }};
{% endfor %}
};
{% else %}
# allow-update-forwarding {};
{% endif %}
# Defines the file used by the zone in quoted string format, for
# instance, "slave/example.com" - or whatever convention you use. The
# file entry is mandatory for master and hint and optional - but
# highly recommended - for slave and not required for forward zones.
# The file may be an absolute path or relative to directory.
#
# NOTE:
# - If a type Slave has a file statement then any zone transfer
# will cause it to update this file. If the slave is reloaded then
# it will read this file and immediately start answering queries for
# the domain. If no file is specified it will immediately try to
# contact the Master and initiate a zone transfer. For obvious
# reasons the Slave cannot to zone queries until this zone transfer
# is complete. If the Master is not available or the Slave fails to
# contact the Master, ffor whatever reason, the zone may be left with
# no effective Authoritative Name Servers.
file "{{ bind_config_directory }}/{{ zone.file }}";
# master servers
# https://bind9.readthedocs.io/en/latest/manpages.html?highlight=masters#masters
{% if zone.masters is defined and zone.masters | length > 0 %}
masters {
{% for master in zone.masters %}
{{ master.ip }} key {{ master.tsigkey}};
{% endfor %}
};
{% else %}
# masters {};
{% endif %}
# notify behavior is applicable to both master zones (with
# 'type master;') and slave zones (with 'type slave;') and if
# set to 'yes' (the default) then, when a zone is loaded or
# changed, for example, after a zone transfer, NOTIFY messages
# are sent to the name servers defined in the NS records for
# the zone (except itself and the 'Primary Master' name server
# defined in the SOA record) and to any IPs listed in any
# also-notify statement.
#
# If set to 'no' NOTIFY messages are not sent.
# If set to 'explicit' NOTIFY is only sent to those IP(s) listed
# in an also-notify statement.
#
# NOTE:
# - This statement may be specified in zone, view clauses or in a
# global options clause.
notify yes;
# Zones configured for dynamic DNS may use this option to set the
# update method to be used for the zone serial number in the SOA
# record.
#
# With the default setting of serial-update-method increment;, the
# SOA serial number is incremented by one each time the zone is
# updated.
#
# When set to serial-update-method unixtime;, the SOA serial number
# is set to the number of seconds since the Unix epoch, unless the
# serial number is already greater than or equal to that value, in
# which case it is simply incremented by one.
#
# When set to serial-update-method date;, the new SOA serial number
# is the current date in the form “YYYYMMDD”, followed by two
# zeroes, unless the existing serial number is already greater than
# or equal to that value, in which case it is incremented by one.
{% if zone.serial_update_method is defined %}
serial-update-method {{ zone.serial_update_method }};
{% else %}
# serial-update-method [date | increment | unixtime ];
{% endif %}
type {{ zone.type }};
};
{% endfor %}
};
{% endfor %}