From e1d3d5ff7cb87cf10f364201369caa8f48f47a27 Mon Sep 17 00:00:00 2001 From: Maga Abdurakhmanov Date: Tue, 20 Dec 2016 01:47:48 +0300 Subject: [PATCH 01/25] * quote vars --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e45442f..dfb2d46 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: install bind packages apt: pkg={{ item }} state={{ bind_pkg_state }} - with_items: bind_pkgs + with_items: "{{bind_pkgs}}" - name: setup zone directories file: dest={{ bind_base_zones_path }}/{{ item }} state=directory owner={{ bind_user }} group={{ bind_group }} mode=0755 @@ -27,7 +27,7 @@ - name: Copy master zone files copy: src={{ bind_masterzones_path }}/db.{{ item.name }} dest={{ bind_base_zones_path }}/{{bind_masterzones_path}} owner={{ bind_user }} group={{ bind_group }} - with_items: bind_config_master_zones + with_items: "{{bind_config_master_zones}}" notify: reload bind tags: bind-zones From f2638e7a91bb181e22f727d810d2b3c717260e60 Mon Sep 17 00:00:00 2001 From: Maga Abdurakhmanov Date: Tue, 20 Dec 2016 02:36:08 +0300 Subject: [PATCH 02/25] * quotes fixed --- tasks/main.yml | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index dfb2d46..433c334 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -4,13 +4,13 @@ with_items: "{{bind_pkgs}}" - name: setup zone directories - file: dest={{ bind_base_zones_path }}/{{ item }} state=directory owner={{ bind_user }} group={{ bind_group }} mode=0755 + file: dest="{{ bind_base_zones_path }}/{{ item }}" state=directory owner="{{ bind_user }}" group="{{ bind_group }}" mode=0755 with_items: - masters - slaves - name: setup zones - template: src=named.conf.local.{{ item }}.j2 dest={{ bind_config_basepath }}/named.conf.local.{{ item }} owner={{ bind_user }} group={{ bind_group }} mode=0600 + template: src="named.conf.local.{{ item }}.j2" dest="{{ bind_config_basepath }}/named.conf.local.{{ item }}" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 with_items: - master - slave 
@@ -18,18 +18,26 @@ notify: reload bind - name: configure bind - copy: src=named.conf dest={{ bind_config_basepath }}/named.conf owner={{ bind_user }} group={{ bind_group }} mode=0600 + copy: src=named.conf dest="{{ bind_config_basepath }}/named.conf" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 notify: restart bind - name: configure bind options - template: src=named.conf.options.j2 dest={{ bind_config_basepath }}/named.conf.options owner={{ bind_user }} group={{ bind_group }} mode=0600 + template: src=named.conf.options.j2 dest="{{ bind_config_basepath }}/named.conf.options" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 notify: restart bind +- name: Create directory for master zone files + file: + path: "{{ bind_base_zones_path }}/{{ bind_masterzones_path }}" + mode: 0760 + state: directory + owner: "{{ bind_user }}" + group: "{{ bind_group }}" + - name: Copy master zone files - copy: src={{ bind_masterzones_path }}/db.{{ item.name }} dest={{ bind_base_zones_path }}/{{bind_masterzones_path}} owner={{ bind_user }} group={{ bind_group }} - with_items: "{{bind_config_master_zones}}" + copy: src="{{ bind_masterzones_path }}/db.{{ item.name }}" dest="{{ bind_base_zones_path }}/{{ bind_masterzones_path }}/db.{{ item.name }}" owner="{{ bind_user }}" group="{{ bind_group }}" + with_items: "{{ bind_config_master_zones }}" notify: reload bind tags: bind-zones - name: start/stop bind service - service: name={{ bind_service_name }} state={{ bind_service_state }} enabled={{ bind_service_enabled }} + service: name="{{ bind_service_name }}" state="{{ bind_service_state }}" enabled="{{ bind_service_enabled }}" From bf616971ffe009a1550317f863b24c7fd3b08b64 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Thu, 19 Jan 2017 17:38:44 +0200 Subject: [PATCH 03/25] allow configuration of allow recursion and query cache --- defaults/main.yml | 2 ++ templates/named.conf.options.j2 | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) 
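Review bot: `mode: 0760` in the new "Create directory for master zone files" task is an unquoted octal literal, so the YAML loader hands Ansible an integer (496 under YAML 1.1 rules) instead of the string the file module expects, and Ansible's own docs say leading-zero integer modes work only sometimes; write it as `mode: "0760"`. The same line is later rewritten by patch 12 (L11) to an equally unquoted `mode: 0755`. The `mode=0755`/`mode=0600` values in the key=value form elsewhere in this hunk are parsed as strings and are not affected.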
diff --git a/defaults/main.yml b/defaults/main.yml index 6a6e3df..6c809e0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,3 +13,5 @@ bind_masterzones_path: "masters" bind_slavezones_path: "slaves" bind_config_listen_on: any bind_config_allow_query: [] +bind_config_allow_recursion: [] +bind_config_allow_query_cache: [] diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 7a1deb6..a11389b 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -59,6 +59,27 @@ options { allow-query { any; }; // This is the default {% endif %} +{% if bind_config_allow_recursion %} + allow-recursion { + {% for queries in bind_config_allow_recursion %} + {{ queries }}; + {% endfor %} + }; + {% else %} + allow-recursion { any; }; // This is the default + {% endif %} + +{% if bind_config_allow_query_cache %} + allow-query-cache { + {% for queries in bind_config_allow_query_cache %} + {{ queries }}; + {% endfor %} + }; + {% else %} + allow-query-cache { any; }; // This is the default + {% endif %} + + recursion {{ bind_config_recursion }}; // Do not provide recursive service zone-statistics yes; }; From 814782c78376209694559da5772f5ede9ddd78d0 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Thu, 19 Jan 2017 18:21:21 +0200 Subject: [PATCH 04/25] allow configuration of acls --- defaults/main.yml | 1 + templates/named.conf.options.j2 | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 6c809e0..1198250 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -15,3 +15,4 @@ bind_config_listen_on: any bind_config_allow_query: [] bind_config_allow_recursion: [] bind_config_allow_query_cache: [] +bind_config_acls: [] diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index a11389b..a3f47ec 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 
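Review bot: The `{% else %}` branches emit `allow-recursion { any; };` and `allow-query-cache { any; };` under the comment `// This is the default`, but BIND's built-in default for allow-recursion is `{ localnets; localhost; }` and allow-query-cache defaults to whatever allow-recursion is, so the fallback is looser than an untouched named.conf, not equal to it. With `bind_config_recursion` set to yes this makes the server an open resolver for any client that can reach it. Either drop the else branches so named keeps its own defaults, or emit `allow-recursion { localnets; localhost; };` and `allow-query-cache { localnets; localhost; };` and correct the comments. The enclosing `options { … }` block starts and ends outside the hunk.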
@@ -1,4 +1,10 @@ // {{ ansible_managed }} +{% for acl in bind_config_acls %} +acl "{{ acl.name }}" { +{% for entries in acl.entries %} {{ entries | indent(4) }} +{% endfor %} +}; +{% endfor %} options { directory "/var/cache/bind"; From bf16aec77410ad16aa2a44470d0e33701023a890 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Fri, 20 Jan 2017 14:14:57 +0200 Subject: [PATCH 05/25] remove newline --- templates/named.conf.options.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index a3f47ec..06af86a 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -85,7 +85,6 @@ options { allow-query-cache { any; }; // This is the default {% endif %} - recursion {{ bind_config_recursion }}; // Do not provide recursive service zone-statistics yes; }; From 8bab9960add57cbdb5cd911a30e009f815e3bf1e Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Tue, 31 Jan 2017 16:14:05 +0200 Subject: [PATCH 06/25] make work with ansible 2.2+ --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e45442f..50b442c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: install bind packages apt: pkg={{ item }} state={{ bind_pkg_state }} - with_items: bind_pkgs + with_items: "{{ bind_pkgs }}" - name: setup zone directories file: dest={{ bind_base_zones_path }}/{{ item }} state=directory owner={{ bind_user }} group={{ bind_group }} mode=0755 @@ -27,7 +27,7 @@ - name: Copy master zone files copy: src={{ bind_masterzones_path }}/db.{{ item.name }} dest={{ bind_base_zones_path }}/{{bind_masterzones_path}} owner={{ bind_user }} group={{ bind_group }} - with_items: bind_config_master_zones + with_items: "{{ bind_config_master_zones }}" notify: reload bind tags: bind-zones From 01adcec8c8f96270a9844cf2cb6f8a54accb66bf Mon Sep 17 00:00:00 2001 
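Review bot: These two hunks re-apply the `with_items: bind_pkgs` → `"{{ bind_pkgs }}"` change that patch 01 already made: both patches carry `index e45442f..` as their pre-image, while patch 02 moved tasks/main.yml to 433c334 with quoted `with_items` lines and patch 07 continues from 433c334, so the `-    with_items: bind_pkgs` lines this patch removes no longer exist when it is applied. Rebase the patch onto the current file (keeping only the inner-space spelling `"{{ bind_pkgs }}"` if that is wanted) or drop it from the series.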
From: Maga Abdurakhmanov Date: Thu, 9 Feb 2017 23:50:19 +0100 Subject: [PATCH 07/25] * default zones moved to separate file --- files/masters/db.example.com | 2 ++ files/named.conf | 33 +++------------------------------ files/named.conf.default-zones | 30 ++++++++++++++++++++++++++++++ tasks/main.yml | 6 +++++- 4 files changed, 40 insertions(+), 31 deletions(-) create mode 100644 files/named.conf.default-zones diff --git a/files/masters/db.example.com b/files/masters/db.example.com index a534853..0cee92b 100644 --- a/files/masters/db.example.com +++ b/files/masters/db.example.com @@ -1,3 +1,5 @@ +// !!!! Don't modify: this file was generated by Ansible !!!! + $TTL 4h $ORIGIN example.com. @ IN SOA ns1.example.com. hostmaster.example.com. ( diff --git a/files/named.conf b/files/named.conf index eef8b96..3caee86 100644 --- a/files/named.conf +++ b/files/named.conf @@ -1,3 +1,5 @@ +// !!!! Don't modify: this file was generated by Ansible !!!! + // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the @@ -7,37 +9,8 @@ // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; - -// prime the server with knowledge of the root servers -zone "." { - type hint; - file "/etc/bind/db.root"; -}; - -// be authoritative for the localhost forward and reverse zones, and for -// broadcast zones as per RFC 1912 - -zone "localhost" { - type master; - file "/etc/bind/db.local"; -}; - -zone "127.in-addr.arpa" { - type master; - file "/etc/bind/db.127"; -}; - -zone "0.in-addr.arpa" { - type master; - file "/etc/bind/db.0"; -}; - -zone "255.in-addr.arpa" { - type master; - file "/etc/bind/db.255"; -}; - include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.local.master"; include "/etc/bind/named.conf.local.slave"; include "/etc/bind/named.conf.local.forward"; +include "/etc/bind/named.conf.default-zones"; 
diff --git a/files/named.conf.default-zones b/files/named.conf.default-zones new file mode 100644 index 0000000..c508a76 --- /dev/null +++ b/files/named.conf.default-zones @@ -0,0 +1,30 @@ +// !!!! Don't modify: this file was generated by Ansible !!!! + +// prime the server with knowledge of the root servers +zone "." { + type hint; + file "/etc/bind/db.root"; +}; + +// be authoritative for the localhost forward and reverse zones, and for +// broadcast zones as per RFC 1912 + +zone "localhost" { + type master; + file "/etc/bind/db.local"; +}; + +zone "127.in-addr.arpa" { + type master; + file "/etc/bind/db.127"; +}; + +zone "0.in-addr.arpa" { + type master; + file "/etc/bind/db.0"; +}; + +zone "255.in-addr.arpa" { + type master; + file "/etc/bind/db.255"; +}; \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 433c334..b284a3b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -17,10 +17,14 @@ - forward notify: reload bind -- name: configure bind +- name: configure bind (named.conf) copy: src=named.conf dest="{{ bind_config_basepath }}/named.conf" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 notify: restart bind +- name: configure bind (named.conf.default-zones) + copy: src=named.conf.default-zones dest="{{ bind_config_basepath }}/named.conf.default-zones" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 + notify: restart bind + - name: configure bind options template: src=named.conf.options.j2 dest="{{ bind_config_basepath }}/named.conf.options" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 notify: restart bind From e8b90be844dc297651dca2f7c61d005e26fcacff Mon Sep 17 00:00:00 2001 From: Maga Abdurakhmanov Date: Fri, 10 Feb 2017 00:09:09 +0100 Subject: [PATCH 08/25] - .local file --- files/named.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/files/named.conf b/files/named.conf index 3caee86..eec9bd5 100644 --- a/files/named.conf +++ b/files/named.conf 
@@ -9,7 +9,6 @@ // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; -include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.local.master"; include "/etc/bind/named.conf.local.slave"; include "/etc/bind/named.conf.local.forward"; From bf61fc9f615cc7ee338abff4822b9820e376c83b Mon Sep 17 00:00:00 2001 From: Daniel Paufler Date: Tue, 14 Mar 2017 21:33:18 +0100 Subject: [PATCH 09/25] set notify=no and adjust option alignment --- defaults/main.yml | 1 + templates/named.conf.options.j2 | 25 ++++++++++++++----------- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1198250..0f68c56 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -16,3 +16,4 @@ bind_config_allow_query: [] bind_config_allow_recursion: [] bind_config_allow_query_cache: [] bind_config_acls: [] +bind_config_notify: 'no' diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 06af86a..47ae898 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -19,7 +19,10 @@ options { query-source address * port *; - transfer-source *; + transfer-source {{ ansible_default_ipv4.address }} port 53; + {% if ansible_default_ipv6.address is defined %} + transfer-source-v6 {{ ansible_default_ipv6.address }} port 53; + {% endif %} notify-source *; @@ -29,7 +32,7 @@ options { {% endfor %} }; - notify yes; + notify {{ bind_config_notify }}; also-notify { }; @@ -50,7 +53,7 @@ options { //dnssec-enable yes; //dnssec-validation yes; - auth-nxdomain no; # conform to RFC1035 + auth-nxdomain no; // conform to RFC1035 listen-on { {{ bind_config_listen_on }}; }; listen-on-v6 { any; }; 
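Review bot: `transfer-source {{ ansible_default_ipv4.address }} port 53;` is emitted unconditionally and dereferences a gathered fact, so a host with fact gathering disabled or no default IPv4 route fails the template task with an undefined-variable error; the IPv6 line directly below already guards with `is defined`, and the v4 line should do the same, `{% if ansible_default_ipv4.address is defined %}`. Patch 23 later wraps both lines in `bind_config_transfer_source`, but the fact dependency remains whenever that toggle is on. Replacing the shipped `*` with a fixed address and `port 53` also changes behaviour for existing users, which the subject line does not mention.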
@@ -62,29 +65,29 @@ options { {% endfor %} }; {% else %} - allow-query { any; }; // This is the default + allow-query { any; }; // This is the default {% endif %} {% if bind_config_allow_recursion %} - allow-recursion { + allow-recursion { {% for queries in bind_config_allow_recursion %} - {{ queries }}; + {{ queries }}; {% endfor %} - }; + }; {% else %} - allow-recursion { any; }; // This is the default + allow-recursion { any; }; // This is the default {% endif %} {% if bind_config_allow_query_cache %} - allow-query-cache { + allow-query-cache { {% for queries in bind_config_allow_query_cache %} {{ queries }}; {% endfor %} }; {% else %} - allow-query-cache { any; }; // This is the default + allow-query-cache { any; }; // This is the default {% endif %} - recursion {{ bind_config_recursion }}; // Do not provide recursive service + recursion {{ bind_config_recursion }}; zone-statistics yes; }; From c8739d63b469f13533f71351fb0c64617475c137 Mon Sep 17 00:00:00 2001 From: Daniel Paufler Date: Tue, 14 Mar 2017 21:33:51 +0100 Subject: [PATCH 10/25] add TSIG Support for slave zone transfer --- README.md | 17 +++++++++++++++++ templates/named.conf.local.slave.j2 | 25 +++++++++++++++++++++++-- 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fdfb239..b1d26d0 100644 --- a/README.md +++ b/README.md 
@@ -34,6 +34,23 @@ Optionally: If your nameservers acts as a secondary nameserver, here is a sample - example.net - example.org +Optionally: If your nameservers acts as a secondary nameserver, here is a sample setup with TSIG Keys: + + bind_config_slave_zones: + - name: example.net + keys: + - name: sample-key + algorithm: hmac-md5 + secret: 'phaiGouX7Soh8gee4Vee' + masters_templates: + - name: example-tmpl + servers: + - '127.0.0.1 key sample-key' + - '2001::15 key sample-key' + masters: [ 'example-templ' ] + zones: + - example.net + - example.org Optionally: If you need to forward some zones directly to another nameserver, here is a sample: diff --git a/templates/named.conf.local.slave.j2 b/templates/named.conf.local.slave.j2 index e20bad3..045d26e 100644 --- a/templates/named.conf.local.slave.j2 +++ b/templates/named.conf.local.slave.j2 @@ -1,13 +1,34 @@ ## {{ ansible_managed }} + {% for slave_zone in bind_config_slave_zones %} ######## {{ slave_zone.name }} ({{ slave_zone.zones|count }} zones) -{% for zone in slave_zone.zones %} +# TSIG Keys +{% for tsig_key in slave_zone.tsig_keys|default('') %} +key "{{ tsig_key.name }}" { + algorithm {{ tsig_key.algorithm }}; + secret "{{ tsig_key.secret }}"; +}; +{% endfor %} + +# Masters Template +{% for master in slave_zone.masters_templates|default('') %} +masters {{ master.name }} { +{% for server in master.servers %} + {{ server }}; +{% endfor %} +}; +{% endfor %} + +# Zones +{% for zone in slave_zone.zones|sort %} zone "{{ zone }}" { type slave; + notify no; file "{{bind_base_zones_path}}/{{bind_slavezones_path}}/db.{{ zone }}"; + masterfile-format text; # no bind9.9 binary format masters { {% for master in slave_zone.masters %} - {{ master }}; + {{ master }}; {% endfor %} }; }; From 122e626e6760c165e713fb9156d79d627e4b051a Mon Sep 17 00:00:00 2001 
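Review bot: `slave_zone.tsig_keys|default('')` and `slave_zone.masters_templates|default('')` fall back to an empty string rather than the list the loops expect; iterating a string happens to yield nothing here, but `|default([])` states the intent and survives a future change to the loop body. The rendered `key` blocks carry `secret "{{ tsig_key.secret }}"` in clear text, so the file this template produces must keep the restrictive mode the existing template task already sets (mode=0600) and the secrets should come from vault rather than plain group vars. The README sample added in the same patch shows `algorithm: hmac-md5`; RFC 8945 made HMAC-MD5 optional to implement and the SHA-2 algorithms are the ones to recommend, so `hmac-sha256` is the better example.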
From: Daniel Paufler Date: Tue, 14 Mar 2017 21:40:06 +0100 Subject: [PATCH 11/25] adjust documentation --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b1d26d0..dc72f82 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ [![Build Status](https://travis-ci.org/resmo/ansible-role-bind.png?branch=master)](https://travis-ci.org/resmo/ansible-role-bind) -# Ansible Bind Role +# Ansible Bind9 Role An ansible role for installing and managing bind, acting as primary and/or secondary nameserver. It does also copy the master zone files (`bind_masterzones_path`), but however, the zone files must exist. @@ -38,7 +38,7 @@ Optionally: If your nameservers acts as a secondary nameserver, here is a sample bind_config_slave_zones: - name: example.net - keys: + tsig_keys: - name: sample-key algorithm: hmac-md5 secret: 'phaiGouX7Soh8gee4Vee' @@ -81,7 +81,7 @@ None. - hosts: nameservers remote_user: root roles: - - { role: resmo.bind } + - { role: bind9 } ## License @@ -92,3 +92,4 @@ MIT ## Author Information René Moser +Additions by Daniel Paufler From d746775079dffbf259b24a2c32ea735db3b9dd4b Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Wed, 22 Mar 2017 13:52:42 +0200 Subject: [PATCH 12/25] zonefile directory to world readable --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index d7dc544..232d106 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -32,7 +32,7 @@ - name: Create directory for master zone files file: path: "{{ bind_base_zones_path }}/{{ bind_masterzones_path }}" - mode: 0760 + mode: 0755 state: directory owner: "{{ bind_user }}" group: "{{ bind_group }}" From 737feb31f167a49f9fea8c08060d0b2a43cc3640 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Wed, 22 Mar 2017 13:57:44 +0200 Subject: [PATCH 13/25] update readme, follow this repos travis --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/README.md b/README.md index dc72f82..809b2dc 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/resmo/ansible-role-bind.png?branch=master)](https://travis-ci.org/resmo/ansible-role-bind) +[![Build Status](https://travis-ci.org/teadur/ansible-role-bind.png?branch=master)](https://travis-ci.org/teadur/ansible-role-bind) # Ansible Bind9 Role @@ -92,4 +92,6 @@ MIT ## Author Information René Moser + Additions by Daniel Paufler +Additions by Georg Kahest From c0ca80fe5f505e904c2bbbe191477d799b27f4e8 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Fri, 16 Mar 2018 11:49:42 +0200 Subject: [PATCH 14/25] add querylog param, enable hardcoded logging to syslog --- templates/named.conf.options.j2 | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 47ae898..a950108 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -6,6 +6,20 @@ acl "{{ acl.name }}" { }; {% endfor %} +// TODO: Make me dynamic +logging { + channel default_syslog { + print-time yes; + print-category yes; + print-severity yes; + syslog daemon; + severity info; + }; + category queries { default_syslog; }; + +}; + + options { directory "/var/cache/bind"; @@ -90,4 +104,7 @@ options { recursion {{ bind_config_recursion }}; zone-statistics yes; + {% if bind_config_querylog %} + querylog {{ bind_config_querylog }}; + {% endif %} }; From 102273ee5d78ac0b1615f5f59b24053af3a54386 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Thu, 19 Jul 2018 13:45:05 +0300 Subject: [PATCH 15/25] log dnssec to syslog --- templates/named.conf.options.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index a950108..386e923 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 
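Review bot: `{% if bind_config_querylog %}` tests a variable that this patch does not add to defaults/main.yml, so every host that does not set it fails the template with an undefined variable, and once the later string default 'no' exists the truthiness test would still emit `querylog no;`; patch 16 adds the default and the `== 'yes'` comparison, so this commit is not usable on its own. On the logging block, `category queries { default_syslog; }` combined with `querylog yes` sends one line per client query (client address and queried name) to the daemon facility at `severity info`, which can dominate syslog on a busy resolver; the `// TODO: Make me dynamic` should at least say what is meant (channel destination and category list), and the category list is a natural candidate for a role variable.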
@@ -16,6 +16,7 @@ logging { severity info; }; category queries { default_syslog; }; + category dnssec { default_syslog; }; }; @@ -64,8 +65,8 @@ options { }; {% endif %} - //dnssec-enable yes; - //dnssec-validation yes; + dnssec-enable yes; + dnssec-validation yes; auth-nxdomain no; // conform to RFC1035 From 34a3838b6867c2cfd7dbca0ace953ce0a7658655 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Thu, 19 Jul 2018 14:03:58 +0300 Subject: [PATCH 16/25] move named.conf to template, allow disabling of default zones, fix querylog default --- defaults/main.yml | 2 ++ files/named.conf | 15 --------------- tasks/main.yml | 2 +- templates/named.conf.options.j2 | 2 +- 4 files changed, 4 insertions(+), 17 deletions(-) delete mode 100644 files/named.conf diff --git a/defaults/main.yml b/defaults/main.yml index 0f68c56..c82dd4f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -17,3 +17,5 @@ bind_config_allow_recursion: [] bind_config_allow_query_cache: [] bind_config_acls: [] bind_config_notify: 'no' +bind_config_querylog: 'no' +bind_config_disable_default_zones: false diff --git a/files/named.conf b/files/named.conf deleted file mode 100644 index eec9bd5..0000000 --- a/files/named.conf +++ /dev/null @@ -1,15 +0,0 @@ -// !!!! Don't modify: this file was generated by Ansible !!!! - -// This is the primary configuration file for the BIND DNS server named. -// -// Please read /usr/share/doc/bind9/README.Debian.gz for information on the -// structure of BIND configuration files in Debian, *BEFORE* you customize -// this configuration file. -// -// If you are just adding zones, please do that in /etc/bind/named.conf.local - -include "/etc/bind/named.conf.options"; -include "/etc/bind/named.conf.local.master"; -include "/etc/bind/named.conf.local.slave"; -include "/etc/bind/named.conf.local.forward"; -include "/etc/bind/named.conf.default-zones"; diff --git a/tasks/main.yml b/tasks/main.yml index 232d106..9cd7410 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
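Review bot: `dnssec-validation yes;` turns validation on but requires a manually configured trust anchor (a `trust-anchors`/`managed-keys` statement), and nothing in the role provides one, so no answers are actually validated while the config reads as if they were. `dnssec-validation auto;` uses BIND's built-in root trust anchor and is what Debian's stock named.conf.options ships; use that unless the role also templates an anchor. `dnssec-enable` is deprecated in newer BIND releases and may warn or be rejected depending on the installed version — confirm against the target version. Both settings only matter when `bind_config_recursion` is yes; its default in this series is "no".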
@@ -18,7 +18,7 @@ notify: reload bind - name: configure bind (named.conf) - copy: src=named.conf dest="{{ bind_config_basepath }}/named.conf" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 + template: src=named.conf.j2 dest="{{ bind_config_basepath }}/named.conf" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 notify: restart bind - name: configure bind (named.conf.default-zones) diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 386e923..5307839 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -105,7 +105,7 @@ options { recursion {{ bind_config_recursion }}; zone-statistics yes; - {% if bind_config_querylog %} + {% if bind_config_querylog == 'yes' %} querylog {{ bind_config_querylog }}; {% endif %} }; From 34601da797c679cd9362c5b6c959fc71fa6efdb7 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Thu, 19 Jul 2018 15:44:15 +0300 Subject: [PATCH 17/25] allow configuration of bind version --- defaults/main.yml | 1 + templates/named.conf.j2 | 15 +++++++++++++++ templates/named.conf.options.j2 | 3 ++- 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 templates/named.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index c82dd4f..63ff157 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,3 +19,4 @@ bind_config_acls: [] bind_config_notify: 'no' bind_config_querylog: 'no' bind_config_disable_default_zones: false +bind_config_version: false diff --git a/templates/named.conf.j2 b/templates/named.conf.j2 new file mode 100644 index 0000000..b1641c7 --- /dev/null +++ b/templates/named.conf.j2 
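Review bot: `template: src=named.conf.j2` references a template that does not exist at this commit — the diffstat lists only defaults/main.yml, the deletion of files/named.conf, tasks/main.yml and named.conf.options.j2, and templates/named.conf.j2 is first created in patch 17 — so a checkout at this point renders no named.conf at all. Fold the new template into this patch, or move the task change into patch 17, so that each commit leaves the role runnable. The mode=0600 and `notify: restart bind` carried over from the copy task are fine.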
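Review bot: `{% if bind_config_querylog == 'yes' %}` compares against the literal string 'yes', so an inventory that writes the natural `bind_config_querylog: yes` (a YAML boolean) or `true` never enables query logging and nothing reports that. Normalize instead with `{% if bind_config_querylog | bool %}` followed by a literal `querylog yes;`, which accepts the quoted default 'no', the quoted 'yes', and real booleans alike.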
@@ -0,0 +1,15 @@ +// !!!! Don't modify: this file was generated by Ansible !!!! + +// This is the primary configuration file for the BIND DNS server named. +// +// Please read /usr/share/doc/bind9/README.Debian.gz for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize +// this configuration file. +// +// If you are just adding zones, please do that in /etc/bind/named.conf.local + +include "/etc/bind/named.conf.options"; +include "/etc/bind/named.conf.local.master"; +include "/etc/bind/named.conf.local.slave"; +include "/etc/bind/named.conf.local.forward"; +{% if not bind_config_disable_default_zones %}include "/etc/bind/named.conf.default-zones";{% endif %} diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 5307839..325cba4 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -67,7 +67,8 @@ options { dnssec-enable yes; dnssec-validation yes; - +{% if bind_config_version %} version "{{ bind_config_version }}"; +{% endif %} auth-nxdomain no; // conform to RFC1035 listen-on { {{ bind_config_listen_on }}; }; From 5153d502d1999b751b34514a59fe45c5ecfef336 Mon Sep 17 00:00:00 2001 From: Daniel Paufler Date: Sun, 30 Dec 2018 17:32:07 +0100 Subject: [PATCH 18/25] changed to present due to deprication warning --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0f68c56..599e7c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ bind_config_slave_zones: [] bind_config_forward_zones: [] bind_service_state: started bind_service_enabled: yes -bind_pkg_state: installed +bind_pkg_state: present bind_base_zones_path: "/var/lib/bind" bind_masterzones_path: "masters" bind_slavezones_path: "slaves" From 001d99dd6d8fdb7ee53254d6fa87d591c063673f Mon Sep 17 00:00:00 2001 
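Review bot: With the default `bind_config_version: false` the `version` option is omitted, and named then answers `version.bind` CHAOS TXT queries with its real version string, so the knob defaults to the disclosure it exists to remove. Consider a neutral default (the README in patch 22 suggests `bind_config_version: 'none'`) so that hiding the version is opt-out; the `{% if bind_config_version %}` guard still lets a user set false to restore the real string. The value is also written unescaped inside double quotes, so a value containing `"` yields an invalid named.conf — worth a comment next to the variable.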
From: Daniel Paufler Date: Sun, 30 Dec 2018 18:09:48 +0100 Subject: [PATCH 19/25] adjust acl indent --- templates/named.conf.options.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 325cba4..8f88aa2 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -1,7 +1,8 @@ // {{ ansible_managed }} {% for acl in bind_config_acls %} acl "{{ acl.name }}" { -{% for entries in acl.entries %} {{ entries | indent(4) }} +{% for entries in acl.entries %} + {{ entries | indent(4) }}; {% endfor %} }; {% endfor %} From 6e726a27f6bc3898d2a61b60b6cb91dd7e98fbd1 Mon Sep 17 00:00:00 2001 From: Daniel Paufler Date: Sun, 30 Dec 2018 19:43:31 +0100 Subject: [PATCH 20/25] fix broken example comment --- files/masters/db.example.com | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/files/masters/db.example.com b/files/masters/db.example.com index 0cee92b..1ae4e0c 100644 --- a/files/masters/db.example.com +++ b/files/masters/db.example.com @@ -1,5 +1,4 @@ -// !!!! Don't modify: this file was generated by Ansible !!!! - +;Ansible managed, do not edit directly $TTL 4h $ORIGIN example.com. @ IN SOA ns1.example.com. hostmaster.example.com. ( From 7e44ccc8817fe093077afc24cf9ddccd136d3f41 Mon Sep 17 00:00:00 2001 From: Daniel Paufler Date: Sun, 30 Dec 2018 19:52:42 +0100 Subject: [PATCH 21/25] add tsig support for bind-master --- defaults/main.yml | 1 + templates/named.conf.local.master.j2 | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 20e53a8..d07f08c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,6 +2,7 @@ bind_config_master_zones: [] bind_config_master_allow_transfer: [] bind_config_master_forwarders: [] +bind_config_master_tsig_keys: [] bind_config_recursion: "no" bind_config_slave_zones: [] bind_config_forward_zones: [] 
diff --git a/templates/named.conf.local.master.j2 b/templates/named.conf.local.master.j2 index fb26b21..e431f29 100644 --- a/templates/named.conf.local.master.j2 +++ b/templates/named.conf.local.master.j2 @@ -1,4 +1,14 @@ ## {{ ansible_managed }} +######## ({{ bind_config_master_zones|count }} zones) +# TSIG Keys +{% for tsig_key in bind_config_master_tsig_keys|default('') %} +key "{{ tsig_key.name }}" { + algorithm {{ tsig_key.algorithm }}; + secret "{{ tsig_key.secret }}"; +}; +{% endfor %} + +# Zones {% for master_zone in bind_config_master_zones %} zone "{{ master_zone.name }}" { From bea2aa88fe578c03b1bdab10a1675eb08f21dcc8 Mon Sep 17 00:00:00 2001 From: Daniel Paufler Date: Sun, 30 Dec 2018 19:58:28 +0100 Subject: [PATCH 22/25] adjust documentation --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 809b2dc..46dd069 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,11 @@ Optionally: If your nameservers acts as a secondary nameserver, here is a sample - example.net - example.org + bind_config_master_tsig_keys: + - name: sample-key + algorithm: hmac-md5 + secret: 'phaiGouX7Soh8gee4Vee' + Optionally: If you need to forward some zones directly to another nameserver, here is a sample: bind_config_forward_zones: @@ -81,7 +86,11 @@ None. - hosts: nameservers remote_user: root roles: - - { role: bind9 } + - role: bind9 + bind_base_zones_path: '/var/cache/bind' + bind_config_version: 'none' + bind_config_master_zones: [] + bind_config_slave_zones: [] ## License From 12d932553645bf867f5ad0134616e2b218443c08 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Mon, 11 Feb 2019 05:43:13 +0200 Subject: [PATCH 23/25] allow disabling of transfer source, default to no transfer source --- defaults/main.yml | 1 + templates/named.conf.options.j2 | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d07f08c..8dfe571 100644 --- a/defaults/main.yml 
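Review bot: Emitting `key "{{ tsig_key.name }}"` blocks from this template while patch 10 emits them from named.conf.local.slave.j2 means a host that is master for some zones and slave for others and uses one key name for both gets the key declared twice, which named-checkconf reports as a redefinition; declare keys once from a single list, or document that the two lists must not share names. Nothing in this hunk references the keys — `allow-transfer` is still driven by `bind_config_master_allow_transfer` from the defaults — so without a `key name;` entry there the keys change nothing on the master; the rest of the zone template is outside the hunk, so confirm. `|default('')` should be `|default([])`, as in the slave template.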
+++ b/defaults/main.yml @@ -21,3 +21,4 @@ bind_config_notify: 'no' bind_config_querylog: 'no' bind_config_disable_default_zones: false bind_config_version: false +bind_config_transfer_source: false diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 8f88aa2..3377cca 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -34,12 +34,12 @@ options { //query-source address * port 53; query-source address * port *; - + {% if bind_config_transfer_source %} transfer-source {{ ansible_default_ipv4.address }} port 53; {% if ansible_default_ipv6.address is defined %} transfer-source-v6 {{ ansible_default_ipv6.address }} port 53; {% endif %} - + {% endif %} notify-source *; allow-transfer { From 473dbcdf1b0ff5b246e5574d4bcfe6998e49e1c6 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Wed, 12 May 2021 14:56:15 +0300 Subject: [PATCH 24/25] default hostname to inventory_hostname --- templates/named.conf.options.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 3377cca..48ca42e 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -24,7 +24,7 @@ logging { options { directory "/var/cache/bind"; - + hostname {{ inventory_hostname }}; // If there is a firewall between you and nameservers you want // to talk to, you might need to uncomment the query-source // directive below. Previous versions of BIND always asked From 920e0ebb7ebb3d8f2d070e30fc1a5e951d781b65 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Tue, 18 May 2021 01:58:43 +0300 Subject: [PATCH 25/25] hostname requires quotes --- templates/named.conf.options.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 48ca42e..f76251f 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 
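Review bot: `{% if bind_config_transfer_source %}` uses the variable purely as a switch, but its name reads as if it held the address; a user who sets `bind_config_transfer_source: 192.0.2.10` (constructed example) gets that value silently ignored in favour of `ansible_default_ipv4.address`, which is still dereferenced with no `is defined` guard. Either rename the toggle to something like `bind_config_transfer_source_enabled`, or treat a string value as the address and fall back to the fact only when the variable is `true`.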
@@ -24,7 +24,7 @@ logging { options { directory "/var/cache/bind"; - hostname {{ inventory_hostname }}; + hostname "{{ inventory_hostname }}"; // If there is a firewall between you and nameservers you want // to talk to, you might need to uncomment the query-source // directive below. Previous versions of BIND always asked
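Review bot: `hostname "{{ inventory_hostname }}";` sets the string named returns for `hostname.bind` CHAOS TXT queries, so any client can now read the server's Ansible inventory name; before patches 24/25 the option was absent and named used the system hostname, so this widens disclosure whenever inventory names differ, and it is hard-wired with no way to opt out. Make it a role variable shaped like `bind_config_version` (false to omit the option, with `none` available to disable the answer), keeping the quoting introduced here.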