allow configuration of acls, allow-recursion and query-cache clauses

README.md

@@ -1,6 +1,6 @@
-[![Build Status](https://travis-ci.org/resmo/ansible-role-bind.png?branch=master)](https://travis-ci.org/resmo/ansible-role-bind)
+[![Build Status](https://travis-ci.org/teadur/ansible-role-bind.png?branch=master)](https://travis-ci.org/teadur/ansible-role-bind)
 
-# Ansible Bind Role
+# Ansible Bind9 Role
 
 An ansible role for installing and managing bind, acting as primary and/or secondary nameserver. 
 It does also copy the master zone files (`bind_masterzones_path`), but however, the zone files must exist.
@@ -34,6 +34,28 @@ Optionally: If your nameservers acts as a secondary nameserver, here is a sample
             - example.net
             - example.org
 
+Optionally: If your nameservers acts as a secondary nameserver, here is a sample setup with TSIG Keys:
+
+      bind_config_slave_zones:
+        - name: example.net
+          tsig_keys:
+            - name: sample-key
+              algorithm: hmac-md5
+              secret: 'phaiGouX7Soh8gee4Vee'
+          masters_templates:
+            - name: example-tmpl
+              servers:
+              - '127.0.0.1 key sample-key'
+              - '2001::15 key sample-key'
+          masters: [ 'example-templ' ]
+          zones:
+            - example.net
+            - example.org
+
+      bind_config_master_tsig_keys:
+         - name: sample-key
+             algorithm: hmac-md5
+             secret: 'phaiGouX7Soh8gee4Vee'
 
 Optionally: If you need to forward some zones directly to another nameserver, here is a sample:
 
@@ -64,7 +86,11 @@ None.
     - hosts: nameservers
       remote_user: root
       roles:
-         - { role: resmo.bind }
+         - role: bind9
+           bind_base_zones_path: '/var/cache/bind'
+           bind_config_version: 'none'
+           bind_config_master_zones: []
+           bind_config_slave_zones: []
 
 
 ## License
@@ -75,3 +101,6 @@ MIT
 ## Author Information
 
 René Moser <mail@renemoser.net>
+
+Additions by Daniel Paufler <dpaufler@leo34.net>
+Additions by Georg Kahest <georg@gj.ee>

defaults/main.yml

@@ -2,14 +2,23 @@
 bind_config_master_zones: []
 bind_config_master_allow_transfer: []
 bind_config_master_forwarders: []
+bind_config_master_tsig_keys: []
 bind_config_recursion: "no"
 bind_config_slave_zones: []
 bind_config_forward_zones: []
 bind_service_state: started
 bind_service_enabled: yes
-bind_pkg_state: installed
+bind_pkg_state: present
 bind_base_zones_path: "/var/lib/bind"
 bind_masterzones_path: "masters"
 bind_slavezones_path: "slaves"
 bind_config_listen_on: any
 bind_config_allow_query: []
+bind_config_allow_recursion: []
+bind_config_allow_query_cache: []
+bind_config_acls: []
+bind_config_notify: 'no'
+bind_config_querylog: 'no'
+bind_config_disable_default_zones: false
+bind_config_version: false
+bind_config_transfer_source: false

files/masters/db.example.com

@@ -1,3 +1,4 @@
+;Ansible managed, do not edit directly
 $TTL    4h
 $ORIGIN example.com.
 @           IN      SOA     ns1.example.com.    hostmaster.example.com. (

files/named.conf → files/named.conf.default-zones

@@ -1,12 +1,4 @@
-// This is the primary configuration file for the BIND DNS server named.
-//
-// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
-// structure of BIND configuration files in Debian, *BEFORE* you customize
-// this configuration file.
-//
-// If you are just adding zones, please do that in /etc/bind/named.conf.local
-
-include "/etc/bind/named.conf.options";
+// !!!! Don't modify: this file was generated by Ansible !!!!
 
 // prime the server with knowledge of the root servers
 zone "." {
@@ -35,9 +27,4 @@ zone "0.in-addr.arpa" {
 zone "255.in-addr.arpa" {
         type master;
         file "/etc/bind/db.255";
-};
-
-include "/etc/bind/named.conf.local";
-include "/etc/bind/named.conf.local.master";
-include "/etc/bind/named.conf.local.slave";
-include "/etc/bind/named.conf.local.forward";
+};

tasks/main.yml

@@ -4,32 +4,44 @@
   with_items: "{{ bind_pkgs }}"
 
 - name: setup zone directories
-  file: dest={{ bind_base_zones_path }}/{{ item }} state=directory owner={{ bind_user }} group={{ bind_group }} mode=0755
+  file: dest="{{ bind_base_zones_path }}/{{ item }}" state=directory owner="{{ bind_user }}" group="{{ bind_group }}" mode=0755
   with_items:
   - masters
   - slaves
 
 - name: setup zones
-  template: src=named.conf.local.{{ item }}.j2 dest={{ bind_config_basepath }}/named.conf.local.{{ item }} owner={{ bind_user }} group={{ bind_group }} mode=0600
+  template: src="named.conf.local.{{ item }}.j2" dest="{{ bind_config_basepath }}/named.conf.local.{{ item }}" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600
   with_items:
   - master
   - slave
   - forward
   notify: reload bind
 
-- name: configure bind
-  copy: src=named.conf dest={{ bind_config_basepath }}/named.conf owner={{ bind_user }} group={{ bind_group }} mode=0600
+- name: configure bind (named.conf)
+  template: src=named.conf.j2 dest="{{ bind_config_basepath }}/named.conf" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600
+  notify: restart bind
+
+- name: configure bind (named.conf.default-zones)
+  copy: src=named.conf.default-zones dest="{{ bind_config_basepath }}/named.conf.default-zones" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600
   notify: restart bind
 
 - name: configure bind options
-  template: src=named.conf.options.j2 dest={{ bind_config_basepath }}/named.conf.options owner={{ bind_user }} group={{ bind_group }} mode=0600
+  template: src=named.conf.options.j2 dest="{{ bind_config_basepath }}/named.conf.options" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600
   notify: restart bind
 
+- name: Create directory for master zone files
+  file: 
+    path: "{{ bind_base_zones_path }}/{{ bind_masterzones_path }}"
+    mode: 0755
+    state: directory
+    owner: "{{ bind_user }}"
+    group: "{{ bind_group }}"
+
 - name: Copy master zone files
-  copy: src={{ bind_masterzones_path }}/db.{{ item.name }} dest={{ bind_base_zones_path }}/{{bind_masterzones_path}} owner={{ bind_user }} group={{ bind_group }}
+  copy: src="{{ bind_masterzones_path }}/db.{{ item.name }}" dest="{{ bind_base_zones_path }}/{{ bind_masterzones_path }}/db.{{ item.name }}" owner="{{ bind_user }}" group="{{ bind_group }}"
   with_items: "{{ bind_config_master_zones }}"
   notify: reload bind
   tags: bind-zones
 
 - name: start/stop bind service
-  service: name={{ bind_service_name }} state={{ bind_service_state }} enabled={{ bind_service_enabled }}
+  service: name="{{ bind_service_name }}" state="{{ bind_service_state }}" enabled="{{ bind_service_enabled }}"

templates/named.conf.j2

@@ -0,0 +1,15 @@
+// !!!! Don't modify: this file was generated by Ansible !!!!
+
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local.master";
+include "/etc/bind/named.conf.local.slave";
+include "/etc/bind/named.conf.local.forward";
+{% if not bind_config_disable_default_zones %}include "/etc/bind/named.conf.default-zones";{% endif %}

templates/named.conf.local.master.j2

@@ -1,4 +1,14 @@
 ## {{ ansible_managed }}
+######## ({{ bind_config_master_zones|count }} zones)
+# TSIG Keys
+{% for tsig_key in bind_config_master_tsig_keys|default('') %}
+key "{{ tsig_key.name }}" {
+    algorithm {{ tsig_key.algorithm }};
+    secret "{{ tsig_key.secret }}";
+};
+{% endfor %}
+
+# Zones
 
 {% for master_zone in bind_config_master_zones %}
 zone "{{ master_zone.name }}" {

templates/named.conf.local.slave.j2

@@ -1,13 +1,34 @@
 ## {{ ansible_managed }}
+
 {% for slave_zone in bind_config_slave_zones %}
 ######## {{ slave_zone.name }} ({{ slave_zone.zones|count }} zones)
-{% for zone in slave_zone.zones %}
+# TSIG Keys
+{% for tsig_key in slave_zone.tsig_keys|default('') %}
+key "{{ tsig_key.name }}" {
+    algorithm {{ tsig_key.algorithm }};
+    secret "{{ tsig_key.secret }}";
+};
+{% endfor %}
+
+# Masters Template
+{% for master in slave_zone.masters_templates|default('') %}
+masters {{ master.name }} {
+{% for server in master.servers %}
+    {{ server }};
+{% endfor %}
+};
+{% endfor %}
+
+# Zones
+{% for zone in slave_zone.zones|sort %}
 zone "{{ zone }}" {
     type slave;
+    notify no;
     file "{{bind_base_zones_path}}/{{bind_slavezones_path}}/db.{{ zone }}";
+    masterfile-format text; # no bind9.9 binary format
     masters {
 {% for master in slave_zone.masters %}
-          {{ master }};
+        {{ master }};
 {% endfor %}
     };
 };

templates/named.conf.options.j2

@@ -1,8 +1,30 @@
 // {{ ansible_managed }}
+{% for acl in bind_config_acls %}
+acl "{{ acl.name }}" {
+{% for entries in acl.entries %}
+    {{ entries | indent(4) }}; 
+{% endfor %}
+}; 
+{% endfor %}
+
+// TODO: Make me dynamic
+logging {
+      channel default_syslog {
+                print-time yes;
+                print-category yes;
+                print-severity yes;
+                syslog daemon;
+                severity info;
+        };
+        category queries { default_syslog; };
+        category dnssec { default_syslog; };
+
+};
+
 
 options {
         directory "/var/cache/bind";
-
+	hostname "{{ inventory_hostname }}";
         // If there is a firewall between you and nameservers you want
         // to talk to, you might need to uncomment the query-source
         // directive below.  Previous versions of BIND always asked
@@ -12,9 +34,12 @@ options {
         //query-source address * port 53;
 
         query-source address * port *;
-
-        transfer-source *;
-
+	{% if bind_config_transfer_source %}
+        transfer-source {{ ansible_default_ipv4.address }} port 53;
+	{% if ansible_default_ipv6.address is defined %}
+        transfer-source-v6 {{ ansible_default_ipv6.address }} port 53;
+	{% endif %}
+	{% endif %}
         notify-source *;
 
         allow-transfer {
@@ -23,7 +48,7 @@ options {
         {% endfor %}
         };
 
-        notify yes;
+        notify {{ bind_config_notify }};
 
         also-notify {
         };
@@ -41,10 +66,11 @@ options {
         };
 	{% endif %}
 
-        //dnssec-enable yes;
-        //dnssec-validation yes;
-
-        auth-nxdomain no;    # conform to RFC1035
+        dnssec-enable yes;
+        dnssec-validation yes;
+{% if bind_config_version %}        version "{{ bind_config_version }}";
+{% endif %}
+        auth-nxdomain no; // conform to RFC1035
 
         listen-on { {{ bind_config_listen_on }}; }; 
         listen-on-v6 { any; };
@@ -56,9 +82,32 @@ options {
       {% endfor %}
       };
   {% else %}
-        allow-query { any; };              // This is the default
+        allow-query { any; }; // This is the default
   {% endif %}
 
-        recursion {{ bind_config_recursion }};                      // Do not provide recursive service
+{% if bind_config_allow_recursion %}
+        allow-recursion {
+       {% for queries in bind_config_allow_recursion %}
+          {{ queries }};
+       {% endfor %}
+        };
+   {% else %}
+        allow-recursion { any; }; // This is the default
+   {% endif %}
+
+{% if bind_config_allow_query_cache %}
+        allow-query-cache {
+       {% for queries in bind_config_allow_query_cache %}
+         {{ queries }};
+       {% endfor %}
+       };
+   {% else %}
+        allow-query-cache { any; }; // This is the default
+   {% endif %}
+
+        recursion {{ bind_config_recursion }};
         zone-statistics yes;
+    {% if bind_config_querylog == 'yes' %}
+    querylog {{ bind_config_querylog }};
+    {% endif %}
 };