mirror of
https://github.com/saltstack-formulas/bind-formula.git
synced 2025-04-16 17:50:23 +00:00
112 lines
2.9 KiB
Text
112 lines
2.9 KiB
Text
|
/*
|
||
|
|
* Refer to the named.conf(5) and named(8) man pages, and the documentation
|
||
|
|
* in /usr/share/doc/bind-* for more details.
|
||
|
|
* Online versions of the documentation can be found here:
|
||
|
|
* https://kb.isc.org/article/AA-01031
|
||
|
|
*
|
||
|
|
* If you are going to set up an authoritative server, make sure you
|
||
|
|
* understand the hairy details of how DNS works. Even with simple mistakes,
|
||
|
|
* you can break connectivity for affected parties, or cause huge amounts of
|
||
|
|
* useless Internet traffic.
|
||
|
|
*/
|
||
|
|
|
||
|
|
options {
|
||
|
|
directory "{{ map.get('named_directory') }}";
|
||
|
|
pid-file "/run/named/named.pid";
|
||
|
|
|
||
|
|
bindkeys-file "/etc/bind/bind.keys";
|
||
|
|
|
||
|
|
{%- if salt['pillar.get']('bind:config:ipv6', False) %}
|
||
|
|
listen-on-v6 { {{ salt['pillar.get']('bind:config:ipv6_listen', 'any') }}; };
|
||
|
|
{%- endif %}
|
||
|
|
|
||
|
|
listen-on { 127.0.0.1; };
|
||
|
|
|
||
|
|
{%- for statement, value in salt['pillar.get']('bind:config:options', {})|dictsort -%}
|
||
|
|
{%- if value is iterable and value is not string %}
|
||
|
|
{{ statement }} {
|
||
|
|
{%- for item in value %}
|
||
|
|
{{ item }};
|
||
|
|
{%- endfor %}
|
||
|
|
};
|
||
|
|
{%- else %}
|
||
|
|
{{ statement }} {{ value }};
|
||
|
|
{%- endif %}
|
||
|
|
{%- endfor %}
|
||
|
|
};
|
||
|
|
|
||
|
|
{% for incl in salt['pillar.get']('bind:config:includes', []) %}
|
||
|
|
include "{{ incl }}";
|
||
|
|
{% endfor %}
|
||
|
|
|
||
|
|
|
||
|
|
{%- if salt['pillar.get']('bind:controls', False) %}
|
||
|
|
controls {
|
||
|
|
{%- for name, control in salt['pillar.get']('bind:controls')|dictsort if control.get('enabled', True) %}
|
||
|
|
inet {{ control.get('bind', {}).get('address', '127.0.0.1') }} port {{ control.get('bind', {}).get('port', 953) }}
|
||
|
|
{%- if control.get('allow') %}
|
||
|
|
allow {
|
||
|
|
{%- for allow in control.allow %}
|
||
|
|
{{ allow }};
|
||
|
|
{%- endfor %}
|
||
|
|
}
|
||
|
|
{%- endif %}
|
||
|
|
{%- if control.get('keys') %}
|
||
|
|
keys {
|
||
|
|
{%- for key in control.get('keys') %}
|
||
|
|
{{ key }};
|
||
|
|
{%- endfor %}
|
||
|
|
}
|
||
|
|
{%- endif %};
|
||
|
|
{%- endfor %}
|
||
|
|
|
||
|
|
};
|
||
|
|
{%- endif %}
|
||
|
|
|
||
|
|
zone "." in {
|
||
|
|
type hint;
|
||
|
|
file "/var/bind/named.cache";
|
||
|
|
};
|
||
|
|
|
||
|
|
zone "localhost" IN {
|
||
|
|
type master;
|
||
|
|
file "pri/localhost.zone";
|
||
|
|
notify no;
|
||
|
|
};
|
||
|
|
|
||
|
|
/*
|
||
|
|
* Briefly, a zone which has been declared delegation-only will be effectively
|
||
|
|
* limited to containing NS RRs for subdomains, but no actual data beyond its
|
||
|
|
* own apex (for example, its SOA RR and apex NS RRset). This can be used to
|
||
|
|
* filter out "wildcard" or "synthesized" data from NAT boxes or from
|
||
|
|
* authoritative name servers whose undelegated (in-zone) data is of no
|
||
|
|
* interest.
|
||
|
|
* See http://www.isc.org/software/bind/delegation-only for more info
|
||
|
|
*/
|
||
|
|
|
||
|
|
//zone "COM" { type delegation-only; };
|
||
|
|
//zone "NET" { type delegation-only; };
|
||
|
|
|
||
|
|
//zone "YOUR-DOMAIN.TLD" {
|
||
|
|
// type master;
|
||
|
|
// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
|
||
|
|
// allow-query { any; };
|
||
|
|
// allow-transfer { xfer; };
|
||
|
|
//};
|
||
|
|
|
||
|
|
//zone "YOUR-SLAVE.TLD" {
|
||
|
|
// type slave;
|
||
|
|
// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
|
||
|
|
// masters { <MASTER>; };
|
||
|
|
|
||
|
|
/* Anybody is allowed to query but transfer should be controlled by the master. */
|
||
|
|
// allow-query { any; };
|
||
|
|
// allow-transfer { none; };
|
||
|
|
|
||
|
|
/* The master should be the only one who notifies the slaves, shouldn't it? */
|
||
|
|
// allow-notify { <MASTER>; };
|
||
|
|
// notify no;
|
||
|
|
//};
|
||
|
|
|
||
|
|
include "{{ map.local_config }}";
|