bind-formula/docs/README.rst

.. _readme:

bind-formula
================

|img_travis| |img_sr|

.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/bind-formula.svg?branch=master
   :alt: Travis CI Build Status
   :scale: 100%
   :target: https://travis-ci.com/saltstack-formulas/bind-formula
.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
   :alt: Semantic Release
   :scale: 100%
   :target: https://github.com/semantic-release/semantic-release

A SaltStack formula that is empty. It has dummy content to help with a quick
start on a new formula and it serves as a style guide.

.. contents:: **Table of Contents**

General notes
-------------

See the full `SaltStack Formulas installation and usage instructions
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.

If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_.

If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,
which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_.

See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.

Contributing to this repo
-------------------------

**Commit message formatting is significant!!**

Please see `How to contribute <https://github.com/saltstack-formulas/.github/blob/master/CONTRIBUTING.rst>`_ for more details.

Available states
----------------

.. contents::
   :local:

``bind``
^^^^^^^^

Install the bind package and start the bind service.

``bind.config``
^^^^^^^^^^^^^^^

Manage the bind configuration file.

Example Pillar
--------------

.. code:: yaml

    bind:
      configured_zones:
        example.com:
          type: master
          notify: False
      available_zones:
        example.com:
          file: example.com.txt
          soa:
            ns: ns1.example.com                       # Required
            contact: hostmaster.example.com           # Required
            serial: 2017041001                        # Required
          records:                                    # Records for the zone, grouped by type
            A:
              mx1:                                    # A RR with multiple values can
                - 1.2.3.228                           # be written as an array
                - 1.2.3.229
              cat: 2.3.4.188
              rat: 1.2.3.231
              live: 1.2.3.236
      configured_views:
        myview1:
          match_clients:
            - client1
            - client2
        configured_zones:
          my.zone:
            type: master
            notify: False

See *pillar.example* for a more complete example.

Management of zone files
------------------------

`named.conf.local`
^^^^^^^^^^^^^^^^^^

<zone> entries in `named.conf.local` will point to the file declared in

* `bind:configured_zones:<zone>:file` (this takes precedence)
* `bind:available_zones:<zone>:file`

zone files
^^^^^^^^^^

The `config.sls` state will  iterate on `bind:available_zones` and manage
<zone> files for each <zone> that has bind:available_zones:<zone>:file`
declared.

* If `bind:available_zones:<zone>:records` exist, a zone file will be created
  using those records (see pillar.example for more details)
* If `bind:available_zones:<zone>:records` is **NOT** declared,
  `bind:available_zones:<zone>:file` should point to an existing zone file
  that will be **sourced** by the formula.

Using Views
^^^^^^^^^^^

Using views introduces some restrictions by the BIND server in that once you have views defined, ALL of your zones have to be served via a view. You cannot have any zones defined outside of a view. 

If you want multiple views to serve the same zone but with different record sets, follow the example in pillar-with-views.example to set this up. The key to this is the 'file' argument in the view configuration that allows you to set the view's configured_zone to a zone that you define underneath 'available_zones'. Without specifying this 'file' argument, your views cannot serve the same zone; they will instead serve a zone that matches the name of the view.
          
External zone files
^^^^^^^^^^^^^^^^^^^

To use an external tool to manage the <zone> file, simply declare the location
of the zone file in  `bind:configured_zones:<zone>:file` and **don't** add any
entry for the <zone> in  `bind:available_zones`

DNSSEC
------

The `bind` formula currently support two ways to enable DNSSEC:

* Using the `zonesigner` binary provided by `dnssec-tools` (legacy) ;
* Using internal features of `bind`.

Here is sample pillar entries to use the latter.

On the master server :

.. code:: yaml

  bind:
    lookup:
      key_directory: '/etc/bind/keys'
    config:
      options:
        dnssec-enable: 'yes'
        dnssec-validation: 'yes'
    configured_acls:
      slave_server:
        - 192.168.1.2
    configured_zones:
      domain.tld:
        file: "db.domain.tld"
        type: master
        notify: True
        allow-transfer:
          - localnets
          - localhost
          - slave_server
        allow-update: 'none'
        auto-dnssec: 'maintain'

On the slave server :

.. code:: yaml

  bind:
    config:
      options:
        dnssec-enable: 'yes'
        dnssec-validation: 'yes'
    configured_zones:
      domain.tld:
        file: "db.domain.tld.signed"
        type: slave
        masters:
          - master_server
    configured_masters:
      master_server:
        - 192.168.1.1

Notes
-----

* When using views all zones must be configured in views!

Salt Compatibility
------------------

Tested with:

* 2017.7.x
* 2018.3.x

OS Compatibility
----------------

Tested with:

* Archlinux
* CentOS 7
* Debian-8
* Debian-9
* Fedora-27
* Ubuntu-16.04
* Ubuntu-18.04


Testing
-------

Linux testing is done with ``kitchen-salt``.

``kitchen converge``
^^^^^^^^^^^^^^^^^^^^

Creates the docker instance and runs the ``template`` main state, ready for testing.

``kitchen verify``
^^^^^^^^^^^^^^^^^^

Runs the ``inspec`` tests on the actual instance.

``kitchen destroy``
^^^^^^^^^^^^^^^^^^^

Removes the docker instance.

``kitchen test``
^^^^^^^^^^^^^^^^

Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.

``kitchen login``
^^^^^^^^^^^^^^^^^

Gives you SSH access to the instance for manual testing.
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00			`.. _readme:`
Set up initial readme 2013-06-12 23:39:14 -04:00
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00			`bind-formula`
			`================`

			`\|img_travis\| \|img_sr\|`

			`.. \|img_travis\| image:: https://travis-ci.com/saltstack-formulas/bind-formula.svg?branch=master`
			`:alt: Travis CI Build Status`
			`:scale: 100%`
			`:target: https://travis-ci.com/saltstack-formulas/bind-formula`
			`.. \|img_sr\| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg`
			`:alt: Semantic Release`
			`:scale: 100%`
			`:target: https://github.com/semantic-release/semantic-release`

			`A SaltStack formula that is empty. It has dummy content to help with a quick`
			`start on a new formula and it serves as a style guide.`

			`.. contents:: Table of Contents`

			`General notes`
			`-------------`

			See the full `SaltStack Formulas installation and usage instructions
			<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.
Split bind formula into two states; added map; added pillar examples 2013-09-03 15:51:19 -06:00
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00			If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
			<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_.
Split bind formula into two states; added map; added pillar examples 2013-09-03 15:51:19 -06:00
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00			If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,
			which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_.

			See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.

			`Contributing to this repo`
			`-------------------------`

			`Commit message formatting is significant!!`

docs(readme): update link to `CONTRIBUTING` [skip ci] 2019-10-14 11:34:26 +01:00			Please see `How to contribute <https://github.com/saltstack-formulas/.github/blob/master/CONTRIBUTING.rst>`_ for more details.
Split bind formula into two states; added map; added pillar examples 2013-09-03 15:51:19 -06:00
			`Available states`
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00			`----------------`
Split bind formula into two states; added map; added pillar examples 2013-09-03 15:51:19 -06:00
			`.. contents::`
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00			`:local:`
Split bind formula into two states; added map; added pillar examples 2013-09-03 15:51:19 -06:00
			``bind``
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00			`^^^^^^^^`
Split bind formula into two states; added map; added pillar examples 2013-09-03 15:51:19 -06:00
			`Install the bind package and start the bind service.`

			``bind.config``
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00			`^^^^^^^^^^^^^^^`
Split bind formula into two states; added map; added pillar examples 2013-09-03 15:51:19 -06:00
			`Manage the bind configuration file.`
Allow to generate zone files from pillar data 2017-07-12 08:38:07 -03:00
			`Example Pillar`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`--------------`
Allow to generate zone files from pillar data 2017-07-12 08:38:07 -03:00
			`.. code:: yaml`

			`bind:`
			`configured_zones:`
			`example.com:`
			`type: master`
			`notify: False`
			`available_zones:`
			`example.com:`
			`file: example.com.txt`
			`soa:`
			`ns: ns1.example.com # Required`
			`contact: hostmaster.example.com # Required`
			`serial: 2017041001 # Required`
			`records: # Records for the zone, grouped by type`
			`A:`
			`mx1: # A RR with multiple values can`
			`- 1.2.3.228 # be written as an array`
			`- 1.2.3.229`
			`cat: 2.3.4.188`
			`rat: 1.2.3.231`
			`live: 1.2.3.236`
Update example pillar in README to better reflect basic configuration. 2015-03-22 22:10:01 +01:00			`configured_views:`
			`myview1:`
			`match_clients:`
			`- client1`
			`- client2`
			`configured_zones:`
			`my.zone:`
			`type: master`
			`notify: False`

Update link to example in README.rst pillar.example seems to have been moved to the root of the repository. Tried to make it a link but that only seems to work in Markdown, not in RST 🤷‍♂️ 2018-10-26 22:24:42 +02:00			`See pillar.example for a more complete example.`
Update documentation accordingly 2018-05-04 09:23:53 +02:00
			`Management of zone files`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`------------------------`
Update documentation accordingly 2018-05-04 09:23:53 +02:00
			`named.conf.local`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`^^^^^^^^^^^^^^^^^^`
Update documentation accordingly 2018-05-04 09:23:53 +02:00
			<zone> entries in `named.conf.local` will point to the file declared in

			* `bind:configured_zones:<zone>:file` (this takes precedence)
			* `bind:available_zones:<zone>:file`

			`zone files`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`^^^^^^^^^^`
Update documentation accordingly 2018-05-04 09:23:53 +02:00
			The `config.sls` state will iterate on `bind:available_zones` and manage
			<zone> files for each <zone> that has bind:available_zones:<zone>:file`
			`declared.`

			* If `bind:available_zones:<zone>:records` exist, a zone file will be created
			`using those records (see pillar.example for more details)`
			* If `bind:available_zones:<zone>:records` is NOT declared,
			`bind:available_zones:<zone>:file` should point to an existing zone file
			`that will be sourced by the formula.`

Squash commits Update named.conf.local.jinja Some reorganization of the format. In the for-loop that handles configured_views: - Add if-block on lines 124-128 to allow specifying a file for your view, rather than defaulting to the name of the specified zone. This allows multiple views to serve the same zone, but use a different file. Update pillar.example Add documentation and an example on specifying the file to be used for a view, as well as documented that you should not define the top-level 'configured_zones' key when using views. Small comment update. Add comment about using ACLs and views. Create pillar-with-views.example An example of the bind pillar that defines multiple views for internal and external record sets. This doesn't include the other portion of the pillar the defines the bind config - this is zones, views and ACLs only. The config portion is not affected by this. Add more comment clarification. Add comment explaining file name requirements. The filename must match the corresponding zone name (without the .txt extension) because the config.sls jinja logic uses the filename to match to the zone when setting zone_records. It also is hardcoded to replace ".txt" with "" in order to make this match work, and so .txt extension is required for the logic to work. Update config.sls Add logic to detect a file specified in a view, and match it to a zone under available_zones to enable creating that zone file. Revert back Made a bad commit. Update with the required logic. Added an if-block to test for the file argument in the zone_data, and if found, use that view and update the zone variable to match the zone defined under available_zones. Fix variable set. Set zone based on file with the .txt extension removed. Update README.rst Add paragraph about using views. Update pillar-with-views.example Add some more comments for explanation. 2018-11-14 11:11:07 -05:00			`Using Views`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`^^^^^^^^^^^`
Squash commits Update named.conf.local.jinja Some reorganization of the format. In the for-loop that handles configured_views: - Add if-block on lines 124-128 to allow specifying a file for your view, rather than defaulting to the name of the specified zone. This allows multiple views to serve the same zone, but use a different file. Update pillar.example Add documentation and an example on specifying the file to be used for a view, as well as documented that you should not define the top-level 'configured_zones' key when using views. Small comment update. Add comment about using ACLs and views. Create pillar-with-views.example An example of the bind pillar that defines multiple views for internal and external record sets. This doesn't include the other portion of the pillar the defines the bind config - this is zones, views and ACLs only. The config portion is not affected by this. Add more comment clarification. Add comment explaining file name requirements. The filename must match the corresponding zone name (without the .txt extension) because the config.sls jinja logic uses the filename to match to the zone when setting zone_records. It also is hardcoded to replace ".txt" with "" in order to make this match work, and so .txt extension is required for the logic to work. Update config.sls Add logic to detect a file specified in a view, and match it to a zone under available_zones to enable creating that zone file. Revert back Made a bad commit. Update with the required logic. Added an if-block to test for the file argument in the zone_data, and if found, use that view and update the zone variable to match the zone defined under available_zones. Fix variable set. Set zone based on file with the .txt extension removed. Update README.rst Add paragraph about using views. Update pillar-with-views.example Add some more comments for explanation. 2018-11-14 11:11:07 -05:00
			`Using views introduces some restrictions by the BIND server in that once you have views defined, ALL of your zones have to be served via a view. You cannot have any zones defined outside of a view.`

			`If you want multiple views to serve the same zone but with different record sets, follow the example in pillar-with-views.example to set this up. The key to this is the 'file' argument in the view configuration that allows you to set the view's configured_zone to a zone that you define underneath 'available_zones'. Without specifying this 'file' argument, your views cannot serve the same zone; they will instead serve a zone that matches the name of the view.`

Update documentation accordingly 2018-05-04 09:23:53 +02:00			`External zone files`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`^^^^^^^^^^^^^^^^^^^`
Update documentation accordingly 2018-05-04 09:23:53 +02:00
			`To use an external tool to manage the <zone> file, simply declare the location`
			of the zone file in `bind:configured_zones:<zone>:file` and don't add any
			entry for the <zone> in `bind:available_zones`
Add support for views. 2015-03-22 22:07:22 +01:00
Add support for inline-signing, see #64 for details 2018-06-06 13:53:28 +02:00			`DNSSEC`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`------`
Add support for inline-signing, see #64 for details 2018-06-06 13:53:28 +02:00
			The `bind` formula currently support two ways to enable DNSSEC:

			* Using the `zonesigner` binary provided by `dnssec-tools` (legacy) ;
			* Using internal features of `bind`.

			`Here is sample pillar entries to use the latter.`

			`On the master server :`

			`.. code:: yaml`

fix formatting for yaml blocks 2018-09-26 12:48:36 +02:00			`bind:`
			`lookup:`
			`key_directory: '/etc/bind/keys'`
			`config:`
			`options:`
			`dnssec-enable: 'yes'`
			`dnssec-validation: 'yes'`
			`configured_acls:`
			`slave_server:`
			`- 192.168.1.2`
			`configured_zones:`
			`domain.tld:`
			`file: "db.domain.tld"`
			`type: master`
			`notify: True`
			`allow-transfer:`
			`- localnets`
			`- localhost`
			`- slave_server`
			`allow-update: 'none'`
			`auto-dnssec: 'maintain'`
Add support for inline-signing, see #64 for details 2018-06-06 13:53:28 +02:00
			`On the slave server :`

			`.. code:: yaml`

fix formatting for yaml blocks 2018-09-26 12:48:36 +02:00			`bind:`
			`config:`
			`options:`
			`dnssec-enable: 'yes'`
			`dnssec-validation: 'yes'`
			`configured_zones:`
			`domain.tld:`
			`file: "db.domain.tld.signed"`
			`type: slave`
			`masters:`
			`- master_server`
			`configured_masters:`
			`master_server:`
			`- 192.168.1.1`
Add support for inline-signing, see #64 for details 2018-06-06 13:53:28 +02:00
Add support for views. 2015-03-22 22:07:22 +01:00			`Notes`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`-----`
Add support for views. 2015-03-22 22:07:22 +01:00
			`* When using views all zones must be configured in views!`
Add basic testing scaffold, with travis support 2018-05-26 18:54:26 -03:00
			`Salt Compatibility`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`------------------`
Add basic testing scaffold, with travis support 2018-05-26 18:54:26 -03:00
			`Tested with:`

			`* 2017.7.x`
			`* 2018.3.x`

			`OS Compatibility`
docs(readme): fix headings [skip ci] 2021-05-05 15:40:04 +01:00			`----------------`
Add basic testing scaffold, with travis support 2018-05-26 18:54:26 -03:00
			`Tested with:`

			`* Archlinux`
			`* CentOS 7`
			`* Debian-8`
			`* Debian-9`
			`* Fedora-27`
			`* Ubuntu-16.04`
			`* Ubuntu-18.04`
feat: implement an automated changelog 2019-05-18 17:52:10 +02:00

			`Testing`
			`-------`

			Linux testing is done with ``kitchen-salt``.

			``kitchen converge``
			`^^^^^^^^^^^^^^^^^^^^`

			Creates the docker instance and runs the ``template`` main state, ready for testing.

			``kitchen verify``
			`^^^^^^^^^^^^^^^^^^`

			Runs the ``inspec`` tests on the actual instance.

			``kitchen destroy``
			`^^^^^^^^^^^^^^^^^^^`

			`Removes the docker instance.`

			``kitchen test``
			`^^^^^^^^^^^^^^^^`

			Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.

			``kitchen login``
			`^^^^^^^^^^^^^^^^^`

			`Gives you SSH access to the instance for manual testing.`