diff --git a/bind/config.sls b/bind/config.sls
index e054bf2..bad7c27 100644
--- a/bind/config.sls
+++ b/bind/config.sls
@@ -22,7 +22,7 @@ bind_restart:
 file.managed:
 - user: {{ salt['pillar.get']('bind:config:user', map.user) }}
 - group: {{ salt['pillar.get']('bind:config:group', map.group) }}
- - mode: 644
+ - mode: {{ salt['pillar.get']('bind:config:log_mode', map.log_mode) }}
 - require:
 - file: {{ map.log_dir }}
@@ -67,7 +67,7 @@ bind_local_config:
 - watch_in:
 - service: bind
-{% if grains['os_family'] != 'Arch' %}
+{% if grains['os_family'] not in ['Arch', 'FreeBSD'] %}
 bind_default_config:
 file.managed:
 - name: {{ map.default_config }}
diff --git a/bind/files/freebsd/named.conf b/bind/files/freebsd/named.conf
new file mode 100644
index 0000000..79d63c6
--- /dev/null
+++ b/bind/files/freebsd/named.conf
@@ -0,0 +1,392 @@
+// $FreeBSD: head/dns/bind99/files/named.conf.in 382109 2015-03-24 15:22:51Z mat $
+//
+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/local/share/doc/bind for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works. Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
+
+options {
+ // All file and path names are relative to the chroot directory,
+ // if any, and should be fully qualified.
+ directory "/usr/local/etc/namedb/working";
+ pid-file "/var/run/named/pid";
+ dump-file "/var/dump/named_dump.db";
+ statistics-file "/var/stats/named.stats";
+
+ auth-nxdomain no; # conform to RFC1035
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver. To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+// listen-on-v6 { ::1; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+ disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+ disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+ disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
+// If you've got a DNS server around at your upstream provider, enter
+// its IP address here, and enable the line below. This will make you
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
+/*
+ forwarders {
+ 127.0.0.1;
+ };
+*/
+
+// If the 'forwarders' clause is not empty the default is to 'forward first'
+// which will fall back to sending a query from your local server if the name
+// servers in 'forwarders' do not have the answer. Alternatively you can
+// force your name server to never initiate queries of its own by enabling the
+// following line:
+// forward only;
+
+// If you wish to have forwarding configured automatically based on
+// the entries in /etc/resolv.conf, uncomment the following line and
+// set named_auto_forward=yes in /etc/rc.conf. You can also enable
+// named_auto_forward_only (the effect of which is described above).
+// include "/usr/local/etc/namedb/auto_forward.conf";
+
+ /*
+ Modern versions of BIND use a random UDP port for each outgoing
+ query by default in order to dramatically reduce the possibility
+ of cache poisoning. All users are strongly encouraged to utilize
+ this feature, and to configure their firewalls to accommodate it.
+
+ AS A LAST RESORT in order to get around a restrictive firewall
+ policy you can try enabling the option below. Use of this option
+ will significantly reduce your ability to withstand cache poisoning
+ attacks, and should be avoided if at all possible.
+
+ Replace NNNNN in the example with a number between 49160 and 65530.
+ */
+ // query-source address * port NNNNN;
+
+{%- if salt['pillar.get']('bind:config:ipv6', False) %}
+ listen-on-v6 { {{ salt['pillar.get']('bind:config:ipv6_listen', 'any') }}; };
+{%- endif -%}
+
+{#- Allow inclusion of arbitrary statements #}
+{%- for statement, value in salt['pillar.get']('bind:config:options', {}).items() -%}
+ {%- if value is iterable and value is not string %}
+ {{ statement }} {
+ {%- for item in value %}
+ {{ item }};
+ {%- endfor %}
+ };
+ {%- else %}
+ {{ statement }} {{ value }};
+ {%- endif %}
+{%- endfor %}
+};
+
+{%- if salt['pillar.get']('bind:config:default_zones', False) and not salt['pillar.get']('bind:configured_views', False) %}
+// If you enable a local name server, don't forget to enter 127.0.0.1
+// first in your /etc/resolv.conf so this server will be queried.
+// Also, make sure to enable it in /etc/rc.conf.
+
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
+
+/* Slaving the following zones from the root name servers has some
+ significant advantages:
+ 1. Faster local resolution for your users
+ 2. No spurious traffic will be sent from your network to the roots
+ 3. Greater resilience to any potential root server failure/DDoS
+
+ On the other hand, this method requires more monitoring than the
+ hints file to be sure that an unexpected failure mode has not
+ incapacitated your server. Name servers that are serving a lot
+ of clients will benefit more from this approach than individual
+ hosts. Use with caution.
+
+ To use this mechanism, uncomment the entries below, and comment
+ the hint zone above.
+
+ As documented at http://dns.icann.org/services/axfr/ these zones:
+ "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
+ are available for AXFR from these servers on IPv4 and IPv6:
+ xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
+*/
+/*
+zone "." {
+ type slave;
+ file "/usr/local/etc/namedb/slave/root.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ };
+ notify no;
+};
+zone "arpa" {
+ type slave;
+ file "/usr/local/etc/namedb/slave/arpa.slave";
+ masters {
+ 192.5.5.241; // F.ROOT-SERVERS.NET.
+ };
+ notify no;
+};
+*/
+
+/* Serving the following zones locally will prevent any queries
+ for these zones leaving your network and going to the root
+ name servers. This has two significant advantages:
+ 1. Faster local resolution for your users
+ 2. No spurious traffic will be sent from your network to the roots
+*/
+// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
+zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
+zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
+zone "255.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
+zone "0.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912, 5735 and 6303)
+zone "0.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+{%- if salt['pillar.get']('bind:config:empty_private_networks', True) %}
+// Private Use Networks (RFCs 1918, 5735 and 6303)
+zone "10.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "28.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "30.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "31.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+{% endif %}
+
+// Shared Address Space (RFC 6598)
+zone "64.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "65.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "66.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "67.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "68.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "69.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "70.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "71.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "72.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "73.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "74.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "75.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "76.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "77.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "78.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "79.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "80.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "81.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "82.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "83.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "84.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "85.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "86.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "87.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "88.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "89.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "90.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "91.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "92.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "93.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "94.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "95.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "96.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "97.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "98.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "99.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "100.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "101.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "102.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "103.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "104.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "105.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "106.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "107.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "108.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "109.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "110.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "111.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "112.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "113.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "114.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "115.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "116.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "117.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "118.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "119.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "120.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "121.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "122.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "123.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "124.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "125.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "126.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "127.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3927, 5735 and 6303)
+zone "254.169.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IETF protocol assignments (RFCs 5735 and 5736)
+zone "0.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303)
+zone "2.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "100.51.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "113.0.203.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
+zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Domain Names for Documentation and Testing (BCP 32)
+zone "test" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "example" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "invalid" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "example.com" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "example.net" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "example.org" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Router Benchmark Testing (RFCs 2544 and 5735)
+zone "18.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "19.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IANA Reserved - Old Class E Space (RFC 5735)
+zone "240.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "241.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "242.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "243.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "244.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "245.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "246.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "247.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "248.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "249.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "250.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "251.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "252.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "253.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "254.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "8.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "c.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "e.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "0.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "1.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "2.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "8.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "0.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "1.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "2.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 ULA (RFCs 4193 and 6303)
+zone "c.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Link Local (RFCs 4291 and 6303)
+zone "8.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
+zone "c.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "e.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "f.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// NB: Do not use the IP addresses below, they are faked, and only
+// serve demonstration/documentation purposes!
+//
+// Example slave zone config entries. It can be convenient to become
+// a slave at least for the zone your own domain is in. Ask
+// your network administrator for the IP address of the responsible
+// master name server.
+//
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
+//
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work. There are sometimes
+// non-obvious pitfalls. Setting up a slave zone is usually simpler.
+//
+// NB: Don't blindly enable the examples below. :-) Use actual names
+// and addresses instead.
+
+/* An example dynamic zone
+key "exampleorgkey" {
+ algorithm hmac-md5;
+ secret "sf87HJqjkqh8ac87a02lla==";
+};
+zone "example.org" {
+ type master;
+ allow-update {
+ key "exampleorgkey";
+ };
+ file "/usr/local/etc/namedb/dynamic/example.org";
+};
+*/
+
+/* Example of a slave reverse zone
+zone "1.168.192.in-addr.arpa" {
+ type slave;
+ file "/usr/local/etc/namedb/slave/1.168.192.in-addr.arpa";
+ masters {
+ 192.168.1.1;
+ };
+};
+*/
+{% endif %}
+
+include "{{ map.local_config }}";
+{%- if 'keys' in salt['pillar.get']('bind') %}
+{% for key,args in salt['pillar.get']('bind:keys', {}).items() -%}
+key "{{ key }}" {
+ algorithm {{ args['algorithm'] | default('HMAC-MD5.SIG-ALG.REG.INT') }};
+ secret "{{ args['secret'] }}";
+};
+{% endfor %}
+{% endif %}
+{%- for incl in salt['pillar.get']('bind:config:includes', []) %}
+include "{{ incl }}";
+{% endfor %}
+
diff --git a/bind/files/freebsd/named.conf.local b/bind/files/freebsd/named.conf.local
new file mode 100644
index 0000000..2e2f8ae
--- /dev/null
+++ b/bind/files/freebsd/named.conf.local
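Review bot: The TSIG key loop near the end of the new file falls back to `HMAC-MD5.SIG-ALG.REG.INT` whenever a `bind:keys` entry omits `algorithm`; HMAC-MD5 is the weakest algorithm BIND still accepts for TSIG, so silently defaulting to it steers every new deployment toward the wrong choice. Prefer `algorithm {{ args['algorithm'] | default('hmac-sha256') }};` and document that default in pillar.example next to `bind:keys`; if the other platform templates this file was derived from carry the same default (not visible here), change them in the same commit. The rendered file also embeds the key secrets in clear, which is acceptable only because the FreeBSD map entry keeps `mode` at `640`; a comment above the loop such as `{# TSIG secrets are written into named.conf: keep map.mode at 640 or tighter #}` makes that dependency explicit for whoever next relaxes the config mode.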
@@ -0,0 +1,105 @@
+# vim: sts=2 ts=2 sw=2 et ai
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+{%- macro zone(key, args, file, masters) %}
+zone "{{ key }}" {
+ type {{ args['type'] }};
+ {% if args['type'] == 'forward' -%}
+ {% if args['forward'] is defined -%}
+ forward {{ args['forward'] }};
+ {%- endif %}
+ forwarders {
+ {% for forwarder in args.forwarders -%}
+ {{ forwarder }};
+ {%- endfor %}
+ };
+ {% else -%}
+ {% if args['dnssec'] is defined and args['dnssec'] -%}
+ file "{{ map.named_directory }}/{{ file }}.signed";
+ {% else -%}
+ file "{{ map.named_directory }}/{{ file }}";
+ {%- endif %}
+ {%- if args['allow-update'] is defined %}
+ allow-update { {{args['allow-update']}}; };
+ {%- endif %}
+ {%- if args.update_policy is defined %}
+ update-policy {
+ {%- for policy in args.update_policy %}
+ {{ policy }};
+ {%- endfor %}
+ };
+ {%- endif %}
+ {%- if args['allow-transfer'] is defined %}
+ allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; };
+ {%- endif %}
+ {%- if args['also-notify'] is defined %}
+ also-notify { {{ args.get('also-notify', []) | join('; ') }}; };
+ {%- endif %}
+ {%- if args['type'] == "master" -%}
+ {% if args['notify'] %}
+ notify yes;
+ {% else %}
+ notify no;
+ {%- endif -%}
+ {% else %}
+ notify no;
+ masters { {{ masters }} };
+ {%- endif %}
+ {%- endif %}
+};
+{%- endmacro %}
+
+{%- if salt['pillar.get']('bind:configured_views', {}) is not defined %}
+include "{{ map.default_zones_config }}";
+{%- endif %}
+
+{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%}
+{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %}
+{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %}
+{{ zone(key, args, file, masters) }}
+{% endfor %}
+
+{% for view, view_data in salt['pillar.get']('bind:configured_views', {}).items() %}
+
+view {{ view }} {
+{%- if view == 'default' %}
+ include "{{ map.default_zones_config }}";
+{%- endif %}
+
+match-clients {
+{%- for acl in view_data.get('match_clients', {}) %}
+ {{ acl }};
+{%- endfor %}
+};
+
+{% for key, args in view_data.get('configured_zones', {}).items() -%}
+{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %}
+{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %}
+ {{ zone(key, args, file, masters) }}
+{%- endfor %}
+};
+{%- endfor %}
+
+{% if salt['pillar.get']("bind:use_querylog", False) %}
+logging {
+ channel "querylog" {
+ file "{{ map.log_dir }}/query.log";
+ print-time yes;
+ };
+ category queries { querylog; };
+};
+{% endif %}
+
+{%- for name, data in salt['pillar.get']('bind:configured_acls', {}).items() %}
+acl {{ name }} {
+ {%- for d in data %}
+ {{ d }};
+ {%- endfor %}
+};
+{%- endfor %}
diff --git a/bind/files/freebsd/tty1.eu-empty-private-networks.conf b/bind/files/freebsd/tty1.eu-empty-private-networks.conf
new file mode 100644
index 0000000..04bc154
--- /dev/null
+++ b/bind/files/freebsd/tty1.eu-empty-private-networks.conf
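Review bot: `{%- if salt['pillar.get']('bind:configured_views', {}) is not defined %}` can never be true, because `pillar.get` with a default always yields a value, so the `include "{{ map.default_zones_config }}"` under it is dead code; on FreeBSD it should stay dead, since the new named.conf already inlines the default zones under `default_zones and not configured_views`, so the cleaner fix is to delete those three lines from this template rather than "correct" the test and define every zone twice. The `view == 'default'` branch further down has the same reference on a live path: `map.default_zones_config` is not defined by the FreeBSD entry added to map.jinja in this diff, so a view named `default` will fail to render under strict-undefined Jinja (or emit an empty include path if undefined values are allowed). Either add `default_zones_config` to the FreeBSD map entry or guard the line with `{%- if view == 'default' and map.default_zones_config is defined %}`. Separately, the `querylog` channel has no `versions`/`size` clause, so an enabled query log grows without bound in `{{ map.log_dir }}`; `file "{{ map.log_dir }}/query.log" versions 5 size 50m;` keeps it bounded.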
@@ -0,0 +1,16 @@
+zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "28.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "30.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "31.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
diff --git a/bind/map.jinja b/bind/map.jinja
index af4ac55..e3e6b1b 100644
--- a/bind/map.jinja
+++ b/bind/map.jinja
@@ -12,6 +12,7 @@
 'default_zones_config': '/etc/bind/named.conf.default-zones',
 'named_directory': '/var/cache/bind/zones',
 'log_dir': '/var/log/bind9',
+ 'log_mode': '644',
 'user': 'root',
 'group': 'bind',
 'mode': '644'
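Review bot: The new file is named after one site (`tty1.eu-empty-private-networks.conf`) while everything else under `bind/files/freebsd/` is generic, and its sixteen `172.16/12` empty zones duplicate the `empty_private_networks` block that the new named.conf already renders. As far as this diff shows nothing references the file, so it looks like a leftover from a local deployment; either drop it, or give it a generic name and say in a leading comment which `bind:config:includes` entry is expected to pull it in, e.g. `// included via bind:config:includes; duplicates named.conf's 172.16/12 block when empty_private_networks is true`.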
@@ -26,6 +27,7 @@
 'default_config': '/etc/sysconfig/named',
 'named_directory': '/var/named/data',
 'log_dir': '/var/log/named',
+ 'log_mode': '640',
 'user': 'root',
 'group': 'named',
 'mode': '640'
@@ -39,10 +41,25 @@
 'local_config': '/etc/named.conf.local',
 'named_directory': '/var/named',
 'log_dir': '/var/log/named',
+ 'log_mode': '640',
 'user': 'root',
 'group': 'named',
 'mode': '640'
 },
+ 'FreeBSD': {
+ 'pkgs': ['bind99'],
+ 'service': 'named',
+ 'config_source_dir': 'bind/files/freebsd',
+ 'zones_source_dir': 'zones',
+ 'config': '/usr/local/etc/namedb/named.conf',
+ 'local_config': '/usr/local/etc/namedb/named.conf.local',
+ 'named_directory': '/usr/local/etc/namedb/working',
+ 'log_dir': '/var/log/named',
+ 'log_mode': '660',
+ 'user': 'root',
+ 'group': 'bind',
+ 'mode': '640'
+ },
 }, merge=salt['grains.filter_by']({
 'jessie': {
 'pkgs': ['bind9', 'bind9utils'],
diff --git a/pillar.example b/pillar.example
index e5f387c..f11b3dc 100644
--- a/pillar.example
+++ b/pillar.example
@@ -29,7 +29,7 @@ bind:
 # (ipv4: 4, ipv6: 6). Omitting this reverts to # binds default of both.
-# Debian based systems
+# Debian and FreeBSD based systems
 default_zones: True # If set to True, the default-zones configuration # will be enabled. Defaults to False.
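Review bot: In the new `FreeBSD` entry `log_mode` is `'660'`, the only group-writable value among the entries in this diff, while the log file stays owned by `user: 'root'` with `group: 'bind'`; nothing records why this platform needs the group to write the log when the other entries use `640`/`644`. If the reason is that named on FreeBSD runs unprivileged as group `bind` and appends to the log itself (inferred, not visible here), state it in place, e.g. `# 660: named runs as group bind and writes the log itself; 640 would make the root-owned file read-only for it`. Without that comment the next maintainer is likely to tighten it to `640` and silently lose logging, or leave a group-writable file where it is not needed. The entry also omits `default_zones_config`, which the FreeBSD named.conf.local template still references in its `default` view branch.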