From 48ba120d455537ade79acdd0474f10c6a49f4fbc Mon Sep 17 00:00:00 2001 From: Uwe Kretschmer Date: Thu, 3 Mar 2016 09:51:39 +0100 Subject: [PATCH 1/2] Fixed condition to include key_config. Added possibility to include default-zones on Debian systems. --- bind/files/debian/named.conf | 10 +++++++--- pillar.example | 12 ++++++++---- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/bind/files/debian/named.conf b/bind/files/debian/named.conf index aa8432a..275a204 100644 --- a/bind/files/debian/named.conf +++ b/bind/files/debian/named.conf @@ -1,13 +1,17 @@ // This is the primary configuration file for the BIND DNS server named. // -// Please read /usr/share/doc/bind9/README.Debian.gz for information on the -// structure of BIND configuration files in Debian, *BEFORE* you customize +// Please read /usr/share/doc/bind9/README.Debian.gz for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "{{ map.options_config }}"; include "{{ map.local_config }}"; -{%- if salt['pillar.get']('bind:keys', {}) is defined %} +{%- if 'keys' in salt['pillar.get']('bind') %} include "{{ map.key_config }}"; {% endif %} +{%- if salt['pillar.get']('bind:config:default_zones', False) %} +include "{{ map.default_zones_config }}"; +{% endif %} + diff --git a/pillar.example b/pillar.example index 948bece..bab6530 100644 --- a/pillar.example +++ b/pillar.example 
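Review bot: The new guard `{%- if 'keys' in salt['pillar.get']('bind') %}` only survives a missing `bind` pillar because pillar.get falls back to the empty string; a `bind:` key that is present but empty would likely come back as None, and `'keys' in None` raises a TypeError at render time instead of skipping the include. Since the intent is to include the key file only when keys are configured, `{%- if salt['pillar.get']('bind:keys') %}` says that directly, is falsy for both the absent and the empty case, and still avoids the always-true `is defined` test this commit removes. The added `include "{{ map.default_zones_config }}";` also relies on `default_zones_config` being defined for Debian in the formula's map, which is not part of this patch; if it is missing the include renders with an empty path or fails outright, depending on how the renderer treats undefined values, so that key is worth confirming before merging.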
@@ -13,8 +13,12 @@ bind: options: allow-recursion: '{ any; };' # Never include this on a public resolver - # force bind to serve only one IP protocol (ipv4: 4, ipv6: 6). omitting this reverts to binds default of both. - protocol: 4 + # force bind to serve only one IP protocol (ipv4: 4, ipv6: 6). omitting this reverts to binds default of both. + protocol: 4 + + # For Debian based systems: + # If set to True, the default-zones configuration will be enabled. Defaults to False. + default_zones: True bind: keys: @@ -29,7 +33,7 @@ bind: notify: False allow-transfer: - 1.1.1.1 - - 2.2.2.2 + - 2.2.2.2 dynamic.domain.com: type: master allow-update: "key core_dhcp" @@ -38,7 +42,7 @@ bind: type: forward forwarders: - 10.9.8.7 - - 10.9.8.5 + - 10.9.8.5 configured_views: myview1: match_clients: From bf6a0625e706010bc86c4086d0bd6e1dd7f7c8b8 Mon Sep 17 00:00:00 2001 From: Uwe Kretschmer Date: Thu, 3 Mar 2016 10:01:56 +0100 Subject: [PATCH 2/2] Changed hard coded file path to dynamic value. Added possibility to set ACLs via pillar. --- bind/files/debian/named.conf.local | 12 ++++++++++-- pillar.example | 4 ++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/bind/files/debian/named.conf.local b/bind/files/debian/named.conf.local index 0077de8..5f2c20f 100644 --- a/bind/files/debian/named.conf.local +++ b/bind/files/debian/named.conf.local @@ -18,9 +18,9 @@ zone "{{ key }}" { }; {% else -%} {% if args['dnssec'] is defined and args['dnssec'] -%} - file "zones/{{ file }}.signed"; + file "{{ map.named_directory }}/{{ file }}.signed"; {% else -%} - file "zones/{{ file }}"; + file "{{ map.named_directory }}/{{ file }}"; {%- endif %} {% if args['allow-update'] is defined -%} @@ -90,3 +90,11 @@ logging { }; category queries { querylog; }; }; + +{%- for name, data in salt['pillar.get']('bind:configured_acls', {}).items() %} +acl {{ name }} { + {%- for d in data %} + {{ d }}; + {%- endfor %} +}; +{%- endfor %} 
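Review bot: The new `default_zones: True` entry is consumed by the Debian named.conf template as `bind:config:default_zones`, so in the example it must sit directly under `config:`; with the indentation lost in this rendering I cannot tell whether it was placed beside `protocol: 4` one level deeper (for instance under `options:`), where the template would never read it, so the nesting deserves a quick check. The accompanying comment could also say what the flag switches on, e.g. `# Debian only: when True, named.conf includes the distribution's default-zones file (map.default_zones_config).`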
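Review bot: Replacing the relative `zones/` prefix with `{{ map.named_directory }}/{{ file }}` changes where named looks for every zone file, from `<directory>/zones/` to the map's named_directory, so the state that writes the zone files has to be updated in step; that state is not in this diff, and an existing deployment whose files were placed under `zones/` would stop loading after the change (inferred from the path change alone). The pillar-supplied `file` value is interpolated verbatim between the quotes, so a comment such as `{# file comes from pillar unmodified: keep it a bare filename, not a path #}` would state the expectation the template now relies on. The enclosing `zone "{{ key }}" {` block begins before the hunk.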
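Review bot: The `acl {{ name }} { … };` blocks are emitted after the zone and logging statements, but named only resolves an acl name that has already been defined earlier in the configuration (no forward references), so a zone in this same file cannot use `my_net` in `allow-transfer` or `allow-update`; moving the loop to the top of named.conf.local, before the first zone, makes the new ACLs usable where they matter. Each `{{ d }}` is rendered unescaped, so the loop accepts any address-match-list element, not just the CIDR prefixes shown in pillar.example, and the inner `{%- for d in data %}` assumes `data` is a list — a scalar string would be iterated character by character and yield an unparsable acl. A comment above the loop, `{# data must be a YAML list of address-match-list elements; each is written as-is #}`, makes that contract explicit.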
diff --git a/pillar.example b/pillar.example index bab6530..91cde93 100644 --- a/pillar.example +++ b/pillar.example @@ -54,6 +54,10 @@ bind: notify: False update_policy: - "grant core_dhcp name dns_entry_allowed_to_update. ANY" + configured_acls: + my_net: + - 127.0.0.0/8 + - 10.20.0.0/16 bind: available_zones:
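Review bot: The new `configured_acls` example shows only CIDR prefixes, while the template in this series copies each entry verbatim into the acl body, so a reader cannot tell that other address-match-list elements (a negated entry, a key name, another acl name) are equally accepted and equally unchecked. A comment above the key, such as `# each entry is written as-is into "acl <name> { ...; };" in named.conf.local`, would make that visible to whoever fills in the pillar.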