# -*- coding: utf-8 -*- # vim: ft=yaml --- # Note - Each section beginning with 'bind:' below represents a different way you may configure # pillars for bind. When configuring your pillar(s), you may use any combination of subsections, # but salt will not merge sections with the same heading. ### Overrides for the defaults specified by ### ### map.jinja ### bind: lookup: pkgs: - bind # Need to install service: named # Service name zones_source_dir: bind/zonedata # Take zonefiles from `salt://bind/zonedata` # instead of `salt://zones` ### General config options ### bind: lookup: key_directory: '/etc/bind/keys' # Key directory (needed to use auto-dnssec) key_algorithm: RSASHA256 # Algorithm when using auto-dnssec key_algorithm_field: '008' # See http://www.bind9.net/dns-sec-algorithm-numbers key_size: 4096 # Key size config: tmpl: salt://bind/files/debian/named.conf # Template we'd like to use (not implemented?) user: root # File & Directory user group: named # File & Directory group mode: 640 # File & Directory mode enable_logging: true # Enable basic query logging use_extensive_logging: # Enable extensive config for logging. Partial example. For proposed settings please refer to channel: # https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html default_log: file: default size: '200m' # size of a individual file (default 20m) versions: '10' # how many files will be stored (default 3) print-time: true print-category: true print-severity: true severity: info queries_log: file: queries print-time: true print-category: true print-severity: true severity: info query-errors_log: file: query-errors print-time: true print-category: true print-severity: true severity: dynamic default_syslog: print-time: true print-category: true print-severity: true syslog: daemon severity: info default_debug: file: named.run print-time: true print-category: true print-severity: true severity: info category: default: - default_syslog - default_debug - default_log config: - default_syslog - default_debug - default_log network: - default_syslog - default_debug - default_log general: - default_syslog - default_debug - default_log queries: - queries_log query-errors: - query-errors_log options: allow-recursion: '{ any; }' # Never include this on a public resolver # RedHat defaults, needed to generate default config file listen-on: 'port 53 { 127.0.0.1; }' listen-on-v6: 'port 53 { ::1; }' allow-query: '{ localhost; }' recursion: 'yes' dnssec-enable: 'yes' dnssec-validation: 'yes' # End RedHat defaults protocol: 4 # Force bind to serve only one IP protocol # (ipv4: 4, ipv6: 6). Omitting this reverts to # binds default of both. # Debian and FreeBSD based systems default_zones: true # If set to true, the default-zones configuration # will be enabled. Defaults to false. includes: # Include any additional configuration file(s) in - /some/additional/named.conf # named.conf # Debian based systems optional configs bind: config: options: querylog: 'yes' # Enable query logs, by default is disabled in map.jinja (yes,no) rndc_client: # Generate rndc.conf file it uses previously defined keys options: default: server: localhost port: 953 key: my_default_key server: '127.0.0.1': key: dns_key 'localhost': key: dns_key '8.8.8.8': key: my_default_key controls: # If you define controls then you also should configure rndc_client local: enabled: true bind: address: 127.0.0.1 port: 953 allow: - 127.0.0.1 keys: - core_dhcp myip4: enabled: true bind: address: 10.161.161.168 port: 953 allow: - 10.161.161.168 - my_net keys: - core_dhcp statistics: # Enable statistics-channel local: enabled: true bind: address: 127.0.0.1 port: 8053 allow: - 127.0.0.1 myip4: enabled: true bind: address: 10.161.161.168 port: 8123 allow: - 10.161.64.168 - my_net configured_zones: # Debian based systems can have zones using only configured_zones sub.domain.com: # This zone will be copied from zones_source_dir file: sub.domain.com # You can optionally specify name of a file here. type: master # Yo don't have define zone again in available_zones. # This feature is backward compatibile and only available in debian notify: false # if type master you need specify notify true/false managed: true # Set this to false if you don't want Salt to manage this zone file # If this parameter is set to true or is not set at all, the zone will be managed through salt sub2.domain.com: file: sub2.domain.com type: master notify: true allow-query: - any allow-transfer: - my_net allow-update: 'none' also-notify: - 1.2.3.4 - 1.2.3.3 zone-statistics: true # Enable detailed statistics for zone. You need enable statistics first test.zone.com: file: test.zone.com type: slave notify: false masters: - my_dns_masters # You can specify masters by using name test.zone2.com: # Zone definied in default style of this formula type: slave # You need specify all info inside available_zones notify: false configured_masters: # Configure master dns my_dns_masters: - 10.10.20.20 - 10.10.30.30 available_zones: # Configuration required in default style test.zone2.com: file: test.zone2.com # You are required specify file name here masters: # As also masters if you have slave type zone - 10.167.73.21 - 10.174.60.44 # End Debian based systems features # on SUSE include the forwarders.conf file generated by netconfig(8) bind: config: include_forwarders: true ### Keys, Zones, ACLs and Views ### bind: keys: "core_dhcp": # The name for our key secret: "YourSecretKey" # The key its self configured_zones: sub.domain.com: # First domain zone type: master # We're the master of this zone notify: false # Don't notify any NS RRs of any changes to zone also-notify: # Do notify these IP addresses (pointless as - 1.1.1.1 # notify has been set to no) - 2.2.2.2 # If using views, do not define configured_zones # at this indentation level - define it using the sub-key # of your view under configured_views. sub.domain2.com: # Domain zone with DNSSEC type: master # We're the master of this zone notify: false # Don't notify any NS RRs of any changes to zone dnssec: true # Create and manage signed zonefile with zonesigner # You will have to install dnssec-tools by hand # on many distributions sub.domain3.com: # Domain zone with DNSSEC type: master # We're the master of this zone notify: false # Don't notify any NS RRs of any changes to zone auto-dnssec: 'maintain' # Bind will create and manage the signed zonefile # itself, we only have to provide the clear zone 1.168.192.in-addr.arpa: # Reverse lookup for local IPs type: master # As above notify: false # As above allow-transfer: # As above - 1.1.1.1 - 2.2.2.2 dynamic.domain.com: # Our ddns zone type: master # As above allow-update: "key core_dhcp" # Who we allow updates from (refers to above key) notify: true # Notify NS RRs of changes sub.anotherdomain.com: # Another domain zone type: forward # This time it's a forwarding zone forwarders: # Where we need to forward requests to - 10.9.8.7 - 10.9.8.5 sub.forwardonlydomain.com: # Forwarding only domain type: forward # As above forward: only # We don't want the server to do any resulving forwarders: # As above (but with different IPs) - 10.9.8.8 - 10.9.8.9 configured_views: myview1: # First (and only) view match_clients: # The clients we wish to match - client1 - client2 configured_zones: # Zones that our view is applicable to my.zone: # We've defined a new zone in here type: master file: example.com.txt # Optional: specify the zone file to be used for this view, # otherwise it will default to the file matching the name of the zone that you # specify here (which must match a zone under 'available_zones'. # The file name must match what you have entered for 'file' in the zone under # 'available_zones'. # This allows you to define multiple views that serve the same zone, but # serve a different record set in each. # If doing this, you need to configure the zones and their record sets # underneath the 'available_zones' section. notify: false update_policy: # A given update policy - "grant core_dhcp name dns_entry_allowed_to_update. ANY" configured_acls: # And now for some ACLs my_net: # Our ACL's name - 127.0.0.0/8 # And the applicable IP addresses - 10.20.0.0/16 # If using views, you need to create an ACL per view to differentiate # who accesses the view, and then specify the appropriate ACL name under # the 'match_clients' sub-key of your view. ### Define zone records in pillar ### bind: available_zones: example.com: file: example.com.txt soa: # Declare the SOA RRs for the zone ns: ns1.example.com # Required contact: hostmaster.example.com # Required serial: 2017041001 # Required # serial: auto # Alternatively, autoupdate serial on each change class: IN # Optional. Default: IN refresh: 8600 # Optional. Default: 12h retry: 900 # Optional. Default: 15m expiry: 86000 # Optional. Default: 2w nxdomain: 500 # Optional. Default: 1m ttl: 8600 # Optional. Not set by default records: # Records for the zone, grouped by type A: mx1: # A RR with multiple values can - 1.2.3.228 # be written as an array - 1.2.3.229 cat: 2.3.4.188 rat: 1.2.3.231 live: 1.2.3.236 NS: '@': - rat - cat CNAME: ftp: cat.example.com. www: cat.example.com. mail: mx1.example.com. smtp: mx1.example.com. TXT: # Complex records can be expressed as strings '@': - '"some_value"' - '"v=spf1 mx a ip4:1.2.3.4 ~all"' _dmarc: '"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1:d:s; adkim=r; aspf=r; pct=100; ri=86400"' 3.2.1.in-addr.arpa: # auto-generated reverse zone file: example.com.rev.txt soa: # Declare the SOA RRs for the zone ns: ns1.example.com # Required contact: hostmaster.example.com # Required serial: auto # autoupdate serial on each change class: IN # Optional. Default: IN refresh: 8600 # Optional. Default: 12h retry: 900 # Optional. Default: 15m expiry: 86000 # Optional. Default: 2w nxdomain: 500 # Optional. Default: 1m ttl: 8600 # Optional. Not set by default records: # Records for the zone, grouped by type NS: '@': ns1.example.com. generate_reverse: # take all A records from example.com that are in 1.2.3.0/24 subnet net: 1.2.3.0/24 # and generate reverse records for them for_zones: - example.com # example.com is a zone defined in pillar, see above # for_zones: # - any # generate reverse record for any zone ### Externally defined Zones ### bind: available_zones: sub.domain.org: file: db.sub.domain.org # DB file containing our zone masters: # Masters of this zone - 192.168.0.1