mirror of
https://github.com/saltstack-formulas/bind-formula.git
synced 2025-04-07 04:51:40 +00:00
378 lines
16 KiB
YAML
378 lines
16 KiB
YAML
# -*- coding: utf-8 -*-
|
|
# vim: ft=yaml
|
|
---
|
|
# Note - Each section beginning with 'bind:' below represents a different way you may configure
|
|
# pillars for bind. When configuring your pillar(s), you may use any combination of subsections,
|
|
# but salt will not merge sections with the same heading.
|
|
|
|
|
|
### Overrides for the defaults specified by ###
|
|
### map.jinja ###
|
|
bind:
|
|
lookup:
|
|
pkgs:
|
|
- bind # Need to install
|
|
service: named # Service name
|
|
|
|
zones_source_dir: bind/zonedata # Take zonefiles from `salt://bind/zonedata`
|
|
# instead of `salt://zones`
|
|
|
|
|
|
### General config options ###
|
|
bind:
|
|
lookup:
|
|
key_directory: '/etc/bind/keys' # Key directory (needed to use auto-dnssec)
|
|
key_algorithm: RSASHA256 # Algorithm when using auto-dnssec
|
|
key_algorithm_field: '008' # See http://www.bind9.net/dns-sec-algorithm-numbers
|
|
key_size: 4096 # Key size
|
|
|
|
config:
|
|
tmpl: salt://bind/files/debian/named.conf # Template we'd like to use (not implemented?)
|
|
user: root # File & Directory user
|
|
group: named # File & Directory group
|
|
mode: 640 # File & Directory mode
|
|
enable_logging: true # Enable basic query logging
|
|
use_extensive_logging: # Enable extensive config for logging. Partial example. For proposed settings please refer to
|
|
channel: # https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html
|
|
default_log:
|
|
file: default
|
|
size: '200m' # size of a individual file (default 20m)
|
|
versions: '10' # how many files will be stored (default 3)
|
|
print-time: true
|
|
print-category: true
|
|
print-severity: true
|
|
severity: info
|
|
queries_log:
|
|
file: queries
|
|
print-time: true
|
|
print-category: true
|
|
print-severity: true
|
|
severity: info
|
|
query-errors_log:
|
|
file: query-errors
|
|
print-time: true
|
|
print-category: true
|
|
print-severity: true
|
|
severity: dynamic
|
|
default_syslog:
|
|
print-time: true
|
|
print-category: true
|
|
print-severity: true
|
|
syslog: daemon
|
|
severity: info
|
|
default_debug:
|
|
file: named.run
|
|
print-time: true
|
|
print-category: true
|
|
print-severity: true
|
|
severity: info
|
|
category:
|
|
default:
|
|
- default_syslog
|
|
- default_debug
|
|
- default_log
|
|
config:
|
|
- default_syslog
|
|
- default_debug
|
|
- default_log
|
|
network:
|
|
- default_syslog
|
|
- default_debug
|
|
- default_log
|
|
general:
|
|
- default_syslog
|
|
- default_debug
|
|
- default_log
|
|
queries:
|
|
- queries_log
|
|
query-errors:
|
|
- query-errors_log
|
|
|
|
options:
|
|
allow-recursion: '{ any; }' # Never include this on a public resolver
|
|
# RedHat defaults, needed to generate default config file
|
|
listen-on: 'port 53 { 127.0.0.1; }'
|
|
listen-on-v6: 'port 53 { ::1; }'
|
|
allow-query: '{ localhost; }'
|
|
recursion: 'yes'
|
|
dnssec-enable: 'yes'
|
|
dnssec-validation: 'yes'
|
|
# End RedHat defaults
|
|
protocol: 4 # Force bind to serve only one IP protocol
|
|
# (ipv4: 4, ipv6: 6). Omitting this reverts to
|
|
# binds default of both.
|
|
|
|
# Debian and FreeBSD based systems
|
|
default_zones: true # If set to true, the default-zones configuration
|
|
# will be enabled. Defaults to false.
|
|
|
|
includes: # Include any additional configuration file(s) in
|
|
- /some/additional/named.conf # named.conf
|
|
|
|
# Debian based systems optional configs
|
|
bind:
|
|
config:
|
|
options:
|
|
querylog: 'yes' # Enable query logs, by default is disabled in map.jinja (yes,no)
|
|
|
|
rndc_client: # Generate rndc.conf file it uses previously defined keys
|
|
options:
|
|
default:
|
|
server: localhost
|
|
port: 953
|
|
key: my_default_key
|
|
server:
|
|
'127.0.0.1':
|
|
key: dns_key
|
|
'localhost':
|
|
key: dns_key
|
|
'8.8.8.8':
|
|
key: my_default_key
|
|
|
|
controls: # If you define controls then you also should configure rndc_client
|
|
local:
|
|
enabled: true
|
|
bind:
|
|
address: 127.0.0.1
|
|
port: 953
|
|
allow:
|
|
- 127.0.0.1
|
|
keys:
|
|
- core_dhcp
|
|
myip4:
|
|
enabled: true
|
|
bind:
|
|
address: 10.161.161.168
|
|
port: 953
|
|
allow:
|
|
- 10.161.161.168
|
|
- my_net
|
|
keys:
|
|
- core_dhcp
|
|
|
|
statistics: # Enable statistics-channel
|
|
local:
|
|
enabled: true
|
|
bind:
|
|
address: 127.0.0.1
|
|
port: 8053
|
|
allow:
|
|
- 127.0.0.1
|
|
myip4:
|
|
enabled: true
|
|
bind:
|
|
address: 10.161.161.168
|
|
port: 8123
|
|
allow:
|
|
- 10.161.64.168
|
|
- my_net
|
|
|
|
configured_zones: # Debian based systems can have zones using only configured_zones
|
|
sub.domain.com: # This zone will be copied from zones_source_dir
|
|
file: sub.domain.com # You can optionally specify name of a file here.
|
|
type: master # Yo don't have define zone again in available_zones.
|
|
# This feature is backward compatibile and only available in debian
|
|
notify: false # if type master you need specify notify true/false
|
|
managed: true # Set this to false if you don't want Salt to manage this zone file
|
|
# If this parameter is set to true or is not set at all, the zone will be managed through salt
|
|
|
|
sub2.domain.com:
|
|
file: sub2.domain.com
|
|
type: master
|
|
notify: true
|
|
allow-query:
|
|
- any
|
|
allow-transfer:
|
|
- my_net
|
|
allow-update: 'none'
|
|
also-notify:
|
|
- 1.2.3.4
|
|
- 1.2.3.3
|
|
zone-statistics: true # Enable detailed statistics for zone. You need enable statistics first
|
|
|
|
test.zone.com:
|
|
file: test.zone.com
|
|
type: slave
|
|
notify: false
|
|
masters:
|
|
- my_dns_masters # You can specify masters by using name
|
|
|
|
test.zone2.com: # Zone definied in default style of this formula
|
|
type: slave # You need specify all info inside available_zones
|
|
notify: false
|
|
|
|
|
|
configured_masters: # Configure master dns
|
|
my_dns_masters:
|
|
- 10.10.20.20
|
|
- 10.10.30.30
|
|
|
|
|
|
available_zones: # Configuration required in default style
|
|
test.zone2.com:
|
|
file: test.zone2.com # You are required specify file name here
|
|
masters: # As also masters if you have slave type zone
|
|
- 10.167.73.21
|
|
- 10.174.60.44
|
|
|
|
# End Debian based systems features
|
|
|
|
# on SUSE include the forwarders.conf file generated by netconfig(8)
|
|
bind:
|
|
config:
|
|
include_forwarders: true
|
|
|
|
|
|
### Keys, Zones, ACLs and Views ###
|
|
bind:
|
|
keys:
|
|
"core_dhcp": # The name for our key
|
|
secret: "YourSecretKey" # The key its self
|
|
|
|
configured_zones:
|
|
sub.domain.com: # First domain zone
|
|
type: master # We're the master of this zone
|
|
notify: false # Don't notify any NS RRs of any changes to zone
|
|
also-notify: # Do notify these IP addresses (pointless as
|
|
- 1.1.1.1 # notify has been set to no)
|
|
- 2.2.2.2 # If using views, do not define configured_zones
|
|
# at this indentation level - define it using the sub-key
|
|
# of your view under configured_views.
|
|
|
|
sub.domain2.com: # Domain zone with DNSSEC
|
|
type: master # We're the master of this zone
|
|
notify: false # Don't notify any NS RRs of any changes to zone
|
|
dnssec: true # Create and manage signed zonefile with zonesigner
|
|
# You will have to install dnssec-tools by hand
|
|
# on many distributions
|
|
|
|
sub.domain3.com: # Domain zone with DNSSEC
|
|
type: master # We're the master of this zone
|
|
notify: false # Don't notify any NS RRs of any changes to zone
|
|
auto-dnssec: 'maintain' # Bind will create and manage the signed zonefile
|
|
# itself, we only have to provide the clear zone
|
|
|
|
1.168.192.in-addr.arpa: # Reverse lookup for local IPs
|
|
type: master # As above
|
|
notify: false # As above
|
|
allow-transfer: # As above
|
|
- 1.1.1.1
|
|
- 2.2.2.2
|
|
|
|
dynamic.domain.com: # Our ddns zone
|
|
type: master # As above
|
|
allow-update: "key core_dhcp" # Who we allow updates from (refers to above key)
|
|
notify: true # Notify NS RRs of changes
|
|
|
|
sub.anotherdomain.com: # Another domain zone
|
|
type: forward # This time it's a forwarding zone
|
|
forwarders: # Where we need to forward requests to
|
|
- 10.9.8.7
|
|
- 10.9.8.5
|
|
|
|
sub.forwardonlydomain.com: # Forwarding only domain
|
|
type: forward # As above
|
|
forward: only # We don't want the server to do any resulving
|
|
forwarders: # As above (but with different IPs)
|
|
- 10.9.8.8
|
|
- 10.9.8.9
|
|
|
|
configured_views:
|
|
myview1: # First (and only) view
|
|
match_clients: # The clients we wish to match
|
|
- client1
|
|
- client2
|
|
configured_zones: # Zones that our view is applicable to
|
|
my.zone: # We've defined a new zone in here
|
|
type: master
|
|
file: example.com.txt # Optional: specify the zone file to be used for this view,
|
|
# otherwise it will default to the file matching the name of the zone that you
|
|
# specify here (which must match a zone under 'available_zones'.
|
|
# The file name must match what you have entered for 'file' in the zone under
|
|
# 'available_zones'.
|
|
# This allows you to define multiple views that serve the same zone, but
|
|
# serve a different record set in each.
|
|
# If doing this, you need to configure the zones and their record sets
|
|
# underneath the 'available_zones' section.
|
|
notify: false
|
|
update_policy: # A given update policy
|
|
- "grant core_dhcp name dns_entry_allowed_to_update. ANY"
|
|
|
|
configured_acls: # And now for some ACLs
|
|
my_net: # Our ACL's name
|
|
- 127.0.0.0/8 # And the applicable IP addresses
|
|
- 10.20.0.0/16 # If using views, you need to create an ACL per view to differentiate
|
|
# who accesses the view, and then specify the appropriate ACL name under
|
|
# the 'match_clients' sub-key of your view.
|
|
|
|
### Define zone records in pillar ###
|
|
bind:
|
|
available_zones:
|
|
example.com:
|
|
file: example.com.txt
|
|
soa: # Declare the SOA RRs for the zone
|
|
ns: ns1.example.com # Required
|
|
contact: hostmaster.example.com # Required
|
|
serial: 2017041001 # Required
|
|
# serial: auto # Alternatively, autoupdate serial on each change
|
|
class: IN # Optional. Default: IN
|
|
refresh: 8600 # Optional. Default: 12h
|
|
retry: 900 # Optional. Default: 15m
|
|
expiry: 86000 # Optional. Default: 2w
|
|
nxdomain: 500 # Optional. Default: 1m
|
|
ttl: 8600 # Optional. Not set by default
|
|
records: # Records for the zone, grouped by type
|
|
A:
|
|
mx1: # A RR with multiple values can
|
|
- 1.2.3.228 # be written as an array
|
|
- 1.2.3.229
|
|
cat: 2.3.4.188
|
|
rat: 1.2.3.231
|
|
live: 1.2.3.236
|
|
NS:
|
|
'@':
|
|
- rat
|
|
- cat
|
|
CNAME:
|
|
ftp: cat.example.com.
|
|
www: cat.example.com.
|
|
mail: mx1.example.com.
|
|
smtp: mx1.example.com.
|
|
TXT: # Complex records can be expressed as strings
|
|
'@':
|
|
- '"some_value"'
|
|
- '"v=spf1 mx a ip4:1.2.3.4 ~all"'
|
|
_dmarc: '"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1:d:s; adkim=r; aspf=r; pct=100; ri=86400"'
|
|
|
|
|
|
3.2.1.in-addr.arpa: # auto-generated reverse zone
|
|
file: example.com.rev.txt
|
|
soa: # Declare the SOA RRs for the zone
|
|
ns: ns1.example.com # Required
|
|
contact: hostmaster.example.com # Required
|
|
serial: auto # autoupdate serial on each change
|
|
class: IN # Optional. Default: IN
|
|
refresh: 8600 # Optional. Default: 12h
|
|
retry: 900 # Optional. Default: 15m
|
|
expiry: 86000 # Optional. Default: 2w
|
|
nxdomain: 500 # Optional. Default: 1m
|
|
ttl: 8600 # Optional. Not set by default
|
|
records: # Records for the zone, grouped by type
|
|
NS:
|
|
'@':
|
|
ns1.example.com.
|
|
generate_reverse: # take all A records from example.com that are in 1.2.3.0/24 subnet
|
|
net: 1.2.3.0/24 # and generate reverse records for them
|
|
for_zones:
|
|
- example.com # example.com is a zone defined in pillar, see above
|
|
|
|
# for_zones:
|
|
# - any # generate reverse record for any zone
|
|
|
|
### Externally defined Zones ###
|
|
bind:
|
|
available_zones:
|
|
sub.domain.org:
|
|
file: db.sub.domain.org # DB file containing our zone
|
|
masters: # Masters of this zone
|
|
- 192.168.0.1
|