bind-formula/pillar.example

# Note - Each section beginning with 'bind:' below represents a different way you may configure
# pillars for bind. When configuring your pillar(s), you may use any combination of subsections,
# but salt will not merge sections with the same heading: duplicate top-level keys in one YAML
# document are not merged by the parser, the last one silently wins. Merge them into a single
# 'bind:' tree (or spread them over several pillar files) in your real pillar.
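### Overrides for the defaults specified by ###
### map.jinja                                ###
bind:
  lookup:
    pkgs:
      - bind                          # Package(s) to install (overrides the per-OS default)
    service: named                    # Service name (overrides the per-OS default)
    zones_source_dir: bind/zonedata   # Take zone files from `salt://bind/zonedata`
                                      # instead of `salt://zones`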
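### General config options ###
# NOTE(review): nesting restored from an indentation-stripped copy; confirm the
# key depth (in particular `protocol`, `default_zones`, `includes`) against the
# formula's README before copying this into a real pillar.
bind:
  config:
    tmpl: salt://bind/files/debian/named.conf  # Template we'd like to use (not implemented?)
    user: root                                 # File & Directory owner
    group: named                               # File & Directory group
    mode: 640                                  # File & Directory mode. Keep named.conf unreadable
                                               # to "other": it can embed TSIG/rndc key secrets.
                                               # If you write the mode with a leading zero, quote
                                               # it ('0640') - an unquoted 0640 is read by YAML 1.1
                                               # parsers as octal, i.e. the integer 416.
    enable_logging: true                       # Enable basic query logging
    use_extensive_logging:                     # Enable extensive config for logging. Partial example.
                                               # For proposed settings please refer to
                                               # https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html
      channel:
        default_log:
          file: default
          size: '200m'                         # size of an individual file (default 20m)
          versions: '10'                       # how many files will be stored (default 3)
          print-time: 'yes'                    # Quoted like the options below: an unquoted yes/no
          print-category: 'yes'                # is a YAML 1.1 boolean, not the literal token
          print-severity: 'yes'                # BIND expects
          severity: info
        queries_log:
          file: queries
          print-time: 'yes'
          print-category: 'yes'
          print-severity: 'yes'
          severity: info
        query-errors_log:
          file: query-errors
          print-time: 'yes'
          print-category: 'yes'
          print-severity: 'yes'
          severity: dynamic
        default_syslog:
          print-time: 'yes'
          print-category: 'yes'
          print-severity: 'yes'
          syslog: daemon
          severity: info
        default_debug:
          file: named.run
          print-time: 'yes'
          print-category: 'yes'
          print-severity: 'yes'
          severity: info
      category:
        default:
          - default_syslog
          - default_debug
          - default_log
        config:
          - default_syslog
          - default_debug
          - default_log
        network:
          - default_syslog
          - default_debug
          - default_log
        general:
          - default_syslog
          - default_debug
          - default_log
        queries:
          - queries_log
        query-errors:
          - query-errors_log
    options:
      # Never include this on a public resolver: a server that recurses for
      # anyone is an open resolver and gets abused for DNS amplification and
      # cache-poisoning attempts. Use an ACL instead, e.g. '{ localnets; my_net; }'.
      allow-recursion: '{ any; }'
      # RedHat defaults, needed to generate default config file.
      # Widening listen-on beyond loopback must go together with tightening
      # allow-query / allow-recursion, otherwise the server is reachable
      # from every network the host is attached to.
      listen-on: 'port 53 { 127.0.0.1; }'
      listen-on-v6: 'port 53 { ::1; }'
      allow-query: '{ localhost; }'
      recursion: 'yes'
      dnssec-enable: 'yes'                     # NOTE(review): deprecated on newer BIND releases
                                               # (validation is always built in; the newest
                                               # versions reject the option) - check your version
      dnssec-validation: 'yes'
      # End RedHat defaults
    protocol: 4                                # Force bind to serve only one IP protocol
                                               # (ipv4: 4, ipv6: 6). Omitting this reverts to
                                               # bind's default of both.
    # Debian and FreeBSD based systems
    default_zones: True                        # If set to True, the default-zones configuration
                                               # will be enabled. Defaults to False.
    includes:                                  # Include any additional configuration file(s) in
      - /some/additional/named.conf            # named.conf (the included file is not managed by
                                               # this formula - apply the same ownership/mode)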
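# Debian based systems optional configs
# NOTE(review): nesting restored from an indentation-stripped copy; confirm
# whether rndc_client / controls / statistics live under `bind:config` or
# directly under `bind` in the formula's README.
bind:
  config:
    options:
      querylog: 'yes'                # Enable query logs, disabled by default in map.jinja (yes,no)
    rndc_client:                     # Generate rndc.conf; it uses the keys defined under bind:keys
      options:
        default:
          server: localhost
          port: 953
          key: my_default_key
      server:
        '127.0.0.1':
          key: dns_key
        'localhost':
          key: dns_key
        '8.8.8.8':                   # Example remote server only - replace with your own host.
          key: my_default_key        # rndc.conf contains the key secrets; keep it mode 0640.
    controls:                        # If you define controls you also need a matching rndc_client
      local:
        enabled: true
        bind:
          address: 127.0.0.1
          port: 953
        allow:
          - 127.0.0.1
        keys:
          - core_dhcp
      myip4:                         # Control channel on a routable address: `allow` is only a
        enabled: true                # source-IP filter, the `keys` list is what authenticates
        bind:                        # rndc commands (stop, reload, flush, ...). Never leave it
          address: 10.161.161.168    # empty on a non-loopback listener.
          port: 953
        allow:
          - 10.161.161.168
          - my_net
        keys:
          - core_dhcp
    statistics:                      # Enable statistics-channel. It is plain HTTP with no
      local:                         # authentication: restrict `allow` to monitoring hosts only.
        enabled: true
        bind:
          address: 127.0.0.1
          port: 8053
        allow:
          - 127.0.0.1
      myip4:
        enabled: true
        bind:
          address: 10.161.161.168
          port: 8123
        allow:
          - 10.161.64.168            # NOTE(review): differs from the address allowed for
          - my_net                   # controls.myip4 above - confirm it is intentional.
  configured_zones:                  # Debian based systems can define zones using only configured_zones
    sub.domain.com:                  # This zone will be copied from zones_source_dir
      file: sub.domain.com           # You can optionally specify the name of the file here.
      type: master                   # You don't have to define the zone again in available_zones.
                                     # This feature is backward compatible and only available on Debian.
      notify: False                  # if type is master you need to specify notify True/False
    sub2.domain.com:
      file: sub2.domain.com
      type: master
      notify: True
      allow-query:
        - any
      allow-transfer:                # Restrict AXFR/IXFR to your secondaries: a zone transfer
        - my_net                     # hands the complete zone to whoever is listed here.
      allow-update: 'none'
      also-notify:
        - 1.2.3.4
        - 1.2.3.3
      zone-statistics: 'yes'         # Enable detailed statistics for the zone. You need to enable
                                     # statistics first. Quoted: unquoted yes is a YAML boolean.
    test.zone.com:
      file: test.zone.com
      type: slave
      notify: False
      masters:
        - my_dns_masters             # You can specify masters by name (see configured_masters)
    test.zone2.com:                  # Zone defined in the default style of this formula
      type: slave                    # You need to specify all info inside available_zones
      notify: False
  configured_masters:                # Configure master dns
    my_dns_masters:
      - 10.10.20.20
      - 10.10.30.30
  available_zones:                   # Configuration required in default style
    test.zone2.com:
      file: test.zone2.com           # You are required to specify the file name here
      masters:                       # As well as masters if you have a slave type zone
        - 10.167.73.21
        - 10.174.60.44
# End Debian based systems features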
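# on SUSE include the forwarders.conf file generated by netconfig(8)
# (that file is written by the OS, not by this formula, so its forwarders
# are whatever DHCP/netconfig last handed out - review them before enabling)
bind:
  config:
    include_forwarders: True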
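### Keys, Zones, ACLs and Views ###
bind:
  keys:
    "core_dhcp":                      # The name for our key
      secret: "YourSecretKey"         # Placeholder only. A real TSIG secret is the base64 output
                                      # of `tsig-keygen core_dhcp` (or rndc-confgen). Do not commit
                                      # real secrets to pillar in clear text - use the GPG renderer
                                      # or an external pillar. (No algorithm is given here; check
                                      # which one the formula defaults to.)
  configured_zones:
    sub.domain.com:                   # First domain zone
      type: master                    # We're the master of this zone
      notify: False                   # Don't notify any NS RRs of any changes to zone
      also-notify:                    # Do notify these IP addresses (pointless as
        - 1.1.1.1                     # notify has been set to no)
        - 2.2.2.2
      # No allow-transfer here: the historical BIND default is allow-transfer
      # { any; } (only the newest releases changed it), so anyone can AXFR this
      # zone. Set it explicitly on every master zone, as the reverse zone does.
    1.168.192.in-addr.arpa:           # Reverse lookup for local IPs
      type: master                    # As above
      notify: False                   # As above
      allow-transfer:                 # Only these hosts may transfer (AXFR/IXFR) the zone;
        - 1.1.1.1                     # everyone else is refused
        - 2.2.2.2
    dynamic.domain.com:               # Our ddns zone
      type: master                    # As above
      allow-update: "key core_dhcp"   # Who we allow updates from (refers to the key above). This
                                      # grants the key write access to EVERY name in the zone;
                                      # prefer update_policy (see myview1 below) to scope it down.
      notify: True                    # Notify NS RRs of changes
    sub.anotherdomain.com:            # Another domain zone
      type: forward                   # This time it's a forwarding zone
      forwarders:                     # Where we need to forward requests to
        - 10.9.8.7
        - 10.9.8.5
    sub.forwardonlydomain.com:        # Forwarding only domain
      type: forward                   # As above
      forward: only                   # We don't want the server to do any resolving itself
      forwarders:                     # As above (but with different IPs)
        - 10.9.8.8
        - 10.9.8.9
  configured_views:
    myview1:                          # First (and only) view
      match_clients:                  # The clients (ACL names or address lists) we wish to match
        - client1
        - client2
      configured_zones:               # Zones that our view is applicable to
        my.zone:                      # We've defined a new zone in here
          type: master
          notify: False
          update_policy:              # Least-privilege alternative to allow-update: the key may
                                      # only touch the single name granted below
            - "grant core_dhcp name dns_entry_allowed_to_update. ANY"
  configured_acls:                    # And now for some ACLs
    my_net:                           # Our ACL's name
      - 127.0.0.0/8                   # And the applicable IP addresses
      - 10.20.0.0/16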
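### Define zone records in pillar ###
bind:
  available_zones:
    example.com:
      file: example.com.txt
      soa:                                # Declare the SOA RR for the zone
        ns: ns1.example.com               # Required
        contact: hostmaster.example.com   # Required
        serial: 2017041001                # Required. Must increase on every change, or
                                          # secondaries keep serving the old zone
        # serial: auto                    # Alternatively, auto-update the serial on each change
        class: IN                         # Optional. Default: IN
        refresh: 8600                     # Optional. Default: 12h
        retry: 900                        # Optional. Default: 15m
        expiry: 86000                     # Optional. Default: 2w
        nxdomain: 500                     # Optional. Default: 1m (negative-answer cache TTL)
        ttl: 8600                         # Optional. Not set by default
      records:                            # Records for the zone, grouped by type
        A:
          mx1:                            # A RR with multiple values can
            - 1.2.3.228                   # be written as an array
            - 1.2.3.229
          cat: 2.3.4.188
          rat: 1.2.3.231
          live: 1.2.3.236
        NS:
          '@':
            - rat
            - cat
        CNAME:
          ftp: cat.example.com.           # Targets are absolute (trailing dot); without it
          www: cat.example.com.           # the zone origin would be appended
          mail: mx1.example.com.
          smtp: mx1.example.com.
        TXT:                              # Complex records can be expressed as strings; the inner
          '@':                            # double quotes are part of the value (presumably copied
            - '"some_value"'              # to the zone file verbatim - check the rendered file)
            - '"v=spf1 mx a ip4:1.2.3.4 ~all"'   # ~all = softfail; switch to -all once every
                                                 # legitimate sender is listed
          _dmarc: '"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1:d:s; adkim=r; aspf=r; pct=100; ri=86400"'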
### Externally defined Zones ###
bind:
available_zones:
sub.domain.org:
file: db.sub.domain.org # DB file containing our zone
masters: # Masters of this zone
- 192.168.0.1