From b331e235101c34c1f145854e07cd4a5ffa36429e Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Wed, 9 Mar 2016 19:01:05 +0100
Subject: [PATCH] Completing Bind options
---
 bind/conf.sls | 21 +++++++++
 bind/dirs.sls | 5 +-
 bind/files/named.conf.options | 87 +++++++++++++++++++++++++++++++++++
 bind/rndc.sls | 14 +++---
 4 files changed, 120 insertions(+), 7 deletions(-)
 create mode 100644 bind/files/named.conf.options
diff --git a/bind/conf.sls b/bind/conf.sls
index 7424403..00dd568 100644
--- a/bind/conf.sls
+++ b/bind/conf.sls
@@ -25,6 +25,27 @@ bind-conf_log:
 - file: bind-etc-dir
 - file: /var/log/bind
+bind-keys-file:
+ file.exists:
+ - name: {{ etc_dir }}/bind.keys
+ - require:
+ - file: bind-etc-dir
+
+bind-conf_options:
+ file.managed:
+ - name: {{ etc_dir }}/named.conf.options
+ - source: salt://bind/files/named.conf.options
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+ - backup: minion
+ - require:
+ - file: bind-etc-dir
+ - file: bind-home-dir
+ - file: bind-keys-file
+ - file: bind-rndc-key
+
 bind-conf_local:
 file.managed:
 - name: {{ etc_dir }}/named.conf.local
diff --git a/bind/dirs.sls b/bind/dirs.sls
index 6448caa..339fbb8 100644
--- a/bind/dirs.sls
+++ b/bind/dirs.sls
@@ -59,10 +59,13 @@ bind-home-dir:
 - user: bind-user
 - file: /var/log/bind
-/etc/bind/dnssec:
+bind-dnssec-dir:
 file.directory:
+ - name: {{ etc_dir }}/dnssec
 - user: root
 - group: root
 - dir_mode: 700
 - makedirs: True
+ - require:
+ - file: bind-etc-dir
diff --git a/bind/files/named.conf.options b/bind/files/named.conf.options
new file mode 100644
index 0000000..8fae130
--- /dev/null
+++ b/bind/files/named.conf.options
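Review bot: `bind-keys-file` is only a `file.exists` assertion, yet `bind-conf_options` hard-requires it and the template it deploys `include`s bind.keys unconditionally, so on a host where that file is not yet present the highstate stops here and nothing in this hunk creates it. If the file is expected to come from the distribution package, the state should require that package state and say so, e.g. `# bind.keys is expected from the bind9 package; only assert it is present` above `file.exists:`; otherwise manage it from the formula like the other config files. The package state is not visible from this hunk, so the ordering guarantee may already exist elsewhere.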
@@ -0,0 +1,87 @@
+{%- set home_dir = salt['pillar.get']('bind:home-dir', '/var/cache/bind') -%}
+{%- set etc_dir = salt['pillar.get']('bind:etc-dir', '/etc/bind') -%}
+//###############################################################
+//# Bind9-Konfigurationsdatei for general options
+//# /etc/bind/named.conf.options
+//#
+//# Host {{ grains['fqdn'] }}
+//#
+//###############################################################
+
+
+//###############################################################
+//# Allgemeine Optionen
+
+options {
+
+ directory "{{ home_dir }}";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
+ //bindkeys-file "/etc/bind/bind.keys";
+
+ listen-on-v6 { any; };
+ listen-on { any; };
+
+ allow-notify {
+ allow-notify;
+ };
+
+ allow-recursion {
+ allow-recursion;
+ };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ //dnssec-enable yes;
+ dnssec-validation auto;
+
+ /*
+ * As of bind 9.8.0:
+ * "If the root key provided has expired,
+ * named will log the expiration and validation will not work."
+ */
+ //dnssec-validation auto;
+
+ /* if you have problems and are behind a firewall: */
+ //query-source address * port 53;
+
+ // pid-file "/var/run/named/named.pid";
+
+ version "none";
+
+};
+
+// Managed Keys
+include "{{ etc_dir }}/bind.keys";
+
+//###############################################################
+//# Kontrollkanäle für RNDC
+
+include "{{ etc_dir }}/rndc.key";
+
+controls {
+ inet 127.0.0.1 port 953 allow {
+ 127.0.0.1;
+ ::1/128;
+ } keys {
+ "rndc-key";
+ };
+};
+
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/rndc.sls b/bind/rndc.sls
index d8152b7..082c733 100644
--- a/bind/rndc.sls
+++ b/bind/rndc.sls
@@ -1,7 +1,9 @@
 {%- set dnssec = salt['pillar.get']('bind:dnssec', {}) -%}
+{%- set etc_dir = salt['pillar.get']('bind:etc-dir', '/etc/bind') -%}
-/etc/bind/rndc.key:
+bind-rndc-key:
 file.managed:
+ - name: {{ etc_dir }}/rndc.key
 - source: salt://bind/files/rndc.key
 - user: bind
 - group: bind
@@ -9,13 +11,13 @@
 - template: jinja
 - backup: minion
 - require:
- - file: /etc/bind
+ - file: bind-etc-dir
 - group: bind-group
 - user: bind-user
 rndc-keyfile-public:
 file.managed:
- - name: /etc/bind/dnssec/K{{ dnssec.rndc.name }}.+{{ dnssec.rndc.algo_nr }}+{{ dnssec.rndc.footprint }}.key
+ - name: {{ etc_dir }}/dnssec/K{{ dnssec.rndc.name }}.+{{ dnssec.rndc.algo_nr }}+{{ dnssec.rndc.footprint }}.key
 - source: salt://bind/files/rndc.public
 - user: root
 - group: root
@@ -23,11 +25,11 @@ rndc-keyfile-public:
 - template: jinja
 - backup: minion
 - require:
- - file: /etc/bind/dnssec
+ - file: bind-dnssec-dir
 rndc-keyfile-private:
 file.managed:
- - name: /etc/bind/dnssec/K{{ dnssec.rndc.name }}.+{{ dnssec.rndc.algo_nr }}+{{ dnssec.rndc.footprint }}.private
+ - name: {{ etc_dir }}/dnssec/K{{ dnssec.rndc.name }}.+{{ dnssec.rndc.algo_nr }}+{{ dnssec.rndc.footprint }}.private
 - source: salt://bind/files/rndc.private
 - user: root
 - group: root
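Review bot: `allow-recursion { allow-recursion; };` and `allow-notify { allow-notify; };` each refer to an ACL of the same name that this file never defines, so unless an `acl allow-recursion { ... };` is declared before this file is included, named-checkconf rejects the configuration; and with `listen-on { any; };` it is that ACL alone that decides whether this host becomes an open resolver. A safe baseline for the template is `allow-recursion { localhost; localnets; };`, with any site-specific ACL layered on from pillar. In the `controls` block, `::1/128` in the allow list can never match a listener bound only to `127.0.0.1`; either add a second `inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };` statement or drop the entry. The header comments mix German (`Bind9-Konfigurationsdatei`, `Kontrollkanäle für RNDC`) and English; pick one language for the managed file.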
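Review bot: The `etc_dir` default `'/etc/bind'` added at the top of rndc.sls is now a second copy of the literal that bind/files/named.conf.options sets for itself, so the two can drift apart silently; importing it from one shared map file (a `bind/map.jinja`, constructed name) in both places keeps a single source of truth. Independently, `bind-rndc-key` manages the file that carries the rndc HMAC secret, and its `mode` line sits between this hunk and the next (old line 8), so I cannot confirm it is 0640 or stricter — worth checking. The `backup: minion` option visible as context in the following hunk also keeps superseded copies of that secret in the minion's file_backup cache; consider dropping it for key-bearing files.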
@@ -35,5 +37,5 @@ rndc-keyfile-private:
 - template: jinja
 - backup: minion
 - require:
- - file: /etc/bind/dnssec
+ - file: bind-dnssec-dir
-- 
2.39.5