dns: refs #8552 - Main approche - final touch

roles/ns/defaults/main.yml

@@ -7,6 +7,7 @@ bind_packages:
   - dnsutils
   - python3-pycurl
 bind_config_templates:
+  - { src: 'named.conf.j2', dest: '/etc/bind/named.conf', mode: 'u=rw,g=r,o=r' }
   - { src: 'named.conf.master.j2', dest: '/etc/bind/named.conf.master', mode: 'u=rw,g=r,o=r' }
   - { src: 'named.conf.local.j2',  dest: '/etc/bind/named.conf.local',  mode: 'u=rw,g=r,o=r' }
   - { src: 'named.conf.slave.j2', dest: '/etc/bind/named.conf.slave', mode: 'u=rw,g=r,o=r' }
@@ -17,8 +18,8 @@ bind_config_templates:
   - { src: 'dhcp.key', dest: '/etc/bind/keys/dhcp.key', mode: 'u=rw,g=r,o=' }
 directory:
   - { path: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
-  - { path: '/etc/bind/keys', owner: 'root', group: 'bind', mode: 'u=rwx,g=rs,o=rx' }
-  - { path: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rwx,g=rs,o=rx' }
+  - { path: '/etc/bind/keys', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
+  - { path: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
 required_files:
   - { src: 'delete.ns', dest: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rw,g=rw,o=r' }
   - { src: 'isp1.ns', dest: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rw,g=rw,o=r' }

roles/ns/templates/named.conf.j2

@@ -0,0 +1,16 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+#include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+{% if bind_is_master %}
+include "/etc/bind/named.conf.master";
+{% else %}
+include "/etc/bind/named.conf.slave";
+{% endif %}
+#include "/etc/bind/named.conf.default-zones";

roles/ns/templates/named.conf.local.j2

@@ -1,20 +1,30 @@
-{% for path in bind_key_includes %}
-include "{{ path }}";
-{% endfor %}
+include "/etc/bind/rndc.key";
+include "/etc/bind/keys/wan.key";
+include "/etc/bind/keys/lan.key";
+include "/etc/bind/keys/certbot.key";
+include "/etc/bind/keys/dhcp.key";
 
-{% for server in bind_bogus_servers %}
-server {{ server }} { bogus yes; };
-{% endfor %}
+server fe80::/16 { bogus yes; };
 
-{% for acl_name, networks in bind_acls.items() %}
-acl {{ acl_name }} {
-  {% for net in networks %}
-  {{ net }};
-  {% endfor %}
-};
-{% endfor %}
+acl lan {
+    10.0.0.0/8;
+    172.16.0.0/12;
+    192.168.0.0/16;
+  };
+  
+acl rfc5735 {
+    0.0.0.0/8;
+    169.254.0.0/16;
+    192.0.0.0/24;
+    192.0.2.0/24;
+    192.88.99.0/24;
+    198.18.0.0/15;
+    198.51.100.0/24;
+    203.0.113.0/24;
+    224.0.0.0/4;
+    240.0.0.0/4;
+  };
 
 controls {
-	inet {{ bind_controls["inet"] }} allow { {{ bind_controls["allow"] | join('; ') }}; } keys { {{ bind_controls["keys"] | map('regex_replace', '^(.*)$', '"\\1"') | join('; ') }}; };
+	inet * allow { localhost; lan; } keys { "rndc-key"; };
 };
-

roles/ns/templates/named.conf.master.j2

@@ -1,9 +1,9 @@
 options {
-    directory "{{ bind_cache_dir }}";
-    max-cache-size {{ bind_max_cache_size }};
+    directory "/var/cache/bind";
+    max-cache-size 500m;
     auth-nxdomain no;
     listen-on-v6 { none; };
-    version "{{ bind_version }}";
+    version "DNS";
     allow-update { none; };
     blackhole { rfc5735; };
 
@@ -15,16 +15,22 @@ options {
 };
 
 view "lan" {
-    match-clients {
-    {% for item in bind_match_clients_lan %}
+        match-clients {
+        {% for item in key_match_clients_lan_master if item.startswith("!key") %}
+          {{ item }};
+          {% endfor %}
+{% for item in acl_match_clients %}
         {{ item }};
-    {% endfor %}
-    };
+          {% endfor %}
+{% for item in key_match_clients_lan_master if not item.startswith("!key") %}
+        {{ item }};
+          {% endfor %}
+};
 
     recursion yes;
     allow-recursion { any; };
     empty-zones-enable yes;
-    notify {{ bind_notify_lan | default('yes') }};
+    notify yes;
 
     include "/etc/bind/named.conf.default-zones";
 
@@ -45,7 +51,7 @@ view "wan" {
     allow-query-cache { none; };
     empty-zones-enable no;
 
-    notify {{ bind_notify_wan }};
+    notify explicit;
 
     also-notify {
     {% for entry in bind_also_notify %}

roles/ns/templates/named.conf.slave.j2

@@ -1,16 +1,15 @@
 options {
-    directory "{{ bind_cache_dir }}";
-
-    max-cache-size {{ bind_max_cache_size }};
+    directory "/var/cache/bind";
+    max-cache-size 500m;
     auth-nxdomain no;
     listen-on-v6 { none; };
-    version "{{ bind_version }}";
+    version "DNS";
     allow-update { none; };
     blackhole { rfc5735; };
 
-    notify {{ bind_slave_notify }};
+    notify no;
     allow-transfer { none; };
-    masterfile-format {{ bind_masterfile_format }};
+    masterfile-format text;
 };
 
 masters master-ips {
@@ -20,11 +19,17 @@ masters master-ips {
 };
 
 view "lan" {
-    match-clients {
-    {% for item in bind_match_clients_lan %}
+        match-clients {
+        {% for item in key_match_clients_lan_master if item.startswith("!key") %}
+          {{ item }};
+          {% endfor %}
+{% for item in acl_match_clients %}
         {{ item }};
-    {% endfor %}
-    };
+          {% endfor %}
+{% for item in key_match_clients_lan_slave if not item.startswith("!key") %}
+        {{ item }};
+          {% endfor %}
+};
 
     recursion yes;
     allow-recursion { any; };