diff --git a/roles/ns/defaults/main.yml b/roles/ns/defaults/main.yml
index f0be459..528f6c4 100644
--- a/roles/ns/defaults/main.yml
+++ b/roles/ns/defaults/main.yml
@@ -7,6 +7,7 @@ bind_packages:
 - dnsutils
 - python3-pycurl
 bind_config_templates:
+ - { src: 'named.conf.j2', dest: '/etc/bind/named.conf', mode: 'u=rw,g=r,o=r' }
 - { src: 'named.conf.master.j2', dest: '/etc/bind/named.conf.master', mode: 'u=rw,g=r,o=r' }
 - { src: 'named.conf.local.j2', dest: '/etc/bind/named.conf.local', mode: 'u=rw,g=r,o=r' }
 - { src: 'named.conf.slave.j2', dest: '/etc/bind/named.conf.slave', mode: 'u=rw,g=r,o=r' }
@@ -17,8 +18,8 @@ bind_config_templates:
 - { src: 'dhcp.key', dest: '/etc/bind/keys/dhcp.key', mode: 'u=rw,g=r,o=' }
 directory:
 - { path: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
- - { path: '/etc/bind/keys', owner: 'root', group: 'bind', mode: 'u=rwx,g=rs,o=rx' }
- - { path: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rwx,g=rs,o=rx' }
+ - { path: '/etc/bind/keys', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
+ - { path: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
 required_files:
 - { src: 'delete.ns', dest: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rw,g=rw,o=r' }
 - { src: 'isp1.ns', dest: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rw,g=rw,o=r' }
diff --git a/roles/ns/templates/named.conf.j2 b/roles/ns/templates/named.conf.j2
new file mode 100644
index 0000000..32e13f7
--- /dev/null
+++ b/roles/ns/templates/named.conf.j2
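Review bot: The rewritten `/etc/bind/keys` entry still grants `o=rx`, so every local account can traverse and list the directory that holds the TSIG key files; the change only adds group execute for the `bind` group, which is all named itself needs to read them. The key files in this role are created without other-permissions (`dhcp.key` is `u=rw,g=r,o=`), so `mode: 'u=rwx,g=rxs,o='` on the directory would be the matching default, keeping `g=rxs` with `group: 'bind'` so the setgid bit leaves new files in the `bind` group. Before tightening it, confirm that nothing outside the `bind` group has to read a key from that directory, for instance whatever produces or consumes `certbot.key` (included from named.conf.local.j2 in this commit).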
@@ -0,0 +1,16 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+#include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+{% if bind_is_master %}
+include "/etc/bind/named.conf.master";
+{% else %}
+include "/etc/bind/named.conf.slave";
+{% endif %}
+#include "/etc/bind/named.conf.default-zones";
diff --git a/roles/ns/templates/named.conf.local.j2 b/roles/ns/templates/named.conf.local.j2
index 45ac42f..09a8935 100644
--- a/roles/ns/templates/named.conf.local.j2
+++ b/roles/ns/templates/named.conf.local.j2
@@ -1,20 +1,30 @@
-{% for path in bind_key_includes %}
-include "{{ path }}";
-{% endfor %}
+include "/etc/bind/rndc.key";
+include "/etc/bind/keys/wan.key";
+include "/etc/bind/keys/lan.key";
+include "/etc/bind/keys/certbot.key";
+include "/etc/bind/keys/dhcp.key";
-{% for server in bind_bogus_servers %}
-server {{ server }} { bogus yes; };
-{% endfor %}
+server fe80::/16 { bogus yes; };
-{% for acl_name, networks in bind_acls.items() %}
-acl {{ acl_name }} {
- {% for net in networks %}
- {{ net }};
- {% endfor %}
-};
-{% endfor %}
+acl lan {
+ 10.0.0.0/8;
+ 172.16.0.0/12;
+ 192.168.0.0/16;
+ };
+
+acl rfc5735 {
+ 0.0.0.0/8;
+ 169.254.0.0/16;
+ 192.0.0.0/24;
+ 192.0.2.0/24;
+ 192.88.99.0/24;
+ 198.18.0.0/15;
+ 198.51.100.0/24;
+ 203.0.113.0/24;
+ 224.0.0.0/4;
+ 240.0.0.0/4;
+ };
 controls {
- inet {{ bind_controls["inet"] }} allow { {{ bind_controls["allow"] | join('; ') }}; } keys { {{ bind_controls["keys"] | map('regex_replace', '^(.*)$', '"\\1"') | join('; ') }}; };
+ inet * allow { localhost; lan; } keys { "rndc-key"; };
 };
-
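Review bot: The `#include "/etc/bind/named.conf.options";` and `#include "/etc/bind/named.conf.default-zones";` lines are disabled with a leading `#` but nothing explains why, and a reader used to Debian's stock named.conf will take them for an accident; from the other templates in this commit the reason seems to be that the `options { … }` block lives in named.conf.master.j2 / named.conf.slave.j2 and default-zones is included inside their `"lan"` view, so a comment such as `// options and default-zones are provided by named.conf.master / named.conf.slave (inside the views), do not enable them here` belongs above them. Using `//` for that comment matches the header comments already in the file, although named accepts `#` as well. The `{% if bind_is_master %}` test also treats any non-empty string as true, so a value such as `"false"` arriving as a string from an INI inventory or `-e` would select the primary include; `{% if bind_is_master | bool %}` coerces such strings to a real boolean.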
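Review bot: `inet * allow { localhost; lan; } keys { "rndc-key"; };` binds the rndc control channel on every interface, where the removed line took the address from `bind_controls["inet"]`; the `allow` list and the key still gate it, but on the hosts that also serve the `"wan"` view (see named.conf.master.j2 in this commit) this offers TCP 953 on the outside interface for no benefit. If rndc is only run locally, `inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };` is the usual form; if it must be reachable from the LAN, bind it to the LAN-facing address instead of `*`. The hunk also hard-codes the key includes, the bogus server and the ACLs that were driven by `bind_key_includes`, `bind_bogus_servers` and `bind_acls`; if `defaults/main.yml` still defines those (the hunk of that file shown here does not cover them) they are now dead and should go, so nobody expects them to take effect. Separately, `server fe80::/16 { bogus yes; };` covers only part of the IPv6 link-local range, which is `fe80::/10`; confirm whether the narrower prefix is intended.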
diff --git a/roles/ns/templates/named.conf.master.j2 b/roles/ns/templates/named.conf.master.j2
index 814c5a8..dc63834 100644
--- a/roles/ns/templates/named.conf.master.j2
+++ b/roles/ns/templates/named.conf.master.j2
@@ -1,9 +1,9 @@
 options {
- directory "{{ bind_cache_dir }}";
- max-cache-size {{ bind_max_cache_size }};
+ directory "/var/cache/bind";
+ max-cache-size 500m;
 auth-nxdomain no;
 listen-on-v6 { none; };
- version "{{ bind_version }}";
+ version "DNS";
 allow-update { none; };
 blackhole { rfc5735; };
@@ -15,16 +15,22 @@ options {
 };
 view "lan" {
- match-clients {
- {% for item in bind_match_clients_lan %}
+ match-clients {
+ {% for item in key_match_clients_lan_master if item.startswith("!key") %}
+ {{ item }};
+ {% endfor %}
+{% for item in acl_match_clients %}
 {{ item }};
- {% endfor %}
- };
+ {% endfor %}
+{% for item in key_match_clients_lan_master if not item.startswith("!key") %}
+ {{ item }};
+ {% endfor %}
+};
 recursion yes;
 allow-recursion { any; };
 empty-zones-enable yes;
- notify {{ bind_notify_lan | default('yes') }};
+ notify yes;
 include "/etc/bind/named.conf.default-zones";
@@ -45,7 +51,7 @@ view "wan" {
 allow-query-cache { none; };
 empty-zones-enable no;
- notify {{ bind_notify_wan }};
+ notify explicit;
 also-notify {
 {% for entry in bind_also_notify %}
diff --git a/roles/ns/templates/named.conf.slave.j2 b/roles/ns/templates/named.conf.slave.j2
index b4078b1..c1142a1 100644
--- a/roles/ns/templates/named.conf.slave.j2
+++ b/roles/ns/templates/named.conf.slave.j2
@@ -1,16 +1,15 @@
 options {
- directory "{{ bind_cache_dir }}";
-
- max-cache-size {{ bind_max_cache_size }};
+ directory "/var/cache/bind";
+ max-cache-size 500m;
 auth-nxdomain no;
 listen-on-v6 { none; };
- version "{{ bind_version }}";
+ version "DNS";
 allow-update { none; };
 blackhole { rfc5735; };
- notify {{ bind_slave_notify }};
+ notify no;
 allow-transfer { none; };
- masterfile-format {{ bind_masterfile_format }};
+ masterfile-format text;
 };
 masters master-ips {
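Review bot: The three-loop `match-clients` list depends on named evaluating an address match list in order and stopping at the first match, which is why the `!key` entries are emitted before the `acl_match_clients` entries and the positive `key` entries after them; that ordering is the whole point of the rewrite but nothing in the template says so, so put `{# match-clients is first-match: negated keys must precede the ACL entries, positive keys follow them #}` above the first loop (the same construction appears in the `view "lan"` hunk of named.conf.slave.j2). `item.startswith("!key")` also assumes every element of `key_match_clients_lan_master` is a string of the form `"!key NAME"` / `"key NAME"`; a non-string element aborts rendering and `! key NAME` with a space would land in the positive group, so document the expected format next to that variable or normalise it in the filter. The indentation inside the block is mixed (`  {% for … %}` next to `{% for item in acl_match_clients %}` and `};` at column 0); with Ansible's default `trim_blocks` that only changes whitespace in the rendered file, but it reads as unfinished. The `view "lan"` block continues past the end of the hunk.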
@@ -20,11 +19,17 @@ masters master-ips {
 };
 view "lan" {
- match-clients {
- {% for item in bind_match_clients_lan %}
+ match-clients {
+ {% for item in key_match_clients_lan_master if item.startswith("!key") %}
+ {{ item }};
+ {% endfor %}
+{% for item in acl_match_clients %}
 {{ item }};
- {% endfor %}
- };
+ {% endfor %}
+{% for item in key_match_clients_lan_slave if not item.startswith("!key") %}
+ {{ item }};
+ {% endfor %}
+};
 recursion yes;
 allow-recursion { any; };
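Review bot: The first loop reads `key_match_clients_lan_master` while the third reads `key_match_clients_lan_slave`, so on the secondary the negated keys come from the primary's list and any `!key` entry placed in `key_match_clients_lan_slave` is silently dropped; unless sharing the exclusions with the primary is deliberate, the first loop should be `{% for item in key_match_clients_lan_slave if item.startswith("!key") %}`. If it is deliberate, say so in a Jinja comment on that line, because the mismatch with named.conf.master.j2 (where both loops use `key_match_clients_lan_master`) looks like a copy-and-paste slip. The `view "lan"` block continues past the end of the hunk.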