diff --git a/manifests/init.pp b/manifests/init.pp
index b6822a1..f0c8d24 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -18,50 +18,64 @@
 #
 class bind (
- $package_name = $::bind::params::package_name,
- $config_file = $::bind::params::config_file,
- $template = 'bind/configfile.erb',
- $template_local = $::bind::params::template_local,
 $acl = [],
- $listen_on = undef,
- $listen_on_v6 = undef,
- $directory = undef,
- $dump_file = undef,
- $statistics_file = undef,
- $memstatistics_file = undef,
 $allow_query = undef,
+ $allow_recursion = undef,
 $allow_update = undef,
 $allow_transfer = undef,
+ $auth_nxdomain = undef,
+ $bindkeys_file = undef,
 $blackhole = undef,
- $recursion = undef,
- $allow_recursion = undef,
+ $cleaning_interval = undef,
+ $config_file = $::bind::params::config_file,
+ $directory = undef,
 $dnssec_enable = undef,
 $dnssec_validation = undef,
- $bindkeys_file = undef,
+ $dump_file = undef,
+ $enable = true,
+ $ensure = 'running',
+ $interface_interval = undef,
+ $template = 'bind/configfile.erb',
+ $listen_on = undef,
+ $listen_on_v6 = undef,
+ $logging = undef,
+ $logging_config = undef,
 $managed_keys_directory = undef,
+ $max_ncache_ttl = undef,
+ $memstatistics_file = undef,
+ $nnotify = undef,
+ $package_name = $::bind::params::package_name,
 $pid_file = undef,
+ $recursion = undef,
 $session_keyfile = undef,
- $auth_nxdomain = undef,
- $version = undef,
 $server_id = undef,
- $cleaning_interval = undef,
- $interface_interval = undef,
- $max_ncache_ttl = undef,
- $nnotify = undef,
- $logging = undef,
+ $service_name = $::bind::params::service_name,
+ $statistics_file = undef,
+ $sysconfig_params = ['OPTIONS="-4"'],
+ $version = undef,
 $zone = [],
 $include = [],
 ) inherits ::bind::params {
- package { $package_name: ensure => installed }
+ package { $package_name:
+ ensure => installed
+ }
 file { $config_file:
- require => Package[$package_name],
 backup => '.backup',
 content => template($template),
+ require => Package[$package_name],
+ }
+ service { $service_name:
+ enable => $enable,
+ ensure => $ensure,
+ require => [ Package[$package_name], File[$config_file]
],
 }
- if $::osfamily == 'RedHat' {
- service { 'named':
- require => Package[$package_name],
- enable => true,
+ if $sysconfig_params {
+ $params = join($sysconfig_params, "\n")
+ file { '/etc/sysconfig/named':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ content => $params
 }
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index e68fbfa..1a0cd2d 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -4,11 +4,13 @@
 $config_file = '/etc/named.conf'
 $zonedir = '/var/named/'
 $zonegroup = 'named'
+ $service_name = 'named'
 } elsif $::osfamily == 'Debian' {
 $package_name = [ 'bind9' ]
 $config_file = '/etc/bind/named.conf'
 $zonedir = '/etc/bind/zones/'
 $zonegroup = 'bind'
+ $service_name = 'bind9'
 }
 }
diff --git a/manifests/zone_file.pp b/manifests/zone_file.pp
index b4d3b54..479fa60 100644
--- a/manifests/zone_file.pp
+++ b/manifests/zone_file.pp
@@ -1,18 +1,18 @@
 define bind::zone_file (
- $package_name = $::bind::params::package_name,
- $template = 'bind/zone_file.erb',
- $zonedir = $::bind::params::zonedir,
- $zonegroup = $::bind::params::zonegroup,
- $file_name = undef,
- $nameserver = undef,
- $admin = undef,
- $ttl = undef,
- $serial = undef,
- $refresh = undef,
- $retry = undef,
- $expire = undef,
- $minimum = undef,
- $records = [],
+ $package_name = $::bind::params::package_name,
+ $template = 'bind/zone_file.erb',
+ $zonedir = $::bind::params::zonedir,
+ $zonegroup = $::bind::params::zonegroup,
+ $file_name = undef,
+ $nameserver = undef,
+ $admin = undef,
+ $ttl = undef,
+ $serial = undef,
+ $refresh = undef,
+ $retry = undef,
+ $expire = undef,
+ $minimum = undef,
+ $records = [],
 ) {
 include bind::params
 if ! defined(File[$zonedir]) {
diff --git a/templates/configfile.erb b/templates/configfile.erb
index 5ce533a..c44c189 100644
--- a/templates/configfile.erb
+++ b/templates/configfile.erb
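Review bot: The new `if $sysconfig_params {` block drops the old `$::osfamily == 'RedHat'` guard, so `/etc/sysconfig/named` is now managed on every platform the class runs on, and because the default `['OPTIONS="-4"']` is non-empty the branch is taken on Debian hosts too (which this very commit adds support for in params.pp), where a `/etc/sysconfig` directory is not normally present and the file resource will fail. Keep the platform guard next to the new switch, e.g. `if $::osfamily == 'RedHat' and $sysconfig_params {`, and note that Puppet treats an empty array as true, so `[]` will not turn the file off — `undef` or `false` is needed, which the parameter should document. Separately, neither `File[$config_file]` nor the new sysconfig file notifies `Service[$service_name]`, so a changed named.conf (for instance a tightened `allow-recursion`) is written to disk but the running daemon keeps the old configuration until something else restarts it; adding `notify => Service[$service_name],` to both file resources fixes this without a dependency cycle, since the service already `require`s the config file. `join()` is a puppetlabs-stdlib function, and nothing in this diff declares that dependency.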
@@ -9,25 +9,25 @@ acl <%= key %> {
 <% end -%>
 options {
 <% if @listen_on -%>
- listen-on <%= @listen_on %>;
+ listen-on <%= @listen_on %>;
 <% end -%>
 <% if @listen_on_v6 -%>
- listen-on-v6 <%= @listen_on_v6 %>;
+ listen-on-v6 <%= @listen_on_v6 %>;
 <% end -%>
 <% if @directory -%>
- directory <%= @directory %>;
+ directory <%= @directory %>;
 <% end -%>
 <% if @dump_file -%>
- dump-file <%= @dump_file %>;
+ dump-file <%= @dump_file %>;
 <% end -%>
 <% if @statistics_file -%>
- statistics-file <%= @statistics_file %>;
+ statistics-file <%= @statistics_file %>;
 <% end -%>
 <% if @memstatistics_file -%>
- memstatistics-file <%= @memstatistics_file %>;
+ memstatistics-file <%= @memstatistics_file %>;
 <% end -%>
 <% if @allow_query -%>
- allow-query <%= @allow_query %>;
+ allow-query <%= @allow_query %>;
 <% end -%>
 <% if @allow_update -%>
 allow-update <%= @allow_update %>;
@@ -39,70 +39,74 @@ options {
 blackhole <%= @blackhole %>;
 <% end -%>
- /*
- - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- - If you are building a RECURSIVE (caching) DNS server, you need to enable
- recursion.
- - If your recursive DNS server has a public IP address, you MUST enable access
- control to limit queries to your legitimate users. Failing to do so will
- cause your server to become part of large scale DNS amplification
- attacks. Implementing BCP38 within your network would greatly
- reduce such attack surface
- */
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
 <% if @recursion -%>
- recursion <%= @recursion %>;
+ recursion <%= @recursion %>;
 <% end -%>
 <% if @allow_recursion -%>
- allow-recursion <%= @allow_recursion %>
+ allow-recursion <%= @allow_recursion %>
 <% end -%>
 <% if @dnssec_enable -%>
- dnssec-enable <%= @dnssec_enable %>;
+ dnssec-enable <%= @dnssec_enable %>;
 <% end -%>
 <% if @dnssec_validation -%>
- dnssec-validation <%= @dnssec_validation %>;
+ dnssec-validation <%= @dnssec_validation %>;
 <% end -%>
 <% if @bindkeys_file -%>
- bindkeys-file <%= @bindkeys_file %>;
+ bindkeys-file <%= @bindkeys_file %>;
 <% end -%>
 <% if @managed_keys_directory -%>
- managed-keys-directory <%= @managed_keys_directory %>;
+ managed-keys-directory <%= @managed_keys_directory %>;
 <% end -%>
 <% if @pid_file -%>
- pid-file <%= @pid_file %>;
+ pid-file <%= @pid_file %>;
 <% end -%>
 <% if @session_keyfile -%>
- session-keyfile <%= @session_keyfile %>;
+ session-keyfile <%= @session_keyfile %>;
<% end -%>
 <% if @auth_nxdomain -%>
- auth-nxdomain <%= @auth_nxdomain %>;
+ auth-nxdomain <%= @auth_nxdomain %>;
 <% end -%>
 <% if @version -%>
- version <%= @version %>;
+ version <%= @version %>;
 <% end -%>
 <% if @server_id -%>
- server-id <%= @server_id %>;
+ server-id <%= @server_id %>;
 <% end -%>
 <% if @cleaning_interval -%>
- cleaning-interval <%= @cleaning_interval %>;
+ cleaning-interval <%= @cleaning_interval %>;
 <% end -%>
 <% if @interface_interval -%>
- interface-interval <%= @interface_interval %>;
+ interface-interval <%= @interface_interval %>;
 <% end -%>
 <% if @max_ncache_ttl -%>
- max-ncache-ttl <%= @max_ncache_ttl %>;
+ max-ncache-ttl <%= @max_ncache_ttl %>;
 <% end -%>
 <% if @nnotify -%>
- notify <%= @nnotify %>;
+ notify <%= @nnotify %>;
 <% end -%>
 };
 <% if @logging -%>
+<% if @logging_config -%>
+<%= @logging_config %>
+<% else -%>
 logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
 };
+<% end -%>
 <% end -%>
 <% if !@zone.empty? -%>
 <% @zone.each do |key,value| -%>
diff --git a/templates/zone_file.erb b/templates/zone_file.erb
index 6fc65fc..4d8f1c2 100644
--- a/templates/zone_file.erb
+++ b/templates/zone_file.erb
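Review bot: The re-indented `allow-recursion <%= @allow_recursion %>` line still lacks the terminating semicolon that every neighbouring option in this hunk has, so any catalog that sets `$allow_recursion` renders a named.conf that BIND rejects at parse time, and with the service resource this commit adds that turns into a failed Puppet run rather than a silently broken file — the one option the retained comment block says a public recursive resolver must set is the one that cannot be expressed. The line should read `allow-recursion <%= @allow_recursion %>;`. The new `<%= @logging_config %>` branch is nested inside `<% if @logging -%>`, so a caller who sets `$logging_config` but leaves `$logging` at undef gets no logging stanza at all; if that is intended, document it on the `$logging_config` parameter, otherwise the outer condition should test either value. The `options {` block named in the hunk header is closed by the `};` visible mid-hunk, while the template itself continues past the end of this hunk.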
@@ -1,11 +1,11 @@
 $TTL <% if @ttl -%><%= @ttl %><% else -%>1D<% end -%>
 @ IN SOA <% if @nameserver -%><%= @nameserver %><% else -%>@<% end -%> <% if @admin -%><%= @admin %><% else -%>rname.invalid.<% end -%> (
- <% if @serial -%><%= @serial %><% else -%>0<% end -%> ; serial
- <% if @refresh -%><%= @refresh %><% else -%>1D<% end -%> ; refresh
- <% if @retry -%><%= @retry %><% else -%>1H<% end -%> ; retry
- <% if @expire -%><%= @expire %><% else -%>1W<% end -%> ; expire
- <% if @minimum -%><%= @minimum %><% else -%>3H<% end -%> ) ; minimum
+ <% if @serial -%><%= @serial %><% else -%>0<% end -%> ; serial
+ <% if @refresh -%><%= @refresh %><% else -%>1D<% end -%> ; refresh
+ <% if @retry -%><%= @retry %><% else -%>1H<% end -%> ; retry
+ <% if @expire -%><%= @expire %><% else -%>1W<% end -%> ; expire
+ <% if @minimum -%><%= @minimum %><% else -%>3H<% end -%> ) ; minimum
 <% if !@records.empty? -%>
 <% @records.each do |record| -%>
 <%= record %>