From cbb7db1a67e990d1ee6f34f78b357f6fdf855c51 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 8 Mar 2018 09:55:56 +0000 Subject: [PATCH 01/28] Allow specifying a transfer-format --- manifests/server.pp | 21 +++++++++++---------- templates/server.erb | 3 +++ 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/manifests/server.pp b/manifests/server.pp index 0bf9412..392c9b8 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,16 +1,17 @@ # ex: syntax=puppet si ts=4 sw=4 et define bind::server ( - $bogus = false, - $edns = true, - $key = undef, - $transfers = undef, + $bogus = false, + $edns = true, + $key = undef, + $transfers = undef, + $transfer_format = undef, ) { - include ::bind + include ::bind - concat::fragment { "bind-server-${name}": - order => 10, - target => "${::bind::confdir}/servers.conf", - content => template('bind/server.erb'), - } + concat::fragment { "bind-server-${name}": + order => 10, + target => "${::bind::confdir}/servers.conf", + content => template('bind/server.erb'), + } } diff --git a/templates/server.erb b/templates/server.erb index 6e2499d..8e38405 100644 --- a/templates/server.erb +++ b/templates/server.erb @@ -7,4 +7,7 @@ server <%= @name %> { <%- if @transfers -%> transfers <%= @transfers %>; <%- end -%> +<%- if @transfer_format -%> + transfer-format <%= @transfer_format %>; +<%- end -%> }; From 42decb44e51766f958f550b29965c0775e20c0a5 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 8 Mar 2018 10:21:56 +0000 Subject: [PATCH 02/28] Add transfer_format to zone and view --- manifests/view.pp | 1 + manifests/zone.pp | 1 + templates/view.erb | 3 +++ templates/zone.conf.erb | 3 +++ 4 files changed, 8 insertions(+) diff --git a/manifests/view.pp b/manifests/view.pp index c5fc9ad..1de4696 100644 --- a/manifests/view.pp +++ b/manifests/view.pp 
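Review bot: `transfer_format` is written into the `server` block by server.erb exactly as given, with no check that it is one of the two values named accepts for this directive (`one-answer` or `many-answers`), so a typo is only reported when named rejects the generated config; the same unchecked interpolation is repeated for zone, view and the global options in patches 02 and 03. A guard in server.pp in the shape patch 04 later uses for `check_names` would fail at catalog time instead: `if $transfer_format != undef and !member(['one-answer', 'many-answers'], $transfer_format) { fail("transfer_format must be 'one-answer' or 'many-answers'") }`. The server.pp hunk also re-indents every existing line, which buries the one functional line; a whitespace-only commit first would make the change reviewable at a glance.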
@@ -19,6 +19,7 @@ $empty_zones = '', $order = '10', $minimal_responses = false, + $transfer_format = undef, ) { $confdir = $::bind::confdir $default_zones_include = $::bind::default_zones_include diff --git a/manifests/zone.pp b/manifests/zone.pp index dd51ecf..36a8931 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -20,6 +20,7 @@ $forward = '', $source = '', $forwarders_port = 53, + $transfer_format = undef, ) { # where there is a zone, there is a server include ::bind diff --git a/templates/view.erb b/templates/view.erb index 6478900..39aa911 100644 --- a/templates/view.erb +++ b/templates/view.erb @@ -69,6 +69,9 @@ view "<%= @name %>" { <%- end -%> }; <%- end -%> +<%- if @transfer_format -%> + transfer-format <%= @transfer_format %>; +<%- end -%> <%- if @empty_zones != '' -%> empty-zones-enable <%= @empty_zones ? 'yes' : 'no' %>; <%- end -%> diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index 8a36dd7..99176d4 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -80,4 +80,7 @@ zone "<%= @_domain %>" { <%- end -%> }; <%- end -%> +<%- if @transfer_format -%> + transfer-format <%= @transfer_format %>; +<%- end -%> }; From 50b1280c511ae95c0d594d65429486e0f016a50e Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 8 Mar 2018 10:23:28 +0000 Subject: [PATCH 03/28] Add transfer_format to global options --- manifests/init.pp | 1 + templates/named.conf.erb | 3 +++ 2 files changed, 4 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 395ec92..7bc7b2a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -12,6 +12,7 @@ $include_local = false, $tkey_gssapi_credential = undef, $tkey_domain = undef, + $transfer_format = undef, ) inherits bind::defaults { File { diff --git a/templates/named.conf.erb b/templates/named.conf.erb index a69f4ef..9116c87 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb 
@@ -48,6 +48,9 @@ options { <%- if @tkey_domain -%> tkey-domain "<%= @tkey_domain %>"; <%- end -%> +<%- if @transfer_format -%> + transfer-format <%= @transfer_format %>; +<%- end -%> }; <%- if @include_local -%> From 762f7e6ecfadae172dbd47f910dbeee776e955dc Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 8 Mar 2018 10:28:30 +0000 Subject: [PATCH 04/28] Add check_names to zone configuration --- manifests/zone.pp | 5 +++++ templates/zone.conf.erb | 3 +++ 2 files changed, 8 insertions(+) diff --git a/manifests/zone.pp b/manifests/zone.pp index 36a8931..b702cee 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -21,6 +21,7 @@ $source = '', $forwarders_port = 53, $transfer_format = undef, + $check_names = undef, ) { # where there is a zone, there is a server include ::bind @@ -82,6 +83,10 @@ fail("source may only be provided for bind::zone resources with zone_type 'master' or 'hint'") } + unless !($check_names != '' and ! member(['warn', 'fail', 'ignore', $check_names])) { + fail("check_names must be 'warn', 'fail' or 'ignore'") + } + $zone_file_mode = $zone_type ? { 'master' => $dynamic ? { true => 'init', diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index 99176d4..d11e864 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -83,4 +83,7 @@ zone "<%= @_domain %>" { <%- if @transfer_format -%> transfer-format <%= @transfer_format %>; <%- end -%> +<%- if @check_names -%> + check-names <%= @check_names %>; +<%- end -%> }; From 5e0a3aa0b14366490b8f0fb4650544bcc82dae53 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 8 Mar 2018 10:35:46 +0000 Subject: [PATCH 05/28] Add check_names to view and global configuration --- manifests/init.pp | 2 ++ manifests/view.pp | 2 ++ templates/named.conf.erb | 3 +++ templates/view.erb | 3 +++ 4 files changed, 10 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 7bc7b2a..5be5cdb 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
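Review bot: The new guard in zone.pp reads `unless !(A and B)`, a double negation that makes a one-line validation hard to verify by eye, and the misplaced bracket that patch 06 has to correct is exactly the slip this form invites. The positive form states the intent directly: `if $check_names != '' and !member(['warn', 'fail', 'ignore'], $check_names) { fail("check_names must be 'warn', 'fail' or 'ignore'") }`. The default added in the first hunk is `undef` while both the guard and the template test against `''`; patch 07 later changes the default to `''`, which is the consistent choice, and a comment on the parameter listing the three accepted values would remove the need to read the guard at all.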
@@ -13,6 +13,8 @@ $tkey_gssapi_credential = undef, $tkey_domain = undef, $transfer_format = undef, + $check_names_type = undef, #master, slave or response + $check_names_handling = undef, #warn, fail or ignore ) inherits bind::defaults { File { diff --git a/manifests/view.pp b/manifests/view.pp index 1de4696..2e471ed 100644 --- a/manifests/view.pp +++ b/manifests/view.pp @@ -20,6 +20,8 @@ $order = '10', $minimal_responses = false, $transfer_format = undef, + $check_names_type = undef, #master, slave or response + $check_names_handling = undef, #warn, fail or ignore ) { $confdir = $::bind::confdir $default_zones_include = $::bind::default_zones_include diff --git a/templates/named.conf.erb b/templates/named.conf.erb index 9116c87..f67b709 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -51,6 +51,9 @@ options { <%- if @transfer_format -%> transfer-format <%= @transfer_format %>; <%- end -%> +<%- if @check_names_type != '' and @check_names_handling != '' -%> + check-names <%= @check_names_type %> <%= @check_names_handling %>; +<%- end -%> }; <%- if @include_local -%> diff --git a/templates/view.erb b/templates/view.erb index 39aa911..196b33c 100644 --- a/templates/view.erb +++ b/templates/view.erb @@ -72,6 +72,9 @@ view "<%= @name %>" { <%- if @transfer_format -%> transfer-format <%= @transfer_format %>; <%- end -%> +<%- if @check_names_type != '' and @check_names_handling != '' -%> + check-names <%= @check_names_type %> <%= @check_names_handling %>; +<%- end -%> <%- if @empty_zones != '' -%> empty-zones-enable <%= @empty_zones ? 'yes' : 'no' %>; <%- end -%> From 5d48e216927325a02265994fa8bf5e73f8e28ab7 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 8 Mar 2018 11:00:23 +0000 Subject: [PATCH 06/28] Square brace in wrong place --- manifests/zone.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/zone.pp b/manifests/zone.pp index b702cee..2f817de 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp 
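Review bot: `check_names_type` and `check_names_handling` are interpolated into named.conf.erb and view.erb without any validation, and the accepted values (`master`, `slave`, `response` and `warn`, `fail`, `ignore`) exist only as trailing comments on the parameter lines, so a wrong value is first reported by named rather than by Puppet. zone.pp in patch 04 already guards its `check_names` with `member()`; the same shape fits both classes here, e.g. `if $check_names_type != '' and !member(['master', 'slave', 'response'], $check_names_type) { fail('check_names_type must be master, slave or response') }` with the equivalent check for the handling value. Since the templates emit the directive only when both are non-empty, a guard that fails when exactly one of them is set would also stop a half-configured `check-names` from being silently dropped.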
@@ -83,7 +83,7 @@ fail("source may only be provided for bind::zone resources with zone_type 'master' or 'hint'") } - unless !($check_names != '' and ! member(['warn', 'fail', 'ignore', $check_names])) { + unless !($check_names != '' and ! member(['warn', 'fail', 'ignore'], $check_names)) { fail("check_names must be 'warn', 'fail' or 'ignore'") } From f7e23ce199d0a9e1ab05ef8f35c523aa3a0317d1 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 8 Mar 2018 11:15:42 +0000 Subject: [PATCH 07/28] Alter defaults and tests for content --- manifests/zone.pp | 4 ++-- templates/zone.conf.erb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/zone.pp b/manifests/zone.pp index 2f817de..e182fb4 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -20,8 +20,8 @@ $forward = '', $source = '', $forwarders_port = 53, - $transfer_format = undef, - $check_names = undef, + $transfer_format = '', + $check_names = '', ) { # where there is a zone, there is a server include ::bind diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index d11e864..42ffafc 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -80,10 +80,10 @@ zone "<%= @_domain %>" { <%- end -%> }; <%- end -%> -<%- if @transfer_format -%> +<%- if @transfer_format and @transfer_format != '' -%> transfer-format <%= @transfer_format %>; <%- end -%> -<%- if @check_names -%> +<%- if @check_names and @check_names != ''-%> check-names <%= @check_names %>; <%- end -%> }; From 511f670043c5ac9a8576a2b321bb8ff591575ba6 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 8 Mar 2018 11:29:51 +0000 Subject: [PATCH 08/28] Alter defaults and tests for content on views --- manifests/view.pp | 6 +++--- templates/view.erb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/view.pp b/manifests/view.pp index 2e471ed..9ac4bdc 100644 --- a/manifests/view.pp +++ b/manifests/view.pp 
@@ -19,9 +19,9 @@ $empty_zones = '', $order = '10', $minimal_responses = false, - $transfer_format = undef, - $check_names_type = undef, #master, slave or response - $check_names_handling = undef, #warn, fail or ignore + $transfer_format = '', + $check_names_type = '', #master, slave or response + $check_names_handling = '', #warn, fail or ignore ) { $confdir = $::bind::confdir $default_zones_include = $::bind::default_zones_include diff --git a/templates/view.erb b/templates/view.erb index 196b33c..b474742 100644 --- a/templates/view.erb +++ b/templates/view.erb @@ -69,7 +69,7 @@ view "<%= @name %>" { <%- end -%> }; <%- end -%> -<%- if @transfer_format -%> +<%- if @transfer_format and @transfer_format != '' -%> transfer-format <%= @transfer_format %>; <%- end -%> <%- if @check_names_type != '' and @check_names_handling != '' -%> From 24b16511820b07cfa4f5724482982450a532f9a8 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 5 Apr 2018 12:59:28 +0100 Subject: [PATCH 09/28] Change undef to '' for template --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 5be5cdb..de2edd8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,8 +13,8 @@ $tkey_gssapi_credential = undef, $tkey_domain = undef, $transfer_format = undef, - $check_names_type = undef, #master, slave or response - $check_names_handling = undef, #warn, fail or ignore + $check_names_type = '', #master, slave or response + $check_names_handling = '', #warn, fail or ignore ) inherits bind::defaults { File { From 40900514bc9f8362c398d68a977fb28a402e8bb1 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 12 Apr 2018 08:24:16 +0100 Subject: [PATCH 10/28] Allow specifying options for files, allowing bind to rotate it's own logs - could probably be done a bit neater --- manifests/logging/channel.pp | 1 + templates/logging_channel.erb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/manifests/logging/channel.pp b/manifests/logging/channel.pp
index db0a5cd..05f4143 100644
--- a/manifests/logging/channel.pp
+++ b/manifests/logging/channel.pp
@@ -4,6 +4,7 @@
 $destination = 'file',
 $file_path = $::bind::defaults::logdir,
 $file_name = '',
+ $file_options = '',
 $syslog_facility = '',
 $severity = '',
 $print_category = true,
diff --git a/templates/logging_channel.erb b/templates/logging_channel.erb
index e20e5a7..4e2c93c 100644
--- a/templates/logging_channel.erb
+++ b/templates/logging_channel.erb
@@ -1,7 +1,7 @@
 channel <%= @name %> {
 <%- case @destination -%>
 <%- when "file" -%>
- file "<%= @file_path %>/<%= @file_name %>";
+ file "<%= @file_path %>/<%= @file_name %>" <%= @file_options %>;
 <%- when "syslog" -%>
 syslog <%= @syslog_facility %>;
 <%- when "stderr" -%>
From 9db0907be67cc9814cc86614699f2e2980e89fd0 Mon Sep 17 00:00:00 2001
From: Carl Garner
Date: Fri, 3 Aug 2018 15:01:57 +0100
Subject: [PATCH 11/28] Helpful when changes are actually saved
---
 manifests/init.pp | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index bdec7b3..037e84e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
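Review bot: `file_options` is spliced into the `file` channel statement as a free-form string, so the parameter name says nothing about what named accepts there (the `versions` and `size` clauses that drive its own log rotation, which the commit message is after), and a value containing `;` or `}` changes the structure of logging.conf rather than just this line. Dedicated parameters would document the intent and keep validation trivial: `$file_versions = ''` and `$file_size = ''` in channel.pp, with the template emitting `versions <%= @file_versions %>` and `size <%= @file_size %>` only when each is set. If the free-form string is kept, the parameter needs a comment naming the clauses it is meant to carry. With the default `''` the rendered line is `file "…" ;` with a stray space before the semicolon, which named tolerates but which shows up in every generated file.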
@@ -18,20 +18,9 @@ # NOTE: we need to be able to override this parameter when declaring class, # especially when not using hiera (i.e. when using Foreman as ENC): $default_zones_include = $::bind::defaults::default_zones_include, - $forwarders = undef, - $forward = undef, - $dnssec = undef, - $filter_ipv6 = undef, - $version = undef, - $statistics_port = undef, - $auth_nxdomain = undef, - $include_default_zones = true, - $include_local = false, - $tkey_gssapi_credential = undef, - $tkey_domain = undef, - $transfer_format = undef, - $check_names_type = '', #master, slave or response - $check_names_handling = '', #warn, fail or ignore + $transfer_format = undef, + $check_names_type = '', #master, slave or response + $check_names_handling = '', #warn, fail or ignore ) inherits bind::defaults { if $chroot and !$::bind::defaults::chroot_supported { fail('Chroot for bind is not supported on your OS') From 6a1c27fe505ac1438855a9bf91e8557a452c9ddd Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Mon, 20 Aug 2018 09:22:58 +0100 Subject: [PATCH 12/28] Use the source if it's set --- templates/zone.conf.erb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index 42ffafc..e9dc9d2 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -11,8 +11,12 @@ zone "<%= @_domain %>" { <%- end -%> file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>.signed"; <%- elsif %w(init managed allowed).include? @zone_file_mode -%> +<%- if @source and @source != '' -%> + file "<%= @source %>"; +<%- else -%> file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>"; <%- end -%> +<%- end -%> <%- if %w(master slave).include? @zone_type if (@ns_notify == 'explicit') -%> notify explicit; From e6728ef0c5c7ef2d8130feb68959401a435bbc73 Mon Sep 17 00:00:00 2001 
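Review bot: `file "<%= @source %>";` writes `$source` straight into the zone statement, but what `$source` holds is not visible in this hunk: if it is the Puppet `source` of the deployed zone file (a `puppet:///` URL, the conventional meaning) named is handed a URL instead of a path, and if it is a local path that named reads in place, a comment on the parameter saying so would stop the next reader from assuming the conventional meaning. Either way the value goes inside double quotes with no quoting for named's config syntax, so a path containing `"` breaks named.conf; zone.pp already checks that `$source` is only set on master or hint zones, and `validate_absolute_path($source)` next to that check would pin both the meaning and the format. The two `<%- end -%>` lines at the same column also make the nesting hard to follow; indenting the inner `if`/`else`/`end` as the later acl.erb hunks do would help.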
From: Carl Garner Date: Tue, 23 Oct 2018 11:18:01 +0100 Subject: [PATCH 13/28] Attempt service checks before restarting bind --- manifests/init.pp | 233 ++++++++++++++++++++++++---------------------- manifests/zone.pp | 2 +- 2 files changed, 121 insertions(+), 114 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 037e84e..e02bf70 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,136 +1,143 @@ # ex: syntax=puppet si ts=4 sw=4 et class bind ( - $forwarders = undef, - $forward = undef, - $dnssec = undef, - $filter_ipv6 = undef, - $version = undef, - $statistics_port = undef, - $auth_nxdomain = undef, - $include_default_zones = true, - $include_local = false, - $tkey_gssapi_credential = undef, - $tkey_domain = undef, - $chroot = false, - $chroot_class = $::bind::defaults::chroot_class, - $chroot_dir = $::bind::defaults::chroot_dir, - # NOTE: we need to be able to override this parameter when declaring class, - # especially when not using hiera (i.e. when using Foreman as ENC): - $default_zones_include = $::bind::defaults::default_zones_include, - $transfer_format = undef, - $check_names_type = '', #master, slave or response - $check_names_handling = '', #warn, fail or ignore + $forwarders = undef, + $forward = undef, + $dnssec = undef, + $filter_ipv6 = undef, + $version = undef, + $statistics_port = undef, + $auth_nxdomain = undef, + $include_default_zones = true, + $include_local = false, + $tkey_gssapi_credential = undef, + $tkey_domain = undef, + $chroot = false, + $chroot_class = $::bind::defaults::chroot_class, + $chroot_dir = $::bind::defaults::chroot_dir, + # NOTE: we need to be able to override this parameter when declaring class, + # especially when not using hiera (i.e. 
when using Foreman as ENC): + $default_zones_include = $::bind::defaults::default_zones_include, + $transfer_format = undef, + $check_names_type = '', #master, slave or response + $check_names_handling = '', #warn, fail or ignore ) inherits bind::defaults { - if $chroot and !$::bind::defaults::chroot_supported { - fail('Chroot for bind is not supported on your OS') - } - File { - ensure => present, - owner => 'root', - group => $::bind::defaults::bind_group, - mode => '0644', - require => Package['bind'], - notify => Service['bind'], - } + if $chroot and !$::bind::defaults::chroot_supported { + fail('Chroot for bind is not supported on your OS') + } + File { + ensure => present, + owner => 'root', + group => $::bind::defaults::bind_group, + mode => '0644', + require => Package['bind'], + notify => Exec['bind-config-test'], + } - include ::bind::updater + include ::bind::updater - package { 'bind': - ensure => latest, - name => $::bind::defaults::bind_package, - } + package { 'bind': + ensure => latest, + name => $::bind::defaults::bind_package, + } - if $chroot and $::bind::defaults::chroot_class { - # When using a dedicated chroot class, service declaration is dedicated to this class - class { $::bind::defaults::chroot_class : } - } + if $chroot and $::bind::defaults::chroot_class { + # When using a dedicated chroot class, service declaration is dedicated to this class + class { $::bind::defaults::chroot_class: } + } - if $dnssec { - file { '/usr/local/bin/dnssec-init': - ensure => present, - owner => 'root', - group => 'root', - mode => '0755', - source => 'puppet:///modules/bind/dnssec-init', - } + if $dnssec { + file { '/usr/local/bin/dnssec-init': + ensure => present, + owner => 'root', + group => 'root', + mode => '0755', + source => 'puppet:///modules/bind/dnssec-init', } + } - # rndc only supports HMAC-MD5 - bind::key { 'rndc-key': - algorithm => 'hmac-md5', - secret_bits => '512', - keydir => $bind::defaults::confdir, - keyfile => 'rndc.key', - include => 
false, - } + # rndc only supports HMAC-MD5 + bind::key { 'rndc-key': + algorithm => 'hmac-md5', + secret_bits => '512', + keydir => $bind::defaults::confdir, + keyfile => 'rndc.key', + include => false, + } - file { '/usr/local/bin/rndc-helper': - ensure => present, - owner => 'root', - group => 'root', - mode => '0755', - content => template('bind/rndc-helper.erb'), - } + file { '/usr/local/bin/rndc-helper': + ensure => present, + owner => 'root', + group => 'root', + mode => '0755', + content => template('bind/rndc-helper.erb'), + } - file { "${::bind::defaults::confdir}/zones": - ensure => directory, - mode => '2755', - } + file { "${::bind::defaults::confdir}/zones": + ensure => directory, + mode => '2755', + } - file { $::bind::defaults::namedconf: - content => template('bind/named.conf.erb'), - } + file { $::bind::defaults::namedconf: + content => template('bind/named.conf.erb'), + } - if $include_default_zones and $::bind::defaults::default_zones_source { - file { $default_zones_include: - source => $::bind::defaults::default_zones_source, - } + if $include_default_zones and $::bind::defaults::default_zones_source { + file { $default_zones_include: + source => $::bind::defaults::default_zones_source, } + } - class { '::bind::keydir': - keydir => "${::bind::defaults::confdir}/keys", - } + class { '::bind::keydir': + keydir => "${::bind::defaults::confdir}/keys", + } - concat { [ - "${::bind::defaults::confdir}/acls.conf", - "${::bind::defaults::confdir}/keys.conf", - "${::bind::defaults::confdir}/views.conf", - "${::bind::defaults::confdir}/servers.conf", - "${::bind::defaults::confdir}/logging.conf", - "${::bind::defaults::confdir}/view-mappings.txt", - "${::bind::defaults::confdir}/domain-mappings.txt", - ]: - owner => 'root', - group => $::bind::defaults::bind_group, - mode => '0644', - warn => true, - require => Package['bind'], - notify => Service['bind'], - } + concat { [ + "${::bind::defaults::confdir}/acls.conf", + 
"${::bind::defaults::confdir}/keys.conf", + "${::bind::defaults::confdir}/views.conf", + "${::bind::defaults::confdir}/servers.conf", + "${::bind::defaults::confdir}/logging.conf", + "${::bind::defaults::confdir}/view-mappings.txt", + "${::bind::defaults::confdir}/domain-mappings.txt", + ]: + owner => 'root', + group => $::bind::defaults::bind_group, + mode => '0644', + warn => true, + require => Package['bind'], + notify => Exec['bind-config-test'], + } - concat::fragment { 'bind-logging-header': - order => '00-header', - target => "${::bind::defaults::confdir}/logging.conf", - content => "logging {\n"; - } + concat::fragment { 'bind-logging-header': + order => '00-header', + target => "${::bind::defaults::confdir}/logging.conf", + content => "logging {\n"; + } + + concat::fragment { 'bind-logging-footer': + order => '99-footer', + target => "${::bind::defaults::confdir}/logging.conf", + content => "};\n"; + } - concat::fragment { 'bind-logging-footer': - order => '99-footer', - target => "${::bind::defaults::confdir}/logging.conf", - content => "};\n"; + # DO NOT declare a bind service when chrooting bind with bind::chroot::package class, + # because it needs another dedicated chrooted-bind service (i.e. named-chroot on RHEL) + # AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED. + if !$chroot or ($chroot and $::bind::defaults::chroot_class == 'bind::chroot::manual') { + exec { 'bind-config-test': + path => '/usr/sbin', + command => "named-checkconf ${::bind::defaults::namedconf} > ${::bind::defaults::confdir}/named-checkconf.output 2>&1", + refreshonly => true, + notify => Service['bind'], } - # DO NOT declare a bind service when chrooting bind with bind::chroot::package class, - # because it needs another dedicated chrooted-bind service (i.e. named-chroot on RHEL) - # AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED. 
- if !$chroot or ($chroot and $::bind::defaults::chroot_class == 'bind::chroot::manual') { - service { 'bind': - ensure => running, - name => $::bind::defaults::bind_service, - enable => true, - hasrestart => true, - hasstatus => true, - } + service { 'bind': + ensure => running, + name => $::bind::defaults::bind_service, + enable => true, + hasrestart => true, + hasstatus => true, } + } } diff --git a/manifests/zone.pp b/manifests/zone.pp index e182fb4..ff3c138 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -161,7 +161,7 @@ group => $bind_group, mode => '0644', content => template('bind/zone.conf.erb'), - notify => Service['bind'], + notify => Exec['bind-config-test'], require => Package['bind'], } From e39457005a3d7d7375c2512ddff698a014b56bb1 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Mon, 8 Jul 2019 10:44:01 +0100 Subject: [PATCH 14/28] Add geoip-directory support --- manifests/init.pp | 1 + templates/named.conf.erb | 3 +++ 2 files changed, 4 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index e02bf70..908bedc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -21,6 +21,7 @@ $transfer_format = undef, $check_names_type = '', #master, slave or response $check_names_handling = '', #warn, fail or ignore + $geoip_directory = undef, ) inherits bind::defaults { if $chroot and !$::bind::defaults::chroot_supported { fail('Chroot for bind is not supported on your OS') diff --git a/templates/named.conf.erb b/templates/named.conf.erb index f67b709..ff31f85 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -54,6 +54,9 @@ options { <%- if @check_names_type != '' and @check_names_handling != '' -%> check-names <%= @check_names_type %> <%= @check_names_handling %>; <%- end -%> +<%- if @geoip_directory and @geoip_directory != '' -%> + geoip-directory "@geoip_directory"; +<%- end -%> }; <%- if @include_local -%> From 440f2eb56e90ed9f4b45327354e53a563a0dea12 Mon Sep 17 00:00:00 2001 
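Review bot: The new `exec { 'bind-config-test': … }` relies on `>` and `2>&1` redirection, but Puppet's default `posix` exec provider runs the command without a shell, so unless an Exec default outside this hunk sets `provider => shell` those tokens reach named-checkconf as arguments and the check fails for the wrong reason. Letting Puppet capture the output avoids the shell entirely: `command => "named-checkconf ${::bind::defaults::namedconf}",` together with `logoutput => on_failure,` (the output then goes to the agent log instead of a file in `confdir`). When `$chroot` is true the check should also pass `-t ${chroot_dir}` to named-checkconf, since the paths inside named.conf are relative to the chroot. Separately, the File defaults, the `concat` resources and the zone.pp hunk now `notify => Exec['bind-config-test']`, but the exec is only declared inside the `if !$chroot or …` branch; on the package-chroot path that resource does not exist and catalog compilation fails, unless the chroot class declares it, which this diff does not show.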
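Review bot: `geoip_directory` goes into named.conf inside double quotes with no check that it is a path, so the empty string is guarded but a relative path, a trailing slash or a value containing `"` is not, and the parameter carries no comment saying what named expects there. A one-line guard in init.pp using stdlib, which `member()` already pulls in, keeps the template simple: `if $geoip_directory != undef { validate_absolute_path($geoip_directory) }`. (The literal `"@geoip_directory"` that this hunk writes instead of an ERB expression is corrected by patch 17.)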
From: Carl Garner Date: Mon, 8 Jul 2019 10:52:28 +0100 Subject: [PATCH 15/28] ACL geoip support --- manifests/acl.pp | 2 ++ templates/acl.erb | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/manifests/acl.pp b/manifests/acl.pp index 3737d94..40a2cc5 100644 --- a/manifests/acl.pp +++ b/manifests/acl.pp @@ -2,6 +2,8 @@ define bind::acl ( $addresses, + $geoip_type = undef, + $geoip_location = undef, ) { concat::fragment { "bind-acl-${name}": diff --git a/templates/acl.erb b/templates/acl.erb index 7400909..2fdad29 100644 --- a/templates/acl.erb +++ b/templates/acl.erb @@ -3,4 +3,9 @@ acl <%= @name %> { <%- Array(@addresses).each do |address| -%> <%= address %>; <%- end -%> +<%- if @geoip_type and @geoip_location and @geoip_type == 'city' -%> + geoip @geoip_type "@geoip_location"; +<%- else if @geoip_type and @geoip_location -%> + geoip @geoip_type @geoip_location; +<%- end -%> }; From b710b69078f82e84fb70bab15a5a4cbc7a7c5553 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Mon, 8 Jul 2019 13:33:04 +0100 Subject: [PATCH 16/28] rogue semicolon --- templates/acl.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/acl.erb b/templates/acl.erb index 2fdad29..fc9002b 100644 --- a/templates/acl.erb +++ b/templates/acl.erb @@ -8,4 +8,4 @@ acl <%= @name %> { <%- else if @geoip_type and @geoip_location -%> geoip @geoip_type @geoip_location; <%- end -%> -}; +} \ No newline at end of file From 846ce4cd080d48b19900991fb5b921da90bc31c5 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Mon, 8 Jul 2019 13:35:28 +0100 Subject: [PATCH 17/28] variable wrapping --- templates/acl.erb | 6 +++--- templates/named.conf.erb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/acl.erb b/templates/acl.erb index fc9002b..1eb0aa6 100644 --- a/templates/acl.erb +++ b/templates/acl.erb 
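Review bot: `geoip_type` and `geoip_location` are emitted into the ACL with no validation of the type against the fields named understands for `geoip` (for example `country`, `region`, `city`), and acl.pp documents neither parameter, so the only hint at the accepted values is the `city` special case in the template. A `member()` guard on `$geoip_type` in acl.pp plus a comment listing the fields the module intends to support would fail early in Puppet instead of in named. The template quotes the location only for `city`; if named accepts a quoted string for every field, which I believe it does, quoting unconditionally with `geoip <%= @geoip_type %> "<%= @geoip_location %>";` removes the branch and also copes with location names containing spaces. The missing ERB interpolation on both `geoip` lines and the `else if` are fixed by patches 17 and 18.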
@@ -4,8 +4,8 @@ acl <%= @name %> { <%= address %>; <%- end -%> <%- if @geoip_type and @geoip_location and @geoip_type == 'city' -%> - geoip @geoip_type "@geoip_location"; + geoip <%= @geoip_type %> "<%= @geoip_location %>"; <%- else if @geoip_type and @geoip_location -%> - geoip @geoip_type @geoip_location; + geoip <%= @geoip_type %> <%= @geoip_location %>; <%- end -%> -} \ No newline at end of file +}; \ No newline at end of file diff --git a/templates/named.conf.erb b/templates/named.conf.erb index ff31f85..3c43399 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -55,7 +55,7 @@ options { check-names <%= @check_names_type %> <%= @check_names_handling %>; <%- end -%> <%- if @geoip_directory and @geoip_directory != '' -%> - geoip-directory "@geoip_directory"; + geoip-directory "<%= @geoip_directory %>"; <%- end -%> }; <%- if @include_local -%> From b59f0dc06e0adc8633e7715fe3cd39e9dce97a36 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Mon, 8 Jul 2019 14:29:28 +0100 Subject: [PATCH 18/28] change else if to elsif --- templates/acl.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/acl.erb b/templates/acl.erb index 1eb0aa6..0fb23fc 100644 --- a/templates/acl.erb +++ b/templates/acl.erb @@ -5,7 +5,7 @@ acl <%= @name %> { <%- end -%> <%- if @geoip_type and @geoip_location and @geoip_type == 'city' -%> geoip <%= @geoip_type %> "<%= @geoip_location %>"; -<%- else if @geoip_type and @geoip_location -%> +<%- elsif @geoip_type and @geoip_location -%> geoip <%= @geoip_type %> <%= @geoip_location %>; <%- end -%> -}; \ No newline at end of file +}; From 8bdff4be9da4eda41dd03e36dc485a85d3b4d5cd Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Fri, 12 Jul 2019 14:58:31 +0100 Subject: [PATCH 19/28] Allow us to disable deploying a cache file --- manifests/zone.pp | 1 + templates/zone.conf.erb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/zone.pp b/manifests/zone.pp index ff3c138..4d897d5 100644 
--- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -22,6 +22,7 @@ $forwarders_port = 53, $transfer_format = '', $check_names = '', + $deploy_file = true, ) { # where there is a zone, there is a server include ::bind diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index e9dc9d2..bd36b33 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -10,7 +10,7 @@ zone "<%= @_domain %>" { key-directory "<%= @cachedir %>/<%= @name %>"; <%- end -%> file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>.signed"; -<%- elsif %w(init managed allowed).include? @zone_file_mode -%> +<%- elsif %w(init managed allowed).include? @zone_file_mode and @deploy_file -%> <%- if @source and @source != '' -%> file "<%= @source %>"; <%- else -%> From b2edf9f3b0b409603e92c0175f3e21e82ddfeed7 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Tue, 16 Jul 2019 10:07:04 +0100 Subject: [PATCH 20/28] Allow specifying of in-view to allow zone duplicating across views --- manifests/zone.pp | 1 + templates/zone.conf.erb | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/manifests/zone.pp b/manifests/zone.pp index 4d897d5..cc11ebe 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -23,6 +23,7 @@ $transfer_format = '', $check_names = '', $deploy_file = true, + $in_view = undef, ) { # where there is a zone, there is a server include ::bind diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index bd36b33..1f844ad 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -1,6 +1,9 @@ # This file managed by puppet - changes will be lost zone "<%= @_domain %>" { +<%- if @in_view and @in_view != '' -%> + in-view "<%= @in_view %>"; +<%- else -%> type <%= @zone_type %>; <%- if @dnssec -%> auto-dnssec maintain; @@ -90,4 +93,5 @@ zone "<%= @_domain %>" { <%- if @check_names and @check_names != ''-%> check-names <%= @check_names %>; <%- end -%> +<%- end -%> }; From adfcc8c2cc6b140e39a5be673097c0d273045e6a Mon Sep 17 00:00:00 2001 
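Review bot: With `$deploy_file = false` the template emits no `file` statement at all for an `init`/`managed`/`allowed` zone, and as far as I know named-checkconf rejects a master zone without one, so the new flag can produce a config that the checkconf exec then refuses; nothing in zone.pp says which zone types the flag is meant for. A guard next to the existing `$source` checks, e.g. `if !$deploy_file and $zone_type == 'master' { fail('deploy_file may only be disabled for non-master zones') }`, together with `validate_bool($deploy_file)`, would make the contract explicit. The intended use (presumably slave or forward zones that need no local file) deserves a comment on the parameter.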
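Review bot: `in-view` refers to a zone that must already be defined in an earlier view of named.conf, and nothing in this hunk or in zone.pp records that ordering requirement, so a zone declared with `$in_view` only fails at named-checkconf time if the views are included in the wrong order. A comment on the new parameter, `# name of a previously defined view that already carries this zone; that view must precede the including view in named.conf`, captures the constraint where the user sets it. The view name is also interpolated into a quoted string without validation; a `validate_re($in_view, '^[A-Za-z0-9_.-]+$')` (constructed pattern, adjust to the module's view naming) when it is set keeps `"` and `;` out of the generated file. When `in-view` is used every other zone option is ignored by design, but if zone.pp's zone-file deployment outside this hunk still runs for such a zone, the parameter comment should say whether that is intended.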
From: Carl Garner Date: Tue, 16 Jul 2019 10:07:04 +0100 Subject: [PATCH 21/28] Allow passing an array into the ACL definition --- manifests/zone.pp | 1 + templates/acl.erb | 6 ++++++ templates/zone.conf.erb | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/manifests/zone.pp b/manifests/zone.pp index 4d897d5..cc11ebe 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -23,6 +23,7 @@ $transfer_format = '', $check_names = '', $deploy_file = true, + $in_view = undef, ) { # where there is a zone, there is a server include ::bind diff --git a/templates/acl.erb b/templates/acl.erb index 0fb23fc..13912bc 100644 --- a/templates/acl.erb +++ b/templates/acl.erb @@ -6,6 +6,12 @@ acl <%= @name %> { <%- if @geoip_type and @geoip_location and @geoip_type == 'city' -%> geoip <%= @geoip_type %> "<%= @geoip_location %>"; <%- elsif @geoip_type and @geoip_location -%> + <%- if @geoip_location.is_a?(Array) -%> + <%- Array(@geoip_location).each do |geo_loc| -%> + geoip <%= @geoip_type %> <%= geo_loc %>; + <%- end %-> + <%- else -%> geoip <%= @geoip_type %> <%= @geoip_location %>; + <%- end -%> <%- end -%> }; diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index bd36b33..1f844ad 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -1,6 +1,9 @@ # This file managed by puppet - changes will be lost zone "<%= @_domain %>" { +<%- if @in_view and @in_view != '' -%> + in-view "<%= @in_view %>"; +<%- else -%> type <%= @zone_type %>; <%- if @dnssec -%> auto-dnssec maintain; @@ -90,4 +93,5 @@ zone "<%= @_domain %>" { <%- if @check_names and @check_names != ''-%> check-names <%= @check_names %>; <%- end -%> +<%- end -%> }; From e11c99c1326f4eae0f63b2719bf007455265b1e1 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Wed, 17 Jul 2019 12:25:02 +0100 Subject: [PATCH 22/28] What sort of language doesn't have else? --- templates/acl.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
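Review bot: This patch re-carries patch 20's zone.pp and zone.conf.erb hunks unchanged (same `index 4d897d5..cc11ebe` and `index bd36b33..1f844ad` lines), so applying the series in order either fails on or double-applies the `in_view` change on those two files; the acl.erb hunk is the only new content and the commit message describes only that. In acl.erb, `Array(@geoip_location)` already turns a scalar into a one-element array, so the `is_a?(Array)` branch, the `else` branch, and patches 22 and 23 that fight over its closing tags are unnecessary: a single loop, `<%- Array(@geoip_location).each do |geo_loc| -%>` / `geoip <%= @geoip_type %> <%= geo_loc %>;` / `<%- end -%>`, covers both cases. The `<%- end %->` on the new array branch is also a typo (`%->` is not a closing tag), which patch 23 fixes.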
diff --git a/templates/acl.erb b/templates/acl.erb
index 13912bc..68e2403 100644
--- a/templates/acl.erb
+++ b/templates/acl.erb
@@ -10,7 +10,8 @@ acl <%= @name %> {
 <%- Array(@geoip_location).each do |geo_loc| -%>
 geoip <%= @geoip_type %> <%= geo_loc %>;
 <%- end %->
- <%- else -%>
+ <%- end -%>
+ <%- if @geoip_location.is_a?(String) -%>
 geoip <%= @geoip_type %> <%= @geoip_location %>;
 <%- end -%>
 <%- end -%>
From f32a43768a2e0d033db4f4e7129eb2602540ef71 Mon Sep 17 00:00:00 2001
From: Carl Garner
Date: Wed, 17 Jul 2019 12:41:47 +0100
Subject: [PATCH 23/28] inverted close
---
 templates/acl.erb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/templates/acl.erb b/templates/acl.erb
index 68e2403..44ef74c 100644
--- a/templates/acl.erb
+++ b/templates/acl.erb
@@ -9,9 +9,8 @@ acl <%= @name %> {
 <%- if @geoip_location.is_a?(Array) -%>
 <%- Array(@geoip_location).each do |geo_loc| -%>
 geoip <%= @geoip_type %> <%= geo_loc %>;
- <%- end %->
- <%- end -%>
- <%- if @geoip_location.is_a?(String) -%>
+ <%- end -%>
+ <%- else -%>
 geoip <%= @geoip_type %> <%= @geoip_location %>;
 <%- end -%>
 <%- end -%>
From 7a6d900319dceaa85f80258d0102d66934a59ff4 Mon Sep 17 00:00:00 2001
From: Carl Garner
Date: Wed, 17 Jul 2019 14:18:53 +0100
Subject: [PATCH 24/28] Updates to improve geo capabilities
---
 manifests/init.pp | 33 ++++++++++++++++++---------------
 manifests/view.pp | 1 +
 manifests/zone.pp | 28 ++++++++++++++++++++--------
 templates/view.erb | 3 +++
 4 files changed, 42 insertions(+), 23 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 908bedc..229cc26 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -66,21 +66,24 @@ include => false, } - file { '/usr/local/bin/rndc-helper': - ensure => present, - owner => 'root', - group => 'root', - mode => '0755', - content => template('bind/rndc-helper.erb'), - } - - file { "${::bind::defaults::confdir}/zones": - ensure => directory, - mode => '2755', - } - - file { $::bind::defaults::namedconf: - content => template('bind/named.conf.erb'), + file { + '/usr/local/bin/rndc-helper': + ensure => present, + owner => 'root', + group => 'root', + mode => '0755', + content => template('bind/rndc-helper.erb'), + ; + "${::bind::defaults::confdir}/zones": + ensure => directory, + mode => '2755', + ; + "${::bind::defaults::confdir}/zones/geo": + ensure => directory, + mode => '2755', + ; + $::bind::defaults::namedconf: + content => template('bind/named.conf.erb'), } if $include_default_zones and $::bind::defaults::default_zones_source { diff --git a/manifests/view.pp b/manifests/view.pp index 9ac4bdc..4a4e57f 100644 --- a/manifests/view.pp +++ b/manifests/view.pp @@ -22,6 +22,7 @@ $transfer_format = '', $check_names_type = '', #master, slave or response $check_names_handling = '', #warn, fail or ignore + $geo_zones = [], ) { $confdir = $::bind::confdir $default_zones_include = $::bind::default_zones_include diff --git a/manifests/zone.pp b/manifests/zone.pp index cc11ebe..db7fdb7 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp 
@@ -157,14 +157,26 @@ } } - file { "${::bind::confdir}/zones/${name}.conf": - ensure => present, - owner => 'root', - group => $bind_group, - mode => '0644', - content => template('bind/zone.conf.erb'), - notify => Exec['bind-config-test'], - require => Package['bind'], + if $in_view != undef { + file { "${::bind::confdir}/zones/geo/${name}.conf": + ensure => present, + owner => 'root', + group => $bind_group, + mode => '0644', + content => template('bind/zone.conf.erb'), + notify => Exec['bind-config-test'], + require => Package['bind'], + } + } else { + file { "${::bind::confdir}/zones/${name}.conf": + ensure => present, + owner => 'root', + group => $bind_group, + mode => '0644', + content => template('bind/zone.conf.erb'), + notify => Exec['bind-config-test'], + require => Package['bind'], + } } concat::fragment { "bind-zone-mapping-${name}": diff --git a/templates/view.erb b/templates/view.erb index b474742..04fc2c8 100644 --- a/templates/view.erb +++ b/templates/view.erb @@ -108,4 +108,7 @@ view "<%= @name %>" { <%- Array(@zones).each do |zone| -%> include "<%= @confdir %>/zones/<%= zone %>.conf"; <%- end -%> +<%- Array(@geo_zones).each do |geo_zone| -%> + include "<%= @confdir %>/zones/geo/<%= geo_zone %>.conf"; +<%- end -%> }; From b2b788a1a89a89dabfdc879194f7a8acdbbaf990 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Wed, 17 Jul 2019 15:22:41 +0100 Subject: [PATCH 25/28] Try directory cleaning Better geo management --- manifests/init.pp | 4 ++++ manifests/zone.pp | 6 +++--- templates/zone.conf.erb | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 229cc26..f5e50ca 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
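Review bot: The two `file` resources in this hunk are identical except for the path, so every future attribute change (mode, notify, require) has to be made twice; computing the path once and declaring a single resource keeps them from drifting. The branch condition is the only thing that differs, so the rewrite below carries over unchanged to the later patches in this series that switch the test to `$in_view != ''`. Note the geo path is built from the resource title `${name}`, which is what the view template includes, so keep that rather than `$_domain` here. The surrounding `bind::zone` define starts and ends outside this hunk.
```puppet
  # zones declared with in_view are written under zones/geo so a view can
  # include them separately from the regular zone list (see view.erb)
  if $in_view != undef {
    $zone_conf = "${::bind::confdir}/zones/geo/${name}.conf"
  } else {
    $zone_conf = "${::bind::confdir}/zones/${name}.conf"
  }

  file { $zone_conf:
    ensure  => present,
    owner   => 'root',
    group   => $bind_group,
    mode    => '0644',
    content => template('bind/zone.conf.erb'),
    notify  => Exec['bind-config-test'],
    require => Package['bind'],
  }
```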
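Review bot: `geo_zones` is undocumented, and its entries have to be `bind::zone` resource titles rather than domain names, because the include path is built from `<%= geo_zone %>` while zone.pp writes the file as `zones/geo/${name}.conf` from the resource title. A comment on the parameter in view.pp would prevent the obvious mistake: `# titles of bind::zone resources declared with in_view; included from zones/geo/`. It is also worth stating that a zone listed here must itself be declared with `in_view` set, otherwise its conf lands in `zones/` and the include fails at config-test time. The `view` block starts before this hunk.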
@@ -77,10 +77,14 @@ "${::bind::defaults::confdir}/zones": ensure => directory, mode => '2755', + purge => true, + force => true, ; "${::bind::defaults::confdir}/zones/geo": ensure => directory, mode => '2755', + purge => true, + force => true, ; $::bind::defaults::namedconf: content => template('bind/named.conf.erb'), diff --git a/manifests/zone.pp b/manifests/zone.pp index db7fdb7..f9422b9 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -23,7 +23,7 @@ $transfer_format = '', $check_names = '', $deploy_file = true, - $in_view = undef, + $in_view = '', ) { # where there is a zone, there is a server include ::bind @@ -157,8 +157,8 @@ } } - if $in_view != undef { - file { "${::bind::confdir}/zones/geo/${name}.conf": + if $in_view != '' { + file { "${::bind::confdir}/zones/geo/${_domain}.conf": ensure => present, owner => 'root', group => $bind_group, diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index 1f844ad..e426542 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -1,7 +1,7 @@ # This file managed by puppet - changes will be lost zone "<%= @_domain %>" { -<%- if @in_view and @in_view != '' -%> +<%- if @in_view != '' -%> in-view "<%= @in_view %>"; <%- else -%> type <%= @zone_type %>; From 9e592c4dde560d048f2f18a18f5c06dd590470c6 Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Thu, 18 Jul 2019 12:06:05 +0100 Subject: [PATCH 26/28] revert to namevar --- manifests/zone.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/zone.pp b/manifests/zone.pp index f9422b9..7e20b60 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -158,7 +158,7 @@ } if $in_view != '' { - file { "${::bind::confdir}/zones/geo/${_domain}.conf": + file { "${::bind::confdir}/zones/geo/${name}.conf": ensure => present, owner => 'root', group => $bind_group, From ebeeb5076ba8018d0dac811034ba46832ffa5597 Mon Sep 17 00:00:00 2001 
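Review bot: `purge => true` on the `zones` and `zones/geo` directories has no effect without `recurse => true`; Puppet's file type only purges unmanaged children when recursion is enabled, so this hunk does not achieve the directory cleaning the commit title describes. Adding `recurse => true,` to both resources makes the purge real, but then every file under these directories that is not in the catalog is deleted on each run — the per-zone `.conf` files written by `bind::zone` are managed, but anything else kept there (zone data files, hand-placed includes) would go, so confirm what lives under `zones/` before enabling it. With `force => true` unmanaged subdirectories are removed as well, and recursion also applies the directory `mode` to unmanaged children, so check the resulting permissions. The `file` resource list starts outside this hunk.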
From: Carl Garner Date: Wed, 25 Mar 2020 20:12:20 +0000 Subject: [PATCH 27/28] change dnssec-lookaside from auto to no to prevent issues --- metadata.json | 2 +- templates/named.conf.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/metadata.json b/metadata.json index 8c8e9c1..a43b7bf 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "inkblot-bind", - "version": "7.4.0", + "version": "7.4.0-a", "author": "inkblot", "license": "Apache-2.0", "summary": "ISC BIND name server", diff --git a/templates/named.conf.erb b/templates/named.conf.erb index 3c43399..799102a 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -34,7 +34,7 @@ options { <%- end -%> <%- if @dnssec -%> dnssec-validation yes; - dnssec-lookaside auto; + dnssec-lookaside no; <%- if @isc_bind_keys -%> bindkeys-file "<%= @isc_bind_keys %>"; <%- end -%> From aa79d42607280715ce05ec2d014da91891612fcc Mon Sep 17 00:00:00 2001 From: Carl Garner Date: Wed, 25 Mar 2020 20:21:02 +0000 Subject: [PATCH 28/28] remove the dnssec-lookaside option to future proof --- templates/named.conf.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/named.conf.erb b/templates/named.conf.erb index 799102a..fd44098 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -34,7 +34,6 @@ options { <%- end -%> <%- if @dnssec -%> dnssec-validation yes; - dnssec-lookaside no; <%- if @isc_bind_keys -%> bindkeys-file "<%= @isc_bind_keys %>"; <%- end -%>
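Review bot: After this change `dnssec-validation yes;` stands on its own, and in BIND that mode enables validation without any built-in trust anchor — a `trust-anchors`/`managed-keys` statement has to be supplied, while the `bindkeys-file` that follows is only consulted under `dnssec-validation auto` (and the lookaside mode being switched off here). Unless the template configures a trust anchor outside this hunk, the resolver will not validate anything, or on some versions will refuse the configuration; confirm which applies to your BIND release. The usual fix is `dnssec-validation auto;`, which uses the root key shipped with named and makes the `bindkeys-file` block meaningful again. Dropping `dnssec-lookaside` altogether, as the following patch does, is right since DLV was decommissioned and the option has since been removed, but the validation-mode question remains. The `options {` block continues outside this hunk.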