From 3ba546a3091a3cfd509f2cc133b5bc467f9bf55f Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 25 Apr 2020 18:44:25 +0200
Subject: [PATCH] [bind authoritative] Revert to debian conf

---
 .../templates/bind/named.conf.local.j2 | 4 ++
 .../templates/bind/named.conf.options.j2 | 66 +++++--------------
 2 files changed, 21 insertions(+), 49 deletions(-)

diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index 1b002267..09653cd1 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -1,5 +1,9 @@
 {{ ansible_header | comment(decoration='// ') }}
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
 {% if not bind.master %}
 {% for zone in bind.zones %}
 zone "{{ zone }}" {
diff --git a/roles/bind-authoritative/templates/bind/named.conf.options.j2 b/roles/bind-authoritative/templates/bind/named.conf.options.j2
index 7138794d..1b0c09ac 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.options.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.options.j2
@@ -1,58 +1,26 @@
 {{ ansible_header | comment(decoration='// ') }}
-// Listes d'acces
-acl "isolement" { 10.52.0.0/16; };
-acl "accueil" { 10.51.0.0/16; };
-acl "switches" { 10.231.100.0/24; };
-acl "event" { 10.231.137.0/24; 2a0c:700:0:10::/64; };
-acl "fil-new" { 10.54.1.0/24; 10.54.2.0/23; 10.54.4.0/22; 10.54.8.0/21; 10.54.16.0/21; 10.54.24.0/23; 10.54.0.0/24; 2a0c:700:0:21::/64; };
-acl "wifi-new" { 10.53.1.0/24; 10.53.2.0/23; 10.53.4.0/22; 10.53.8.0/21; 10.53.16.0/22; 10.53.20.0/24; 10.53.0.0/24; 10.53.21.0/24; 10.53.22.0/23; 10.53.24.0/23; 2a0c:700:0:22::/64; };
-acl "crans" { 2a0c:700:0:1::/64; 138.231.137.0/24; 138.231.138.0/23; 138.231.140.0/22; 185.230.77.0/24; 2a0c:700:0:21::/64; 2a0c:700:0:23::/64; 185.230.78.0/24; 185.230.76.0/24; 2a0c:700:0:22::/64; 138.231.136.0/24; };
-acl "cransadm" { 2a0c:700:0:2::/64; 10.231.136.0/24; };
-acl "bornes" { fd01:240:fe3d:3::/64; 10.231.148.0/24; };
 options {
- directory "/var/cache/bind";
+ directory "/var/cache/bind";
- // If there is a firewall between you and nameservers you want
- // to talk to, you may need to fix the firewall to allow multiple
- // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
- // If your ISP provided one or more IP addresses for stable
- // nameservers, you probably want to use them as forwarders.
- // Uncomment the following block, and insert the addresses replacing
- // the all-0's placeholder.
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
- // forwarders {
- // 0.0.0.0;
- // };
+ // forwarders {
+ // 0.0.0.0;
+ // };
- //========================================================================
- // If BIND logs error messages about the root key being expired,
- // you will need to update your keys. See https://www.isc.org/bind-keys
- //========================================================================
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
-
- allow-query-cache { 127.0.0.1; crans; cransadm; bornes; };
- allow-recursion { 127.0.0.1; crans; cransadm; bornes; };
- notify no;
- allow-transfer { "none"; };
- recursive-clients 5000;
- allow-query { any; };
- auth-nxdomain no; # conform to RFC1035
-
- listen-on { any; };
- listen-on-v6 { any; };
-
- dnssec-enable no;
- dnssec-validation no;
-};
-logging{
- // Remove "REFUSED unexpected RCODE resolving" from the logfile
- category lame-servers { null; };
-};
-// to allow for rndc flush
-include "/etc/bind/rndc.key";
-
-controls {
- inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
+ listen-on-v6 { any; };
 };
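Review bot: Removing `allow-transfer { "none"; };` in the second half of this hunk leaves zone transfers governed by BIND's built-in default, which in the 9.x releases current for this 2020 change is `any`, so every zone served by the bind-authoritative role becomes dumpable via AXFR by any host that can reach it unless per-zone allow-transfer statements exist in named.conf.local (not visible here). The explicit `allow-recursion` ACL goes away too; the built-in default limits recursion to `localhost` and `localnets`, but for a server whose role is authoritative-only it is cleaner to turn recursion off, which also makes the added `dnssec-validation auto;` effectively a no-op since validation only applies to recursive lookups. I would keep a global `allow-transfer { none; };` in the options block (listing the secondaries' addresses instead for the `bind.master` case) and add `recursion no;` next to the new `listen-on-v6` line.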