From ac79e09f57e5a007fd1be55e6121a885172d79f6 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 27 Apr 2020 14:32:32 +0200 Subject: [PATCH] [bind] factorize allow-transfer and notify --- .../templates/bind/named.conf.local.j2 | 69 ++++++------------- .../templates/bind/named.conf.options.j2 | 26 ++++++- 2 files changed, 44 insertions(+), 51 deletions(-) diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2 index 41c26b7a..c5c2b89b 100644 --- a/roles/bind-authoritative/templates/bind/named.conf.local.j2 +++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2 
@@ -14,66 +14,48 @@ key "certbot_challenge." {
 
 // Let's Encrypt Challenge DNS-01 zone
 zone "_acme-challenge.crans.org" {
- {% if is_master -%}
+{% if is_master %}
 type master;
- allow-transfer {
- {% for ip in slaves_ipv4 -%}
- {{ ip }};
- {% endfor -%}
- {% for ip in slaves_ipv6 -%}
- {{ ip }};
- {% endfor -%}
- };
 notify yes;
 update-policy {
 grant certbot_challenge. name _acme-challenge.crans.org. txt;
 };
- {% else -%}
+{% else %}
 type slave;
 masters {
- {% for ip in masters_ipv4 -%}
+{% for ip in masters_ipv4 %}
 {{ ip }};
- {% endfor -%}
- {% for ip in masters_ipv6 -%}
+{% endfor -%}
+{% for ip in masters_ipv6 %}
 {{ ip }};
- {% endfor -%}
+{% endfor %}
 };
- allow-transfer { "none"; };
 notify no;
- {% endif -%}
+{% endif %}
 file "bak._acme-challenge.crans.org";
 };
 
 // Crans zones
 {% for zone in bind.zones|sort %}
 zone "{{ zone }}" {
- {% if is_master -%}
+{% if is_master %}
 type master;
 // Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated
 file "generated/dns.{{ zone }}.zone";
- allow-transfer {
- {% for ip in slaves_ipv4 -%}
- {{ ip }};
- {% endfor -%}
- {% for ip in slaves_ipv6 -%}
- {{ ip }};
- {% endfor -%}
- };
 notify yes;
- {% else -%}
+{% else %}
 type slave;
 file "bak.{{ zone }}";
 masters {
- {% for ip in masters_ipv4 -%}
+{% for ip in masters_ipv4 %}
 {{ ip }};
- {% endfor -%}
- {% for ip in masters_ipv6 -%}
+{% endfor %}
+{% for ip in masters_ipv6 %}
 {{ ip }};
- {% endfor -%}
+{% endfor %}
 };
- allow-transfer { "none"; };
 notify no;
-{% endif -%}
+{% endif %}
 };
 {% endfor %}
 
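Review bot: The secondary branch of the `_acme-challenge.crans.org` zone no longer carries `allow-transfer { "none"; };` (the same holds for the Crans zones below and for the reverse zones in the next hunk), so whether a secondary refuses AXFR now rests entirely on the `{% else %}` branch of named.conf.options.j2, which a reader of this template cannot see. A one-line comment in each slave branch, `// allow-transfer is set globally in named.conf.options`, would make that cross-file dependency explicit. As a point of style, the rewritten `{% endfor -%}` after the `masters_ipv4` loop of the `_acme-challenge` zone keeps the whitespace-stripping `-%}` while every other rewritten tag in this hunk and in the reverse-zones hunk uses plain `{% endfor %}`; using `{% endfor %}` there too would keep the three zone blocks identical.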
@@ -81,33 +63,24 @@ zone "{{ zone }}" {
 // Crans reverse zones
 {% for zone in bind.reverse %}
 zone "{{ zone }}" {
- {% if is_master -%}
+{% if is_master %}
 type master;
 // Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated
 file "generated/dns.{{ zone }}.zone";
- allow-transfer {
- {% for ip in slaves_ipv4 -%}
- {{ ip }};
- {% endfor -%}
- {% for ip in slaves_ipv6 -%}
- {{ ip }};
- {% endfor -%}
- };
 notify yes;
- {% else -%}
+{% else %}
 type slave;
 file "bak.{{ zone }}";
 masters {
- {% for ip in masters_ipv4 -%}
+{% for ip in masters_ipv4 %}
 {{ ip }};
- {% endfor -%}
- {% for ip in masters_ipv6 -%}
+{% endfor %}
+{% for ip in masters_ipv6 %}
 {{ ip }};
- {% endfor -%}
+{% endfor %}
 };
- allow-transfer { "none"; };
 notify no;
-{% endif -%}
+{% endif %}
 };
 {% endfor %}
 
diff --git a/roles/bind-authoritative/templates/bind/named.conf.options.j2 b/roles/bind-authoritative/templates/bind/named.conf.options.j2
index 8ebc5935..90f9eddb 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.options.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.options.j2
@@ -27,9 +27,29 @@ options {
 // Disable recursion on authoritative DNS server
 recursion no;
 
- // Disallow zone transfert by default
- allow-transfer { none; };
-
 // Hide version from clients
 version "not currently available";
+
+{% if is_master %}
+ allow-transfer {
+{% for ip in slaves_ipv4 %}
+ {{ ip }};
+{% endfor %}
+{% for ip in slaves_ipv6 %}
+ {{ ip }};
+{% endfor %}
+ };
+
+ also-notify {
+{% for ip in slaves_ipv4 %}
+ {{ ip }};
+{% endfor %}
+{% for ip in slaves_ipv6 %}
+ {{ ip }};
+{% endfor %}
+ };
+{% else %}
+ // Disallow zone transfert by default
+ allow-transfer { none; };
+{% endif %}
 };
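Review bot: Placing `allow-transfer` inside `options` makes the secondary list the default for every zone this server loads, not only the zones rendered by named.conf.local.j2, so on a master any zone declared elsewhere (for instance a default-zones include, if this config has one) becomes transferable to the secondaries too, whereas before the global default was `none` and each zone opted in; a per-zone `allow-transfer` still overrides the global one, so that is the place to narrow it if such zones exist. When both `slaves_ipv4` and `slaves_ipv6` are empty the master renders `allow-transfer { };` and `also-notify { };`, which BIND accepts as an empty match list (nothing matches), so no transfer is opened by accident, but that is worth stating. Both lists restrict by source address only; since this config already defines a TSIG key for dynamic updates, additionally requiring a key in `allow-transfer` would be the stronger control. A comment above the new `{% if is_master %}`, such as `// Zone transfers and NOTIFY go only to the secondaries in slaves_ipv4/slaves_ipv6; a per-zone allow-transfer overrides this`, would document the contract, and the moved comment still reads `transfert` for `transfer`.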