Bind configuration

network.yml

@@ -42,6 +42,7 @@
     bind:
       master: false
       master_ip: 10.231.136.118
+      dnssec: false
       zones:
         - crans.org
         - crans.eu

roles/bind-authoritative/tasks/main.yml

@@ -9,11 +9,15 @@
 
 - name: Deploy Bind9 configuration
   template:
-    src: bind/named.conf.local
+    src: bind/{{ item }}.j2
-    dest: /etc/bind/named.conf.local
+    dest: /etc/bind/{{ item }}
     mode: 0644
     owner: root
     group: bind
+  loop:
+    - named.conf
+    - named.conf.local
+    - named.conf.options
 
 - name: Reload Bind9
   systemd:

roles/bind-authoritative/templates/bind/named.conf.j2

@@ -0,0 +1,16 @@
+{{ ansible_header | comment(decoration='// ') }}
+
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+{% if bind.dnssec %}
+include "/etc/bind/bind.keys";
+{% endif %}
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";

roles/bind-authoritative/templates/bind/named.conf.options.j2

@@ -0,0 +1,58 @@
+{{ ansible_header | comment(decoration='// ') }}
+
+// Listes d'acces
+acl "isolement" { 10.52.0.0/16; };
+acl "accueil" { 10.51.0.0/16; };
+acl "switches" { 10.231.100.0/24; };
+acl "event" { 10.231.137.0/24; 2a0c:700:0:10::/64; };
+acl "fil-new" { 10.54.1.0/24; 10.54.2.0/23; 10.54.4.0/22; 10.54.8.0/21; 10.54.16.0/21; 10.54.24.0/23; 10.54.0.0/24; 2a0c:700:0:21::/64; };
+acl "wifi-new" { 10.53.1.0/24; 10.53.2.0/23; 10.53.4.0/22; 10.53.8.0/21; 10.53.16.0/22; 10.53.20.0/24; 10.53.0.0/24; 10.53.21.0/24; 10.53.22.0/23; 10.53.24.0/23; 2a0c:700:0:22::/64; };
+acl "crans" { 2a0c:700:0:1::/64; 138.231.137.0/24; 138.231.138.0/23; 138.231.140.0/22; 185.230.77.0/24; 2a0c:700:0:21::/64; 2a0c:700:0:23::/64; 185.230.78.0/24; 185.230.76.0/24; 2a0c:700:0:22::/64; 138.231.136.0/24; };
+acl "cransadm" { 2a0c:700:0:2::/64; 10.231.136.0/24; };
+acl "bornes" { fd01:240:fe3d:3::/64; 10.231.148.0/24; };
+options {
+    directory "/var/cache/bind";
+
+    // If there is a firewall between you and nameservers you want
+    // to talk to, you may need to fix the firewall to allow multiple
+    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+    // If your ISP provided one or more IP addresses for stable
+    // nameservers, you probably want to use them as forwarders.
+    // Uncomment the following block, and insert the addresses replacing
+    // the all-0's placeholder.
+
+    // forwarders {
+    // 	0.0.0.0;
+    // };
+
+    //========================================================================
+    // If BIND logs error messages about the root key being expired,
+    // you will need to update your keys.  See https://www.isc.org/bind-keys
+    //========================================================================
+
+
+    allow-query-cache { 127.0.0.1; crans; cransadm; bornes; };
+    allow-recursion { 127.0.0.1; crans; cransadm; bornes; };
+    notify no;
+    allow-transfer { "none"; };
+    recursive-clients 5000;
+    allow-query { any; };
+    auth-nxdomain no; # conform to RFC1035
+
+    listen-on { any; };
+    listen-on-v6 { any; };
+
+    dnssec-enable no;
+    dnssec-validation no;
+};
+logging{
+    // Remove "REFUSED unexpected RCODE resolving" from the logfile
+    category lame-servers { null; };
+};
+// to allow for rndc flush
+include "/etc/bind/rndc.key";
+
+controls {
+    inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
+};