bind9 ===== A feature-complete ansible role for installing and configuring bind9. The purpose of this role is to fully template out the entire official bind9 configuration file format. What the role does: - Fully configures named.conf - Checks that the config is valid - Loads the config into bind What the role does not do: - Manage your zones and records - Maintain every aspect of bind (rndc config, etc) - Auto-generate and manage your secrets Bugs ---- Or, as I call them "happy accidents". * If you need a variable to be 0 or null, you need to define it as `var: '0'` or `var: 'null'`, otherwise jinja will assume you want it to be empty/null. Normal integers would be defined as `var: 1`, letting jinja type it as an integer. * If a named configuration option has the name 'key' or 'keys', it will be referenced as 'keyname' or 'keylist' respectively. key/keys are reserved values in most languages. Role Variables -------------- bind configuration is set through the various bind9_*_config parameters. These are, in order of precedence: 1. bind9_default_config 2. bind9_group_config 3. bind9_leaf_config 4. bind9_host_config All these configuration parameters are merged in a way where each successing config supercedes the previous one at a config-file level. To illustrate: ``` bind9_default_config: - name: named.conf.options options: recursion: true bind9_group_config: - name: named.conf.options options: recursion: false notify: primary-only - name: named.conf.local zone: - name: "." type: mirror bind9_leaf_config: - name: named.conf.local zone: - name: "." type: hint file: /etc/share/dns/root.hints ``` The resulting precedence and overwriting of variables will result in the following bind9_config passed to the configuration generator: ``` bind9_config: - name: named.conf.options options: recursion: false - name: named.conf.local zone: - name: "." type: hint file: /etc/share/dns/root.hints ``` The `named.conf.options` block in `bind9_default_config` got completely overwritten by the `bind9_group_config`, and the `bind9_leaf_config` completely overwrote `named.conf.local`, however, `named.conf.options` was left intact after merging with `bind9_leaf_config`. Dependencies ------------ A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. Example Playbook ---------------- Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - hosts: servers roles: - { role: username.rolename, x: 42 } License ------- BSD Author Information ------------------ An optional section for the role authors to include contact information, or a website (HTML is not allowed). ``` options: forwarders: - 1.1.1.1 - 1.0.0.1 fetches_per_server: 200 fail prefetch: 4 10 version: none hostname: l33t.h4x0r avoid_v4_udp_ports: - "range 5132 5232" - "range 1337 31337" servfail_ttl: 0 allow_notify: - 10.0.0.0/8 allow_query: - "!10.0.2.1" - 0/0 blackhole: - 192.168.0.0/16 allow_recursion: [] empty_server: "empty.server.string" dns64_server: "server.name" dns64_contact: "dak.keepit.com" directory: "{{ bind9_cachedir }}" key_directory: "{{ bind9_cachedir }}/keys" statistics_file: "{{ bind9_cachedir }}/named.stats" rrset_order: - type: A name: foo.isc.org order: random - type: AAAA name: foo.isc.org order: cyclic - name: bar.isc.org order: random - name: "*.bar.isc.org" order: random - name: "*.baz.isc.org" order: cyclic response_policy: zones: - zone: smorg.bop max_policy_ttl: 30S min_update_interval: 30S policy: disabled add_soa: true log: true recursive_only: false nsip_enable: true nsdname_enable: true max_policy_ttl: 30S min_update_interval: 30S min_ns_dots: 2 add_soa: false break_dnssec: false nsip_wait_recurse: true nsdname_wait_recurse: true qname_wait_recurse: true recursive_only: true nsip_enable: true nsdname_enable: true dnsrps_enable: false dnsrps_options: - simple - item - list response_padding: block_size: 4096 addresses: - 0/0 rate_limit: all_per_second: 0 errors_per_second: 0 responses_per_second: 0 referrals_per_second: 0 nodata_per_second: 0 nxdomains_per_second: 0 ipv4_prefix_length: 24 ipv6_prefix_length: 54 max_table_size: 20000 min_table_size: 500 qps_scale: 250 slip: 2 window: 15 log_only: true exempt_clients: - 192.168.0.1 - 10.20.30.40 query_source_v6: address: "*" port: "*" dscp: 42 parental_source_v6: address: "*" port: "*" dscp: 42 notify_source_v6: address: "*" notify_source: address: "*" listen_on: - port: 53 addresses: - 0.0.0.0 - port: 5353 dscp: 42 addresses: - 0.0.0.0 - 127.0.0.1 listen_on_v6: - port: 5353 dscp: 42 addresses: - "::" - "de:ad::be:ef" dialup: false minimal_responses: true zone_statistics: full ixfr_from_differences: master dual_stack_servers: port: 4492 addresses: - address: hostname.com port: 4421 dscp: 42 - address: 10.128.128.182 - address: de:ad::be:ef dnstap: - type: auth - type: client log: response - type: resolver log: query dnstap_output: output_type: file output_file: /tmp/dnstap size: 10M versions: 200 suffix: increment - name: named.conf.local acl: localstuff: - 10.0.0.0/8 - 192.168.0.0/16 - 172.16.0.0/12 external: - 185.181.220.77 - "!0.0.0.0/0" controls: - type: inet address: 127.0.0.1 port: 533 allow: - 127.0.0.0/8 - "!127.13.37.1" readonly: false - type: inet address: 10.20.30.40 allow: - 100.0.0.0/8 view: - name: recursive-view match_clients: - localstuff match_destinations: - remote match-recursive-only: true options: transfer_source: address: 0.0.0.0 port: '*' dscp: 42 allow_recursion: - localstuff zones: - name: google.com type: forward forward: only forwarders: - 1.1.1.1 - 1.0.0.1 dnssec_policy: - name: mypolicy keylist: - role: ksk key_directory: true lifetime: unlimited algorithm: rsasha256 keysize: 2048 - role: zsk lifetime: P30D algorithm: 8 - role: csk lifetime: P6MT12H3M15S algorithm: ecdsa256 max_zone_ttl: P4D parent_ds_ttl: P14D nsec3param: iterations: '0' optout: false salt_length: '0' dyndb: - name: sample driver: example.so parameters: - example.nil. arpa. - example2.nil. arpa. http: - name: dohconf endpoints: - /dns-query - /dns - /query listener_clients: 4 streams_per_connection: 1024 keylist: - name: certbot. algorithm: hmac-sha512 secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" - name: certbot2. algorithm: hmac-sha512 secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" logging: categories: - name: default channels: - default_syslog - default_debug - tv2 - dr1 - name: unmatched channels: - tv3 channels: - name: tv2 buffered: true file: name: /var/log/named.log versions: 7 size: 20m suffix: increment print_category: false print_severity: false print_time: iso8601-utc severity: info - name: tv3 'null': true - name: dr1 syslog: daemon - name: kanalkobenhavn stderr: true severity: debug 3 parental_agents: - name: parents port: 53353 dscp: 42 addresses: - address: 10.20.30.40 port: 53 key: certbot. - address: 20.30.40.50 port: 53 - address: 30.40.50.60 key: certbot2. - address: 40.50.60.70 - name: notparents addresses: - address: 10.20.30.40 - address: 30.40.50.60 - address: 40.50.60.70 primaries: - name: parents port: 53353 dscp: 42 addresses: - address: 10.20.30.40 port: 53 key: certbot. - address: 20.30.40.50 port: 53 - address: 30.40.50.60 key: certbot2. - address: 40.50.60.70 - name: notparents addresses: - address: 10.20.30.40 - address: 30.40.50.60 - address: 40.50.60.70 tls: - name: certbot cert_file: /etc/ssl/private/snakeoil.pem key_file: /etc/ssl/private/snakeoil.key dhparam_file: /etc/ssl/dhparam.pem ca_file: /etc/ssl/certs/ca-certificates.crt remote_hostname: yourhostname ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384 protocols: - TLSv1.2 - TLSv1.3 prefer_server_ciphers: true session_tickets: true trust_anchors: - name: . type: initial-key flags: 257 protocol: 3 algorithm: 8 key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" - name: hugs.dk type: static-ds flags: 64335 protocol: 7 algorithm: 2 key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372" server: - prefix: 1.1.1.1 bogus: false edns: true tcp_only: false tcp_keepalive: false edns_version: '0' padding: '0' transfers: '0' keyname: certbot. query_source: address: "*" port: "*" statistics_channels: - address: 0.0.0.0 port: 8080 allow: - 0/0 - name: named.conf.zones backup: false zones: - name: "_acme-challenge.hugs.dk" type: master file: master/_acme-challenge.hugs.dk.zone allow_query: - any dnssec_policy: default inline_signing: true serial_update_method: date update_policy: - permission: grant identity: certbot. ruletype: name name: _acme-challenge.hugs.dk types: txt - name: forward.net type: forward forwarders: port: 53 addresses: - address: 1.1.1.1 port: 53 dscp: 42 - address: 4.2.2.4 port: 53 - name: stub.com type: static-stub allow_query: - any server_addresses: - 1.1.1.1 - 8.8.8.8 zone_statistics: full - name: example.com type: slave allow_query: - 127.0.0.1 - 10.0.0.1 - 128.15.14.13 allow_query_on: - 127.0.0.1 primaries: port: 5522 dscp: 42 addresses: - address: 127.0.0.1 port: 55222 - address: 10.20.30.40 - name: smorg.bop type: slave primaries: addresses: - address: 127.0.0.1 allow_query: - 15.14.13.12 - 10.20.30.40 - 28.25.23.24 - "!10.13.14.15" forwarders: port: 53 dscp: 42 addresses: - address: 127.0.0.1 port: 53 dscp: 42 - address: 10.20.30.40 port: 53 - address: 20.30.40.50 - address: 30.40.50.60 port: 53 allow_transfer: port: 5522 transport: tls addresses: - 192.168.122.1 also_notify: port: 5523 dscp: 42 addresses: - address: 127.0.0.1 port: 5523 - address: 127.0.0.2 auto-dnssec: allow dnskey_sig_validity: 0 dnssec-dnskey-kskonly: true dnssec_loadkeys_interval: 0 file: "string" forward: first inline_signing: true ixfr_from_differences: true masterfile_format: raw masterfile_style: full max_ixfr_ratio: unlimited max_journal_size: default max_records: 0 max_transfer_idle_out: 0 max_transfer_time_out: 0 notify: true notify_delay: '0' notify_to_soa: false parental_agents: port: 44332 dscp: 42 addresses: - address: 127.0.0.1 port: 53 sig_signing_nodes: '0' sig_signing_signatures: '0' sig_signing_type: 65281 zero_no_soa_ttl: true zone_statistics: full ```