dustin
/
configpolicy
1
1
Fork 0
Code Issues Releases Activity

roles/named: Support managing zones 

The *named* role now supports generating configuration for authoritative
DNS zones and DNSSEC keys. Zones are defined by populating the
`named_zones` variable with a list of objects describing the zone. Zone
properties can include:

* `name`: The DNS domain name
* `type`: The zone type, defaults to `master`
* `allow_update`: A list of hosts/networks or DNSSEC key names (which
  must be specified as an object with a `key` property)
* `update_policy`: A list of BIND update policy statements
* `ttl`: The default (minimum) TTL for the zone
* `origin`: The authoritative name server for the zone
* `refresh`, `retry`, `expire`: Record cache timeout values
* `default_records`: A list of default records, defined as objects with
  the following properties:
  * `name`: The RR name
  * `type`: The RR type (default: `A`)
  * `value`: The RR value

Zone files will be created in `/var/named/dynamic`. Existing zone files
will **not** be overwritten; management of zone records is done using
`nsupdate` or similar.
jenkins-master
Dustin 2018-02-20 16:00:55 -06:00
parent 7144701787
commit 0629a063bc
5 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
roles/named/defaults/main.yml
View File

@ -14,3 +14,8 @@ named_dnssec: true
named_dnssec_validation: true named_dnssec_validation: true
named_global_include: [] named_global_include: []
named_options_include: '{{ named_default_options_include }}' named_options_include: '{{ named_default_options_include }}'
named_zones: []
named_default_ttl: 3600
named_default_refresh: 900
named_default_retry: 600
named_default_expire: 86400

20
roles/named/tasks/main.yml
View File

@ -13,6 +13,26 @@
tags: tags:
- install - install
- name: ensure zones are configured
template:
src: named.zones.j2
dest: /etc/named.zones
mode: '0640'
owner: root
group: named
validate: named-checkconf %s
notify: reload named
- name: ensure zone files exist
template:
src: zone.j2
dest: /var/named/dynamic/{{ item.zone }}.zone
mode: '0640'
owner: root
group: named
force: no
with_items: '{{ named_zones }}'
notify: reload named
- name: ensure named is configured - name: ensure named is configured
template: template:
src: named.conf.j2 src: named.conf.j2

1
roles/named/templates/named.conf.j2
View File

@ -65,6 +65,7 @@ zone "." IN {
include "/etc/named.rfc1912.zones"; include "/etc/named.rfc1912.zones";
include "/etc/named.root.key"; include "/etc/named.root.key";
include "/etc/named.zones";
{% for path in named_global_include %} {% for path in named_global_include %}
include "{{ path }}"; include "{{ path }}";
{% endfor %} {% endfor %}

26
roles/named/templates/named.zones.j2 Normal file
View File

@ -0,0 +1,26 @@
// Zone configuration for ISC BIND
{% for zone in named_zones %}
zone "{{ zone.zone }}" {
type {{ zone.type|d('master') }};
file "dynamic/{{ zone.zone }}.zone";
{% if zone.allow_update|d %}
allow-update {
{% for auth in zone.allow_update %}
{% if auth.key is defined %}
key {{ auth.key }};
{% else %}
{{ auth }};
{% endif %}
{% endfor %}
};
{% endif %}
{% if zone.update_policy|d %}
update-policy {
{% for auth in zone.update_policy %}
{{ auth }};
{% endfor %}
};
{% endif %}
};
{% endfor %}

15
roles/named/templates/zone.j2 Normal file
View File

@ -0,0 +1,15 @@
$TTL {{ item.ttl|d(named_default_ttl) }}
@ IN SOA {{ item.origin|d(ansible_fqdn + '.') }} {{ item.contact|d('hostmaster.{}.'.format(item.zone)) }} (
{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}00
{{ item.refresh|d(named_default_refresh) }}
{{ item.retry|d(named_default_retry) }}
{{ item.expire|d(named_default_expire) }}
{{ item.ttl|d(named_default_ttl) }}
)
IN NS {{ item.origin|d(ansible_fqdn + '.') }}
{% if item.default_records is defined %}
{% for rr in item.default_records %}
{{ rr.name }} IN {{ rr.type|d('A') }} {{ rr.value }}
{% endfor %}
{% endif %}