roles/named: Implement response policy zones

BIND response policy zones (RPZ) support provides a mechanism for
overriding the responses to DNS queries based on a wide range of
criteria.  In the simplest form, a response policy zone can be used to
provide different responses to different clients, or "block" some DNS
names.

For the Pyrocufflink and related networks, I plan to use an RPZ to
implement ad/tracker blocking.  The goal will be to generate an RPZ
definition from a collection of host lists (e.g. those used by uBlock
Origin) periodically.

This commit introduces basic support for RPZ configuration in the
*named* role.  It can be activated by providing a list of "response
policy" definitions (e.g. `zone "name"`) in the `named_response_policy`
variable, and defining the corresponding zones in `named_zones`.
2020-09-04 20:47:48 -05:00
parent 44404950c1
commit 84313601ef
4 changed files with 16 additions and 2 deletions


@@ -35,7 +35,7 @@
- name: ensure zone files exist
template:
src: zone.j2
dest: /var/named/dynamic/{{ item.zone }}.zone
dest: /var/named/{{ item.zone_file|d('dynamic/' + item.zone + '.zone') }}
mode: '0640'
owner: root
group: named
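Review bot: the new per-item `zone_file` key introduced in the `dest` line is not mentioned in the commit message, and its value is joined directly onto `/var/named/` without validation, so a `zone_file` containing `..` would render the zone template outside the zone directory (while still receiving the root:named 0640 ownership shown here); consider documenting that `zone_file` is a path relative to `/var/named` (defaulting to `dynamic/<zone>.zone`, which is what the previous hard-coded `dest` produced) and, if the role is meant to be safe against stray inventory values, asserting that it contains no `..` components before the `template` task runs.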