From 2e8002153ab14153f71387d01f7b1789e29dec37 Mon Sep 17 00:00:00 2001 From: b4ldr Date: Mon, 16 Mar 2015 13:11:03 +0000 Subject: [PATCH 01/25] add keys support --- manifests/server/conf.pp | 10 ++++++++++ templates/named.conf.erb | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp index 1f11132fc..70988af68 100644 --- a/manifests/server/conf.pp +++ b/manifests/server/conf.pp @@ -54,6 +54,9 @@ # $zones: # Hash of managed zones and their configuration. The key is the zone name # and the value is an array of config lines. Default: empty +# $tsig: +# Hash of managed tsig keys and their configuration. The key is the tsig keys name +# and the value is an array of config lines. Default: empty # $includes: # Array of absolute paths to named.conf include files. Default: empty # @@ -76,6 +79,12 @@ # 'masters { mymasters; }', # ], # } +# keys => { +# 'example.org-tsig' => [ +# 'algorithm hmac-md5', +# 'secret "aaabbbcccddd"', +# ], +# } # } # define bind::server::conf ( @@ -105,6 +114,7 @@ $dnssec_validation = 'yes', $dnssec_lookaside = 'auto', $zones = {}, + $keys = {}, $includes = [], $views = {}, ) { diff --git a/templates/named.conf.erb b/templates/named.conf.erb index bce153ce2..5462d7952 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -11,6 +11,16 @@ acl <%= key %> { <% end -%> }; +<% end -%> +<% end -%> +<% if !@keys.empty? -%> +<% @keys.sort_by {|key, value| key}.each do |key,value| -%> +key "<%= key %>" { +<% value.each do |line| -%> + <%= line %>; +<% end -%> +}; + <% end -%> <% end -%> <% if !@masters.empty? -%> From 60eec50bd981fac69f2b815a35a57829dc6042bb Mon Sep 17 00:00:00 2001 
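Review bot: The TSIG example added to the conf.pp header uses `'algorithm hmac-md5'`, and the template hunk at the end of this patch renders each key's `secret` line verbatim into named.conf, a file that the `file { $title: ... }` resource visible later in this series manages with no `owner`, `group` or `mode` set. RFC 8945 no longer recommends HMAC-MD5 for TSIG, so the example should read `'algorithm hmac-sha256'`, and the `$keys` documentation deserves a warning such as `# NOTE: key secrets are written verbatim into named.conf; restrict its mode or keep keys in a separately managed include file`. The documentation hunk also labels the parameter `$tsig:` while the parameter list below adds `$keys`; a later commit in this series corrects that mismatch.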
From: "Merali, Imran" Date: Mon, 15 Jun 2015 12:22:38 -0400 Subject: [PATCH 02/25] Adjusting named.conf template to fix a bug whereby a view without a view-specific zone will skip global zones (which is problematic in use cases where one needs a global view containing only the global zones). --- templates/named.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/named.conf.erb b/templates/named.conf.erb index bce153ce2..9f9e0dd59 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -127,6 +127,7 @@ view "<%= key %>" { <% end -%> }; +<% end -%> <% end -%> <% if !@zones.empty? -%> /* Global zones */ @@ -137,7 +138,6 @@ view "<%= key %>" { <% end -%> }; -<% end -%> <% end -%> <% end -%> }; From e14e6cc6eb315abbae53b1fbc4fde33f7813ceb1 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Mon, 19 Oct 2015 11:14:48 +0200 Subject: [PATCH 03/25] Fix service name on RHEL7+ with chroot (#56, @arrjay) + cosmetic updates --- ChangeLog => CHANGELOG.md | 28 +++++++++++++----------- manifests/init.pp | 45 ++++++++++++++++++++++++--------------- manifests/package.pp | 3 +-- manifests/server.pp | 9 ++++---- manifests/server/conf.pp | 6 +++--- manifests/server/file.pp | 1 - manifests/service.pp | 12 +++++------ 7 files changed, 58 insertions(+), 46 deletions(-) rename ChangeLog => CHANGELOG.md (81%) diff --git a/ChangeLog b/CHANGELOG.md similarity index 81% rename from ChangeLog rename to CHANGELOG.md index 572f96056..53bbba470 100644 --- a/ChangeLog +++ b/CHANGELOG.md 
@@ -1,55 +1,57 @@ -2014-05-12 - 0.5.1 +* Fix service name on RHEL7+ with chroot (#56, @arrjay). + +#### 2014-05-12 - 0.5.1 * Add FreeBSD support (#26, @fessoga5). -2014-03-14 - 0.5.0 +#### 2014-03-14 - 0.5.0 * Manage zonedir from server::file, for parent directory (#23, Dougal Scott). * Add support for extra_options (#22, Joseph Swick). * Add support for $hostname, $server_id (#21, @b4ldr). * Disable root hint and rfc1912 zones when not recursive (#21, @b4ldr). -2013-11-26 - 0.4.2 +#### 2013-11-26 - 0.4.2 * Add support for managed-keys-directory (#19, Sean Edge). * Add support for full service restart instead of reload (#19, Sean Edge). -2013-10-15 - 0.4.1 +#### 2013-10-15 - 0.4.1 * Add support for views (thanks to Sean Edge). -2013-07-17 - 0.4.0 +#### 2013-07-17 - 0.4.0 * Merge changes by Sebastian Cole. * Move parameters into a new bind::params class. * Make the service and package classes possible to use separately. * Cosmetic cleanups. * Update README examples. -2013-04-19 - 0.3.2 +#### 2013-04-19 - 0.3.2 * Use @varname syntax in templates to silence puppet 3.2 warnings. -2013-04-10 - 0.3.1 +#### 2013-04-10 - 0.3.1 * Add support for $allow_transfer. * Add support for $ensure on server::file, enabling clean zone file removal. -2013-03-08 - 0.3.0 +#### 2013-03-08 - 0.3.0 * Change to 2 space indent. * Major update to the README and use markdown. * Minor cosmetic cleanups. * Change default for $chroot to false, SELinux is sufficient on RHEL5+. -2012-12-18 - 0.2.5 +#### 2012-12-18 - 0.2.5 * Change the SELinux type of the log directory back to the original. -2012-09-19 - 0.2.4 +#### 2012-09-19 - 0.2.4 * Update README to make the main example more useful. * Support $source_base for easy inclusion of multiple zone files as-is. -2012-07-17 - 0.2.3 +#### 2012-07-17 - 0.2.3 * Add support for "include" lines in named.conf. -2012-06-22 - 0.2.2 +#### 2012-06-22 - 0.2.2 * Add support for a few new configuration values in the main template. 
* Require package for files, for the usual parent directory to exist. * Minot updates to the README. -2012-04-23 - 0.2.1 +#### 2012-04-23 - 0.2.1 * Clean up the module to match current puppetlabs guidelines. * Force hash sorting in the template for puppet 2.7+ compatibility. diff --git a/manifests/init.pp b/manifests/init.pp index 1753b2dd7..e1ea6bab3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -18,37 +18,48 @@ class bind ( $chroot = false, $service_reload = true, + $servicename = $::bind::params::servicename, $packagenameprefix = $::bind::params::packagenameprefix, + $binduser = $::bind::params::binduser, + $bindgroup = $::bind::params::bindgroup, ) inherits ::bind::params { - # Main package and service - $packagenamesuffix = $chroot ? { - true => '-chroot', - false => '', + # Chroot differences + if $chroot == true { + $packagenamesuffix = '-chroot' + # Different service name with chroot on RHEL7+) + if $::osfamily == 'RedHat' and + versioncmp($::operatingsystemrelease, '7') >= 0 { + $servicenamesuffix = '-chroot' + } else { + $servicenamesuffix = '' + } + $bindlogdir = '/var/named/chroot/var/log/named' + } else { + $packagenamesuffix = '' + $servicenamesuffix = '' + $bindlogdir = '/var/log/named' } - class { 'bind::package': + + # Main package and service + class { '::bind::package': packagenameprefix => $packagenameprefix, packagenamesuffix => $packagenamesuffix, } - class { 'bind::service': - servicename => $servicename, + class { '::bind::service': + servicename => "${servicename}${servicenamesuffix}" service_reload => $service_reload, } # We want a nice log file which the package doesn't provide a location for - $bindlogdir = $chroot ? { - true => '/var/named/chroot/var/log/named', - false => '/var/log/named', - } file { $bindlogdir: - require => Class['bind::package'], - ensure => directory, - owner => $::bind::params::binduser, - group => $::bind::params::bindgroup, + ensure => 'directory', + owner => $binduser, + group => $bindgroup, mode => '0770', seltype => 'var_log_t', - before => Class['bind::service'], + require => Class['::bind::package'], + before => Class['::bind::service'], } } - diff --git a/manifests/package.pp b/manifests/package.pp index af145c7c6..a7a23457f 100644 --- a/manifests/package.pp +++ b/manifests/package.pp 
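Review bot: The `servicename => "${servicename}${servicenamesuffix}"` line in the new `class { '::bind::service':` declaration has no trailing comma before `service_reload => $service_reload,`, so this manifest does not parse until the following commit adds it. The new comment `# Different service name with chroot on RHEL7+)` also carries a stray closing parenthesis. The `class bind (` parameter list this hunk extends starts above the hunk, and the three added parameters (`$servicename`, `$binduser`, `$bindgroup`) presumably still lack entries in the class header comment, which is outside the hunk as well — worth checking.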
@@ -5,7 +5,6 @@ $packagenamesuffix = '', ) inherits ::bind::params { - package { "${packagenameprefix}${packagenamesuffix}": ensure => installed } + package { "${packagenameprefix}${packagenamesuffix}": ensure => 'installed' } } - diff --git a/manifests/server.pp b/manifests/server.pp index 3cee8041b..3c1b5a1e8 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -4,11 +4,12 @@ # class bind::server ( $chroot = false, - $packagenameprefix = $bind::params::packagenameprefix -) inherits bind::params { - class { 'bind': + $packagenameprefix = $::bind::params::packagenameprefix, +) inherits ::bind::params { + + class { '::bind': chroot => $chroot, packagenameprefix => $packagenameprefix, } -} +} diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp index 1f11132fc..f9c86b7c3 100644 --- a/manifests/server/conf.pp +++ b/manifests/server/conf.pp @@ -44,7 +44,8 @@ # $check_names: # Array of check-names strings. Example: [ 'master ignore' ]. Default: empty # $extra_options: -# Hash for any additional options that must go in the 'options' declaration. Default: empty +# Hash for any additional options that must go in the 'options' declaration. +# Default: empty # $dnssec_enable: # Enable DNSSEC support. Default: 'yes' # $dnssec_validation: @@ -111,9 +112,8 @@ # Everything is inside a single template file { $title: - notify => Class['bind::service'], + notify => Class['::bind::service'], content => template('bind/named.conf.erb'), } } - diff --git a/manifests/server/file.pp b/manifests/server/file.pp index e84cb922d..dc59b203a 100644 --- a/manifests/server/file.pp +++ b/manifests/server/file.pp @@ -76,4 +76,3 @@ } } - diff --git a/manifests/service.pp b/manifests/service.pp index f85fdf146..db91cb70c 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
@@ -1,8 +1,8 @@ # Class: bind::service # class bind::service ( - $servicename = $::bind::params::servicename, - $service_reload = true, + $servicename, + $service_reload, ) inherits ::bind::params { if $service_reload { @@ -11,11 +11,11 @@ } } - service { $servicename : - require => Class['bind::package'], - hasstatus => true, + service { $servicename: + ensure => 'running', enable => true, - ensure => running, + hasstatus => true, + require => Class['bind::package'], } } From efcecd2e430b8e06ef5fec3572f79349ba023766 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Mon, 19 Oct 2015 11:20:34 +0200 Subject: [PATCH 04/25] Fix typo in service --- LICENSE | 2 +- manifests/init.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/LICENSE b/LICENSE index 49a6e5c40..03f436059 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (C) 2011-2013 Matthias Saou +Copyright (C) 2011-2015 Matthias Saou Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/manifests/init.pp b/manifests/init.pp index e1ea6bab3..12a45581b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -47,7 +47,7 @@ packagenamesuffix => $packagenamesuffix, } class { '::bind::service': - servicename => "${servicename}${servicenamesuffix}" + servicename => "${servicename}${servicenamesuffix}", service_reload => $service_reload, } From 037c267d469fb2d83a06f735bd400c0c567437c7 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Tue, 2 Feb 2016 09:49:39 +0100 Subject: [PATCH 05/25] Change to metadata.json, update CHANGELOG and release 0.5.2 --- CHANGELOG.md | 4 ++++ LICENSE | 2 +- Modulefile | 8 -------- metadata.json | 36 ++++++++++++++++++++++++++++++++++++ 4 files changed, 41 insertions(+), 9 deletions(-) delete mode 100644 Modulefile create mode 100644 metadata.json diff --git a/CHANGELOG.md b/CHANGELOG.md index 53bbba470..9f97cc2a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
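Review bot: Dropping the defaults from `$servicename` and `$service_reload` in `class bind::service (` makes both parameters mandatory, so any manifest that declares `class { 'bind::service': }` on its own, which the changelog in this same commit advertises as supported, now fails with a missing-parameter error. Keeping `$servicename = $::bind::params::servicename,` and `$service_reload = true,` as defaults preserves that use while `bind` still passes explicit values. The second hunk of this file also leaves `require => Class['bind::package'],` without the leading `::` that the rest of this commit adds to every other class reference.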
@@ -1,4 +1,8 @@ +#### 2016-02-02 - 0.5.2 * Fix service name on RHEL7+ with chroot (#56, @arrjay). +* Fix named.conf template bug related to views (#59, @imerali). +* Add TSIG keys support (#54, @b4ldr). +* Replace Modulefile with metadata.json. #### 2014-05-12 - 0.5.1 * Add FreeBSD support (#26, @fessoga5). diff --git a/LICENSE b/LICENSE index 03f436059..374dc484d 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (C) 2011-2015 Matthias Saou +Copyright (C) 2011-2016 Matthias Saou Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/Modulefile b/Modulefile deleted file mode 100644 index 2ea17128d..000000000 --- a/Modulefile +++ /dev/null @@ -1,8 +0,0 @@ -name 'thias-bind' -version '0.5.1' -source 'git://github.com/thias/puppet-bind' -author 'Matthias Saou' -license 'Apache 2.0' -summary 'BIND DNS server module' -description "Install and enable a BIND DNS server, create and manage DNS zone files." -project_page 'https://github.com/thias/puppet-bind' diff --git a/metadata.json b/metadata.json new file mode 100644 index 000000000..6c2a47f07 --- /dev/null +++ b/metadata.json 
@@ -0,0 +1,36 @@ +{ + "name": "thias-bind", + "version": "0.5.2", + "author": "Matthias Saou", + "license": "Apache-2.0", + "summary": "BIND DNS server module", + "source": "git://github.com/thias/puppet-bind", + "project_page": "https://github.com/thias/puppet-bind", + "issues_url": "https://github.com/thias/puppet-bind/issues", + "tags": [ "bind", "named", "dns" ], + "operatingsystem_support": [ + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ "5", "6", "7" ] + }, + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ "5", "6", "7" ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ "6", "7", "8" ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ "12", "14" ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">=2.7.20 <4.1.0" + } + ], + "dependencies": [] +} From b94199e332f01c9126b929d87adae4e292e1f5b4 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Thu, 2 Feb 2017 15:00:21 +0000 Subject: [PATCH 06/25] Fix undefined variable warning and release 0.5.3 --- CHANGELOG.md | 3 +++ manifests/server/file.pp | 9 +++++++-- metadata.json | 4 ++-- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f97cc2a5..766d47a00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +#### 2017-02-02 - 0.5.3 +* Fix undefined variable warning. + #### 2016-02-02 - 0.5.2 * Fix service name on RHEL7+ with chroot (#56, @arrjay). * Fix named.conf template bug related to views (#59, @imerali). diff --git a/manifests/server/file.pp b/manifests/server/file.pp index dc59b203a..9468a93c9 100644 --- a/manifests/server/file.pp +++ b/manifests/server/file.pp 
@@ -48,8 +48,13 @@ $bindgroup = $::bind::params::bindgroup } - if $source { $zone_source = $source } - if $source_base { $zone_source = "${source_base}${title}" } + if $source { + $zone_source = $source + } elsif $source_base { + $zone_source = "${source_base}${title}" + } else { + $zone_source = undef + } if ! defined(File[$zonedir]) { file { $zonedir: diff --git a/metadata.json b/metadata.json index 6c2a47f07..0e7eb6fd5 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "thias-bind", - "version": "0.5.2", + "version": "0.5.3", "author": "Matthias Saou", "license": "Apache-2.0", "summary": "BIND DNS server module", @@ -29,7 +29,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">=2.7.20 <4.1.0" + "version_requirement": ">=2.7.20 <5.0.0" } ], "dependencies": [] From 61b2f1cd44fce61965bcec6cf26867791b9bb4f4 Mon Sep 17 00:00:00 2001 From: Warren Powell Date: Sun, 19 Mar 2017 15:07:39 +1300 Subject: [PATCH 07/25] Added support for configuring forward mode --- manifests/server/conf.pp | 3 +++ templates/named.conf.erb | 3 +++ 2 files changed, 6 insertions(+) diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp index 14fcbc1fc..956056925 100644 --- a/manifests/server/conf.pp +++ b/manifests/server/conf.pp @@ -22,6 +22,8 @@ # $hostname: # Hostname returned for hostname.bind TXT in CHAOS. Set to 'none' to disable. # Default: undef, bind internal default +# $forward: +# Specific forwarding mode forward ( first | only );. Default: undef, empty # $server_id: # ID returned for id.server TXT in CHAOS. Default: undef, empty # $version: @@ -99,6 +101,7 @@ $directory = '/var/named', $managed_keys_directory = undef, $hostname = undef, + $forward = undef, $server_id = undef, $version = undef, $dump_file = '/var/named/data/cache_dump.db', diff --git a/templates/named.conf.erb b/templates/named.conf.erb index 8d0c47155..4ce23b0f8 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb 
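Review bot: The new `$forward = undef` parameter in `define bind::server::conf (` is interpolated into named.conf by the template with no check, although the header comment restricts it to `first | only`. A guard at the top of the define body, `if $forward and $forward !~ /^(first|only)$/ { fail("bind::server::conf: forward must be 'first' or 'only'") }`, turns a typo into a catalog failure instead of a named.conf that named refuses to load. The body of the define is below this hunk.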
@@ -42,6 +42,9 @@ options { <% end -%> <% if !@forwarders.empty? -%> forwarders { <%= @forwarders.join("; ") %>; }; +<% end -%> +<% if @forward -%> + forward "<%= @forward %>"; <% end -%> directory "<%= @directory %>"; <% if @managed_keys_directory -%> From 99a647baabfc707b76afb8e1df25befe606e363e Mon Sep 17 00:00:00 2001 From: Warren Powell Date: Sun, 19 Mar 2017 22:22:45 +1300 Subject: [PATCH 08/25] Removed quotes around froward parameter --- templates/named.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/named.conf.erb b/templates/named.conf.erb index 4ce23b0f8..f5cdf4e97 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -44,7 +44,7 @@ options { forwarders { <%= @forwarders.join("; ") %>; }; <% end -%> <% if @forward -%> - forward "<%= @forward %>"; + forward <%= @forward %>; <% end -%> directory "<%= @directory %>"; <% if @managed_keys_directory -%> From 1994d42e89fb35e9fd657b9f6738cd4013bc1c1c Mon Sep 17 00:00:00 2001 From: Simon Peeters Date: Fri, 23 Feb 2018 16:41:17 +0100 Subject: [PATCH 09/25] fix minor issue in doccumentation of `$keys` parameter --- manifests/server/conf.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp index 14fcbc1fc..2c625acb5 100644 --- a/manifests/server/conf.pp +++ b/manifests/server/conf.pp @@ -55,7 +55,7 @@ # $zones: # Hash of managed zones and their configuration. The key is the zone name # and the value is an array of config lines. Default: empty -# $tsig: +# $keys: # Hash of managed tsig keys and their configuration. The key is the tsig keys name # and the value is an array of config lines. Default: empty # $includes: From d70ce17952b781c38fed8aade52c5ccb52765aa4 Mon Sep 17 00:00:00 2001 From: Adria Date: Wed, 14 Mar 2018 12:13:27 +0100 Subject: [PATCH 10/25] add zone file validation --- manifests/server/file.pp | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) 
diff --git a/manifests/server/file.pp b/manifests/server/file.pp index 9468a93c9..0e8d97ed7 100644 --- a/manifests/server/file.pp +++ b/manifests/server/file.pp @@ -6,6 +6,8 @@ # Parameters: # $zonedir: # Directory where to store the zone file. Default: '/var/named' +# $zonename: +# Zone name to be used when validating the zone. Default: same as title # $owner: # Zone file user owner. Default: 'root' # $group: @@ -30,6 +32,7 @@ # define bind::server::file ( $zonedir = '/var/named', + $zonename = $title, $owner = 'root', $group = undef, $mode = '0640', @@ -66,15 +69,16 @@ } file { "${zonedir}/${title}": - ensure => $ensure, - owner => $owner, - group => $bindgroup, - mode => $mode, - source => $zone_source, - content => $content, - notify => Class['::bind::service'], + ensure => $ensure, + owner => $owner, + group => $bindgroup, + mode => $mode, + source => $zone_source, + content => $content, + validate_cmd => "/usr/sbin/named-checkzone ${zonename} %", + notify => Class['::bind::service'], # For the parent directory - require => [ + require => [ Class['::bind::package'], File[$zonedir], ], From 1c9dbfc8fe1b16c3406f9ff01cf9dc02faf0057c Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Mon, 23 Apr 2018 18:13:15 +0200 Subject: [PATCH 11/25] Fix hint and rfc1912 zones on Debian (#61, #83) --- manifests/params.pp | 8 ++++++++ manifests/server/conf.pp | 5 +++++ templates/named.conf.erb | 4 ++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 58f9b0bc4..1cce10b7c 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
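Review bot: `validate_cmd => "/usr/sbin/named-checkzone ${zonename} %"` interpolates `$zonename`, which defaults to the resource `$title`, into the command line with no quoting or validation; a title containing whitespace or shell metacharacters either breaks the command or may be handed to a shell, so a guard such as `if $zonename !~ /^[A-Za-z0-9._-]+$/ { fail("bind::server::file: invalid zonename '${zonename}'") }` belongs before the `file { "${zonedir}/${title}":` resource. As far as I recall `validate_cmd` only exists from Puppet 3.5 onward, while metadata.json at this point still allows `>=2.7.20`; the requirement should be raised to match. The new `$zonename` documentation could also say that the check runs on every apply and that a failing check leaves the existing zone file untouched.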
@@ -8,24 +8,32 @@ $servicename = 'named' $binduser = 'root' $bindgroup = 'named' + $file_hint = 'named.ca' + $file_rfc1912 = '/etc/named.rfc1912.zones' } 'Debian': { $packagenameprefix = 'bind9' $servicename = 'bind9' $binduser = 'bind' $bindgroup = 'bind' + $file_hint = '/etc/bind/db.root' + $file_rfc1912 = '/etc/bind/named.conf.default-zones' } 'Freebsd': { $packagenameprefix = 'bind910' $servicename = 'named' $binduser = 'bind' $bindgroup = 'bind' + $file_hint = 'named.ca' + $file_rfc1912 = '/etc/named.rfc1912.zones' } default: { $packagenameprefix = 'bind' $servicename = 'named' $binduser = 'root' $bindgroup = 'named' + $file_hint = 'named.ca' + $file_rfc1912 = '/etc/named.rfc1912.zones' } } diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp index 2c625acb5..ed77905da 100644 --- a/manifests/server/conf.pp +++ b/manifests/server/conf.pp @@ -120,6 +120,11 @@ $views = {}, ) { + # OS Defaults + include '::bind::params' + $file_hint = $::bind::params::file_hint + $file_rfc1912 = $::bind::params::file_rfc1912 + # Everything is inside a single template file { $title: notify => Class['::bind::service'], diff --git a/templates/named.conf.erb b/templates/named.conf.erb index 8d0c47155..8bcf7261e 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -157,7 +157,7 @@ view "<%= key %>" { <% if @recursion == 'yes' -%> zone "." IN { type hint; - file "named.ca"; + file "<%= @file_hint %>"; }; <% end -%> @@ -172,7 +172,7 @@ zone "<%= key %>" IN { <% end -%> <% end -%> <% if @recursion == 'yes' -%> -include "/etc/named.rfc1912.zones"; +include "<%= @file_hint %>"; <% end -%> <% end -%><%# end no views -%> <% if !@includes.empty? -%> From 0df4147164f8e719fc77e9d97e4fb4bffbc25505 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Mon, 23 Apr 2018 18:47:36 +0200 Subject: [PATCH 12/25] Fix server::conf and package ordering (#71, @skrivy) --- manifests/server/conf.pp | 1 + 1 file changed, 1 insertion(+) 
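Review bot: `$file_hint` and `$file_rfc1912` are read from `::bind::params` inside the define body with no way for a caller to override them, unlike every other path `bind::server::conf` exposes as a parameter. Adding `$file_hint = undef` and `$file_rfc1912 = undef` to the parameter list and resolving each after the `include '::bind::params'` line with the params value as the fallback (a two-line selector per variable) keeps today's defaults while letting a non-standard layout be corrected from the manifest. That matters because the `'Freebsd'` branch in params.pp reuses the RHEL values `'named.ca'` and `'/etc/named.rfc1912.zones'`, which look copied rather than checked against what a FreeBSD `bind910` package actually installs — worth confirming. The template's second hunk also emits `include "<%= @file_hint %>";` where the rfc1912 file is meant; a later commit in this series corrects that.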
diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp index 7e3fef74e..7944be2ee 100644 --- a/manifests/server/conf.pp +++ b/manifests/server/conf.pp @@ -132,6 +132,7 @@ file { $title: notify => Class['::bind::service'], content => template('bind/named.conf.erb'), + require => Class['::bind::package'], } } From d795fc605de37c2a3e26360344e22d255095066f Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Mon, 23 Apr 2018 18:53:37 +0200 Subject: [PATCH 13/25] Make sure zonedir gets created after bind::package (#55, @jamesbouressa) --- manifests/server/file.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/manifests/server/file.pp b/manifests/server/file.pp index 0e8d97ed7..a8794ec84 100644 --- a/manifests/server/file.pp +++ b/manifests/server/file.pp @@ -61,10 +61,11 @@ if ! defined(File[$zonedir]) { file { $zonedir: - ensure => directory, - owner => $owner, - group => $bindgroup, - mode => $dirmode, + ensure => 'directory', + owner => $owner, + group => $bindgroup, + mode => $dirmode, + require => Class['::bind::package'], } } From 2c1e5647100b54bf70435b5f4779aa56baeae32e Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Tue, 24 Apr 2018 11:18:48 +0200 Subject: [PATCH 14/25] Update CHANGELOG --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 766d47a00..dda1eb593 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +* Add zone file validation (#91, @forgodssake). +* Fix hint and rfc1912 zones on Debian (#61, #83). +* Add support for configuring forward mode (#73, @warrenpnz). +* Fix server::conf and package ordering (#71, @skrivy). +* Make sure zonedir gets created after bind::package (#55, @jamesbouressa). + #### 2017-02-02 - 0.5.3 * Fix undefined variable warning. From 6b6f3822a5269d3b262a513ca3bca36624158b46 Mon Sep 17 00:00:00 2001 
From: Matthias Saou Date: Wed, 25 Apr 2018 13:33:24 +0000 Subject: [PATCH 15/25] Fix copy/paste error --- templates/named.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/named.conf.erb b/templates/named.conf.erb index 3ae9c17ec..39cd72b8c 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -175,7 +175,7 @@ zone "<%= key %>" IN { <% end -%> <% end -%> <% if @recursion == 'yes' -%> -include "<%= @file_hint %>"; +include "<%= @file_rfc1912 %>"; <% end -%> <% end -%><%# end no views -%> <% if !@includes.empty? -%> From e4d6ef8bc2b589a3639823764cb8b83ca60f3d96 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Wed, 25 Apr 2018 13:37:48 +0000 Subject: [PATCH 16/25] Include a disclaimer in the README --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 9f7f9690e..62c5613cd 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,15 @@ # puppet-bind +## Disclaimer + +This module has been created when Puppet classes did not support parameters. +It shows. Tests and Debian/Ubuntu support are external contributions and are +not as actively maintained as they should be. + +The primary focus of this module has always been Enterprise Linux (RHEL, CentOS +and other clones), and it works fine on releases as far back as RHEL5, although +the latest RHEL release is always recommended. + ## Overview Install and enable a BIND DNS server, manage its main configuration and install From 013ccd28bfa92fc496310f424e86089c3261a43a Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Mon, 21 Jan 2019 10:41:42 +0100 Subject: [PATCH 17/25] Release 0.5.4 --- CHANGELOG.md | 1 + metadata.json | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dda1eb593..e7d8fb0e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,4 @@ +#### 2019-01-21 - 0.5.4 * Add zone file validation (#91, @forgodssake). * Fix hint and rfc1912 zones on Debian (#61, #83). * Add support for configuring forward mode (#73, @warrenpnz). diff --git a/metadata.json b/metadata.json index 0e7eb6fd5..7fafb7078 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "thias-bind", - "version": "0.5.3", + "version": "0.5.4", "author": "Matthias Saou", "license": "Apache-2.0", "summary": "BIND DNS server module", @@ -29,7 +29,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">=2.7.20 <5.0.0" + "version_requirement": ">=2.7.20 <7.0.0" } ], "dependencies": [] From a4c91dbc72ba5fd11e9a484971016208ce418fce Mon Sep 17 00:00:00 2001 From: Vincent Tamet Date: Tue, 11 May 2021 17:55:07 +0200 Subject: [PATCH 18/25] change zone file validation to fail in case of problem (Goal is to not load bad zones) --- manifests/server/file.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/file.pp b/manifests/server/file.pp index a8794ec84..291d17fe5 100644 --- a/manifests/server/file.pp +++ b/manifests/server/file.pp @@ -76,7 +76,7 @@ mode => $mode, source => $zone_source, content => $content, - validate_cmd => "/usr/sbin/named-checkzone ${zonename} %", + validate_cmd => "/usr/sbin/named-checkzone -k fail -m fail -M fail -n fail -r fail -S fail -T warn -W warn ${zonename} %", notify => Class['::bind::service'], # For the parent directory require => [ From b754c831bd02afba5d609364c345f08e4fd70d73 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Wed, 30 Jun 2021 11:08:34 +0000 Subject: [PATCH 19/25] Support $replace on bind::server::file, useful for ddns base zones --- CHANGELOG.md | 3 +++ manifests/server/file.pp | 2 ++ 2 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e7d8fb0e5..ea82791bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
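Review bot: The hard-coded `named-checkzone -k fail -m fail -M fail -n fail -r fail -S fail -T warn -W warn` invocation makes zone validation markedly stricter, but neither the define header nor the `$zonename` description mentions it, and the flag string is hard to read inline in the resource. Hoisting it into `$checkzone_opts = '-k fail -m fail -M fail -n fail -r fail -S fail -T warn -W warn'` with a one-line comment naming the check families it turns into hard failures, and interpolating `${checkzone_opts}` in `validate_cmd`, keeps the resource readable. A sentence in the header stating that a zone failing these checks is not written would also help operators who meet the catalog error. The `file { "${zonedir}/${title}":` resource this line belongs to starts above the hunk.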
@@ -1,3 +1,6 @@ +* Improve zone validation (#110, @osgpcq). +* Support $replace on bind::server::file, useful for ddns base zones. + #### 2019-01-21 - 0.5.4 * Add zone file validation (#91, @forgodssake). * Fix hint and rfc1912 zones on Debian (#61, #83). diff --git a/manifests/server/file.pp b/manifests/server/file.pp index 291d17fe5..70ce2c8cb 100644 --- a/manifests/server/file.pp +++ b/manifests/server/file.pp @@ -41,6 +41,7 @@ $source_base = undef, $content = undef, $ensure = undef, + $replace = undef, ) { include '::bind::params' @@ -76,6 +77,7 @@ mode => $mode, source => $zone_source, content => $content, + replace => $replace, validate_cmd => "/usr/sbin/named-checkzone -k fail -m fail -M fail -n fail -r fail -S fail -T warn -W warn ${zonename} %", notify => Class['::bind::service'], # For the parent directory From 5cf463e200d27f5ecb7640a713034e7312150e75 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Wed, 30 Jun 2021 13:42:08 +0000 Subject: [PATCH 20/25] Fix bindkeys-file on RHEL8 --- CHANGELOG.md | 1 + manifests/params.pp | 8 ++++++++ manifests/server/conf.pp | 1 + templates/named.conf.erb | 2 +- 4 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea82791bf..b0aecd3cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ * Improve zone validation (#110, @osgpcq). * Support $replace on bind::server::file, useful for ddns base zones. +* Fix bindkeys-file on RHEL8. #### 2019-01-21 - 0.5.4 * Add zone file validation (#91, @forgodssake). diff --git a/manifests/params.pp b/manifests/params.pp index 1cce10b7c..17a0caf29 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -10,6 +10,11 @@ $bindgroup = 'named' $file_hint = 'named.ca' $file_rfc1912 = '/etc/named.rfc1912.zones' + if versioncmp($::operatingsystemrelease, '8') >= 0 { + $file_bindkeys = '/etc/named.root.key' + } else { + $file_bindkeys = '/etc/named.iscdlv.key' + } } 'Debian': { $packagenameprefix = 'bind9' 
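Review bot: `$replace = undef,` is added to `define bind::server::file (` and passed through to the file resource, but the define's header comment, which documents every other parameter (`$zonedir`, `$zonename`, `$owner`, …), is not updated. An entry such as `# $replace:` followed by `#   Whether to overwrite an existing zone file; set to false for DDNS base zones that named rewrites. Default: undef (Puppet's default, true)` would keep the documentation complete. The header is outside this hunk.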
@@ -18,6 +23,7 @@ $bindgroup = 'bind' $file_hint = '/etc/bind/db.root' $file_rfc1912 = '/etc/bind/named.conf.default-zones' + $file_bindkeys = '/etc/named.iscdlv.key' } 'Freebsd': { $packagenameprefix = 'bind910' @@ -26,6 +32,7 @@ $bindgroup = 'bind' $file_hint = 'named.ca' $file_rfc1912 = '/etc/named.rfc1912.zones' + $file_bindkeys = '/etc/named.iscdlv.key' } default: { $packagenameprefix = 'bind' @@ -34,6 +41,7 @@ $bindgroup = 'named' $file_hint = 'named.ca' $file_rfc1912 = '/etc/named.rfc1912.zones' + $file_bindkeys = '/etc/named.iscdlv.key' } } diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp index 7944be2ee..bfd1f2268 100644 --- a/manifests/server/conf.pp +++ b/manifests/server/conf.pp @@ -127,6 +127,7 @@ include '::bind::params' $file_hint = $::bind::params::file_hint $file_rfc1912 = $::bind::params::file_rfc1912 + $file_bindkeys = $::bind::params::file_bindkeys # Everything is inside a single template file { $title: diff --git a/templates/named.conf.erb b/templates/named.conf.erb index 39cd72b8c..621e6897d 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -98,7 +98,7 @@ options { dnssec-lookaside <%= @dnssec_lookaside %>; /* Path to ISC DLV key */ - bindkeys-file "/etc/named.iscdlv.key"; + bindkeys-file "<%= @file_bindkeys %>"; }; logging { From 69b48d9e89ca05c94621f73dfce140fb7acb2b48 Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Wed, 30 Jun 2021 13:43:06 +0000 Subject: [PATCH 21/25] Release 0.5.5 --- CHANGELOG.md | 1 + metadata.json | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0aecd3cc..b7ed0ad85 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,4 @@ +#### 2021-06-30 - 0.5.5 * Improve zone validation (#110, @osgpcq). * Support $replace on bind::server::file, useful for ddns base zones. * Fix bindkeys-file on RHEL8. diff --git a/metadata.json b/metadata.json index 7fafb7078..7955cd425 100644 --- a/metadata.json +++ b/metadata.json 
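Review bot: `bindkeys-file "<%= @file_bindkeys %>";` is emitted right after `dnssec-lookaside <%= @dnssec_lookaside %>;`, and the `$dnssec_lookaside` default visible earlier in this series is `'auto'`. ISC retired the DLV registry in 2017 and newer BIND releases have deprecated and then dropped `dnssec-lookaside`, so fixing the RHEL8 key path only delays the failure; the default should move to `'no'` (or the option be omitted when unset), and the `/* Path to ISC DLV key */` comment should say the key file is only consulted for legacy lookaside. The `'Debian'`, `'Freebsd'` and default branches in params.pp all keep `/etc/named.iscdlv.key`, which does not look like a path those packages install — worth confirming before relying on it.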
@@ -1,6 +1,6 @@ { "name": "thias-bind", - "version": "0.5.4", + "version": "0.5.5", "author": "Matthias Saou", "license": "Apache-2.0", "summary": "BIND DNS server module", @@ -11,11 +11,11 @@ "operatingsystem_support": [ { "operatingsystem": "RedHat", - "operatingsystemrelease": [ "5", "6", "7" ] + "operatingsystemrelease": [ "5", "6", "7", "8" ] }, { "operatingsystem": "CentOS", - "operatingsystemrelease": [ "5", "6", "7" ] + "operatingsystemrelease": [ "5", "6", "7", "8" ] }, { "operatingsystem": "Debian", @@ -29,7 +29,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">=2.7.20 <7.0.0" + "version_requirement": ">=2.7.20 <8.0.0" } ], "dependencies": [] From fbe56671ea42604280622c421eb681e39f9316fe Mon Sep 17 00:00:00 2001 From: Matthias Saou Date: Thu, 7 Sep 2023 17:04:30 +0000 Subject: [PATCH 22/25] Change zone dirmode from 750 to 770 because recent bind 9 requires write --- CHANGELOG.md | 2 ++ manifests/server/file.pp | 2 +- metadata.json | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7ed0ad85..877697d45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +* Change zone dirmode from 750 to 770 because recent bind 9 requires write. + #### 2021-06-30 - 0.5.5 * Improve zone validation (#110, @osgpcq). * Support $replace on bind::server::file, useful for ddns base zones. diff --git a/manifests/server/file.pp b/manifests/server/file.pp index 70ce2c8cb..f58bb3d4e 100644 --- a/manifests/server/file.pp +++ b/manifests/server/file.pp @@ -36,7 +36,7 @@ $owner = 'root', $group = undef, $mode = '0640', - $dirmode = '0750', + $dirmode = '0770', $source = undef, $source_base = undef, $content = undef, diff --git a/metadata.json b/metadata.json index 7955cd425..9d5aa52cd 100644 --- a/metadata.json +++ b/metadata.json 
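Review bot: Widening the `$dirmode` default from `'0750'` to `'0770'` gives the `$bindgroup` group write access to every zone directory this define manages, including hosts that serve only static zones, and the reason lives only in the commit subject and changelog. The `# $dirmode:` entry in the define header (outside the hunk) should state it, e.g. `#   Zone directory mode. Default: '0770' (recent BIND 9 needs group write for journal and dump files; pass '0750' for static-only zones)`. Operators who want the tighter mode can still pass `dirmode => '0750'`.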
@@ -11,11 +11,11 @@
 "operatingsystem_support": [
 {
 "operatingsystem": "RedHat",
- "operatingsystemrelease": [ "5", "6", "7", "8" ]
+ "operatingsystemrelease": [ "5", "6", "7", "8", "9" ]
 },
 {
 "operatingsystem": "CentOS",
- "operatingsystemrelease": [ "5", "6", "7", "8" ]
+ "operatingsystemrelease": [ "5", "6", "7", "8", "9" ]
 },
 {
 "operatingsystem": "Debian",
From 9f829308c19325d8c1b4c3f872c64b5ec9401919 Mon Sep 17 00:00:00 2001
From: Matthias Saou
Date: Thu, 7 Sep 2023 19:05:36 +0200
Subject: [PATCH 23/25] Release 0.5.6
---
 CHANGELOG.md | 1 +
 metadata.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 877697d45..826723028 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,4 @@
+#### 2023-09-07 - 0.5.6
 * Change zone dirmode from 750 to 770 because recent bind 9 requires write.
 #### 2021-06-30 - 0.5.5
diff --git a/metadata.json b/metadata.json
index 9d5aa52cd..1bd80c7a9 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "thias-bind",
- "version": "0.5.5",
+ "version": "0.5.6",
 "author": "Matthias Saou",
 "license": "Apache-2.0",
 "summary": "BIND DNS server module",
From 1dcae35dc74be37c6346981b078a72253903517b Mon Sep 17 00:00:00 2001
From: Robert Sauber
Date: Tue, 7 Nov 2023 15:51:49 -0800
Subject: [PATCH 24/25] Add support for Ubuntu
---
 manifests/params.pp | 6 +++++-
 templates/named.conf.erb | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index 17a0caf29..b0b1d65a8 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -21,8 +21,12 @@
 $servicename = 'bind9'
 $binduser = 'bind'
 $bindgroup = 'bind'
- $file_hint = '/etc/bind/db.root'
 $file_rfc1912 = '/etc/bind/named.conf.default-zones'
+ if $::operatingsystem == 'Ubuntu' {
+ $file_hint = false
+ } else {
+ $file_hint = '/etc/bind/db.root'
+ }
 $file_bindkeys = '/etc/named.iscdlv.key'
 }
 'Freebsd': {
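Review bot: `$file_hint = false` puts a boolean into a variable that is a path string everywhere else in this branch, and nothing in the hunk says why Ubuntu gets no hint file; a comment such as `# Ubuntu's bind9 package ships no db.root; with file_hint false the template omits the hint zone and named uses its built-in root hints` (confirm the package detail before committing to it) would stop the next maintainer from "fixing" it back. `undef` would be the conventional "absent" value in Puppet, but templates see `undef` differently across Puppet versions, so if `false` is deliberate for that reason the comment should say so. The test is on `$::operatingsystem` inside a case branch whose selector starts outside the hunk, so Ubuntu derivatives keep the Debian path — probably intended, but worth one line. The enclosing class continues past the hunk.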
diff --git a/templates/named.conf.erb b/templates/named.conf.erb
index 621e6897d..71401a361 100644
--- a/templates/named.conf.erb
+++ b/templates/named.conf.erb
@@ -157,7 +157,7 @@ view "<%= key %>" {
 <% end -%>
 <% else -%><%# end views, start no views -%>
-<% if @recursion == 'yes' -%>
+<% if @recursion == 'yes' && @file_hint -%>
 zone "." IN {
 type hint;
 file "<%= @file_hint %>";
From d2dc7b35650e80e6bbd961b2eb6f068754814a50 Mon Sep 17 00:00:00 2001
From: Robert Sauber
Date: Tue, 9 Jan 2024 15:35:06 -0800
Subject: [PATCH 25/25] Re-add apparmor config
---
 manifests/server/conf.pp | 10 +++++++
 templates/usr.sbin.named.erb | 51 ++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 templates/usr.sbin.named.erb
diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp
index bfd1f2268..2c8a481e8 100644
--- a/manifests/server/conf.pp
+++ b/manifests/server/conf.pp
@@ -129,6 +129,16 @@
 $file_rfc1912 = $::bind::params::file_rfc1912
 $file_bindkeys = $::bind::params::file_bindkeys
+ service { 'apparmor':
+ ensure => 'running',
+ enable => 'true',
+ }
+
+ file { '/etc/apparmor.d/usr.sbin.named':
+ notify => Service['apparmor'],
+ content => template('bind/usr.sbin.named.erb'),
+ }
+
 # Everything is inside a single template
 file { $title:
 notify => Class['::bind::service'],
diff --git a/templates/usr.sbin.named.erb b/templates/usr.sbin.named.erb
new file mode 100644
index 000000000..b128b39be
--- /dev/null
+++ b/templates/usr.sbin.named.erb
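Review bot: The `&& @file_hint` guard is only added in the no-views branch (the hunk sits right after `<% else -%><%# end views, start no views -%>`); if the views branch above also renders a root hint zone from `@file_hint`, an Ubuntu host that defines views will still get `file "false";` in its hint zone, so the same condition would be needed there. That branch is outside the hunk, so this is an inference to check rather than a confirmed defect. The `<% if @recursion == 'yes' && @file_hint -%>` block and the `zone "." IN {` stanza it opens both continue past the hunk.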
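Review bot: The new `service { 'apparmor': … }` and `file { '/etc/apparmor.d/usr.sbin.named': … }` resources are unconditional, yet the module also serves the RedHat/CentOS and FreeBSD branches of `bind::params` (visible in the earlier params.pp hunks and in metadata.json), where neither an apparmor service nor `/etc/apparmor.d/` exists, so every run on those hosts will now fail on these two resources. Gating both on the Debian family (or on a new opt-in parameter of the define) restores the previous behaviour elsewhere. The profile file is also written without explicit `owner`/`group`/`mode`; a file that decides what named may touch should be root-owned and not group/world-writable, so pinning `0644` is cheap insurance, and `enable => 'true'` passes a string where a bare `true` is the idiom. The define body continues outside the hunk.
```puppet
  $file_bindkeys = $::bind::params::file_bindkeys

  # AppArmor only exists on Debian-family hosts; elsewhere both resources
  # would fail on every run (no 'apparmor' service, no /etc/apparmor.d/).
  if $::osfamily == 'Debian' {
    service { 'apparmor':
      ensure => 'running',
      enable => true,
    }

    file { '/etc/apparmor.d/usr.sbin.named':
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      notify  => Service['apparmor'],
      content => template('bind/usr.sbin.named.erb'),
    }
  }

  # … unchanged: file { $title: … } rendering named.conf …
```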
@@ -0,0 +1,51 @@
+# vim:syntax=apparmor
+# Last Modified: Fri Jun 1 16:43:22 2007
+#include
+
+/usr/sbin/named {
+ #include
+ #include
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ # /etc/bind should be read-only for bind
+ # /var/lib/bind is for dynamically updated zone (and journal) files.
+ # /var/cache/bind is for slave/stub data, since we're not the origin of it.
+ # See /usr/share/doc/bind9/README.Debian.gz
+ /etc/bind/** rw,
+ /var/named/** rw,
+ /var/lib/bind/** rw,
+ /var/lib/bind/ rw,
+ /var/cache/bind/** rw,
+ /var/cache/bind/ rw,
+
+ # gssapi
+ /etc/krb5.keytab kr,
+ /etc/bind/krb5.keytab kr,
+
+ # ssl
+ /etc/ssl/openssl.cnf r,
+
+ # dnscvsutil package
+ /var/lib/dnscvsutil/compiled/** rw,
+
+ /proc/net/if_inet6 r,
+ /proc/*/net/if_inet6 r,
+ /usr/sbin/named mr,
+ /{,var/}run/named/named.pid w,
+ /{,var/}run/named/session.key w,
+ # support for resolvconf
+ /{,var/}run/named/named.options r,
+
+ # some people like to put logs in /var/log/named/ instead of having
+ # syslog do the heavy lifting.
+ /var/log/named/** rw,
+ /var/log/named/ rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
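Review bot: The comment `# /etc/bind should be read-only for bind` is contradicted by the rule directly beneath it, `/etc/bind/** rw,`, which lets a compromised named rewrite its own configuration and any key material rendered there; the profile already grants the writable locations it names for dynamic zones and journals (`/var/lib/bind/** rw,`, `/var/cache/bind/** rw,`), so `/etc/bind/** r,` matches the stated intent, and `/var/named/** rw,` deserves the same question. The `#include` lines appear here with empty targets, which apparmor_parser would reject; if that is an artefact of the listing, ignore it, otherwise the global tunables, the base and nameservice abstractions and the local override include need restoring. The file carries an `.erb` suffix and is loaded via `template()` in the conf.pp hunk, but contains no ERB tags, so serving it as a static `source` would avoid needless templating.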