--- /dev/null
+{%- set home_dir = salt['pillar.get']('bind:home-dir', '/var/cache/bind') -%}
+{%- set etc_dir = salt['pillar.get']('bind:etc-dir', '/etc/bind') -%}
+//###############################################################
+//# Bind9-Konfigurationsdatei for general options
+//# /etc/bind/named.conf.options
+//#
+//# Host {{ grains['fqdn'] }}
+//#
+//###############################################################
+
+
+//###############################################################
+//# Allgemeine Optionen
+
+options {
+
+ directory "{{ home_dir }}";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
+ //bindkeys-file "/etc/bind/bind.keys";
+
+ listen-on-v6 { any; };
+ listen-on { any; };
+
+ allow-notify {
+ allow-notify;
+ };
+
+ allow-recursion {
+ allow-recursion;
+ };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ //dnssec-enable yes;
+ dnssec-validation auto;
+
+ /*
+ * As of bind 9.8.0:
+ * "If the root key provided has expired,
+ * named will log the expiration and validation will not work."
+ */
+ //dnssec-validation auto;
+
+ /* if you have problems and are behind a firewall: */
+ //query-source address * port 53;
+
+ // pid-file "/var/run/named/named.pid";
+
+ version "none";
+
+};
+
+// Managed Keys
+include "{{ etc_dir }}/bind.keys";
+
+//###############################################################
+//# Kontrollkanäle für RNDC
+
+include "{{ etc_dir }}/rndc.key";
+
+controls {
+ inet 127.0.0.1 port 953 allow {
+ 127.0.0.1;
+ ::1/128;
+ } keys {
+ "rndc-key";
+ };
+};
+
+
+# vim: ts=4 filetype=named noai
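Review bot: The `allow-recursion { allow-recursion; };` and `allow-notify { allow-notify; };` blocks use the option's own name as the address-match-list element, which BIND parses as a reference to a named ACL (`acl "allow-recursion" { ... };`); unless those ACLs are defined in another included file, `named-checkconf` will reject this configuration, and if they are defined permissively the server, which also binds `listen-on { any; };` and `listen-on-v6 { any; };`, becomes an open recursive resolver. Make the policy explicit and pillar-driven, e.g. `allow-recursion { localhost; localnets; };`, `allow-notify { none; };` (or the primaries' addresses), and set `recursion yes;`/`no` deliberately instead of relying on the default. The DLV reference in the comment above `bindkeys-file` is obsolete (ISC retired DLV), so that comment is worth dropping to avoid someone re-enabling it. Consider running `named-checkconf` on the rendered file as part of the state (a `cmd.run` check or `check_cmd`) so a bad pillar value cannot leave named unable to start.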
{%- set dnssec = salt['pillar.get']('bind:dnssec', {}) -%}
+{%- set etc_dir = salt['pillar.get']('bind:etc-dir', '/etc/bind') -%}
-/etc/bind/rndc.key:
+bind-rndc-key:
file.managed:
+ - name: {{ etc_dir }}/rndc.key
- source: salt://bind/files/rndc.key
- user: bind
- group: bind
- template: jinja
- backup: minion
- require:
- - file: /etc/bind
+ - file: bind-etc-dir
- group: bind-group
- user: bind-user
rndc-keyfile-public:
file.managed:
- - name: /etc/bind/dnssec/K{{ dnssec.rndc.name }}.+{{ dnssec.rndc.algo_nr }}+{{ dnssec.rndc.footprint }}.key
+ - name: {{ etc_dir }}/dnssec/K{{ dnssec.rndc.name }}.+{{ dnssec.rndc.algo_nr }}+{{ dnssec.rndc.footprint }}.key
- source: salt://bind/files/rndc.public
- user: root
- group: root
- template: jinja
- backup: minion
- require:
- - file: /etc/bind/dnssec
+ - file: bind-dnssec-dir
rndc-keyfile-private:
file.managed:
- - name: /etc/bind/dnssec/K{{ dnssec.rndc.name }}.+{{ dnssec.rndc.algo_nr }}+{{ dnssec.rndc.footprint }}.private
+ - name: {{ etc_dir }}/dnssec/K{{ dnssec.rndc.name }}.+{{ dnssec.rndc.algo_nr }}+{{ dnssec.rndc.footprint }}.private
- source: salt://bind/files/rndc.private
- user: root
- group: root
- template: jinja
- backup: minion
- require:
- - file: /etc/bind/dnssec
+ - file: bind-dnssec-dir
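Review bot: `bind-rndc-key` and `rndc-keyfile-private` manage secret material (the rndc HMAC key and the `.private` half of the DNSSEC key) but set no `mode`, so `file.managed` leaves whatever the minion's umask or an earlier run produced, which is typically world-readable 0644; add `- mode: '0640'` to `bind-rndc-key` (owner `bind` so named can read it) and `- mode: '0600'` to `rndc-keyfile-private`, leaving the public `.key` file as is. `backup: minion` on both secret states also keeps every prior version of the key under the minion's file-backup directory, so check whether retaining old secrets there is acceptable or set `backup: False` for these two states. The `dnssec.rndc.*` lookups come from a pillar default of `{}` on the context line above, so rendering fails if the pillar is absent; a guarded `{% if dnssec.get('rndc') %}` around the two keyfile states would make the failure explicit. The state file may continue beyond this hunk.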