nameserver: Add support for BIND slave nameservers 300/head
authorDavid Galloway <dgallowa@redhat.com>
Tue, 3 Jan 2017 23:57:31 +0000 (18:57 -0500)
committerDavid Galloway <dgallowa@redhat.com>
Thu, 5 Jan 2017 20:36:23 +0000 (15:36 -0500)
Signed-off-by: David Galloway <dgallowa@redhat.com>
roles/nameserver/README.rst
roles/nameserver/tasks/main.yml
roles/nameserver/templates/named.conf.j2

index 63f1b539e19615a7d73488365f6a9f7255e5c910..3314daac7163cc147a80c5e373a053fb44ea8f2d 100644 (file)
@@ -1,7 +1,7 @@
 nameserver
 ==========
 
-This role is used to set up and configure a very basic **internal** BIND DNS master server.
+This role is used to set up and configure a very basic **internal** BIND DNS server.
 
 This role has only been tested on CentOS 7.2 using BIND9.
 
@@ -71,6 +71,20 @@ Most variables are defined in ``roles/nameserver/defaults/main.yml`` and values
 |                                                        |                                                                                                                           |
 |                                                        |**NOTE:** Setting to "yes" will add ``allow-recursion { any; }``. See To-Do.                                               |
 +--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
+|``named_conf_slave: true``                              |Will configure the server as a DNS slave if true.  This variable is not required but should be set to true in the hostvars |
+|                                                        |if desired.                                                                                                                |
+|                                                        |                                                                                                                           |
+|                                                        |**NOTE:** You must also set ``named_conf_master`` if ``named_conf_slave`` is true.  See below.                             |
++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
+|``named_conf_master: "1.2.3.4"``                        |Specifies the master server's IP which zones should be transferred from.  Define in hostvars.                              |
++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
+|::                                                      |A list of hosts or subnets you want to allow zone transfers to.  This variable is not required but should be defined in    |
+|                                                        |hostvars if you wish.  BIND allows AXFR transfers to anywhere by default.                                                  |
+|  named_conf_allow_axfr:                                |                                                                                                                           |
+|    - localhost                                         |See http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer.                                                          |
+|    - 1.2.3.4                                           |                                                                                                                           |
+|                                                        |                                                                                                                           |
++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
 |``ddns_keys: {}``                                       |A dictionary defining each Dynamic DNS zone's authorized key.  See **Dynamic DNS** below.  Defined in an encrypted file in |
 |                                                        |the secrets repo                                                                                                           |
 +--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+
@@ -196,6 +210,8 @@ The records task will not modify the ddns.example.com zone file.
 
 For our upstream test lab's purposes, this allows us to combine static and dynamic records in our ``front.sepia.ceph.com`` domain so teuthology_'s ``lab_domain`` variable can remain unchanged.
 
+This role also configures DNS slaves to accept DDNS updates and will forward them to the master using the ``allow-update-forwarding`` parameter in ``/etc/named.conf``.  This is particularly useful in our Sepia lab since our master server can't send ``NOTIFY`` messages directly to the slave.
+
 **NOTE:** Reverse zone Dynamic DNS is not supported at this time.
 
 Tags
index 4c8d436ddcb0ed0f7147c2693280e052939007ed..a7a1715b14770780d34bcb7993e6c42c9b55673a 100644 (file)
@@ -32,3 +32,5 @@
 - include: records.yml
   tags:
     - records
+  when: (named_conf_slave is undefined) or
+        (named_conf_slave is defined and named_conf_slave == false)
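Review bot: The `when:` added to the records include compares `named_conf_slave` against the literal boolean `false`, so a value that arrives as a string (for example `named_conf_slave=true` from an INI inventory rather than YAML hostvars) matches neither branch the README describes; the same literal comparison is repeated in named.conf.j2 at L68, L85 and L106. Coercing once covers both spellings and reads simpler: `when: not (named_conf_slave | default(false) | bool)`. The include block this condition belongs to starts inside the hunk at L54, so nothing outside it is affected.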
index 5b17d8152ea7daca2aa8a689de0d8367cb00ebd7..f850df9252be31dc89cbdeb1ca449f9bfc1a007d 100644 (file)
@@ -15,6 +15,20 @@ options {
 {% if named_conf_recursion == "yes" %}
        allow-recursion         { any; };
 {% endif %}
+{% if named_conf_allow_axfr is defined %}
+       allow-transfer          { {% for ip in named_conf_allow_axfr -%}{{ ip }}; {% endfor -%} };
+{% endif %}
+
+{% if named_conf_slave is defined and named_conf_slave == true %}
+       ## Slave-specific config
+       # Set these in case named_conf_soa vars are lower than the BIND default.
+       # Forces refresh and retries at the specified intervals.
+       min-refresh-time        {{ named_conf_soa_refresh }};
+       max-refresh-time        {{ named_conf_soa_refresh }};
+       min-retry-time          {{ named_conf_soa_retry }};
+       max-retry-time          {{ named_conf_soa_retry }};
+       notify                  master-only;
+{% endif %}
 };
 
 logging {
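Review bot: When `named_conf_allow_axfr` is undefined the template emits no `allow-transfer` statement at all, so the server keeps BIND's default of answering AXFR requests from any client; the README change in this commit documents that default rather than closing it. Making transfers opt-in is two lines in the same block: `{% else %}` followed by `allow-transfer { none; };`, after which a master lists its slaves in `named_conf_allow_axfr` exactly as the README already suggests. The `options` block this hunk extends starts before the hunk.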
@@ -41,11 +55,20 @@ key "{{ key }}" {
 # Forward zones
 {% for key, zone in named_domains.iteritems() %}
 zone "{{ key }}" {
+{% if named_conf_slave is defined and named_conf_slave == true %}
+       type    slave;
+       file    "{{ named_conf_dir }}/slaves/{{ key }}";
+       masters { {{ named_conf_master }}; };
+{% if zone.dynamic == true %}
+       allow-update-forwarding { key "{{ key }}"; };
+{% endif %}
+{% else %}
        type    master;
        file    "{{ named_conf_zones_path }}/{{ key }}";
 {% if zone.dynamic == true %}
        allow-update { key "{{ key }}"; };
 {% endif %}
+{% endif %}
 };
 
 {% endfor %}
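Review bot: The slave branch stores transferred zones under `{{ named_conf_dir }}/slaves/{{ key }}` (and the reverse zones at L108 do the same), a directory that must exist and be writable by the named user or the transfer cannot be saved; the tasks/main.yml hunk in this commit does not create it, so it presumably relies on the `slaves/` directory the bind package ships under its default data directory, which only holds if `named_conf_dir` is left at that default. A comment here would make the dependency visible, e.g. `{# slaves/ must exist and be writable by named; created by the bind package only under the default directory #}`, or a `file` task in the role if `named_conf_dir` is meant to be overridable. The `for` loop over `named_domains` opens at L83 and closes at L101, both inside this hunk.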
@@ -56,8 +79,14 @@ zone "{{ key }}" {
 {% for reverse in zone.reverse %}
 {% set octet1,octet2,octet3 = reverse.split('.') %}
 zone "{{ octet3 }}.{{ octet2 }}.{{ octet1 }}.in-addr.arpa" {
+{% if named_conf_slave is defined and named_conf_slave == true %}
+       type    slave;
+       file    "{{ named_conf_dir }}/slaves/{{ reverse }}";
+       masters { {{ named_conf_master }}; };
+{% else %}
        type    master;
        file    "{{ named_conf_zones_path }}/{{ reverse }}";
+{% endif %}
 };
 
 {% endfor %}