From 2c20d27d68cbe87a318455737e1805b2eb5271f4 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Tue, 3 Jan 2017 18:57:31 -0500
Subject: [PATCH] nameserver: Add support for BIND slave nameservers
Signed-off-by: David Galloway
---
 roles/nameserver/README.rst | 18 ++++++++++++++-
 roles/nameserver/tasks/main.yml | 2 ++
 roles/nameserver/templates/named.conf.j2 | 29 ++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/roles/nameserver/README.rst b/roles/nameserver/README.rst
index 63f1b539..3314daac 100644
--- a/roles/nameserver/README.rst
+++ b/roles/nameserver/README.rst
@@ -1,7 +1,7 @@
 nameserver
 ==========
-This role is used to set up and configure a very basic **internal** BIND DNS master server.
+This role is used to set up and configure a very basic **internal** BIND DNS server.
 This role has only been tested on CentOS 7.2 using BIND9.
@@ -71,6 +71,20 @@ Most variables are defined in ``roles/nameserver/defaults/main.yml`` and values | | | | |**NOTE:** Setting to "yes" will add ``allow-recursion { any; }``. See To-Do. | +--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ +|``named_conf_slave: true`` |Will configure the server as a DNS slave if true. This variable is not required but should be set to true in the hostvars | +| |if desired. | +| | | +| |**NOTE:** You must also set ``named_conf_master`` if ``named_conf_slave`` is true. See below. | ++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ +|``named_conf_master: "1.2.3.4"`` |Specifies the master server's IP which zones should be transferred from. Define in hostvars. | ++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ +|:: |A list of hosts or subnets you want to allow zone transfers to. This variable is not required but should be defined in | +| |hostvars if you wish. BIND allows AXFR transfers to anywhere by default. | +| named_conf_allow_axfr: | | +| - localhost |See http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer. | +| - 1.2.3.4 | | +| | | ++--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ |``ddns_keys: {}`` |A dictionary defining each Dynamic DNS zone's authorized key. See **Dynamic DNS** below. 
Defined in an encrypted file in | | |the secrets repo | +--------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ @@ -196,6 +210,8 @@ The records task will not modify the ddns.example.com zone file. For our upstream test lab's purposes, this allows us to combine static and dynamic records in our ``front.sepia.ceph.com`` domain so teuthology_'s ``lab_domain`` variable can remain unchanged.
+This role also configures DNS slaves to accept DDNS updates and will forward them to the master using the ``allow-update-forwarding`` parameter in ``/etc/named.conf``. This is particularly useful in our Sepia lab since our master server can't send ``NOTIFY`` messages directly to the slave. + **NOTE:** Reverse zone Dynamic DNS is not supported at this time. Tags
diff --git a/roles/nameserver/tasks/main.yml b/roles/nameserver/tasks/main.yml
index 4c8d436d..a7a1715b 100644
--- a/roles/nameserver/tasks/main.yml
+++ b/roles/nameserver/tasks/main.yml
@@ -32,3 +32,5 @@
 - include: records.yml
 tags:
 - records
+ when: (named_conf_slave is undefined) or
+ (named_conf_slave is defined and named_conf_slave == false)
diff --git a/roles/nameserver/templates/named.conf.j2 b/roles/nameserver/templates/named.conf.j2
index 5b17d815..f850df92 100644
--- a/roles/nameserver/templates/named.conf.j2
+++ b/roles/nameserver/templates/named.conf.j2
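Review bot: The new `when:` only treats a host as a master when `named_conf_slave` is undefined or compares equal to the boolean `false`, so a string value such as `"true"` or `"yes"` arriving from an inventory file or `-e` skips `records.yml` while, as far as the template hunks below show, the same host still renders `type master` because `"true" == true` is false there as well. Coercing once keeps both files in agreement and reads more plainly: `when: not (named_conf_slave | default(false) | bool)`. The `include` task this condition attaches to is fully visible in the hunk, which sits at the end of the file.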
@@ -15,6 +15,20 @@ options {
 {% if named_conf_recursion == "yes" %}
 allow-recursion { any; };
 {% endif %}
+{% if named_conf_allow_axfr is defined %}
+ allow-transfer { {% for ip in named_conf_allow_axfr -%}{{ ip }}; {% endfor -%} };
+{% endif %}
+
+{% if named_conf_slave is defined and named_conf_slave == true %}
+ ## Slave-specific config
+ # Set these in case named_conf_soa vars are lower than the BIND default.
+ # Forces refresh and retries at the specified intervals.
+ min-refresh-time {{ named_conf_soa_refresh }};
+ max-refresh-time {{ named_conf_soa_refresh }};
+ min-retry-time {{ named_conf_soa_retry }};
+ max-retry-time {{ named_conf_soa_retry }};
+ notify master-only;
+{% endif %}
 };
 logging {
@@ -41,11 +55,20 @@ key "{{ key }}" {
 # Forward zones
 {% for key, zone in named_domains.iteritems() %}
 zone "{{ key }}" {
+{% if named_conf_slave is defined and named_conf_slave == true %}
+ type slave;
+ file "{{ named_conf_dir }}/slaves/{{ key }}";
+ masters { {{ named_conf_master }}; };
+{% if zone.dynamic == true %}
+ allow-update-forwarding { key "{{ key }}"; };
+{% endif %}
+{% else %}
 type master;
 file "{{ named_conf_zones_path }}/{{ key }}";
 {% if zone.dynamic == true %}
 allow-update { key "{{ key }}"; };
 {% endif %}
+{% endif %}
 };
 {% endfor %}
@@ -56,8 +79,14 @@ zone "{{ key }}" {
 {% for reverse in zone.reverse %}
 {% set octet1,octet2,octet3 = reverse.split('.') %}
 zone "{{ octet3 }}.{{ octet2 }}.{{ octet1 }}.in-addr.arpa" {
+{% if named_conf_slave is defined and named_conf_slave == true %}
+ type slave;
+ file "{{ named_conf_dir }}/slaves/{{ reverse }}";
+ masters { {{ named_conf_master }}; };
+{% else %}
 type master;
 file "{{ named_conf_zones_path }}/{{ reverse }}";
+{% endif %}
 };
 {% endfor %}
-- 
2.47.3
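Review bot: `allow-transfer` is only emitted when `named_conf_allow_axfr` is defined, so a host that leaves it unset keeps BIND's built-in default, which the README hunk in this same commit describes as allowing AXFR to anywhere — on the master that hands the entire internal zone to any client that can reach port 53, and a slave inherits the same default. Fail closed instead: add `{% else %}` / `  allow-transfer { none; };` before the `{% endif %}`, and document that a master must list its slaves in `named_conf_allow_axfr` for transfers to work. Each `{{ ip }}` is also interpolated unescaped, so a stray `;` or `}` in a hostvar silently corrupts the options block; a comment such as `# named_conf_allow_axfr entries must be bare IPs, prefixes or ACL names` would at least make that contract explicit. The `options {` block this hunk edits opens before the hunk's first line.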
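Review bot: The slave accepts zone data from `masters { {{ named_conf_master }}; };` on the strength of the source IP alone — no TSIG key is attached to the transfer — so on an internal network anyone able to spoof or hijack that address can replace the zone on the slave. Since this file already renders `key "..."` blocks (the hunk header shows one), a dedicated transfer key would close that gap: `masters { {{ named_conf_master }} key "xfer"; };` here and `allow-transfer { key "xfer"; };` on the master. The `allow-update-forwarding { key "{{ key }}"; };` line looks right as far as the hunk shows, because — as I understand BIND's update forwarding — the forwarded message carries the client's original TSIG signature and the master still applies its own `allow-update` check; a one-line comment saying so would stop the next reader from assuming the slave authenticates the update itself. The `zone` block and its `{% for %}` loop are fully inside the hunk.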
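Review bot: The test `named_conf_slave is defined and named_conf_slave == true` now appears three times in this file (here, in the forward-zone loop and in `options`), and because it compares against the boolean literal, a stringy `"true"` from hostvars renders this reverse zone as `type master` pointing at a zone file that the conditionally skipped records task would never have written. Evaluate it once near the top of the template, `{% set named_is_slave = named_conf_slave | default(false) | bool %}`, and use `{% if named_is_slave %}` in all three places so the three branches cannot drift apart. The `zone.reverse` loop is fully inside the hunk, but the loop that binds `zone` appears to start before it.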