From 2815d016a52823fe9daa3fd718b804fca4559a92 Mon Sep 17 00:00:00 2001
From: colonelpanik
Date: Thu, 30 Dec 2021 05:40:03 -0800
Subject: [PATCH 1/5] Allow a simple override to allow the logging directive to be user supplied
---
 manifests/init.pp | 1 +
 templates/configfile.erb | 68 +++++++++++++++++++++-------------------
 2 files changed, 37 insertions(+), 32 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index b6822a1..f640ac4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -49,6 +49,7 @@
 $max_ncache_ttl = undef,
 $nnotify = undef,
 $logging = undef,
+ $logging_config = undef,
 $zone = [],
 $include = [],
 ) inherits ::bind::params {
diff --git a/templates/configfile.erb b/templates/configfile.erb
index 5ce533a..c44c189 100644
--- a/templates/configfile.erb
+++ b/templates/configfile.erb
@@ -9,25 +9,25 @@ acl <%= key %> {
 <% end -%>
 options {
 <% if @listen_on -%>
- listen-on <%= @listen_on %>;
+ listen-on <%= @listen_on %>;
 <% end -%>
 <% if @listen_on_v6 -%>
- listen-on-v6 <%= @listen_on_v6 %>;
+ listen-on-v6 <%= @listen_on_v6 %>;
 <% end -%>
 <% if @directory -%>
- directory <%= @directory %>;
+ directory <%= @directory %>;
 <% end -%>
 <% if @dump_file -%>
- dump-file <%= @dump_file %>;
+ dump-file <%= @dump_file %>;
 <% end -%>
 <% if @statistics_file -%>
- statistics-file <%= @statistics_file %>;
+ statistics-file <%= @statistics_file %>;
 <% end -%>
 <% if @memstatistics_file -%>
- memstatistics-file <%= @memstatistics_file %>;
+ memstatistics-file <%= @memstatistics_file %>;
 <% end -%>
 <% if @allow_query -%>
- allow-query <%= @allow_query %>;
+ allow-query <%= @allow_query %>;
 <% end -%>
 <% if @allow_update -%>
 allow-update <%= @allow_update %>;
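Review bot: `$logging_config = undef` is added with no documentation of what the value is, and the configfile.erb hunk in this same patch emits it verbatim into named.conf, so the parameter is effectively raw BIND configuration supplied by the caller and only takes effect when `$logging` is also set. The class header comment that precedes `class bind (` lies outside this hunk; it should gain a line such as `# $logging_config - complete logging { ... } block inserted as-is into the generated config; ignored unless $logging is set`. Stating the trust boundary there is what tells a reader that the value is not validated by the module.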
@@ -39,70 +39,74 @@ options {
 blackhole <%= @blackhole %>;
 <% end -%>
- /*
- - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- - If you are building a RECURSIVE (caching) DNS server, you need to enable
- recursion.
- - If your recursive DNS server has a public IP address, you MUST enable access
- control to limit queries to your legitimate users. Failing to do so will
- cause your server to become part of large scale DNS amplification
- attacks. Implementing BCP38 within your network would greatly
- reduce such attack surface
- */
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
 <% if @recursion -%>
- recursion <%= @recursion %>;
+ recursion <%= @recursion %>;
 <% end -%>
 <% if @allow_recursion -%>
- allow-recursion <%= @allow_recursion %>
+ allow-recursion <%= @allow_recursion %>
 <% end -%>
 <% if @dnssec_enable -%>
- dnssec-enable <%= @dnssec_enable %>;
+ dnssec-enable <%= @dnssec_enable %>;
 <% end -%>
 <% if @dnssec_validation -%>
- dnssec-validation <%= @dnssec_validation %>;
+ dnssec-validation <%= @dnssec_validation %>;
 <% end -%>
 <% if @bindkeys_file -%>
- bindkeys-file <%= @bindkeys_file %>;
+ bindkeys-file <%= @bindkeys_file %>;
 <% end -%>
 <% if @managed_keys_directory -%>
- managed-keys-directory <%= @managed_keys_directory %>;
+ managed-keys-directory <%= @managed_keys_directory %>;
 <% end -%>
 <% if @pid_file -%>
- pid-file <%= @pid_file %>;
+ pid-file <%= @pid_file %>;
 <% end -%>
 <% if @session_keyfile -%>
- session-keyfile <%= @session_keyfile %>;
+ session-keyfile <%= @session_keyfile %>;
<% end -%>
 <% if @auth_nxdomain -%>
- auth-nxdomain <%= @auth_nxdomain %>;
+ auth-nxdomain <%= @auth_nxdomain %>;
 <% end -%>
 <% if @version -%>
- version <%= @version %>;
+ version <%= @version %>;
 <% end -%>
 <% if @server_id -%>
- server-id <%= @server_id %>;
+ server-id <%= @server_id %>;
 <% end -%>
 <% if @cleaning_interval -%>
- cleaning-interval <%= @cleaning_interval %>;
+ cleaning-interval <%= @cleaning_interval %>;
 <% end -%>
 <% if @interface_interval -%>
- interface-interval <%= @interface_interval %>;
+ interface-interval <%= @interface_interval %>;
 <% end -%>
 <% if @max_ncache_ttl -%>
- max-ncache-ttl <%= @max_ncache_ttl %>;
+ max-ncache-ttl <%= @max_ncache_ttl %>;
 <% end -%>
 <% if @nnotify -%>
- notify <%= @nnotify %>;
+ notify <%= @nnotify %>;
 <% end -%>
 };
 <% if @logging -%>
+<% if @logging_config -%>
+<%= @logging_config %>
+<% else -%>
 logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
 };
+<% end -%>
 <% end -%>
 <% if !@zone.empty? -%>
 <% @zone.each do |key,value| -%>
From a019aea92e057d72d5d9ff5696762a13bf1720c1 Mon Sep 17 00:00:00 2001
From: colonelpanik
Date: Thu, 30 Dec 2021 07:23:11 -0800
Subject: [PATCH 2/5] Fix multi-distro support and unused param that throws errors
---
 manifests/init.pp | 14 +++++++-------
 manifests/params.pp | 2 ++
 templates/zone_file.erb | 10 +++++-----
 3 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index f640ac4..9847104 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -19,9 +19,9 @@
 class bind (
 $package_name = $::bind::params::package_name,
+ $service_name = $::bind::params::service_name,
 $config_file = $::bind::params::config_file,
 $template = 'bind/configfile.erb',
- $template_local = $::bind::params::template_local,
 $acl = [],
 $listen_on = undef,
 $listen_on_v6 = undef,
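Review bot: The re-indented `allow-recursion <%= @allow_recursion %>` line still lacks the terminating `;` that every other option statement in this hunk carries, so unless callers put the terminator inside the value the generated named.conf does not parse and named will not start; change it to `allow-recursion <%= @allow_recursion %>;`. Separately, the new `<% if @logging_config -%>` branch sits inside `<% if @logging -%>`, so a caller who sets only `$logging_config` gets no logging block at all; either document that `$logging` must also be set or test `<% if @logging || @logging_config -%>` on the outer condition. Because `<%= @logging_config %>` is inserted as-is, a template comment such as `<%# logging_config is raw BIND syntax and is not validated by this module -%>` would make that explicit to the next reader.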
@@ -53,16 +53,16 @@
 $zone = [],
 $include = [],
 ) inherits ::bind::params {
- package { $package_name: ensure => installed }
+ package { $package_name:
+ ensure => installed
+ }
 file { $config_file:
 require => Package[$package_name],
 backup => '.backup',
 content => template($template),
 }
- if $::osfamily == 'RedHat' {
- service { 'named':
- require => Package[$package_name],
- enable => true,
- }
+ service { $service_name:
+ require => [ Package[$package_name], File[$config_file] ]
+ enable => true,
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index e68fbfa..1a0cd2d 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -4,11 +4,13 @@
 $config_file = '/etc/named.conf'
 $zonedir = '/var/named/'
 $zonegroup = 'named'
+ $service_name = 'named'
 } elsif $::osfamily == 'Debian' {
 $package_name = [ 'bind9' ]
 $config_file = '/etc/bind/named.conf'
 $zonedir = '/etc/bind/zones/'
 $zonegroup = 'bind'
+ $service_name = 'bind9'
 }
 }
diff --git a/templates/zone_file.erb b/templates/zone_file.erb
index 6fc65fc..4d8f1c2 100644
--- a/templates/zone_file.erb
+++ b/templates/zone_file.erb
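Review bot: The new `service { $service_name: … }` only `require`s `File[$config_file]`; nothing subscribes to the config file, so a changed named.conf is written to disk but named keeps running with the old configuration until something else restarts it, and an ACL or recursion change pushed through this module does not take effect. Add `notify => Service[$service_name],` to `file { $config_file: … }` (or `subscribe => File[$config_file],` on the service). The same gap is carried through the service hunks in patches 3 and 4 and applies to the sysconfig file added in patch 5.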
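Review bot: With `$service_name` now used as a resource title in init.pp, the `if`/`elsif` chain in params.pp still has no `else` branch (the hunk closes the `Debian` block and then the class directly), so on any other `$::osfamily` the title is undef and catalog compilation presumably fails with an error that does not name the real cause. Add `} else { fail("bind: unsupported osfamily ${::osfamily}") }` after the `Debian` block so the unsupported platform is reported directly.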
@@ -1,11 +1,11 @@
 $TTL <% if @ttl -%><%= @ttl %><% else -%>1D<% end -%>
 @ IN SOA <% if @nameserver -%><%= @nameserver %><% else -%>@<% end -%> <% if @admin -%><%= @admin %><% else -%>rname.invalid.<% end -%> (
- <% if @serial -%><%= @serial %><% else -%>0<% end -%> ; serial
- <% if @refresh -%><%= @refresh %><% else -%>1D<% end -%> ; refresh
- <% if @retry -%><%= @retry %><% else -%>1H<% end -%> ; retry
- <% if @expire -%><%= @expire %><% else -%>1W<% end -%> ; expire
- <% if @minimum -%><%= @minimum %><% else -%>3H<% end -%> ) ; minimum
+ <% if @serial -%><%= @serial %><% else -%>0<% end -%> ; serial
+ <% if @refresh -%><%= @refresh %><% else -%>1D<% end -%> ; refresh
+ <% if @retry -%><%= @retry %><% else -%>1H<% end -%> ; retry
+ <% if @expire -%><%= @expire %><% else -%>1W<% end -%> ; expire
+ <% if @minimum -%><%= @minimum %><% else -%>3H<% end -%> ) ; minimum
 <% if !@records.empty? -%>
 <% @records.each do |record| -%>
 <%= record %>
From 2468ea9960029964946295a078da465b0c90dff4 Mon Sep 17 00:00:00 2001
From: colonelpanik
Date: Thu, 30 Dec 2021 07:38:36 -0800
Subject: [PATCH 3/5] Fix syntax error and reorder require to bottom for neatness
---
 manifests/init.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 9847104..62996ae 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -57,12 +57,12 @@
 ensure => installed
 }
 file { $config_file:
- require => Package[$package_name],
 backup => '.backup',
 content => template($template),
+ require => Package[$package_name],
 }
 service { $service_name:
- require => [ Package[$package_name], File[$config_file] ]
 enable => true,
+ require => [ Package[$package_name], File[$config_file] ],
 }
 }
From 4a31082116b1178f4036f8088e5c89bde5a772cf Mon Sep 17 00:00:00 2001
From: colonelpanik
Date: Mon, 10 Jan 2022 05:21:19 -0800
Subject: [PATCH 4/5] Add params to ensure named running
---
 manifests/init.pp | 47 ++++++++++++++++++++++--------------------
 manifests/zone_file.pp | 28 ++++++++++++-------------
 2 files changed, 39 insertions(+), 36 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 62996ae..cbafca2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -18,38 +18,40 @@
 #
 class bind (
- $package_name = $::bind::params::package_name,
- $service_name = $::bind::params::service_name,
- $config_file = $::bind::params::config_file,
- $template = 'bind/configfile.erb',
 $acl = [],
- $listen_on = undef,
- $listen_on_v6 = undef,
- $directory = undef,
- $dump_file = undef,
- $statistics_file = undef,
- $memstatistics_file = undef,
 $allow_query = undef,
+ $allow_recursion = undef,
 $allow_update = undef,
 $allow_transfer = undef,
+ $auth_nxdomain = undef,
+ $bindkeys_file = undef,
 $blackhole = undef,
- $recursion = undef,
- $allow_recursion = undef,
+ $cleaning_interval = undef,
+ $config_file = $::bind::params::config_file,
+ $directory = undef,
 $dnssec_enable = undef,
 $dnssec_validation = undef,
- $bindkeys_file = undef,
+ $dump_file = undef,
+ $enable = true,
+ $ensure = 'running',
+ $interface_interval = undef,
+ $template = 'bind/configfile.erb',
+ $listen_on = undef,
+ $listen_on_v6 = undef,
+ $logging = undef,
+ $logging_config = undef,
 $managed_keys_directory = undef,
+ $max_ncache_ttl = undef,
+ $memstatistics_file = undef,
+ $nnotify = undef,
+ $package_name = $::bind::params::package_name,
 $pid_file = undef,
+ $recursion = undef,
 $session_keyfile = undef,
- $auth_nxdomain = undef,
- $version = undef,
 $server_id = undef,
- $cleaning_interval = undef,
- $interface_interval = undef,
- $max_ncache_ttl = undef,
- $nnotify = undef,
- $logging = undef,
- $logging_config = undef,
+ $service_name = $::bind::params::service_name,
+ $statistics_file = undef,
+ $version = undef,
 $zone = [],
 $include = [],
 ) inherits ::bind::params {
@@ -62,7 +64,8 @@
 require => Package[$package_name],
 }
 service { $service_name:
- enable => true,
+ enable => $enable,
+ ensure => $ensure,
 require => [ Package[$package_name], File[$config_file] ],
 }
 }
diff --git a/manifests/zone_file.pp b/manifests/zone_file.pp
index b4d3b54..479fa60 100644
--- a/manifests/zone_file.pp
+++ b/manifests/zone_file.pp
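Review bot: The re-sorted parameter list places `$template = 'bind/configfile.erb'` between `$interface_interval` and `$listen_on`, breaking the alphabetical order the rest of the hunk establishes; it belongs between `$statistics_file` and `$version`. The new `$enable = true` and `$ensure = 'running'` are handed straight to the `service` resource in the second hunk of this file and are not described anywhere in the hunk; the `#` header block that precedes `class bind (` (its body is outside this hunk) should gain `# $ensure - service state passed to the service resource ('running' or 'stopped'), default 'running'` and `# $enable - whether the service is enabled at boot, default true`. No value check is visible for either, which is consistent with the rest of the untyped parameter list, so I would at least document the accepted values.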
@@ -1,18 +1,18 @@
 define bind::zone_file (
- $package_name = $::bind::params::package_name,
- $template = 'bind/zone_file.erb',
- $zonedir = $::bind::params::zonedir,
- $zonegroup = $::bind::params::zonegroup,
- $file_name = undef,
- $nameserver = undef,
- $admin = undef,
- $ttl = undef,
- $serial = undef,
- $refresh = undef,
- $retry = undef,
- $expire = undef,
- $minimum = undef,
- $records = [],
+ $package_name = $::bind::params::package_name,
+ $template = 'bind/zone_file.erb',
+ $zonedir = $::bind::params::zonedir,
+ $zonegroup = $::bind::params::zonegroup,
+ $file_name = undef,
+ $nameserver = undef,
+ $admin = undef,
+ $ttl = undef,
+ $serial = undef,
+ $refresh = undef,
+ $retry = undef,
+ $expire = undef,
+ $minimum = undef,
+ $records = [],
 ) {
 include bind::params
 if ! defined(File[$zonedir]) {
From 8bb98ff2446c5793e46acf04eb80b0435684d3bb Mon Sep 17 00:00:00 2001
From: colonelpanik
Date: Tue, 11 Jan 2022 13:26:35 -0800
Subject: [PATCH 5/5] Allow some sysconfig params to be passed in and disable v6 by default
---
 manifests/init.pp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/manifests/init.pp b/manifests/init.pp
index cbafca2..f0c8d24 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -51,6 +51,7 @@
 $server_id = undef,
 $service_name = $::bind::params::service_name,
 $statistics_file = undef,
+ $sysconfig_params = ['OPTIONS="-4"'],
 $version = undef,
 $zone = [],
 $include = [],
@@ -68,4 +69,13 @@
 ensure => $ensure,
 require => [ Package[$package_name], File[$config_file] ],
 }
+ if $sysconfig_params {
+ $params = join($sysconfig_params, "\n")
+ file { '/etc/sysconfig/named':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ content => $params
+ }
+ }
 }
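Review bot: The new `file { '/etc/sysconfig/named': … }` hard-codes a RedHat-family path even though params.pp (patch 2) also supports a `Debian` family whose service does not read that location, so on Debian the resource creates an unused file and the default `OPTIONS="-4"` never reaches named. The path should come from params.pp per osfamily like the other paths do, and because the file changes daemon start-up options the resource should `notify` the service, which it currently does not. Two smaller points: `$params` is joined without a trailing newline, and `if $sysconfig_params` is true for an empty array on Puppet 4 and later, so `[]` would still manage the file; `empty()` mirrors the `!@zone.empty?` test the templates already use. Sketch below (`$sysconfig_file` is a suggested new per-osfamily params.pp value, not something the module defines today):
```puppet
  # … unchanged: service { $service_name: … } …
  if $sysconfig_file and !empty($sysconfig_params) {
    $params = join($sysconfig_params, "\n")
    file { $sysconfig_file:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => "${params}\n",
      notify  => Service[$service_name],
    }
  }
```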