- Description
- Setup - The basics of getting started with bind
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module manages the BIND Name Server on Debian and Ubuntu. The module supports setting up a Caching Name Server or an Authoritative Name Server using primary and secondary zones.
The module manages the named
process and related service files. It also managed the configuration and zone files. On Debian and Ubuntu these files are below the /etc/bind
, /var/lib/bind
and /var/cache/bind
directories. The module uses a multi-level directory tree below /var/lib/bind
and /var/cache/bind
to separate primary and secondary zone files.
The module uses the stdlib
and concat
modules. It is tested on Debian and Ubuntu using Puppet 8.
Set up a caching name server on localhost:
class { 'bind':
listen_on => [ '127.0.0.1', ],
listen_on_v6 => [ 'none', ],
allow_query => [ 'localhost', ],
allow_query_cache => [ 'localhost', ],
allow_recursion => [ 'localhost', ],
}
Or with hiera
bind::listen_on: 127.0.0.1
bind::listen_on_v6: none
bind::allow_query: localhost
bind::allow_query_cache: localhost
bind::allow_recursion: localhost
Set up a caching name server that provides recursive name resolution for a local subnet:
class { 'bind':
allow_query => [ 'localhost', 'lan', ],
allow_query_cache => [ 'localhost', 'lan', ],
allow_recursion => [ 'localhost', 'lan', ],
}
bind::acl { 'lan':
address_match_list => [ '192.168.10.0/24' ],
}
Or with hiera
bind::allow_query:
- localhost
- lan
bind::allow_query_cache:
- localhost
- lan
bind::allow_recursion:
- localhost
- lan
bind::acls:
lan:
address_match_list: 192.168.10.0/24
Set up a caching name server that provides recursive name resolution for a local subnet and uses forwarders:
class { 'bind':
allow_query => [ 'localhost', '10/8', ],
allow_query_cache => [ 'localhost', '10/8', ],
allow_recursion => [ 'localhost', '10/8', ],
forwarders => [ '10.0.0.53', '10.1.1.53', ],
}
Or with hiera
bind::allow_query:
- localhost
- 10/8
bind::allow_query_cache:
- localhost
- 10/8
bind::allow_recursion:
- localhost
- 10/8
bind::forwarders:
- 10.0.0.53
- 10.1.1.53
Add a primary zone for the example.com
domain and manage the zone file using Puppet:
bind::zone::primary { 'example.com':
source => 'puppet:///modules/profile/dns/example.com.zone',
}
Or with hiera
bind::zone::primaries:
example.com:
source: 'puppet:///modules/profile/dns/example.com.zone'
The zone file will be managed on the server as /var/lib/bind/primary/com/example/db.example.com
. This tree structure is better than a flat directory structure if many zones will be managed by the server.
Add a primary zone for the example.com
domain and allow dynamic updates using a generated key called nsupdate
:
bind::key { 'nsupdate':
secret => 'TopSecret',
keyfile => '/etc/bind/nsupdate.key',
}
bind::zone::primary { 'example.com':
update_policy => ['grant nsupdate zonesub any'],
content => epp("profile/dynamic-zone-template.epp", $params),
}
Or with hiera
bind::keys:
nsupdate:
secret: TopSecret
keyfile: /etc/bind/nsupdate.key
bind::zone::primaries:
example.com:
update_policy: grant nsupdate zonesub any
content: 'epp("profile/dynamic-zone-template.epp", $params)'
If the zone file /var/lib/bind/primary/com/example/db.example.com
does not exist on the name server, a new file will be created using the specified template. After that the file content can not be managed by Puppet as named
will periodically need to update the zone file when processing dynamic updates. The source
or content
parameters are ignored in this case.
Manual updates to the zone file will have to be done locally on the name server. Remember that you need to use rndc freeze example.com
and rndc thaw example.com
when editing the zone file manually.
Create a new DNSSEC policy named standard
with a Combined Signing Key (CSK) and use the policy to create a DNSSEC signed zone:
bind::dnssec_policy { 'standard':
csk_lifetime => 'unlimited',
csk_algorithm => 'ecdsap256sha256',
}
bind::zone::primary { 'example.net':
dnssec_policy => 'standard',
inline_signing => true,
source => 'puppet:///modules/profile/dns/example.net.zone',
}
Or with hiera
bind::dnssec_policies:
standard:
csk_lifetime: unlimited
csk_algorithm: ecdsap256sha256
bind::zone::primaries:
example.net:
dnssec_policy: standard
inline_signing: true
source: 'puppet:///modules/profile/dns/example.net.zone'
}
DNSSEC policies are available with Bind 9.16 and later.
The view internal
allow recursive DNS resolution for all hosts on the local network.
bind::view { 'internal':
match_clients => [ 'localnets', ],
allow_query => [ 'localnets', ],
allow_recursion => [ 'localnets', ],
recursion => true,
order => '10',
}
Or with hiera
bind::views:
internal:
match_clients: localnets
allow_query: localnets
allow_recursion: localnets
recursion: true
order: 10
The view external
is for all other hosts and should only be used for your primary or secondary zones.
bind::view { 'external':
match_clients => [ 'any', ],
allow_query => [ 'any', ],
recursion => false,
localhost_forward_enable => false,
localhost_reverse_enable => false,
order => '20',
}
Or with hiera
bind::views:
external:
match_clients: any
allow_query: any
recursion: false
localhost_forward_enable: false
localhost_reverse_enable: false
order: 20
The defined types bind::zone::primary
and bind::zone::secondary
can be used to add zones to this view.
See REFERENCE.md
Not all BIND features are currently implemented as I started with the options I needed myself. Some options are not yet available and features like DNSSEC are not well tested.
Creating DNSSEC keys manually using the dnssec_key
type with automatic rollover is discouraged. The defined type bind::dnssec_policy
should be used instead.
You may open Github issues for this module if you need additional options currently not available.
Feel free to send pull requests for new features.