# == Class designate::backend::bind9
#
# Configure bind9 as backend
#
# Declares the ::dns class (optionally with custom rndc controls), writes the
# rndc connection settings into the [backend:bind9] section via
# designate_config, appends 'allow-new-zones' and 'minimal-responses' to the
# named options file, and makes the bind9 working directory group-writable so
# that rndc addzone/delzone can create and remove zone files.
#
# == Parameters
#
# [*rndc_config_file*]
#   (optional) Location of the rndc configuration file.
#   Defaults to '/etc/rndc.conf'
#
# [*rndc_key_file*]
#   (optional) Location of the rndc key file.
#   NOTE(review): this key is what authorizes Designate's zone changes through
#   rndc — confirm its file permissions are restricted to the intended users.
#   Defaults to '/etc/rndc.key'
#
# [*rndc_host*]
#   (optional) Host running DNS service.
#   Defaults to '127.0.0.1'
#
# [*rndc_port*]
#   (optional) Port used to reach rndc on rndc_host (the rndc control
#   channel, not the DNS query port).
#   Defaults to '953'
#
# [*rndc_controls*]
#   (optional) Hash defining controls configuration for rndc, passed through
#   as the 'controls' parameter of the ::dns class.
#   Defaults to undef, which uses the puppet-dns default
#
class designate::backend::bind9 (
  $rndc_host        = '127.0.0.1',
  $rndc_port        = '953',
  $rndc_config_file = '/etc/rndc.conf',
  $rndc_key_file    = '/etc/rndc.key',
  $rndc_controls    = undef,
) {

  include ::designate::deps
  include ::designate

  # Use the resource-like declaration only when controls are supplied;
  # otherwise a plain include leaves the puppet-dns defaults in place.
  if $rndc_controls {
    class { '::dns':
      controls => $rndc_controls,
    }
  } else {
    include ::dns
  }

  # rndc connection settings read by Designate's bind9 backend.
  designate_config {
    'backend:bind9/rndc_host'        : value => $rndc_host;
    'backend:bind9/rndc_port'        : value => $rndc_port;
    'backend:bind9/rndc_config_file' : value => $rndc_config_file;
    'backend:bind9/rndc_key_file'    : value => $rndc_key_file;
  }

  # Required so Designate can create zones at runtime with rndc addzone.
  # NOTE(review): once enabled, any client that authenticates to rndc can add
  # or remove zones — confirm rndc_controls and the key file limit that to the
  # intended hosts.
  concat::fragment { 'dns allow-new-zones':
    target  => $::dns::optionspath,
    content => 'allow-new-zones yes;',
    order   => '20',
  }

  # Recommended by Designate docs as a mitigation for potential cache
  # poisoning attacks:
  # https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
  concat::fragment { 'dns minimal-responses':
    target  => $::dns::optionspath,
    content => 'minimal-responses yes;',
    order   => '21',
  }

  # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
  # Debian. Both groups only have read access but require write permission in
  # order to be able to use rndc addzone/delzone commands that Designate uses.
  # Only the group bit is widened; owner and world permissions are untouched.
  # NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
  # removing this from puppet-openstack-integration. Once that has been done
  # the ensure_resource wrapper could be removed.
  ensure_resource('file', $::dns::params::vardir, {
    mode    => 'g+w',
    require => Package[$::dns::params::dns_server_package]
  })
}