Enable recursion when requested by forwarders or users

Forwarders do not work unless recursion is enabled. Also, allow users to set recursion explicitly when they want BIND9 set up by the charm to act as a full-service resolver. Documentation has been updated to warn users to set ACLs when enabling forwarders or recursion to avoid it from being a open resolver. Change-Id: I53d53decbbae12e0b743aa34421d63a5a5c892f1 Closes-Bug: #1776952 Co-Authored-By: Pedro <pedro.guimaraes@canonical.com>
2018-07-23 11:24:54 +09:00 · 2018-07-23 11:24:54 +09:00 · 4132f05db4
parent af9f3e79b5
commit 4132f05db4
3 changed files with 79 additions and 6 deletions
--- a/src/README.md
+++ b/src/README.md
@ -10,6 +10,29 @@ designate-bind relies on designate charm.
    juju deploy designate
    juju add-relation designate designate-bind

+## Recursion and forwarders
+
+By default, this charm only resolves names in zones managed by
+Designate. You can optionally enable recursion or forwarders to resolve
+names outside of Designate, such as google.com or archive.ubuntu.com.
+
+Recursion and forwarders should be enabled with extra care. You should
+also enable ACLs with allowed_nets and/or allowed_recursion_nets.
+Otherwise, the DNS server may be open for anyone which could be used for
+some attacks as an open resolver.
+
+For example, when you want to allow DNS clients in local networks only,
+and use 8.8.8.8 and 8.8.4.4 as upstream DNS servers, You can set charm
+options like:
+
+    juju config designate-bind allowed_nets='10.0.0.0/8;172.16.0.0/12;192.168.0.0/16'
+    juju config designate-bind forwarders='8.8.8.8;8.8.4.4'
+
+Or if you want to use BIND9 set up by the charm as a full-service resolver, set the following options for example:
+
+    juju config designate-bind allowed_nets='10.0.0.0/8;172.16.0.0/12;192.168.0.0/16'
+    juju config designate-bind recursion=true
+
 # Network Space support

 This charm supports the use of Juju Network Spaces, allowing the charm
--- a/src/config.yaml
+++ b/src/config.yaml
@ -3,10 +3,38 @@ options:
    default: ""
    type: string
    description: |
-      String containing a list of allowed networks, separated by semicolons: e.g., "10.172.0.0/16;10.10.0.0/18"
+      String containing a list of allowed networks of hosts for DNS
+      queries, separated by semicolons: e.g.,
+      "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16". The option is
+      equivalent to "allow-query" in BIND9. If not specified, the
+      default is to allow queries from all hosts.
+  allowed_recursion_nets:
+    default: ""
+    type: string
+    description: |
+      String containing a list of allowed networks of hosts for
+      recursive queries through the designate-bind servers, spearated by
+      semicolons: e.g., "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16". The
+      option is equivalent to "allow-recursion" in BIND9. If
+      allowed_recursion_nets is not set then allowed_nets is used if
+      set, otherwise any will be set to allow recursive queries from all
+      hosts.
  forwarders:
    default: ""
    type: string
    description: |
-      String containing a list of forwarders, separated by semicolons: e.g., "8.8.8.8;10.1.1.1"
-
+      String containing a list of forwarders, separated by semicolons:
+      e.g., "8.8.8.8;8.8.4.4". As non-empty forwarders option implies
+      recursion, recursive queries will be enabled regardless of the
+      value set in the recursion option. When using this option, ACLs
+      should be used with allowed_nets and/or allowed_recursion_nets to
+      prevent it from being a open resolver.
+  recursion:
+    default: false
+    type: boolean
+    description: |
+      Whether or not to enable recursive queries with BIND9 itself to be
+      installed by the charm. The option is equivalent to "recursion" in
+      BIND9. When using this option, ACLs should be used with
+      allowed_nets and/or allowed_recursion_nets to prevent it from
+      being a open resolver.
--- a/src/templates/named.conf.options
+++ b/src/templates/named.conf.options
@ -2,8 +2,14 @@
 acl allow_query {
        {{ options.allowed_nets }};
 };
+{%- endif %}
+
+{% if options.allowed_recursion_nets -%}
+acl allow_recursion {
+        {{ options.allowed_recursion_nets }};
+};
+{%- endif %}

-{% endif -%}
 options {
        directory "/var/cache/bind";

@ -20,7 +26,9 @@ options {
        forwarders {
            {{ options.forwarders }};
        };
-        {% endif -%}
+        forward only;
+        {%- endif %}
+
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
@ -31,11 +39,25 @@ options {
        listen-on-v6 { any; };
        allow-new-zones yes;
        request-ixfr no;
+        {% if options.forwarders or options.recursion -%}
+        recursion yes;
+
+        {% if options.allowed_recursion_nets -%}
+        allow-recursion { allow_recursion; };
+        {% elif options.allowed_nets -%}
+        allow-recursion { allow_query; };
+        {% else -%}
+        allow-recursion { any; };
+        {% endif -%}
+
+        {% else -%}
        recursion no;
+        {% endif -%}
+
        statistics-file "/var/cache/bind/named.stats";
        zone-statistics yes;
        allow-notify { {{ dns_backend.control_ips }}; };
        {% if options.allowed_nets -%}
        allow-query { allow_query; };
-        {% endif -%}
+        {%- endif %}
 };