unkinben/puppet-bind
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'root-zone-naming' into 6.0-prerelease

Browse Source
This commit is contained in:
Nate Riffe 2016-01-29 07:52:45 -06:00
commit 31cc2ada68
3 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
files/dnssec-init
View File

@ -6,13 +6,14 @@ DOMAIN="$3"
KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}" KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"
RANDOM_DEVICE="$5" RANDOM_DEVICE="$5"
NSEC3_SALT="$6" NSEC3_SALT="$6"
ZONE_FILE="$7"
PATH=/bin:/sbin:/usr/bin:/usr/sbin PATH=/bin:/sbin:/usr/bin:/usr/sbin
dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}" dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
dnssec-keygen -a RSASHA256 -b 2048 -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}" dnssec-keygen -a RSASHA256 -b 2048 -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
if [ $NSEC3_SALT != '' ]; then if [ $NSEC3_SALT != '' ]; then
dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}" dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
else else
dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}" dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
fi fi

17
manifests/zone.pp
View File

@ -31,6 +31,10 @@ define bind::zone (
$include_default_zones = $::bind::include_default_zones $include_default_zones = $::bind::include_default_zones
$_domain = pick($domain, $name) $_domain = pick($domain, $name)
$zone_file = $_domain ? {
'.' => 'root',
default => $_domain
}
if $include_default_zones and $default_zones_warning and member(['.', 'localhost', '127.in-addr.arpa', '0.in-addr.arpa', '255.in-addr.arpa'], $_domain) { if $include_default_zones and $default_zones_warning and member(['.', 'localhost', '127.in-addr.arpa', '0.in-addr.arpa', '255.in-addr.arpa'], $_domain) {
warning("The bind module will include a default definition for zone \"${_domain}\" starting in version 6.0.0. Please see https://github.com/inkblot/puppet-bind/blob/master/DEFAULT_ZONES.md for more information about how this will affect your configuration.") warning("The bind module will include a default definition for zone \"${_domain}\" starting in version 6.0.0. Please see https://github.com/inkblot/puppet-bind/blob/master/DEFAULT_ZONES.md for more information about how this will affect your configuration.")
@ -93,7 +97,7 @@ define bind::zone (
} }
if member(['init', 'managed'], $zone_file_mode) { if member(['init', 'managed'], $zone_file_mode) {
file { "${cachedir}/${name}/${_domain}": file { "${cachedir}/${name}/${zone_file}":
ensure => present, ensure => present,
owner => $bind_user, owner => $bind_user,
group => $bind_group, group => $bind_group,
@ -110,7 +114,7 @@ define bind::zone (
user => $bind_user, user => $bind_user,
refreshonly => true, refreshonly => true,
require => Service['bind'], require => Service['bind'],
subscribe => File["${cachedir}/${name}/${_domain}"], subscribe => File["${cachedir}/${name}/${zone_file}"],
} }
} }
} elsif $zone_file_mode == 'absent' { } elsif $zone_file_mode == 'absent' {
@ -122,18 +126,19 @@ define bind::zone (
if $dnssec { if $dnssec {
exec { "dnssec-keygen-${name}": exec { "dnssec-keygen-${name}":
command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\ command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
'${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'", '${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'\
'${zone_file}'",
cwd => $cachedir, cwd => $cachedir,
user => $bind_user, user => $bind_user,
creates => "${cachedir}/${name}/${_domain}.signed", creates => "${cachedir}/${name}/${zone_file}.signed",
timeout => 0, # crypto is hard timeout => 0, # crypto is hard
require => [ require => [
File['/usr/local/bin/dnssec-init'], File['/usr/local/bin/dnssec-init'],
File["${cachedir}/${name}/${_domain}"] File["${cachedir}/${name}/${zone_file}"]
], ],
} }
file { "${cachedir}/${name}/${_domain}.signed": file { "${cachedir}/${name}/${zone_file}.signed":
owner => $bind_user, owner => $bind_user,
group => $bind_group, group => $bind_group,
mode => '0644', mode => '0644',

4
templates/zone.conf.erb
View File

@ -9,9 +9,9 @@ zone "<%= @_domain %>" {
<%- else -%> <%- else -%>
key-directory "<%= @cachedir %>/<%= @name %>"; key-directory "<%= @cachedir %>/<%= @name %>";
<%- end -%> <%- end -%>
file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed"; file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>.signed";
<%- elsif %w(init managed allowed).include? @zone_file_mode -%> <%- elsif %w(init managed allowed).include? @zone_file_mode -%>
file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>"; file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>";
<%- end -%> <%- end -%>
<%- if %w(master slave).include? @zone_type -%> <%- if %w(master slave).include? @zone_type -%>
notify <%= @ns_notify ? 'yes' : 'no' %>; notify <%= @ns_notify ? 'yes' : 'no' %>;