From 019aefac22ce56e6c19c3a3fd5bc0cf08a29fdbe Mon Sep 17 00:00:00 2001
From: Nate Riffe
Date: Tue, 5 May 2015 11:52:51 -0500
Subject: [PATCH 1/3] Allow response records from other sections DNS queries for delegation records to poorly constructed zones won't have answers, but they will have authority. Also, +nosearch
---
 lib/puppet/type/dns_rr.rb | 6 ++++++
 lib/puppet/type/resource_record.rb | 6 ++++++
 lib/puppet_bind/provider/nsupdate.rb | 8 ++++++--
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/lib/puppet/type/dns_rr.rb b/lib/puppet/type/dns_rr.rb
index bb8fc6b..333e45b 100644
--- a/lib/puppet/type/dns_rr.rb
+++ b/lib/puppet/type/dns_rr.rb
@@ -51,6 +51,12 @@ Puppet::Type.newtype(:dns_rr) do
 defaultto 'localhost'
 end
+ newparam(:query_section) do
+ desc 'The DNS response section to check for existing record values'
+ defaultto 'answer'
+ newvalues 'answer', 'authority', 'additional'
+ end
+
 newparam(:keyname) do
 desc 'Keyname for the TSIG key used to update the record'
 defaultto 'update'
diff --git a/lib/puppet/type/resource_record.rb b/lib/puppet/type/resource_record.rb
index ca1bb55..2b080c4 100644
--- a/lib/puppet/type/resource_record.rb
+++ b/lib/puppet/type/resource_record.rb
@@ -37,6 +37,12 @@ Puppet::Type.newtype(:resource_record) do
 defaultto 'localhost'
 end
+ newparam(:query_section) do
+ desc 'The DNS response section to check for existing record values'
+ defaultto 'answer'
+ newvalues 'answer', 'authority', 'additional'
+ end
+
 newparam(:keyname) do
 desc 'Keyname for the TSIG key used to update the record'
 defaultto 'update'
diff --git a/lib/puppet_bind/provider/nsupdate.rb b/lib/puppet_bind/provider/nsupdate.rb
index 746bfc6..cd7749b 100644
--- a/lib/puppet_bind/provider/nsupdate.rb
+++ b/lib/puppet_bind/provider/nsupdate.rb
@@ -86,6 +86,10 @@ module PuppetBind
 resource[:zone]
 end
+ def query_section
+ resource[:query_section]
+ end
+
 def keyname
 resource[:keyname]
 end
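Review bot: The `desc` on the new `query_section` parameter in `lib/puppet/type/dns_rr.rb` (and on the identical block added to `lib/puppet/type/resource_record.rb`) does not say when a non-default section is appropriate, even though the provider will then treat whatever that section returns as the record's current state. The commit message names the one motivating case, so the description could carry it: `desc 'The DNS response section to check for existing record values. Use authority for delegation records whose responses carry no answer section; leave as answer otherwise.'` The `newvalues` list should stay a closed set, because the value is interpolated into a dig option in `nsupdate.rb`. The same six lines now live in both types and would be easier to keep in step if defined once, though the rest of both type files is outside these hunks.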
@@ -109,9 +113,9 @@ module PuppetBind
 def query
 unless @query
 if keyed?
- dig_text = dig("@#{server}", '+noall', '+answer', name, type, '-c', rrclass, '-y', tsig_param)
+ dig_text = dig("@#{server}", '+noall', '+nosearch', "+#{query_section}", name, type, '-c', rrclass, '-y', tsig_param)
 else
- dig_text = dig("@#{server}", '+noall', '+answer', name, type, '-c', rrclass)
+ dig_text = dig("@#{server}", '+noall', '+nosearch', "+#{query_section}", name, type, '-c', rrclass)
 end
 @query = dig_text.lines.map do |line|
 linearray = line.chomp.split(/\s+/, 5)
From ce0dada818a5fea95d44b90fd5a27c54af9b0a33 Mon Sep 17 00:00:00 2001
From: Nate Riffe
Date: Tue, 5 May 2015 12:40:22 -0500
Subject: [PATCH 2/3] Also supply +norecurse This should be universal, since we are explicitly querying the server where we'll apply a change via nsupdate, therefore it must be an authority.
---
 lib/puppet_bind/provider/nsupdate.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/puppet_bind/provider/nsupdate.rb b/lib/puppet_bind/provider/nsupdate.rb
index cd7749b..c37a72d 100644
--- a/lib/puppet_bind/provider/nsupdate.rb
+++ b/lib/puppet_bind/provider/nsupdate.rb
@@ -113,9 +113,9 @@ module PuppetBind
 def query
 unless @query
 if keyed?
- dig_text = dig("@#{server}", '+noall', '+nosearch', "+#{query_section}", name, type, '-c', rrclass, '-y', tsig_param)
+ dig_text = dig("@#{server}", '+noall', '+nosearch', '+norecurse', "+#{query_section}", name, type, '-c', rrclass, '-y', tsig_param)
 else
- dig_text = dig("@#{server}", '+noall', '+nosearch', "+#{query_section}", name, type, '-c', rrclass)
+ dig_text = dig("@#{server}", '+noall', '+nosearch', '+norecurse', "+#{query_section}", name, type, '-c', rrclass)
 end
 @query = dig_text.lines.map do |line|
 linearray = line.chomp.split(/\s+/, 5)
From 1f36024194d9ea4663c1fa4e0bd41351ad2cce56 Mon Sep 17 00:00:00 2001
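Review bot: With `"+#{query_section}"` in place of `'+answer'`, the two `dig` calls in `query` (first `nsupdate.rb` hunk, PATCH 1/3) can now return rows that are not about the queried record at all: the authority section of a negative response carries the zone's SOA, and the additional section carries glue for other names. Whether the `map` block that follows keeps only rows whose owner name and type match `name` and `type` cannot be seen, because `query` continues past the end of the hunk; if it does not, those rows would be read as the record's existing values and drive the decision to update. A short comment at the parse site would make the requirement explicit, e.g. `# authority/additional may hold other names and types; keep only rows matching name and type`. Note also that `+noall` hides the response status, so an empty result from a refused query looks the same as an absent record.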
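Review bot: Both rewritten `dig` calls in `query` (PATCH 2/3) still pass the TSIG secret to dig as a `-y` argument, so it is readable in the host's process list while each query runs; dig's manual cautions about this on multi-user systems and offers `-k` with a key file instead. How `tsig_param` is built is outside the hunk, so moving to a key file would need a change there as well. Since this commit edits both branches only to add the same flag, building the argument list once would stop them drifting apart: `args = ["@#{server}", '+noall', '+nosearch', '+norecurse', "+#{query_section}", name, type, '-c', rrclass]`, `args += ['-y', tsig_param] if keyed?`, `dig_text = dig(*args)`. `query` continues past the end of the hunk.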
From: Nate Riffe Date: Tue, 5 May 2015 13:01:25 -0500 Subject: [PATCH 3/3] Document the query_section parameter --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 708b092..7c88898 100644 --- a/README.md +++ b/README.md @@ -257,6 +257,10 @@ the same nameserver. `server` defaults to "localhost" and need not be specified. The value may be either a hostname or IP address. +`query_section` indicates the section of the DNS response to check for existing +record values. It must be one of `answer`, `authority`, or `additional`. +Defaults to: `answer` + `keyname` defaults to "update" and need not be specified. This parameter specifies the name of a TSIG key to be used to authenticate the update. The resource only uses a TSIG key if a `secret` is specified.