From 80e3e6e55cff3bd287318485875f44bbcee3aa8e Mon Sep 17 00:00:00 2001 From: Trevor Smith Date: Thu, 19 Mar 2015 13:35:55 -0400 Subject: [PATCH 1/6] change has_zone_file to false for the stub zone type as stub zones will create their own file based on results from the master servers for that zone --- manifests/zone.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/zone.pp b/manifests/zone.pp index 6522960..b6633e9 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -28,7 +28,7 @@ define bind::zone ( 'master' => true, 'slave' => true, 'hint' => true, - 'stub' => true, + 'stub' => false, default => false, } @@ -79,7 +79,7 @@ define bind::zone ( } } } - + file { "${bind::confdir}/zones/${name}.conf": ensure => present, owner => 'root', From 015f7174cc49743e17d11c299187945fea0eb7a2 Mon Sep 17 00:00:00 2001 From: Trevor Smith Date: Thu, 19 Mar 2015 13:39:04 -0400 Subject: [PATCH 2/6] add logic to prevent the notify option being included in the zone file for stub zones --- templates/zone.conf.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index 207bf68..9c44b41 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb @@ -14,6 +14,7 @@ zone "<%= @_domain %>" { <%- else -%> file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>"; <%- end -%> +<%- unless @zone_type == 'stub' -%> notify <%= @ns_notify ? 'yes' : 'no' %>; <%- if @also_notify and @also_notify != '' -%> also-notify { From 13723a72cfce80d6798ce9e3a60f0ce664b87854 Mon Sep 17 00:00:00 2001 From: Trevor Smith Date: Thu, 19 Mar 2015 13:44:16 -0400 Subject: [PATCH 3/6] add closing block --- templates/zone.conf.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb index 9c44b41..98a4fcf 100644 --- a/templates/zone.conf.erb +++ b/templates/zone.conf.erb 
@@ -16,6 +16,7 @@ zone "<%= @_domain %>" { <%- end -%> <%- unless @zone_type == 'stub' -%> notify <%= @ns_notify ? 'yes' : 'no' %>; +<%- end -%> <%- if @also_notify and @also_notify != '' -%> also-notify { <%- Array(@also_notify).each do |server| -%> From 55922e89743b980100a0b45e08efde3d75a231d4 Mon Sep 17 00:00:00 2001 From: Trevor Smith Date: Thu, 19 Mar 2015 13:49:59 -0400 Subject: [PATCH 4/6] change has_zone_file back to true for the stub zone type and add logic to prevent the file from being created by puppet --- manifests/zone.pp | 75 ++++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 37 deletions(-) diff --git a/manifests/zone.pp b/manifests/zone.pp index b6633e9..f3932d7 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -28,7 +28,7 @@ define bind::zone ( 'master' => true, 'slave' => true, 'hint' => true, - 'stub' => false, + 'stub' => true, default => false, } 
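Review bot: The new `<%- end -%>` closes the stub guard immediately after the `notify` line, so the `also-notify { … };` block that follows is still rendered for a stub zone whenever `@also_notify` is set, and as far as I can tell BIND rejects `also-notify` in a `stub` zone for the same reason it rejects `notify` (named-checkconf reports the option as not allowed), leaving such a zone file unloadable. Either move the `<%- end -%>` to just after the closing `};` of the also-notify block, or fold the type check into its own condition, `<%- if @also_notify and @also_notify != '' and @zone_type != 'stub' -%>`. The end of the also-notify block and the remainder of the zone statement are outside this hunk, so any other master/slave-only options emitted further down deserve the same check.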
@@ -38,44 +38,45 @@ define bind::zone ( } else { $_source = 'puppet:///modules/bind/db.empty' } - - file { "${cachedir}/${name}": - ensure => directory, - owner => $bind::params::bind_user, - group => $bind::params::bind_group, - mode => '0755', - require => Package['bind'], - } - - file { "${cachedir}/${name}/${_domain}": - ensure => present, - owner => $bind::params::bind_user, - group => $bind::params::bind_group, - mode => '0644', - replace => false, - source => $_source, - audit => [ content ], - } - - if $dnssec { - exec { "dnssec-keygen-${name}": - command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\ - '${_domain}' '${key_directory}'", - cwd => $cachedir, - user => $bind::params::bind_user, - creates => "${cachedir}/${name}/${_domain}.signed", - timeout => 0, # crypto is hard - require => [ - File['/usr/local/bin/dnssec-init'], - File["${cachedir}/${name}/${_domain}"] - ], + unless $zone_type == 'stub' { + file { "${cachedir}/${name}": + ensure => directory, + owner => $bind::params::bind_user, + group => $bind::params::bind_group, + mode => '0755', + require => Package['bind'], } - file { "${cachedir}/${name}/${_domain}.signed": - owner => $bind::params::bind_user, - group => $bind::params::bind_group, - mode => '0644', - audit => [ content ], + file { "${cachedir}/${name}/${_domain}": + ensure => present, + owner => $bind::params::bind_user, + group => $bind::params::bind_group, + mode => '0644', + replace => false, + source => $_source, + audit => [ content ], + } + + if $dnssec { + exec { "dnssec-keygen-${name}": + command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\ + '${_domain}' '${key_directory}'", + cwd => $cachedir, + user => $bind::params::bind_user, + creates => "${cachedir}/${name}/${_domain}.signed", + timeout => 0, # crypto is hard + require => [ + File['/usr/local/bin/dnssec-init'], + File["${cachedir}/${name}/${_domain}"] + ], + } + + file { "${cachedir}/${name}/${_domain}.signed": + owner => $bind::params::bind_user, + 
group => $bind::params::bind_group, + mode => '0644', + audit => [ content ], + } } } } From 22caf612ba67d502ff6e331dd6a1c879ee13ab3e Mon Sep 17 00:00:00 2001 From: Trevor Smith Date: Thu, 19 Mar 2015 18:05:17 -0400 Subject: [PATCH 5/6] move the check for the stub zone type to ensure the cachedir is created --- manifests/zone.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/manifests/zone.pp b/manifests/zone.pp index f3932d7..83e852c 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -38,15 +38,15 @@ define bind::zone ( } else { $_source = 'puppet:///modules/bind/db.empty' } - unless $zone_type == 'stub' { - file { "${cachedir}/${name}": - ensure => directory, - owner => $bind::params::bind_user, - group => $bind::params::bind_group, - mode => '0755', - require => Package['bind'], - } + file { "${cachedir}/${name}": + ensure => directory, + owner => $bind::params::bind_user, + group => $bind::params::bind_group, + mode => '0755', + require => Package['bind'], + } + unless $zone_type == 'stub' { file { "${cachedir}/${name}/${_domain}": ensure => present, owner => $bind::params::bind_user, From f7864200146b953d40330a7bd4fc262f8367e38b Mon Sep 17 00:00:00 2001 From: Nate Riffe Date: Sun, 22 Mar 2015 17:42:44 -0500 Subject: [PATCH 6/6] Tighten up the timing in db.empty stub and slave zones need to be overwritten with data from their master server in a reasonable timeframe. Drop all of the intervals in the db.empty SOA down to sub-minute values to speed convergence. --- files/db.empty | 8 +++---- manifests/zone.pp | 59 +++++++++++++++++++++++------------------------ 2 files changed, 33 insertions(+), 34 deletions(-) diff --git a/files/db.empty b/files/db.empty index ae446f5..e0c5f90 100644 --- a/files/db.empty +++ b/files/db.empty 
@@ -1,9 +1,9 @@ $TTL 86400 @ IN SOA localhost. root.localhost. ( 1 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 86400 ) ; Negative Cache TTL + 60 ; Refresh + 30 ; Retry + 300 ; Expire + 10 ) ; Negative Cache TTL ; @ IN NS localhost. diff --git a/manifests/zone.pp b/manifests/zone.pp index 83e852c..6522960 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -38,6 +38,7 @@ define bind::zone ( } else { $_source = 'puppet:///modules/bind/db.empty' } + file { "${cachedir}/${name}": ensure => directory, owner => $bind::params::bind_user, 
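Review bot: `$TTL 86400` on the first line is left at a full day while every SOA timer under it is cut to seconds, so a resolver that queries a slave or stub zone while this placeholder is still loaded caches its `NS localhost.` answer for 86400s, long after the real data has arrived; the convergence argument in the commit message covers the secondary itself but not its clients. Lower the default TTL together with the timers, e.g. `$TTL 60`. Separately, `300 ; Expire` means that if the masters stay unreachable for five minutes after load the placeholder expires and named answers SERVFAIL for the zone; that may be the preferred failure mode for bogus placeholder data, but it is worth saying so in a comment in the file, e.g. `; deliberately short timers: this file is only a stand-in until the first transfer`.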
@@ -46,41 +47,39 @@ define bind::zone ( require => Package['bind'], } - unless $zone_type == 'stub' { - file { "${cachedir}/${name}/${_domain}": - ensure => present, - owner => $bind::params::bind_user, - group => $bind::params::bind_group, - mode => '0644', - replace => false, - source => $_source, - audit => [ content ], + file { "${cachedir}/${name}/${_domain}": + ensure => present, + owner => $bind::params::bind_user, + group => $bind::params::bind_group, + mode => '0644', + replace => false, + source => $_source, + audit => [ content ], + } + + if $dnssec { + exec { "dnssec-keygen-${name}": + command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\ + '${_domain}' '${key_directory}'", + cwd => $cachedir, + user => $bind::params::bind_user, + creates => "${cachedir}/${name}/${_domain}.signed", + timeout => 0, # crypto is hard + require => [ + File['/usr/local/bin/dnssec-init'], + File["${cachedir}/${name}/${_domain}"] + ], } - if $dnssec { - exec { "dnssec-keygen-${name}": - command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\ - '${_domain}' '${key_directory}'", - cwd => $cachedir, - user => $bind::params::bind_user, - creates => "${cachedir}/${name}/${_domain}.signed", - timeout => 0, # crypto is hard - require => [ - File['/usr/local/bin/dnssec-init'], - File["${cachedir}/${name}/${_domain}"] - ], - } - - file { "${cachedir}/${name}/${_domain}.signed": - owner => $bind::params::bind_user, - group => $bind::params::bind_group, - mode => '0644', - audit => [ content ], - } + file { "${cachedir}/${name}/${_domain}.signed": + owner => $bind::params::bind_user, + group => $bind::params::bind_group, + mode => '0644', + audit => [ content ], } } } - + file { "${bind::confdir}/zones/${name}.conf": ensure => present, owner => 'root',
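Review bot: Removing the `unless $zone_type == 'stub'` guard brings the `if $dnssec` block back into play for stub zones: with `dnssec => true` the `dnssec-keygen-${name}` exec now runs `dnssec-init` against the `db.empty` placeholder just copied to `${cachedir}/${name}/${_domain}`, and because the exec is keyed on `creates => ".../${_domain}.signed"` that signed placeholder stays around after named has replaced `${_domain}` with the data fetched from the masters. Signing is only meaningful where this host originates the zone, so keep the placeholder file unconditional if that is what the commit message wants, but re-guard the DNSSEC part with `if $dnssec and $zone_type != 'stub' {` (restricting it to `'master'` would also be defensible, but the pre-series code signed slave zones too, so I would not change that silently). The post-image blob `6522960` is the one patch 1 started from, so this hunk returns manifests/zone.pp to its pre-series state; if that is intended, squashing patches 1, 4, 5 and 6 would make the history say so. `define bind::zone` and its `dnssec`/`zone_type` parameters begin before this hunk.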