From 57002c31a42b52a85f765ddbfe5ba884aa22424e Mon Sep 17 00:00:00 2001 From: Nate Riffe Date: Tue, 29 Dec 2015 20:54:14 -0600 Subject: [PATCH 1/4] Include the default zones on RedHat RedHat's default zones are baked into the stock named.conf, which the module's template completely rewrites. Since the module is extremely view-based, and the Debian default-zones are repositioned into the zones, let's take those defaults out of the stock named.conf, build a configuration file out of them and include it in the view just the same. --- data/osfamily/Debian.yaml | 1 + data/osfamily/RedHat.yaml | 2 ++ files/RedHat/named.default-zones.conf | 6 ++++++ manifests/defaults.pp | 2 ++ manifests/init.pp | 6 ++++++ manifests/view.pp | 1 + templates/view.erb | 4 ++-- 7 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 files/RedHat/named.default-zones.conf diff --git a/data/osfamily/Debian.yaml b/data/osfamily/Debian.yaml index 4660f6b..8d30019 100644 --- a/data/osfamily/Debian.yaml +++ b/data/osfamily/Debian.yaml @@ -8,5 +8,6 @@ bind::defaults::nsupdate_package: 'dnsutils' bind::defaults::confdir: '/etc/bind' bind::defaults::namedconf: '/etc/bind/named.conf' bind::defaults::cachedir: '/var/cache/bind' +bind::defaults::default_zones_include: '/etc/bind/named.conf.default-zones' bind::updater::keydir: '/etc/bind/keys' diff --git a/data/osfamily/RedHat.yaml b/data/osfamily/RedHat.yaml index e405356..1fd9c20 100644 --- a/data/osfamily/RedHat.yaml +++ b/data/osfamily/RedHat.yaml @@ -10,5 +10,7 @@ bind::defaults::confdir: '/etc/named' bind::defaults::namedconf: '/etc/named.conf' bind::defaults::cachedir: '/var/named' bind::defaults::default_zones_warning: true +bind::defaults::default_zones_include: '/etc/named.default-zones.conf' +bind::defaults::default_zones_source: 'puppet:///module/bind/RedHat/named.default-zones.conf' bind::updater::keydir: '/etc/named/keys' 
diff --git a/files/RedHat/named.default-zones.conf b/files/RedHat/named.default-zones.conf new file mode 100644 index 0000000..3d49630 --- /dev/null +++ b/files/RedHat/named.default-zones.conf @@ -0,0 +1,6 @@ +zone "." IN { + type hint; + file "named.ca"; +}; + +include "/etc/named.rfc1912.zones"; diff --git a/manifests/defaults.pp b/manifests/defaults.pp index 7b0b1a1..e8cec51 100644 --- a/manifests/defaults.pp +++ b/manifests/defaults.pp @@ -13,6 +13,8 @@ class bind::defaults ( $nsupdate_package = undef, $managed_keys_directory = undef, $default_zones_warning = undef, + $default_zones_include = undef, + $default_zones_source = undef, ) { unless is_bool($supported) { fail('Please ensure that the dependencies of the bind module are installed and working correctly') diff --git a/manifests/init.pp b/manifests/init.pp index d38b3d7..39bed29 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -62,6 +62,12 @@ class bind ( content => template('bind/named.conf.erb'), } + if $default_zones_source { + file { $default_zones_include: + source => $default_zones_source, + } + } + class { 'bind::keydir': keydir => "${confdir}/keys", } diff --git a/manifests/view.pp b/manifests/view.pp index 467fc88..dfab715 100644 --- a/manifests/view.pp +++ b/manifests/view.pp @@ -12,6 +12,7 @@ define bind::view ( $order = '10', ) { $confdir = $::bind::confdir + $default_zones_include = $::bind::default_zones_include concat::fragment { "bind-view-${name}": order => $order, diff --git a/templates/view.erb b/templates/view.erb index 9270391..661c2c3 100644 --- a/templates/view.erb +++ b/templates/view.erb @@ -44,8 +44,8 @@ view "<%= @name %>" { }; <%- end -%> <%- end -%> -<%- if scope.lookupvar('osfamily') == 'Debian' -%> - include "<%= @confdir %>/named.conf.default-zones"; +<%- if @default_zones_include -%> + include "<%= @default_zones_include %>"; <%- end -%> <%- Array(@zones).each do |zone| -%> From 91c883cfd97a2e372b8ef7cefc262b357105f4a2 Mon Sep 17 00:00:00 2001 
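Review bot: The new `file { $default_zones_include: }` resource in manifests/init.pp sets only `source`, so its type, owner and mode, and whether named is reloaded when it changes, all depend on resource defaults this hunk does not show. Since named reads this file as configuration, I would state the intent on the resource, for example `ensure => file,` and `mode => '0644',`, and confirm that a change to it reloads named. The path is also used unvalidated as the resource title; `validate_absolute_path($default_zones_include)` inside the `if` would reject a bad Hiera value at catalog compile time. The body of class `bind` starts and ends outside the hunk.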
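Review bot: `include "<%= @default_zones_include %>";` in templates/view.erb writes the Hiera-supplied path into the view verbatim, so a value containing a double quote or a semicolon would end the `include` statement early and named would parse the remainder as configuration. Nothing in this patch checks the value before it reaches the template; calling `validate_absolute_path($default_zones_include)` in class `bind` when the value is set would narrow it to a path, and quote characters should still be rejected explicitly because an absolute path may contain them. The include is also no longer tied to Debian, so any platform whose data sets `bind::defaults::default_zones_include` has to ship or manage that file, otherwise named will fail to load the view. The `view` block starts and ends outside the hunk.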
From: Nate Riffe Date: Mon, 4 Jan 2016 07:43:56 -0600 Subject: [PATCH 2/4] Fix source path --- data/osfamily/RedHat.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/osfamily/RedHat.yaml b/data/osfamily/RedHat.yaml index 1fd9c20..50f1697 100644 --- a/data/osfamily/RedHat.yaml +++ b/data/osfamily/RedHat.yaml @@ -11,6 +11,6 @@ bind::defaults::namedconf: '/etc/named.conf' bind::defaults::cachedir: '/var/named' bind::defaults::default_zones_warning: true bind::defaults::default_zones_include: '/etc/named.default-zones.conf' -bind::defaults::default_zones_source: 'puppet:///module/bind/RedHat/named.default-zones.conf' +bind::defaults::default_zones_source: 'puppet:///modules/bind/RedHat/named.default-zones.conf' bind::updater::keydir: '/etc/named/keys' From 44b4b45761b6961c8e5f33ff0afcab6f14f2fe20 Mon Sep 17 00:00:00 2001 From: Nate Riffe Date: Wed, 6 Jan 2016 18:43:08 -0600 Subject: [PATCH 3/4] Add option to disable default zone inclusion By setting bind::include_default_zones to false, a user can suppress the inclusion of the default definitions for the root hints zone and RFC 1912 zones. These are supplied with the BIND package's default configuration on both Debian and RedHat derived systems. These zones are necessary for a resolver, but may be omitted if the server acts strictly as an authoritative server. --- manifests/init.pp | 4 ++-- manifests/view.pp | 1 + templates/view.erb | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 39bed29..87698dc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -7,8 +7,8 @@ class bind ( $rndc = undef, $statistics_port = undef, $auth_nxdomain = false, - $include_local = false, $include_default_zones = true, + $include_local = false, ) inherits bind::defaults { File { 
@@ -62,7 +62,7 @@ class bind ( content => template('bind/named.conf.erb'), } - if $default_zones_source { + if $include_default_zones and $default_zones_source { file { $default_zones_include: source => $default_zones_source, } diff --git a/manifests/view.pp b/manifests/view.pp index dfab715..ca0c09b 100644 --- a/manifests/view.pp +++ b/manifests/view.pp @@ -13,6 +13,7 @@ define bind::view ( ) { $confdir = $::bind::confdir $default_zones_include = $::bind::default_zones_include + $include_default_zones = $::bind::include_default_zones concat::fragment { "bind-view-${name}": order => $order, diff --git a/templates/view.erb b/templates/view.erb index 661c2c3..0adf904 100644 --- a/templates/view.erb +++ b/templates/view.erb @@ -44,7 +44,7 @@ view "<%= @name %>" { }; <%- end -%> <%- end -%> -<%- if @default_zones_include -%> +<%- if @include_default_zones and @default_zones_include -%> include "<%= @default_zones_include %>"; <%- end -%> From 88481f94fd81bd4b9573d2abd3728d9569e36e1e Mon Sep 17 00:00:00 2001 From: Nate Riffe Date: Mon, 4 Jul 2016 09:39:51 -0500 Subject: [PATCH 4/4] Finalize the 6.0-prerelease branch --- DEFAULT_ZONES.md | 10 +++++----- README.md | 4 ++-- data/common.yaml | 1 - data/osfamily/RedHat.yaml | 1 - manifests/defaults.pp | 1 - manifests/zone.pp | 5 ++--- metadata.json | 2 +- 7 files changed, 10 insertions(+), 14 deletions(-) diff --git a/DEFAULT_ZONES.md b/DEFAULT_ZONES.md index 5559353..62b2b8a 100644 --- a/DEFAULT_ZONES.md +++ b/DEFAULT_ZONES.md @@ -13,7 +13,7 @@ compliance with [RFC 1912](https://www.ietf.org/rfc/rfc1912.txt). The content of these zones is standardized, and the zone files for them are maintained by the package distributor. -## Change Is Coming +## Version 5.x vs. version 6.x of `puppet-bind` ### The Warning 
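Review bot: `if $include_default_zones and $default_zones_source` in manifests/init.pp tests the flag by truthiness, and nothing visible in this patch checks that it is a boolean, so a quoted `'false'` from Hiera or a node classifier is still truthy and the default zones stay included. The same applies to the `@include_default_zones and @default_zones_include` test in the templates/view.erb hunk of this patch, where any non-nil string is true in Ruby. For an authoritative-only server that expects the root hints and RFC 1912 zones to be gone, that is a silent failure; adding `validate_bool($include_default_zones)` near the top of class `bind` turns it into a compile error. Class `bind` continues outside the hunk.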
@@ -30,10 +30,10 @@ If you are seeing this warning, it is because starting in version 6.0.0 certain catalog application failures. There are [steps](#configuration-changes) to take prior to version 6.0.0 to prepare for it. -### The Present: Debian and Red Hat Divergence +### Older versions: Debian and Red Hat Divergence -The treatment of default zones in this module has been different between Debian -and Red Hat systems until now. +The treatment of default zones in versions 5.x and earlier of this module has +differed between Debian and Red Hat systems. On Debian systems, the `bind9` package installs a separate configuration file at `/etc/bind/named.conf.default-zones` which defines these zones and also @@ -49,7 +49,7 @@ rewrites this file, these definitions are lost. In both cases, the current behavior is not configurable and always happens. -### The Future: Consistency with Flexibility +### Version 6.x and later: Consistency with Flexibility Starting in version 6.0.0 of this module, default zones will be preserved on both Debian and Red Hat, with the option of disabling them. This will not diff --git a/README.md b/README.md index 82c4fe3..519efc5 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,8 @@ [![Build Status](https://secure.travis-ci.org/inkblot/puppet-bind.png)](http://travis-ci.org/inkblot/puppet-bind) -**IMPORTANT UPGRADE INFORMATION:** In a future version of this module there -will be significant changes to the handling of default zones that may require +**IMPORTANT UPGRADE INFORMATION:** In version 6.0.0 of this module there are +significant changes to the handling of default zones that may require preparations prior to upgrading. See [DEFAULT_ZONES.md](DEFAULT_ZONES.md) for details. diff --git a/data/common.yaml b/data/common.yaml index 0984f00..14f23a3 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -2,7 +2,6 @@ bind::defaults::supported: false bind::defaults::random_device: '/dev/random' bind::defaults::rndc: true -bind::defaults::default_zones_warning: false bind::forwarders: '' bind::dnssec: true diff --git a/data/osfamily/RedHat.yaml b/data/osfamily/RedHat.yaml index 50f1697..a7fc8bd 100644 --- a/data/osfamily/RedHat.yaml +++ b/data/osfamily/RedHat.yaml @@ -9,7 +9,6 @@ bind::defaults::managed_keys_directory: '/var/named/dynamic' bind::defaults::confdir: '/etc/named' bind::defaults::namedconf: '/etc/named.conf' bind::defaults::cachedir: '/var/named' -bind::defaults::default_zones_warning: true bind::defaults::default_zones_include: '/etc/named.default-zones.conf' bind::defaults::default_zones_source: 'puppet:///modules/bind/RedHat/named.default-zones.conf' diff --git a/manifests/defaults.pp b/manifests/defaults.pp index e8cec51..5b5e06c 100644 --- a/manifests/defaults.pp +++ b/manifests/defaults.pp @@ -12,7 +12,6 @@ class bind::defaults ( $bind_service = undef, $nsupdate_package = undef, $managed_keys_directory = undef, - $default_zones_warning = undef, $default_zones_include = undef, $default_zones_source = undef, ) { diff --git a/manifests/zone.pp b/manifests/zone.pp index afcab2c..27d68ac 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -29,7 +29,6 @@ define bind::zone ( $random_device = $::bind::defaults::random_device $bind_user = $::bind::defaults::bind_user $bind_group = $::bind::defaults::bind_group - $default_zones_warning = $::bind::defaults::default_zones_warning $include_default_zones = $::bind::include_default_zones $_domain = pick($domain, $name) 
@@ -38,8 +37,8 @@ define bind::zone ( default => $_domain } - if $include_default_zones and $default_zones_warning and member(['.', 'localhost', '127.in-addr.arpa', '0.in-addr.arpa', '255.in-addr.arpa'], $_domain) { - warning("The bind module will include a default definition for zone \"${_domain}\" starting in version 6.0.0. Please see https://github.com/inkblot/puppet-bind/blob/master/DEFAULT_ZONES.md for more information about how this will affect your configuration.") + if $include_default_zones and member(['.', 'localhost', '127.in-addr.arpa', '0.in-addr.arpa', '255.in-addr.arpa'], $_domain) { + fail("The bind module includes a default definition for zone \"${_domain}\" starting in version 6.0.0. Please see https://github.com/inkblot/puppet-bind/blob/master/DEFAULT_ZONES.md for more information about how this affects your configuration.") } unless !($masters != '' and ! member(['slave', 'stub'], $zone_type)) { diff --git a/metadata.json b/metadata.json index 8a0ff8c..71cd120 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "inkblot/bind", - "version": "5.2.0", + "version": "6.0.0", "author": "inkblot", "license": "Apache-2.0", "summary": "ISC BIND name server",
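Review bot: The `fail()` guard in manifests/zone.pp compares `$_domain` against five literal names with `member()`, which is an exact, case-sensitive match, so a name such as `LOCALHOST` or `localhost.` passes the check and the duplicate zone would likely surface only when named loads the generated configuration. The list also looks like the Debian default-zones set; the zones defined by `/etc/named.rfc1912.zones`, which the RedHat file added earlier in this series includes, are not visible here and may differ, so the list is worth confirming per osfamily. I would add a comment above the `if`, such as `# Zone names already defined by the platform's default-zones include; keep in sync with the per-OS data`, and consider moving the list into that data. The body of `bind::zone` starts and ends outside the hunk.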