547cebc73f
In Debian families, the rndc.key file is created in /etc/bind instead of /etc. This fixes the key file path in rndc.conf. Also this updates the rncd.conf path to place it in the same directory. Change-Id: If6fa440541b5c8b3073b72de97d9550dbe6f8c2a
58 lines
1.7 KiB
Puppet
58 lines
1.7 KiB
Puppet
# Configures the BIND service for use with Designate's BIND backend
|
|
#
|
|
|
|
class openstack_integration::bind {
|
|
|
|
include openstack_integration::config
|
|
include openstack_integration::params
|
|
|
|
$bind_host = $::openstack_integration::config::host
|
|
|
|
$listen_on = $::openstack_integration::config::ipv6 ? {
|
|
true => 'none',
|
|
default => $bind_host,
|
|
}
|
|
$listen_on_v6 = $::openstack_integration::config::ipv6 ? {
|
|
true => $bind_host,
|
|
default => 'none',
|
|
}
|
|
|
|
# NOTE (dmsimard): listen_on_v6 is false and overridden due to extended port
|
|
# configuration in additional_options
|
|
class { 'dns':
|
|
recursion => 'no',
|
|
allow_recursion => [],
|
|
listen_on_v6 => false,
|
|
additional_options => {
|
|
'listen-on' => "port 5322 { ${listen_on}; }",
|
|
'listen-on-v6' => "port 5322 { ${listen_on_v6}; }",
|
|
'auth-nxdomain' => 'no',
|
|
'allow-new-zones' => 'yes',
|
|
# Recommended by Designate docs as a mitigation for potential cache
|
|
# poisoning attacks:
|
|
# https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
|
|
'minimal-responses' => 'yes',
|
|
},
|
|
controls => {
|
|
$bind_host => {
|
|
'port' => 953,
|
|
'allowed_addresses' => [$bind_host],
|
|
'keys' => ['rndc-key'],
|
|
}
|
|
},
|
|
}
|
|
|
|
$dnsdir = $::dns::params::dnsdir
|
|
|
|
# ::dns creates the rndc key but not a rndc.conf.
|
|
# Contribute this in upstream ::dns ?
|
|
file { 'rndc.conf':
|
|
ensure => present,
|
|
path => "${dnsdir}/rndc.conf",
|
|
owner => $::dns::params::user,
|
|
group => $::dns::params::group,
|
|
content => template("${module_name}/rndc.conf.erb"),
|
|
require => Package[$dns::params::dns_server_package]
|
|
}
|
|
}
|