bertvv / ansible-role-bind
Sets up ISC BIND as an authoritative DNS server on several Linux distros & FreeBSD
Home Page: https://galaxy.ansible.com/bertvv/bind/
License: Other
After updating the configuration file, I think we need to reload bind instead of restarting it? I mean, restarting could end up in networking problems for those who are using this DNS server, right? If you approve, I'd try to submit a PR.
I don't see support for specifying zone transfers. I am considering how I might incorporate it for my environment, so I might submit a pull request if I get it figured out soon.
Your example is:
networks:
- '192.0.2'
- '10'
- '172.16'
What if the network is 172.16.18.0/29?
Thanks.
Hi,
When I skip the role in my playbook, your role returns an error :/
To fix, just add - skip: true in main.yml:
- name: Source specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
    - skip: true
  tags: bind
EDIT: Or not; with - skip: true, include_vars is always skipped....
The include_tasks: syntax, used in this role, was only introduced in Ansible 2.4.
Hi!
First of all, thank you very much for this module.
I think it would be interesting to give the possibility of enabling the log of queries.
I'll make the change and pull the request.
A greeting
I really like this role but its usage is kinda limited.
When testing the creation of zone files using the ansible check mode the creation fails when calculating the serial.
Hi
Firstly thanks for the role.
Are we able to get the statistics-channels config added to it?
This is to allow setups like https://github.com/digitalocean/bind_exporter
Thanks
bind_zone_domains:
The following variable definitions
bind_listen_ipv4: any
bind_listen_ipv4: "any"
bind_listen_ipv4: 'any'
all result in the same generated configuration entry
listen-on port 53 { a;n;y; };
Fedora 28, Ansible 2.6.1, commit f505f7e of this repo.
Reverse IPv6 lookups seem to be a bit of a challenge to set up[1], so automation of this process could be valuable.
This would enable DNS round robin.
This could be very useful if forwarding is required only for a specific zone/domain and a Master/Slave configuration would not be possible.
Combine this with allow-query-cache and the bind server will start to take care of most of the required queries, minimizing bandwidth and requests to the forward zone.
This is also very useful if the forward zone is private and not known on the Internet.
Hi,
Thanks for the work you put into this Ansible playbook :D.
But I'm running into an issue trying to use it with the Vagrant Ansible provisioner; the output is as follows:
==> ns1: Running provisioner: ansible...
PLAY [all] ********************************************************************
GATHERING FACTS ***************************************************************
ok: [ns1]
TASK: [bertvv.bind | Install BIND] ********************************************
changed: [ns1] => (item=bind,bind-utils)
TASK: [bertvv.bind | Create serial] *******************************************
changed: [ns1]
TASK: [bertvv.bind | Main BIND config file (master)] **************************
skipping: [ns1]
TASK: [bertvv.bind | Create forward lookup zone file] *************************
skipping: [ns1]
TASK: [bertvv.bind | Create reverse lookup zone file] *************************
skipping: [ns1] => (item=192.168.1)
skipping: [ns1] => (item=10.0)
TASK: [bertvv.bind | Main BIND config file (slave)] ***************************
fatal: [ns1] => {'msg': "AnsibleError: file: /vms/Ansible/ansible/bertvv.bind/templates/slave_etc_named.conf.j2, line number: 64, error: no filter named 'reverse_lookup_zone'", 'failed': True}
fatal: [ns1] => {'msg': "AnsibleError: file: /vms/Ansible/ansible/bertvv.bind/templates/slave_etc_named.conf.j2, line number: 64, error: no filter named 'reverse_lookup_zone'", 'failed': True}
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit @/root/bind.retry
ns1 : ok=4 changed=2 unreachable=1 failed=0
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
My Vagrantfile is as follows:
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure(2) do |config|
  config.vm.define "ns1" do |ns1|
    ns1.vm.box = "relativkreativ/centos-7-minimal"
    ns1.vm.hostname = "ns1.setkeh.local"
    ns1.vm.network "private_network", ip: "192.168.33.10"
    ns1.vm.network "public_network", bridge: "bond0"
    ns1.vm.synced_folder "./ansible", "/ansible"
    config.vm.provision "ansible" do |ansible|
      ansible.playbook = "ansible/bind.yml"
    end
  end
  config.vm.define "ns2" do |ns2|
    ns2.vm.box = "relativkreativ/centos-7-minimal"
    ns2.vm.hostname = "ns2.setkeh.local"
    ns2.vm.network "private_network", ip: "192.168.33.11"
    ns2.vm.network "public_network", bridge: "bond0"
    ns2.vm.synced_folder "./ansible", "/ansible"
    config.vm.provision "ansible" do |ansible|
      ansible.playbook = "ansible/bind.yml"
    end
  end
end
and my bind.yml is as follows:
---
- hosts: all
  sudo: true
  vars:
    bind_listen_ipv4:
      - 'any'
    bind_listen_ipv6:
      - 'any'
    bind_allow_query:
      - '192.168.1.0/24'
      - '10.0.0.0/24'
    bind_zone_name: 'setkeh.local'
    bind_zone_networks:
      - '192.168.1'
      - '10.0'
    bind_zone_master_server_ip: '10.0.0.35'
    bind_zone_name_servers:
      - 'ns1'
      - 'ns2'
    bind_zone_mail_servers:
      - name: 'mail'
        preference: '10'
    bind_zone_hosts:
      - name: 'ns1'
        ip: '10.0.0.35'
        aliases:
          - ns1
      - name: 'ns2'
        ip: '10.0.0.36'
        aliases:
          - ns2
      - name: 'web'
        ip: '10.0.0.7'
        aliases:
          - www
  roles:
    - bertvv.bind
If you have any suggestions or ideas as to what I have misconfigured, that would be greatly appreciated :)
Thanks.
With the current templates/master_etc_named.conf.j2 it is not possible to add check-names master ignore;
Good work,
Very useful role.
But we need to define master-key by hand...
Simplest way would be to add an extra_lines variable in the template?
It's not clear what variables should at least be defined to get a working zone. This should be specified both for master and slave DNS.
Hi Bert,
When I reload my named service, all our slaves get notified for every zone, including localhost zones. I think this is probably undesirable. It appears that each zone can have "notify no;" added to individual zones. Would it break anything to add this to the localhost zones?
Dec 18 15:14:35 ns2 named[10317]: running
Dec 18 15:14:35 ns2 named[10317]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 named[10317]: zone 1.0.0.127.in-addr.arpa/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 named[10317]: zone 253.125.216.in-addr.arpa/IN: sending notifies (serial 15121813)
Dec 18 15:14:35 ns2 named[10317]: zone 0.in-addr.arpa/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 named[10317]: zone localhost.localdomain/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 named[10317]: zone 66.162.25.52.in-addr.arpa/IN: sending notifies (serial 15121813)
Dec 18 15:14:35 ns2 named[10317]: zone csit.parkland.edu/IN: sending notifies (serial 15121813)
Dec 18 15:14:35 ns2 named[10317]: zone localhost/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 systemd[1]: Started Berkeley Internet Name Domain (DNS).
When specifying a class B IP address (e.g. "172.16") in a variable file, it should be quoted. Otherwise, the YAML parser will interpret it as a float.
Looks like this commit: 9e1eebb no longer allows CNAMEs or multiple IP addresses to work.
Hi Bert,
When I use this role to create reverse zones for my Elastic IPs, I end up with the origin of the full IP address, and then a record for the full IP address. PTR resolution doesn't work unless I remove the IP address from the record.
Maybe the reverse zone template can only insert the non-matching part of the reverse lookup address?
Thanks for an awesome role! I still use it all the time.
Joanna
When I started using this playbook, even after reading the docs a few times, I was not sure that it would even work with a slave that didn't also do master for some zones. I figured things out by looking at what was in the templates. I thought others might appreciate an example in the docs so I started a branch for that.
While doing that I noticed the table under "Minimal variables..." that lists what is required for master vs slave. It says that bind_zone_domains.name_servers and bind_zone_domains.networks are required for a slave, but it didn't seem to be necessary for me. Am I doing something wrong here or should I correct the docs for that too?
Hi,
Is it possible to populate the bind_zone_hosts variable with values from the inventory?
The following in group_vars reports an error 'item' is undefined
bind_zone_hosts:
  - name: "{{ item }}"
    ip: "{{ hostvars['{{ item }}']['ansible_host'] }}"
with_items: "{{ groups['all'] }}"
I'm not able to create records that are CNAME only with this playbook.
Hi, thanks for this awesome role!
I have an issue where a simple zone couldn't be created because of a strange error I see. That's my playbook:
---
- hosts: all
  become: true
  vars:
    bind_allow_query:
      - any
    bind_listen_ipv4:
      - any
    bind_zone_master_server_ip: 10.99.99.8
    bind_zone_domains:
      - name: 'nuage.internet'
        networks:
          - '10.99.99'
        name_servers:
          - ns1.nuage.internet.
        hosts:
          - name: utility
            ip: 10.99.99.8
            alias:
              - dns
          - name: vsc1
            ip: 10.99.99.4
          - name: vsc1
            ip: 10.99.99.5
          - name: vsc1
            ip: 10.99.99.6
          - name: vsc1
            ip: 10.99.99.7
  roles:
    - ansible-role-bind
The error is:
"stdout": "zone nuage.internet/IN: NS 'ns1.nuage.internet' has no address records (A or AAAA)
zone nuage.internet/IN: not loaded due to errors."
I am a bit lost; why can't I use
name_servers:
  - ns1.nuage.internet.
as my SOA? If I change this line to, say, acme.local., everything works, but is it correct behavior?
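The check that named-checkzone is applying in the error above, as an added example that is not part of the role: an NS target inside the zone must itself have an address record, while out-of-zone targets are not checked at load time, which is why an unrelated name such as acme.local. loads. The host data below is constructed from the playbook in the report; the `alias` key is taken from it as written.

```python
from typing import Dict, List


def fqdn(name: str, zone: str) -> str:
    """Absolute lowercase name with trailing dot; short names get the zone appended."""
    name = name.lower()
    zone = zone.lower().rstrip(".") + "."
    if name == "@":
        return zone
    if name.endswith("."):
        return name
    return f"{name}.{zone}"


def missing_ns_addresses(zone: str, name_servers: List[str],
                         hosts: List[Dict]) -> List[str]:
    """Return the in-zone NS targets that have no host entry (no A/AAAA record).

    Aliases become CNAMEs, and an NS target must not be a CNAME, so only
    host names with an ip are counted as having an address record.
    """
    zone_abs = fqdn("@", zone)
    have_address = {fqdn(h["name"], zone) for h in hosts if h.get("ip")}
    missing = []
    for ns in name_servers:
        target = fqdn(ns, zone)
        in_zone = target == zone_abs or target.endswith("." + zone_abs)
        if in_zone and target not in have_address:
            missing.append(ns)
    return missing


# Constructed from the playbook in the report above (trimmed to two hosts).
ZONE = "nuage.internet"
HOSTS = [
    {"name": "utility", "ip": "10.99.99.8", "alias": ["dns"]},
    {"name": "vsc1", "ip": "10.99.99.4"},
]

if __name__ == "__main__":
    # Reproduces the reported failure: ns1 is in-zone but has no host entry.
    print(missing_ns_addresses(ZONE, ["ns1.nuage.internet."], HOSTS))
```

Adding a host named ns1 (or pointing name_servers at an existing host such as utility) makes the list empty, which is the fix the error message is asking for.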
I think this shouldn't be here: ansible-role-bind/tasks/main.yml, line 10 in e5936d2.
Basic script:
#!/bin/bash
mkdir -p /etc/bind/keys/
domain=test.loc
keyfile=/etc/bind/keys/$domain.key
# Generate a TSIG key only when none was passed in through $bind_key
if [ "x$bind_key" = x ]
then
    pushd /etc/bind/keys
    rm -f /etc/bind/keys/K$domain*
    dnssec-keygen -a HMAC-MD5 -b 512 -n HOST $domain.key
    # The base64 secret is the second field of the "Key:" line in the .private file
    bind_key="$(grep Key: K$domain*.private | cut -d ' ' -f 2)"
    popd
fi
chown root:bind /etc/bind/keys/K$domain*
chmod 640 /etc/bind/keys/K$domain*
How can it be integrated into the playbook to achieve this result?
key "test.loc.key" {
    algorithm hmac-md5;
    secret "WkTF9DYyK4hcboNK1cxHTK/WcFu7di/sdHkwrFJqKBJU YA+08otWNW31g==";
};
zone "test.loc" {
    type master;
    file "test.loc.zone";
    allow-query { any; };
    allow-transfer { none; };
    allow-update { key test.loc.key; };
};
The way this role is set up is suitable for an authoritative name server. Best practices state that recursion should be turned off in that case. The default settings should reflect this.
In my domain, the top of the domain resolves to a webserver. I don't see a way to configure that with this role. In my zone file, the entry is just below the NS entries in the ORIGIN . section, and is unique because it only contains the domain name, not a hostname, like so:
csit.parkland.edu. IN A 216.x.x.x
My current DNS server is ages out of date, and there may be a newer/better way to configure the top host now. Can this role set up a resolution for the domain?
Zone transfers fail with: "dumping master file: tmp-xxxxxxxxxxxxx: open: permission denied" on slaves.
To resolve, on the slave issue:
setsebool -P named_write_master_zones true
To resolve this in the role, in tasks/slave.yml:
but this adds a requirement on the "libsemanage-python" module ;-)
Should this be included in the role, or a pre-requisite outside of the role ?
bind_zone_domain is manageable if you have a small number of zones and a small number of hosts in each zone. It becomes problematic if you have a large number of zones and hosts in each zone. Is there a way to have the zones/hosts defined in separate files to improve manageability?
So, my domain is a child domain of my college's domain. I need to have NS records for the NS servers that are authoritatively serving records I transfer to them. I also transfer records to our ISP, who serves my zone authoritatively. I have the need to put their records in the file appearing like so:
IN NS ns1.mydomain.college.edu.
IN NS ns2.mydomain.college.edu.
IN NS dns1.college.edu..mydomain.college.edu.
IN NS dns2.college.edu..mydomain.college.edu.
IN NS ns1.ISP.net..mydomain.college.edu.
IN NS ns2.ISP.net..mydomain.college.edu.
I have thought about this for a bit, and it seems easiest to change the variable to be the FQDN, and not append the domain name at all in the template.
As a reference, Zytrax.com states, "There is no requirement that any name servers are within the domain for which they are authoritative." http://www.zytrax.com/books/dns/ch8/ns.html
I use a config with separate zones (see comment).
How to enable allow_update on a single zone?
Thanks
If I have multiple servers, for example 3 hardware servers:
ns1.domain.tld (master)
ns2.domain.tld (slave)
ns3.domain.tld (slave)
my hosts file is
[dns-server]
ns1.domain.tld ansible_user=root ansible_port=2400
ns2.domain.tld ansible_user=root ansible_port=2400
ns3.domain.tld ansible_user=root ansible_port=2400
How can I say that ns1 is the master and ns2 and ns3 are slaves?
The variable bind_zone_master_server_ip is mandatory, but the error message that you get when it is not defined seems unrelated to this. That makes it hard to interpret the error and fix it.
An example for the reverse zone?
Thanks.
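How the reverse zone origin and the PTR owner name relate, as an added example that is not part of the role: it covers the /29 question, the IPv6 reverse case, and the Elastic IP report above, where a record written with the full reverse name inside an $ORIGIN of that same name ends up as "<full>.<full>" and never resolves. The function names are assumptions; only the standard library is used.

```python
import ipaddress
from typing import Tuple


def reverse_zone(network: str) -> str:
    """Reverse zone origin for a network, e.g.
    '10.99.99.0/24' -> '99.99.10.in-addr.arpa',
    '2001:db8::/32' -> '8.b.d.0.1.0.0.2.ip6.arpa'.
    Only prefix lengths on a label boundary (IPv4: multiple of 8,
    IPv6: multiple of 4) map onto a single reverse zone."""
    net = ipaddress.ip_network(network, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError(
            f"{network}: prefix not on a label boundary; "
            "needs classless delegation (RFC 2317) instead")
    # reverse_pointer of the network address is the full reverse name;
    # drop the leading labels that belong to the host part.
    labels = net.network_address.reverse_pointer.split(".")
    host_labels = (net.max_prefixlen - net.prefixlen) // bits_per_label
    return ".".join(labels[host_labels:])


def ptr_owner(address: str, network: str) -> Tuple[str, str]:
    """Return (origin, owner relative to that origin) for a PTR record."""
    ip = ipaddress.ip_address(address)
    net = ipaddress.ip_network(network, strict=True)
    if ip not in net:
        raise ValueError(f"{address} is not in {network}")
    origin = reverse_zone(network)
    full = ip.reverse_pointer
    if full == origin:
        # A /32 (or /128) zone: the record belongs at the apex, not
        # under a repeated copy of the full reverse name.
        return origin, "@"
    return origin, full[: -(len(origin) + 1)]


if __name__ == "__main__":
    print(ptr_owner("10.99.99.8", "10.99.99.0/24"))     # ('99.99.10.in-addr.arpa', '8')
    print(ptr_owner("52.25.162.66", "52.25.162.66/32"))  # ('66.162.25.52.in-addr.arpa', '@')
```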
Remove firewall configuration
Just faced an issue where the following condition was always failing:
when: ansible_all_ipv4_addresses|last == bind_zone_master_server_ip
My guest is set up so that it has two IP addresses, and the issue was that ansible_all_ipv4_addresses|last was not referring to the one I set up to be the bind_zone_master_server_ip.
I'm not certain if there are any drawbacks, but what I did was replace the conditional with:
when: bind_zone_master_server_ip not in ansible_all_ipv4_addresses
It is very useful to have caching features working for a bind server; this allows the system administrator to use much less bandwidth and fewer queries.
Hi Bert,
I'd love to see SRV and TXT records be able to be added to the zone file to support Kerberos realm and RedHat IdM/FreeIPA authentication servers.
For example:
; ldap servers
_ldap._tcp IN SRV 0 100 389 hostname
;kerberos realm
_kerberos IN TXT KERBEROS.REALM.NAME
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 hostname
_kerberos._udp IN SRV 0 100 88 hostname
_kerberos-master._tcp IN SRV 0 100 88 hostname
_kerberos-master._udp IN SRV 0 100 88 hostname
_kpasswd._tcp IN SRV 0 100 464 hostname
_kpasswd._udp IN SRV 0 100 464 hostname
;ntp server
_ntp._udp IN SRV 0 100 123 hostname
; CNAME for IPA CA replicas (used for CRL, OCSP)
ipa-ca IN A ip.address
I know you had recursion originally, and then removed it. I now have the need to allow recursion only for localnets, which requires having recursion turned on. Apparently, localnets and localhost are the default access list if you turn on recursion and don't specify additional hosts. I don't know how the "allow-query" statement affects that, however. There is a statement specifically for allow-query-cache that can have its own set of allowed hosts.
If you don't want to add this back into your role, I understand. I'll be tweaking my template to turn it back on for my environment.
http://www.zytrax.com/books/dns/ch7/queries.html#allow-query-cache
https://kb.isc.org/article/AA-00503/0/Whats-the-difference-between-allow-query-cache-and-allow-recursion.html
In a very simple lab scenario where we only need to configure a master zone, why would we need bind_zone_master_server_ip as a requirement?
It's only used in slave zones - https://github.com/bertvv/ansible-role-bind/search?q=bind_zone_master_server_ip&unscoped_q=bind_zone_master_server_ip
If I have more than one network, it does not insert spaces in the zone, for example:
allow-update { 10.27.253.0/24;10.27.22.1; };
correct syntax is:
allow-update { 10.27.253.0/24; 10.27.22.1; };
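How a template should render a BIND address_match_list, as an added example that is not part of the role. It reproduces the two template behaviours reported on this page (a bare string iterated character by character, giving "{ a;n;y; }", and elements joined without a separating space) and rejects the float that an unquoted YAML value such as 172.16 becomes. The function names are assumptions.

```python
from typing import Iterable, Union


def render_acl_naive(value: Union[str, Iterable]) -> str:
    """Mimics a template that simply loops over the variable: a str is
    iterated per character, which is how 'any' turns into 'a;n;y;', and
    the elements are concatenated with no space after each ';'."""
    return "{ " + "".join(f"{item};" for item in value) + " }"


def render_acl(value: Union[str, Iterable]) -> str:
    """Render a BIND address_match_list such as { 10.0.0.0/24; any; }."""
    # A scalar string is one element, not a sequence of characters.
    if isinstance(value, str):
        value = [value]
    items = []
    for item in value:
        # Unquoted YAML such as `- 172.16` arrives as a float, not a prefix;
        # bool is a subclass of int, so it is caught here as well.
        if isinstance(item, (int, float)):
            raise TypeError(
                f"{item!r} is {type(item).__name__}, not a string; "
                "quote network prefixes in YAML (e.g. '172.16')")
        item = str(item).strip()
        if not item:
            raise ValueError("empty address_match_list element")
        items.append(item)
    # Every element ends in ';' and elements are separated by a space.
    return "{ " + " ".join(f"{i};" for i in items) + " }"


if __name__ == "__main__":
    print(render_acl_naive("any"))                        # { a;n;y; }
    print(render_acl("any"))                              # { any; }
    print(render_acl(["10.27.253.0/24", "10.27.22.1"]))   # { 10.27.253.0/24; 10.27.22.1; }
```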
According to the README, the mail_servers zone variable defaults to [{name: mail, preference: 10}].
However, in the bind_zone.j2 template file it seems to default to [].
Either the README or the template should be changed.
Adding the forwarders option makes the role more useful for setting up a caching name server. This was not the initial intended use of this role, but there is some demand for it.
Trying to run a playbook with your role using Ansible 2.0 ends with an error:
ERROR! 'version' is not a valid attribute for a RoleMetadata
The error appears to have been in '/etc/ansible/roles/bertvv.bind/meta/main.yml': line 2, column 1, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
---
galaxy_info:
^ here