forked from saltstack-formulas/bind-formula
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
378 lines (339 loc) · 16.5 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# Note - Each section beginning with 'bind:' below represents a different way you may configure
# pillars for bind. When configuring your pillar(s), you may use any combination of subsections,
# but salt will not merge sections with the same heading.
### Overrides for the defaults specified by ###
### map.jinja ###
bind:
lookup:
pkgs:
- bind # Need to install
service: named # Service name
zones_source_dir: bind/zonedata # Take zonefiles from `salt://bind/zonedata`
# instead of `salt://zones`
### General config options ###
bind:
lookup:
key_directory: '/etc/bind/keys' # Key directory (needed to use auto-dnssec)
key_algorithm: RSASHA256 # Algorithm when using auto-dnssec
key_algorithm_field: '008' # See http://www.bind9.net/dns-sec-algorithm-numbers
key_size: 4096 # Key size
config:
tmpl: salt://bind/files/debian/named.conf # Template we'd like to use (not implemented?)
user: root # File & Directory user
group: named # File & Directory group
mode: 640 # File & Directory mode
enable_logging: true # Enable basic query logging
use_extensive_logging: # Enable extensive config for logging. Partial example. For proposed settings please refer to
channel: # https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html
default_log:
file: default
size: '200m' # size of a individual file (default 20m)
versions: '10' # how many files will be stored (default 3)
print-time: true
print-category: true
print-severity: true
severity: info
queries_log:
file: queries
print-time: true
print-category: true
print-severity: true
severity: info
query-errors_log:
file: query-errors
print-time: true
print-category: true
print-severity: true
severity: dynamic
default_syslog:
print-time: true
print-category: true
print-severity: true
syslog: daemon
severity: info
default_debug:
file: named.run
print-time: true
print-category: true
print-severity: true
severity: info
category:
default:
- default_syslog
- default_debug
- default_log
config:
- default_syslog
- default_debug
- default_log
network:
- default_syslog
- default_debug
- default_log
general:
- default_syslog
- default_debug
- default_log
queries:
- queries_log
query-errors:
- query-errors_log
options:
allow-recursion: '{ any; }' # Never include this on a public resolver
# RedHat defaults, needed to generate default config file
listen-on: 'port 53 { 127.0.0.1; }'
listen-on-v6: 'port 53 { ::1; }'
allow-query: '{ localhost; }'
recursion: 'yes'
dnssec-enable: 'yes'
dnssec-validation: 'yes'
# End RedHat defaults
protocol: 4 # Force bind to serve only one IP protocol
# (ipv4: 4, ipv6: 6). Omitting this reverts to
# binds default of both.
# Debian and FreeBSD based systems
default_zones: true # If set to true, the default-zones configuration
# will be enabled. Defaults to false.
includes: # Include any additional configuration file(s) in
- /some/additional/named.conf # named.conf
# Debian based systems optional configs
bind:
config:
options:
querylog: 'yes' # Enable query logs, by default is disabled in map.jinja (yes,no)
rndc_client: # Generate rndc.conf file it uses previously defined keys
options:
default:
server: localhost
port: 953
key: my_default_key
server:
'127.0.0.1':
key: dns_key
'localhost':
key: dns_key
'8.8.8.8':
key: my_default_key
controls: # If you define controls then you also should configure rndc_client
local:
enabled: true
bind:
address: 127.0.0.1
port: 953
allow:
- 127.0.0.1
keys:
- core_dhcp
myip4:
enabled: true
bind:
address: 10.161.161.168
port: 953
allow:
- 10.161.161.168
- my_net
keys:
- core_dhcp
statistics: # Enable statistics-channel
local:
enabled: true
bind:
address: 127.0.0.1
port: 8053
allow:
- 127.0.0.1
myip4:
enabled: true
bind:
address: 10.161.161.168
port: 8123
allow:
- 10.161.64.168
- my_net
configured_zones: # Debian based systems can have zones using only configured_zones
sub.domain.com: # This zone will be copied from zones_source_dir
file: sub.domain.com # You can optionally specify name of a file here.
type: master # Yo don't have define zone again in available_zones.
# This feature is backward compatibile and only available in debian
notify: false # if type master you need specify notify true/false
managed: true # Set this to false if you don't want Salt to manage this zone file
# If this parameter is set to true or is not set at all, the zone will be managed through salt
sub2.domain.com:
file: sub2.domain.com
type: master
notify: true
allow-query:
- any
allow-transfer:
- my_net
allow-update: 'none'
also-notify:
- 1.2.3.4
- 1.2.3.3
zone-statistics: true # Enable detailed statistics for zone. You need enable statistics first
test.zone.com:
file: test.zone.com
type: slave
notify: false
masters:
- my_dns_masters # You can specify masters by using name
test.zone2.com: # Zone definied in default style of this formula
type: slave # You need specify all info inside available_zones
notify: false
configured_masters: # Configure master dns
my_dns_masters:
- 10.10.20.20
- 10.10.30.30
available_zones: # Configuration required in default style
test.zone2.com:
file: test.zone2.com # You are required specify file name here
masters: # As also masters if you have slave type zone
- 10.167.73.21
- 10.174.60.44
# End Debian based systems features
# on SUSE include the forwarders.conf file generated by netconfig(8)
bind:
config:
include_forwarders: true
### Keys, Zones, ACLs and Views ###
bind:
keys:
"core_dhcp": # The name for our key
secret: "YourSecretKey" # The key its self
configured_zones:
sub.domain.com: # First domain zone
type: master # We're the master of this zone
notify: false # Don't notify any NS RRs of any changes to zone
also-notify: # Do notify these IP addresses (pointless as
- 1.1.1.1 # notify has been set to no)
- 2.2.2.2 # If using views, do not define configured_zones
# at this indentation level - define it using the sub-key
# of your view under configured_views.
sub.domain2.com: # Domain zone with DNSSEC
type: master # We're the master of this zone
notify: false # Don't notify any NS RRs of any changes to zone
dnssec: true # Create and manage signed zonefile with zonesigner
# You will have to install dnssec-tools by hand
# on many distributions
sub.domain3.com: # Domain zone with DNSSEC
type: master # We're the master of this zone
notify: false # Don't notify any NS RRs of any changes to zone
auto-dnssec: 'maintain' # Bind will create and manage the signed zonefile
# itself, we only have to provide the clear zone
1.168.192.in-addr.arpa: # Reverse lookup for local IPs
type: master # As above
notify: false # As above
allow-transfer: # As above
- 1.1.1.1
- 2.2.2.2
dynamic.domain.com: # Our ddns zone
type: master # As above
allow-update: "key core_dhcp" # Who we allow updates from (refers to above key)
notify: true # Notify NS RRs of changes
sub.anotherdomain.com: # Another domain zone
type: forward # This time it's a forwarding zone
forwarders: # Where we need to forward requests to
- 10.9.8.7
- 10.9.8.5
sub.forwardonlydomain.com: # Forwarding only domain
type: forward # As above
forward: only # We don't want the server to do any resulving
forwarders: # As above (but with different IPs)
- 10.9.8.8
- 10.9.8.9
configured_views:
myview1: # First (and only) view
match_clients: # The clients we wish to match
- client1
- client2
configured_zones: # Zones that our view is applicable to
my.zone: # We've defined a new zone in here
type: master
file: example.com.txt # Optional: specify the zone file to be used for this view,
# otherwise it will default to the file matching the name of the zone that you
# specify here (which must match a zone under 'available_zones'.
# The file name must match what you have entered for 'file' in the zone under
# 'available_zones'.
# This allows you to define multiple views that serve the same zone, but
# serve a different record set in each.
# If doing this, you need to configure the zones and their record sets
# underneath the 'available_zones' section.
notify: false
update_policy: # A given update policy
- "grant core_dhcp name dns_entry_allowed_to_update. ANY"
configured_acls: # And now for some ACLs
my_net: # Our ACL's name
- 127.0.0.0/8 # And the applicable IP addresses
- 10.20.0.0/16 # If using views, you need to create an ACL per view to differentiate
# who accesses the view, and then specify the appropriate ACL name under
# the 'match_clients' sub-key of your view.
### Define zone records in pillar ###
bind:
available_zones:
example.com:
file: example.com.txt
soa: # Declare the SOA RRs for the zone
ns: ns1.example.com # Required
contact: hostmaster.example.com # Required
serial: 2017041001 # Required
# serial: auto # Alternatively, autoupdate serial on each change
class: IN # Optional. Default: IN
refresh: 8600 # Optional. Default: 12h
retry: 900 # Optional. Default: 15m
expiry: 86000 # Optional. Default: 2w
nxdomain: 500 # Optional. Default: 1m
ttl: 8600 # Optional. Not set by default
records: # Records for the zone, grouped by type
A:
mx1: # A RR with multiple values can
- 1.2.3.228 # be written as an array
- 1.2.3.229
cat: 2.3.4.188
rat: 1.2.3.231
live: 1.2.3.236
NS:
'@':
- rat
- cat
CNAME:
ftp: cat.example.com.
www: cat.example.com.
mail: mx1.example.com.
smtp: mx1.example.com.
TXT: # Complex records can be expressed as strings
'@':
- '"some_value"'
- '"v=spf1 mx a ip4:1.2.3.4 ~all"'
_dmarc: '"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1:d:s; adkim=r; aspf=r; pct=100; ri=86400"'
3.2.1.in-addr.arpa: # auto-generated reverse zone
file: example.com.rev.txt
soa: # Declare the SOA RRs for the zone
ns: ns1.example.com # Required
contact: hostmaster.example.com # Required
serial: auto # autoupdate serial on each change
class: IN # Optional. Default: IN
refresh: 8600 # Optional. Default: 12h
retry: 900 # Optional. Default: 15m
expiry: 86000 # Optional. Default: 2w
nxdomain: 500 # Optional. Default: 1m
ttl: 8600 # Optional. Not set by default
records: # Records for the zone, grouped by type
NS:
'@':
ns1.example.com.
generate_reverse: # take all A records from example.com that are in 1.2.3.0/24 subnet
net: 1.2.3.0/24 # and generate reverse records for them
for_zones:
- example.com # example.com is a zone defined in pillar, see above
# for_zones:
# - any # generate reverse record for any zone
### Externally defined Zones ###
bind:
available_zones:
sub.domain.org:
file: db.sub.domain.org # DB file containing our zone
masters: # Masters of this zone
- 192.168.0.1