Install and enable a BIND DNS server, manage its main configuration and install and manage its DNS zone files.
bind
: Main class to install and enable the server.bind::server::conf
: Main definition to configure the server.bind::server::file
: Definition to manage zone files.bind::package
: Class to install the server package (included frombind
)bind::service
: Class to manage the server service (included frombind
)
The split between bind
and bind::server::conf
allows to use a static file
or a different template-based file for the main named.conf
file if needed,
while still using this module for the main package, service and managing zone
files. This is useful if you have a large and/or complex named.conf file.
Note that you may also use the bind::package
and bind::service
classes on
their own, though you won't need to if you use the main class, which includes
them both.
Here is a typical LAN recursive caching DNS server configuration :
include bind
bind::server::conf { '/etc/named.conf':
listen_on_addr => [ 'any' ],
listen_on_v6_addr => [ 'any' ],
forwarders => [ '8.8.8.8', '8.8.4.4' ],
allow_query => [ 'localnets' ],
zones => {
'myzone.lan' => [
'type master',
'file "myzone.lan"',
],
'1.168.192.in-addr.arpa' => [
'type master',
'file "1.168.192.in-addr.arpa"',
],
},
}
The zone files for the above could then be managed like this :
bind::server::file { 'myzone.lan':
source => 'puppet:///modules/mymodule/dns/myzone.lan',
}
bind::server::file { '1.168.192.in-addr.arpa':
source => 'puppet:///modules/mymodule/dns/1.168.192.in-addr.arpa',
}
Then if all source files are in the same location and named after the zone :
bind::server::file { [ 'myzone.lan', '1.168.192.in-addr.arpa' ]:
source_base => 'puppet:///modules/mymodule/dns/',
}
For RHEL5, you might want to use the newest possible bind packages
(otherwise if you're using bind-chroot
, you'll need to check
whether the zone files need to be placed inside the chroot, e.g.
/var/named/chroot/var/named
. Doing this unconditionally will break
the newest versions of BIND if zone files are deployed before named
is started for the first time, so be careful):
class { '::bind': packagenameprefix => 'bind97' }
Since SELinux offers a very high level of protection, chrooting is quite redundant, so it's disabled by default. You can nevertheless enable it if you want :
class { '::bind': chroot => true }
bind::server::conf { '/etc/named.conf':
# [... same as before ...]
}
bind::server::file { 'myzone.lan':
zonedir => '/var/named',
source => 'puppet:///files/dns/myzone.lan',
}
To avoid repeating the zonedir
parameter each time, you can also use :
Bind::Server::File { zonedir => '/nfs/zones' }
The module also supports views, where the main zones
will be included in all
views, and view-specific zones
may be declared :
bind::server::conf {
zones => {
'example.com' => [
'type master',
'file "example.com"',
],
},
views => {
'trusted' => {
'match-clients' => [ '192.168.23.0/24' ],
'zones' => {
'myzone.lan' => [
'type master',
'file "myzone.lan"',
],
},
},
'default' => {
'match-clients' => [ 'any' ],
},
},
}
You can use the statistics_channels
parameter to set up one or more statistics channels.
statistics_channels
is a hash of hashes. Each nested hash sets up a statistics channel
and contains the listening IP address and port for the channel and the IP addresses/address
blocks or ACLs that are allowed to access the channel:
bind::server::conf { '/etc/named.conf':
...
statistics_channels => {
'channel-1' => {
listen_address => '*',
listen_port => '8053',
allow => ['127.0.0.1', '10.0.0.0/8'],
},
'channel-2' => {
listen_address => '*',
listen_port => '8054',
allow => ['127.0.0.1', '10.0.0.0/8'],
},
},
...
}