changeset 194:a08de3153548 puppet-3.6

Add a named.conf file to control cache/memory size. Also fixed dependencies at the same time.
author IBBoard <dev@ibboard.co.uk>
date Wed, 10 Apr 2019 20:11:55 +0100
parents 9de3c4d597e9
children f70831cc2864
files common/named.conf manifests/templates.pp
diffstat 2 files changed, 69 insertions(+), 0 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/common/named.conf	Wed Apr 10 20:11:55 2019 +0100
@@ -0,0 +1,59 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 { 127.0.0.1; };
+// Disable IPv6 because we don't have a routable address
+//	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	allow-query     { localhost; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+	max-cache-size 150m;
+
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "/etc/named.iscdlv.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
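Review bot: The header comment (lines 15–22) still describes this file as "Provided by Red Hat bind package", but it is now deployed from Puppet (`puppet:///common/named.conf`), so anyone editing /etc/named.conf on the host will have the change silently reverted on the next run; add `// Managed by Puppet (common/named.conf) - local edits will be overwritten.` at the top of the header. The one deliberate departure from the package file, `max-cache-size 150m;`, is undocumented even though it is the reason for the commit; a comment such as `// Local change: cap the resolver cache to limit named's memory use` next to it would preserve that intent. The `bindkeys-file "/etc/named.iscdlv.key";` line is inert with `dnssec-validation yes;` and no `dnssec-lookaside` setting, and the ISC DLV registry it refers to has been retired, so it could be dropped or marked as a package leftover rather than a trust anchor in use (the root anchor actually used comes from the `include "/etc/named.root.key";` line).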
--- a/manifests/templates.pp	Sun Mar 10 10:07:52 2019 +0000
+++ b/manifests/templates.pp	Wed Apr 10 20:11:55 2019 +0100
@@ -158,6 +158,15 @@
 	service { 'named':
 		ensure => running,
 		enable => true,
+		require => Package['bind'],
+	}
+
+	file { '/etc/named.conf':
+		ensure => present,
+		source => 'puppet:///common/named.conf',
+		group => 'named',
+		require => Package['bind'],
+		notify => Service['named'],
 	}
 
 	file { '/etc/NetworkManager/conf.d/local-dns-resolver.conf':
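Review bot: The new `file { '/etc/named.conf': }` resource pins `group => 'named'` but neither `owner` nor `mode`, so the permissions the bind package ships on this file are not enforced; on the Puppet 3.x series this branch targets, the default `source_permissions => use` is likely to copy the mode of the checked-out module file onto the host instead. Pin them explicitly alongside the existing group line: `owner => 'root',` and `mode => '0640',`. `ensure => file` would also be more precise than `ensure => present` for a resource that supplies its own content. The enclosing class starts outside the hunk.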
@@ -169,6 +178,7 @@
 	file { '/etc/sysconfig/named':
 		ensure => present,
 		content => 'OPTIONS="-4"',
+		require => Package['bind'],
 	}
 
 	file { '/etc/resolv.conf':
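Review bot: `file { '/etc/sysconfig/named': }` now requires Package['bind'] but still has no `notify => Service['named']`, so a change to `OPTIONS="-4"` would be written to disk without named being restarted, unlike the new `/etc/named.conf` resource in the previous hunk which does notify the service. Add `notify => Service['named'],` after the new require line so the two resources behave consistently. The enclosing class starts outside the hunk.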