-
Notifications
You must be signed in to change notification settings - Fork 23
/
named.conf
154 lines (118 loc) · 4.75 KB
/
named.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Frank Bodammer, Lars Mueller <lmuelle@suse.de>
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND 9. It works as
# a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be found in
# /usr/share/doc/packages/bind/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind/misc/options.
options {
# The directory statement defines the name server's working directory
directory "{{ map.get('named_directory') }}";
# enable DNSSEC validation
#
# If BIND logs error messages about the root key being expired, you
# will need to update your keys. See https://www.isc.org/bind-keys
#
# dnssec-enable yes (default), indicates that a secure DNS service
# is being used which may be one, or more, of TSIG
# (for securing zone transfers or DDNS updates), SIG(0)
# (for securing DDNS updates) or DNSSEC.
#dnssec-enable yes;
# dnssec-validation yes (default), indicates that a resolver
# (a caching or caching-only name server) will attempt to validate
# replies from DNSSEC enabled (signed) zones. To perform this task
# the server also needs either a valid trusted-keys clause
# (containing one or more trusted-anchors or a managed-keys clause.
#dnssec-validation auto;
managed-keys-directory "{{ map.get('named_directory') }}/dyn/";
# Write dump and statistics file to the log subdirectory.
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
# The forwarders record contains a list of servers to which queries
# should be forwarded. Enable this line and modify the IP address to
# your provider's name server. Up to three servers may be listed.
#forwarders { 192.0.2.1; 192.0.2.2; };
# Enable the next entry to prefer usage of the name server declared in
# the forwarders section.
#forward first;
# The listen-on record contains a list of local network interfaces to
# listen on. Optionally the port can be specified. Default is to
# listen on all interfaces found on your system. The default port is
# 53.
#listen-on port 53 { 127.0.0.1; };
# The listen-on-v6 record enables or disables listening on IPv6
# interfaces. Allowed values are 'any' and 'none' or a list of
# addresses.
listen-on-v6 { any; };
# The next three statements may be needed if a firewall stands between
# the local server and the internet.
#query-source address * port 53;
#transfer-source * port 53;
#notify-source * port 53;
# The allow-query record contains a list of networks or IP addresses
# to accept and deny queries from. The default is to allow queries
# from all hosts.
#allow-query { 127.0.0.1; };
# If notify is set to yes (default), notify messages are sent to other
# name servers when the the zone data is changed. Instead of setting
# a global 'notify' statement in the 'options' section, a separate
# 'notify' can be added to each zone definition.
notify no;
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
# include the forwarders.conf file generated by netconfig(8)
{%- if salt['pillar.get']('bind:config:include_forwarders', False) %}
include "/etc/named.d/forwarders.conf";
{% endif %}
{#- Allow inclusion of arbitrary statements #}
{%- for statement, value in salt['pillar.get']('bind:config:options', map.get('options', {}))|dictsort -%}
{%- if value is iterable and value is not string %}
{{ statement }} {
{%- for item in value %}
{{ item }};
{%- endfor %}
};
{%- else %}
{{ statement }} {{ value }};
{%- endif %}
{%- endfor %}
#disable dnssec-validation as hotfix for bsc#1177790
dnssec-validation no;
};
# The following zone definitions don't need any modification. The first one
# is the definition of the root name servers. The second one defines
# localhost while the third defines the reverse lookup for localhost.
zone "." in {
type hint;
file "root.hint";
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "127.0.0.zone";
};
{% if salt['grains.get']('osrelease') == '15.3' -%}
# Include the meta include file generated by createNamedConfInclude. This
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from
# /etc/sysconfig/named
include "/etc/named.conf.include";
{% else -%}
include "{{ map.local_config }}";
{% for incl in salt['pillar.get']('bind:config:includes', []) %}
include "{{ incl }}";
{% endfor %}
{% endif -%}