diff --git a/files/dnssec-init b/files/dnssec-init
index d9e2526..abe50e2 100644
--- a/files/dnssec-init
+++ b/files/dnssec-init
@@ -6,13 +6,14 @@ DOMAIN="$3"
 KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"
 RANDOM_DEVICE="$5"
 NSEC3_SALT="$6"
+ZONE_FILE="$7"
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
 dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
 dnssec-keygen -a RSASHA256 -b 2048 -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
 if [ $NSEC3_SALT != '' ]; then
- dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+ dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
 else
- dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+ dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
 fi
diff --git a/manifests/zone.pp b/manifests/zone.pp
index 8fbd62f..10b7cfb 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -31,6 +31,10 @@
 $include_default_zones = $::bind::include_default_zones
 $_domain = pick($domain, $name)
+ $zone_file = $_domain ? {
+ '.' => 'root',
+ default => $_domain
+ }
 if $include_default_zones and $default_zones_warning and member(['.', 'localhost', '127.in-addr.arpa', '0.in-addr.arpa', '255.in-addr.arpa'], $_domain) {
 warning("The bind module will include a default definition for zone \"${_domain}\" starting in version 6.0.0. Please see https://github.com/inkblot/puppet-bind/blob/master/DEFAULT_ZONES.md for more information about how this will affect your configuration.")
@@ -93,7 +97,7 @@
 }
 if member(['init', 'managed'], $zone_file_mode) {
- file { "${cachedir}/${name}/${_domain}":
+ file { "${cachedir}/${name}/${zone_file}":
 ensure => present,
 owner => $bind_user,
 group => $bind_group,
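Review bot: `ZONE_FILE="$7"` has no fallback, so a caller that still passes six arguments leaves it empty and both dnssec-signzone invocations are handed `"${CACHEDIR}/${NAME}/"`, the zone directory rather than a zone file. `KEY_DIRECTORY` two lines above already uses a positional default, and the same form keeps the previous behaviour for short argument lists: `ZONE_FILE="${7:-${DOMAIN}}"`. The only caller visible on this page, the exec in manifests/zone.pp, does pass the seventh argument, so this is a robustness point rather than a break. Adjacent but not part of this change, `[ $NSEC3_SALT != '' ]` is unquoted and only reaches the else branch through a test error when the salt is empty; `[ -n "$NSEC3_SALT" ]` is the intended check.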
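Review bot: The new `$zone_file` selector carries no comment explaining why only `'.'` is remapped, although the resulting value is used as a path component in the file resources, the dnssec-init exec and zone.conf.erb in the later hunks. A one-line comment above the selector would record the intent, e.g. `# '.' is not usable as a file name, so the root zone is stored as 'root'`. Only the root zone is special-cased here; whether other `$_domain` values are already restricted to characters that are safe in a file name and inside the single-quoted exec arguments is not visible on this page and is worth confirming.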
@@ -110,7 +114,7 @@
 user => $bind_user,
 refreshonly => true,
 require => Service['bind'],
- subscribe => File["${cachedir}/${name}/${_domain}"],
+ subscribe => File["${cachedir}/${name}/${zone_file}"],
 }
 }
 } elsif $zone_file_mode == 'absent' {
@@ -122,18 +126,19 @@
 if $dnssec {
 exec { "dnssec-keygen-${name}":
 command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
- '${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'",
+ '${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'\
+ '${zone_file}'",
 cwd => $cachedir,
 user => $bind_user,
- creates => "${cachedir}/${name}/${_domain}.signed",
+ creates => "${cachedir}/${name}/${zone_file}.signed",
 timeout => 0, # crypto is hard
 require => [
 File['/usr/local/bin/dnssec-init'],
- File["${cachedir}/${name}/${_domain}"]
+ File["${cachedir}/${name}/${zone_file}"]
 ],
 }
- file { "${cachedir}/${name}/${_domain}.signed":
+ file { "${cachedir}/${name}/${zone_file}.signed":
 owner => $bind_user,
 group => $bind_group,
 mode => '0644',
diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb
index 53d9e27..6efcfce 100644
--- a/templates/zone.conf.erb
+++ b/templates/zone.conf.erb
@@ -9,9 +9,9 @@ zone "<%= @_domain %>" {
 <%- else -%>
 key-directory "<%= @cachedir %>/<%= @name %>";
 <%- end -%>
- file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed";
+ file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>.signed";
 <%- elsif %w(init managed allowed).include? @zone_file_mode -%>
- file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>";
+ file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>";
 <%- end -%>
 <%- if %w(master slave).include? @zone_type -%>
 notify <%= @ns_notify ? 'yes' : 'no' %>;