# Note - Each section beginning with 'bind:' below represents a different way you may configure
# pillars for bind. When configuring your pillar(s), you may use any combination of subsections,
# but salt will not merge sections with the same heading: duplicate top-level 'bind:' keys in one
# pillar file are not combined (a YAML loader either rejects them or keeps only the last one), so
# put every subsection you need under a single 'bind:' mapping.
### Overrides for the defaults specified by ###
### map.jinja ###
bind:
  lookup:
    pkgs:
      - bind                            # Need to install (package name is distro-specific;
                                        # map.jinja holds the per-OS default this overrides)
    service: named                      # Service name
    zones_source_dir: bind/zonedata     # Take zonefiles from `salt://bind/zonedata`
                                        # instead of `salt://zones`
### General config options ###
# NOTE(review): indentation in this copy was lost; the nesting below follows the upstream
# layout (options/protocol under config, default_zones/includes under bind) - confirm
# against map.jinja and the named.conf templates before relying on it.
bind:
  config:
    tmpl: salt://bind/files/debian/named.conf  # Template we'd like to use (not implemented?)
    user: root                          # File & Directory user
    group: named                        # File & Directory group
    mode: 640                           # File & Directory mode. 640 keeps named.conf (and any
                                        # TSIG/rndc secrets rendered into it) readable only by
                                        # root and the named group - do not loosen it to 644.
    options:
      allow-recursion: '{ any; }'       # Never include this on a public resolver: together with
                                        # 'recursion: yes' this is an open resolver (amplification
                                        # and cache-poisoning surface) the moment listen-on /
                                        # allow-query are widened beyond loopback. Scope it to an
                                        # ACL (see configured_acls) instead of 'any'.
      # RedHat defaults, needed to generate default config file
      listen-on: 'port 53 { 127.0.0.1; }'      # Loopback only - this is what makes the
      listen-on-v6: 'port 53 { ::1; }'         # recursion settings above tolerable.
      allow-query: '{ localhost; }'
      recursion: 'yes'
      dnssec-enable: 'yes'              # Obsolete in current BIND (validation is governed by
                                        # dnssec-validation alone) and newer releases warn on it;
                                        # check your BIND version before keeping this line.
      dnssec-validation: 'yes'          # 'yes' validates only against an explicitly configured
                                        # trust anchor; 'auto' uses BIND's built-in root key and
                                        # is what most validating resolvers want.
      # End RedHat defaults
    protocol: 4                         # Force bind to serve only one IP protocol
                                        # (ipv4: 4, ipv6: 6). Omitting this reverts to
                                        # binds default of both.
  # Debian and FreeBSD based systems
  default_zones: True                   # If set to True, the default-zones configuration
                                        # will be enabled. Defaults to False.
  includes:                             # Include any additional configuration file(s) in
    - /some/additional/named.conf       # named.conf. An included file is parsed with full
                                        # named.conf authority (it can add keys, controls and
                                        # zones), so give it the same owner/mode as named.conf
                                        # and keep it under configuration management too.
# Debian based systems optional configs
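# NOTE(review): indentation in this copy was lost; the nesting below follows the upstream
# layout (use_extensive_logging under config; rndc_client, controls, statistics and the
# zone sections directly under bind) - confirm against the formula's templates.
bind:
  config:
    options:
      querylog: 'yes'                   # Enable query logs, by default is disabled in map.jinja (yes,no).
                                        # Query logs record client addresses and every name asked for:
                                        # treat them as sensitive and size/rotate them (channels below).
    use_extensive_logging:              # Enable extensive config for logging. Partial example. For proposed settings please refer to
      channel:                          # https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html
        default_log:
          file: default
          size: '200m'                  # size of a individual file (default 20m)
          versions: '10'                # how many files will be stored (default 3)
          print-time: 'yes'             # BIND booleans are quoted, as for querylog/recursion above, so
          print-category: 'yes'         # the rendered named.conf gets the literal 'yes' rather than
          print-severity: 'yes'         # whatever the template makes of a YAML/Python True.
          severity: info
        queries_log:
          file: queries
          print-time: 'yes'
          print-category: 'yes'
          print-severity: 'yes'
          severity: info
        query-errors_log:
          file: query-errors
          print-time: 'yes'
          print-category: 'yes'
          print-severity: 'yes'
          severity: dynamic
        default_syslog:
          print-time: 'yes'
          print-category: 'yes'
          print-severity: 'yes'
          syslog: daemon
          severity: info
        default_debug:
          file: named.run
          print-time: 'yes'
          print-category: 'yes'
          print-severity: 'yes'
          severity: info
      category:
        default:
          - default_syslog
          - default_debug
          - default_log
        config:
          - default_syslog
          - default_debug
          - default_log
        network:
          - default_syslog
          - default_debug
          - default_log
        general:
          - default_syslog
          - default_debug
          - default_log
        queries:
          - queries_log
        query-errors:
          - query-errors_log
  rndc_client:                          # Generate rndc.conf file; it uses previously defined keys.
                                        # NOTE(review): my_default_key and dns_key are not defined in
                                        # any 'keys:' section of this example (only core_dhcp is) -
                                        # every key named here must exist in bind:keys or the generated
                                        # rndc.conf will not parse. rndc traffic is HMAC-authenticated
                                        # but not encrypted, so only manage remote servers over a
                                        # network you trust.
    options:
      default:
        server: localhost
        port: 953
        key: my_default_key
    server:
      '127.0.0.1':
        key: dns_key
      'localhost':
        key: dns_key
      '8.8.8.8':                        # Example only - this is a public resolver's address; use an
        key: my_default_key             # RFC 5737 documentation address (e.g. 192.0.2.10) in docs.
  controls:                             # If you define controls then you also should configure rndc_client.
    local:                              # Always keep a 'keys' list: 'allow' only filters source
      enabled: true                     # addresses, the key is what authenticates the caller.
      bind:
        address: 127.0.0.1
        port: 953
      allow:
        - 127.0.0.1
      keys:
        - core_dhcp
    myip4:                              # Exposes rndc on a LAN address: anyone in 'allow' who holds
      enabled: true                     # the key can reload, flush or stop the server, so keep 'allow'
      bind:                             # narrow and the key out of plaintext pillar.
        address: 10.161.161.168
        port: 953
      allow:
        - 10.161.161.168
        - my_net
      keys:
        - core_dhcp
  statistics:                           # Enable statistics-channel. The HTTP statistics channel has no
    local:                              # authentication at all - 'allow' is the only access control -
      enabled: true                     # and it reveals zone names and query patterns; never expose it widely.
      bind:
        address: 127.0.0.1
        port: 8053
      allow:
        - 127.0.0.1
    myip4:
      enabled: true
      bind:
        address: 10.161.161.168
        port: 8123
      allow:
        - 10.161.64.168                 # NOTE(review): differs from the bind address (10.161.161.168)
        - my_net                        # above - confirm this is the intended client and not a typo.
  configured_zones:                     # Debian based systems can have zones using only configured_zones
    sub.domain.com:                     # This zone will be copied from zones_source_dir
      file: sub.domain.com              # You can optionally specify name of a file here.
      type: master                      # You don't have to define the zone again in available_zones.
                                        # This feature is backward compatible and only available in debian
      notify: False                     # if type master you need specify notify True/False.
                                        # No allow-transfer here: the zone inherits the options-level
                                        # default (historically { any; }) - add one unless that is intended.
    sub2.domain.com:
      file: sub2.domain.com
      type: master
      notify: True
      allow-query:
        - any                           # Normal for an authoritative zone
      allow-transfer:
        - my_net                        # Restrict AXFR/IXFR to the secondaries' ACL; an open
                                        # transfer hands the whole zone to anyone who asks.
      allow-update: 'none'              # Explicit: no dynamic updates (BIND's default, stated on purpose)
      also-notify:
        - 1.2.3.4
        - 1.2.3.3
      zone-statistics: 'yes'            # Enable detailed statistics for zone. You need enable statistics first
    test.zone.com:
      file: test.zone.com
      type: slave
      notify: False
      masters:
        - my_dns_masters                # You can specify masters by using name
    test.zone2.com:                     # Zone defined in default style of this formula
      type: slave                       # You need specify all info inside available_zones
      notify: False
  configured_masters:                   # Configure master dns. Transfers from these hosts are
    my_dns_masters:                     # accepted on address alone; if you need TSIG on transfers,
      - 10.10.20.20                     # check whether the template supports a key on a masters entry.
      - 10.10.30.30
  available_zones:                      # Configuration required in default style
    test.zone2.com:
      file: test.zone2.com              # You are required specify file name here
      masters:                          # As also masters if you have slave type zone
        - 10.167.73.21
        - 10.174.60.44
# End Debian based systems features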
### Keys, Zones, ACLs and Views ###
bind:
  keys:
    "core_dhcp":                        # The name for our key
      secret: "YourSecretKey"           # The key itself. Placeholder only: a real TSIG secret is
                                        # random base64 (generate it with tsig-keygen / rndc-confgen)
                                        # and must not sit in plaintext pillar under version control -
                                        # deliver it through encrypted or external pillar. Whoever
                                        # holds it can change every record that allow-update /
                                        # update_policy below hands to core_dhcp.
  configured_zones:
    sub.domain.com:                     # First domain zone
      type: master                      # We're the master of this zone
      notify: False                     # Don't notify any NS RRs of any changes to zone
      also-notify:                      # Do notify these IP addresses (pointless as
        - 1.1.1.1                       # notify has been set to no; BIND's 'notify explicit' is
        - 2.2.2.2                       # what targets only the also-notify hosts)
    1.168.192.in-addr.arpa:             # Reverse lookup for local IPs
      type: master                      # As above
      notify: False                     # As above
      allow-transfer:                   # Only these hosts may AXFR/IXFR the zone; set this on every
        - 1.1.1.1                       # primary zone (the example addresses are real public
        - 2.2.2.2                       # resolvers - use RFC 5737 ranges such as 192.0.2.0/24 in docs)
    dynamic.domain.com:                 # Our ddns zone
      type: master                      # As above
      allow-update: "key core_dhcp"     # Who we allow updates from (refers to above key).
                                        # This gives the key holder write access to the whole zone;
                                        # prefer update_policy (see myview1 below) when only
                                        # specific names should be writable.
      notify: True                      # Notify NS RRs of changes
    sub.anotherdomain.com:              # Another domain zone
      type: forward                     # This time it's a forwarding zone
      forwarders:                       # Where we need to forward requests to
        - 10.9.8.7
        - 10.9.8.5
    sub.forwardonlydomain.com:          # Forwarding only domain
      type: forward                     # As above
      forward: only                     # We don't want the server to do any resolving itself
      forwarders:                       # As above (but with different IPs)
        - 10.9.8.8
        - 10.9.8.9
  configured_views:
    myview1:                            # First (and only) view
      match_clients:                    # The clients we wish to match (ACL names or addresses;
        - client1                       # client1/client2 are placeholders and are not defined
        - client2                       # anywhere in this file - configured_acls only defines my_net)
      configured_zones:                 # Zones that our view is applicable to
        my.zone:                        # We've defined a new zone in here
          type: master
          notify: False
          update_policy:                # A given update policy - the least-privilege form of dynamic
                                        # update: core_dhcp may touch only this one name (any RR
                                        # type) and nothing else in the zone
            - "grant core_dhcp name dns_entry_allowed_to_update. ANY"
  configured_acls:                      # And now for some ACLs
    my_net:                             # Our ACL's name
      - 127.0.0.0/8                     # And the applicable IP addresses
      - 10.20.0.0/16
### Define zone records in pillar ###
bind:
  available_zones:
    example.com:
      file: example.com.txt
      soa:                              # Declare the SOA RRs for the zone
        ns: ns1.example.com             # Required
        contact: hostmaster.example.com # Required
        serial: 2017041001              # Required. Must increase on every change: secondaries only
                                        # transfer when the primary's serial is higher than theirs.
        class: IN                       # Optional. Default: IN
        refresh: 8600                   # Optional. Default: 12h
        retry: 900                      # Optional. Default: 15m
        expiry: 86000                   # Optional. Default: 2w
        nxdomain: 500                   # Optional. Default: 1m
        ttl: 8600                       # Optional. Not set by default
      records:                          # Records for the zone, grouped by type
        A:                              # (1.2.3.x / 2.3.4.x are real routable space; documentation
          mx1:                          # A RR with multiple values can   should use RFC 5737 ranges)
            - 1.2.3.228                 # be written as an array
            - 1.2.3.229
          cat: 2.3.4.188
          rat: 1.2.3.231
          live: 1.2.3.236
        NS:
          '@':                          # Relative names: rat and cat are in-zone hosts with
            - rat                       # A records above, so the nameservers resolve from this zone
            - cat
        CNAME:
          ftp: cat.example.com.
          www: cat.example.com.
          mail: mx1.example.com.
          smtp: mx1.example.com.
        TXT:                            # Complex records can be expressed as strings
          '@':
            - '"some_value"'
            - '"v=spf1 mx a ip4:1.2.3.4 ~all"'  # ~all = softfail; once the sender list is complete,
                                                # -all (hard fail) is the stronger anti-spoofing choice
          _dmarc: '"v=DMARC1; p=quarantine; rua=mailto:[email protected]; fo=1:d:s; adkim=r; aspf=r; pct=100; ri=86400"'
                                        # the rua address is redacted in this copy - point it at a
                                        # mailbox you control before publishing
### Externally defined Zones ###
bind:
  available_zones:
    sub.domain.org:
      file: db.sub.domain.org           # DB file containing our zone
      masters:                          # Masters of this zone - the zone is pulled by AXFR/IXFR from
        - 192.168.0.1                   # these addresses, so the primary must allow-transfer to us