bertvv / ansible-role-bind Goto Github PK

Try run playbook with your role using Ansible 2.0. It ends with error:

ERROR! 'version' is not a valid attribute for a RoleMetadata

The error appears to have been in '/etc/ansible/roles/bertvv.bind/meta/main.yml': line 2, column 1, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

---
galaxy_info:
^ here

I really like this role but its usage is kinda limited.

When testing the creation of zone files using the ansible check mode the creation fails when calculating the serial.

I think this shouldn't be here

So, my domain is a a child domain of my college's domain. I need to have NS records for the NS servers that are authoritatively serving records I transfer to them. I also transfer records to our ISP, who serves my zone authoritatively. I have the need to put their records in the file appearing like so:

                IN  NS     ns1.mydomain.college.edu.
                 IN  NS     ns2.mydomain.college.edu.
                 IN  NS     dns1.college.edu..mydomain.college.edu.
                 IN  NS     dns2.college.edu..mydomain.college.edu.
                 IN  NS     ns1.ISP.net..mydomain.college.edu.
                 IN  NS     ns2.ISP.net..mydomain.college.edu.

I have thought about this for a bit, and it seems easiest to change the variable to be the FQDN, and not append the domain name at all in the template.

As a reference, Zytrax.com states, "There is no requirement that any name servers are within the domain for which they are authoritative." http://www.zytrax.com/books/dns/ch8/ns.html

I use config with separate zone (see comment).
For enable - allow_update on single zone?

Thanks

This could be very useful if forwarding is required only for a specific zone/domain and a Master/Slave configuration would not be possible.
Combine this with allow-query-cache and the bind server will start to take care of most of the required queries minimizing bandwidth and requested to the forward zone.
This is also very useful if the forward zone is private and not known on the Internet.

Good work,
Very usefull role

But we need to define master-key by hand...

Simpliest way would be to add extra_lines variable in template ?

The following variable definitions
bind_listen_ipv4: any
bind_listen_ipv4: "any"
bind_listen_ipv4: 'any'
all result in the same generated configuration entry
listen-on port 53 { a;n;y; };
Fedora 28, Ansible 2.6.1, commit f505f7e of this repo.

In a very simple lab scenario where we only need to configure a master zone, why would we need bind_zone_master_server_ip as a requirement?

Its only used in slave zones - https://github.com/bertvv/ansible-role-bind/search?q=bind_zone_master_server_ip&unscoped_q=bind_zone_master_server_ip

if I have more network does not insert spaces in zone, example:
allow-update { 10.27.253.0/24;10.27.22.1; };
correct syntax is:
allow-update { 10.27.253.0/24; 10.27.22.1; };

Hi

Firstly thanks for the role.

Are we able to get the statistics-channels config added to it ?

This is to allow setups like https://github.com/digitalocean/bind_exporter

Thanks

basic script.

#!/bin/bash
mkdir -p /etc/bind/keys/
domain=test.loc
keyfile=/etc/bind/keys/$domain.key

if [ "x$bind_key" = x ]
then
  pushd /etc/bind/keys
  rm -f /etc/bind/keys/K$domain*
  dnssec-keygen -a HMAC-MD5 -b 512 -n HOST $domain.key
  bind_key="$(grep Key: K$domain*.private | cut -d ' ' -f 2)"
  popd
fi
chown root:bind /etc/bind/keys/K$domain*
chmod 640 /etc/bind/keys/K$domain*

how can it be integrated into the playbook to achieve this result?

key "test.loc.key" {
  algorithm hmac-md5;
  secret "WkTF9DYyK4hcboNK1cxHTK/WcFu7di/sdHkwrFJqKBJU YA+08otWNW31g==";
};

zone "test.loc" {
  type master;
  file "test.loc.zone";
  allow-query { any; };
  allow-transfer { none; };
  allow-update { key test.loc.key; };
};

After updating configuration file I think we need to reload bind instead of restart? I mean restarting could end up in networking problems for those who's using this DNS server right? If you approve I'd try to submit PR

Just faced an issue where the following condition was always failing:

when: ansible_all_ipv4_addresses|last == bind_zone_master_server_ip

My guest is set up so that it has two IP addresses, and the issue was that
ansible_all_ipv4_addresses|last was not referring to the one I set up to be the bind_zone_master_server_ip.

I'm not certain if there are any drawbacks, but what I did was replace the conditional with:

when: bind_zone_master_server_ip not in ansible_all_ipv4_addresses

Hi Bert,

When I reload my named service, all our slaves get notified for every zone, including localhost zones. I think this is probably undesirable. It appears that each zone can have "notify no;" added to individual zones. Would it break anything to add this to the localhost zones?

Dec 18 15:14:35 ns2 named[10317]: running
Dec 18 15:14:35 ns2 named[10317]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 named[10317]: zone 1.0.0.127.in-addr.arpa/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 named[10317]: zone 253.125.216.in-addr.arpa/IN: sending notifies (serial 15121813)
Dec 18 15:14:35 ns2 named[10317]: zone 0.in-addr.arpa/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 named[10317]: zone localhost.localdomain/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 named[10317]: zone 66.162.25.52.in-addr.arpa/IN: sending notifies (serial 15121813)
Dec 18 15:14:35 ns2 named[10317]: zone csit.parkland.edu/IN: sending notifies (serial 15121813)
Dec 18 15:14:35 ns2 named[10317]: zone localhost/IN: sending notifies (serial 0)
Dec 18 15:14:35 ns2 systemd[1]: Started Berkeley Internet Name Domain (DNS).

I know you had recursion originally, and then removed it. I now have the need to allow recursion only for localnets, which requires having recursion turned on. Apparently, localnets and localhost is the default access list if you turn on recursion and don't specify additional hosts. I don't know how the "allow-query" statement affects that, however. There is a statement specifically for allow-query-cache that can have its own set of allowed hosts.

If you don't want to add this back into your role, I understand. I'll be tweaking my template to turn it back on for my environment.

http://www.zytrax.com/books/dns/ch7/queries.html#allow-query-cache
https://kb.isc.org/article/AA-00503/0/Whats-the-difference-between-allow-query-cache-and-allow-recursion.html

Reverse IPv6 lookups seem to be a bit of a challenge to set up[1], so automation of this process could be valuable.

[1] http://www.zytrax.com/books/dns/ch3/#ipv6

Hi, thanks for this awesome role!

I have an issue where a simple zone couldn't be created because of a strange error I see. Thats my playbook:

---
- hosts: all
  become: true
  vars:
    bind_allow_query:
      - any
    bind_listen_ipv4:
      - any
    bind_zone_master_server_ip: 10.99.99.8
    bind_zone_domains:
      - name: 'nuage.internet'
        networks:
          - '10.99.99'
        name_servers:
          - ns1.nuage.internet.
        hosts:
          - name: utility
            ip: 10.99.99.8
            alias:
              - dns
          - name: vsc1
            ip: 10.99.99.4
          - name: vsc1
            ip: 10.99.99.5
          - name: vsc1
            ip: 10.99.99.6
          - name: vsc1
            ip: 10.99.99.7
  roles:
    - ansible-role-bind

The error is:

"stdout": "zone nuage.internet/IN: NS 'ns1.nuage.internet' has no address records (A or AAAA)
zone nuage.internet/IN: not loaded due to errors."

I am a bit lost, why cant I use

 name_servers:
          - ns1.nuage.internet.

as my SOA? If I change this line to, say, acme.local. everything works, but is it a correct behavior?

With the current templates/master_etc_named.conf.j2 it is not possible to add check-names master ignore;

bind_zone_domain is manageable if you have a small number of zones and a small number of hosts in each zone. It becomes problematic if you have a large number of zones and hosts in each zone. Is there a way to have the zones/hosts defined in separate files to improve manageability?

Hi Bert,

When I use this role to create reverse zones for my Elastic IPs, I end up with the origin of the full IP address, and then a record for the full IP address. PTR resolution doesn't work unless I remove the IP address from the record.

Maybe the reverse zone template can only insert the non-matching part of the reverse lookup address?

Thanks for an awesome role! I still use it all the time.
Joanna

bind_zone_domains:

• name: mydomain.com
  hosts:
  • name: pub01
    ip: 192.0.2.1
    ipv6: 2001:db8::1
    ttl: 300
    aliases:
    • name: ns
      ttl: 300
      name_servers:
  • name: ns1
    ttl: 900
    delegate:
  • name: foo
    dns: 192.0.2.1
    ttl: 900
    mail_servers:
  • name: mail
    preference: 10
    ttl: 300

Looks like this commit: 9e1eebb no longer allows CNAMES or multiple IP addresses to work.

I'm not able to create records that are CNAME only with this playbook.

It's not clear what variables should at least be defined to get a working zone. This should be specified both for master and slave DNS.

• For #31, multiple TXT entries per record
• For #32, CNAMES, multi-IP entries

if i have multi server, example 3 hardware server.
ns1.domain.tld (master)
ns2.domain.tld (slave)
ns3.domain.tld (slave)

my hosts is
[dns-server]
ns1.domain.tld ansible_user=root ansible_port=2400
ns2.domain.tld ansible_user=root ansible_port=2400
ns3.domain.tld ansible_user=root ansible_port=2400

how can I say that ns1 is master and ns2 and ns3 is slave?

I don't see support for specifying zone transfers. I am considering how I might incorporate it for my environment, so I might submit a pull request if I get it figured out soon.

The variable bind_zone_master_server_ip is mandatory, but the error message that you get when it is not defined seems unrelated to this. That makes it hard to interpret the error and fix it.

The way this role is set up is suitable for an authoritative name server. Best practices state that recursion should be turned off in that case. The default settings should reflect this.

Zone transfers fail with: "dumping master file: tmp-xxxxxxxxxxxxx: open: permission denied" on slaves.

To resolve, on slave issue:
setsebool -P named_write_master_zones true

to resolve in this role, in tasks/slave.yml:

• name: Slave | permit master transfers
  seboolean: name=named_write_master_zones state=yes persistent=yes

but this adds a requirement on the "libsemanage-python" module ;-)

Should this be included in the role, or a pre-requisite outside of the role ?

Hi,

Thanks for the work you put into this Ansible playbook :D.

But im running into an issue trying to use it with the Vagrant ansible provisioner the output is as follows

==> ns1: Running provisioner: ansible...

PLAY [all] ******************************************************************** 

GATHERING FACTS *************************************************************** 
ok: [ns1]

TASK: [bertvv.bind | Install BIND] ******************************************** 
changed: [ns1] => (item=bind,bind-utils)

TASK: [bertvv.bind | Create serial] ******************************************* 
changed: [ns1]

TASK: [bertvv.bind | Main BIND config file (master)] ************************** 
skipping: [ns1]

TASK: [bertvv.bind | Create forward lookup zone file] ************************* 
skipping: [ns1]

TASK: [bertvv.bind | Create reverse lookup zone file] ************************* 
skipping: [ns1] => (item=192.168.1)
skipping: [ns1] => (item=10.0)

TASK: [bertvv.bind | Main BIND config file (slave)] *************************** 
fatal: [ns1] => {'msg': "AnsibleError: file: /vms/Ansible/ansible/bertvv.bind/templates/slave_etc_named.conf.j2, line number: 64, error: no filter named 'reverse_lookup_zone'", 'failed': True}
fatal: [ns1] => {'msg': "AnsibleError: file: /vms/Ansible/ansible/bertvv.bind/templates/slave_etc_named.conf.j2, line number: 64, error: no filter named 'reverse_lookup_zone'", 'failed': True}

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/root/bind.retry

ns1                        : ok=4    changed=2    unreachable=1    failed=0   

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

My Vagrantfile is as follows,

# -*- mode: ruby -*-
# vi: set ft=ruby :

# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure(2) do |config|

  config.vm.define "ns1" do |ns1|
    ns1.vm.box = "relativkreativ/centos-7-minimal"
    ns1.vm.hostname = "ns1.setkeh.local"
    ns1.vm.network "private_network", ip: "192.168.33.10"
    ns1.vm.network "public_network", bridge: "bond0"
    ns1.vm.synced_folder "./ansible", "/ansible"
    config.vm.provision "ansible" do |ansible|
        ansible.playbook = "ansible/bind.yml"
    end
  end

  config.vm.define "ns2" do |ns2|
    ns2.vm.box = "relativkreativ/centos-7-minimal"
    ns2.vm.hostname = "ns2.setkeh.local"
    ns2.vm.network "private_network", ip: "192.168.33.11"
    ns2.vm.network "public_network", bridge: "bond0"
    ns2.vm.synced_folder "./ansible", "/ansible"
    config.vm.provision "ansible" do |ansible|
        ansible.playbook = "ansible/bind.yml"
    end
  end
end

and my bind.yml is as follows.

---
- hosts: all
  sudo: true
  vars:
    bind_listen_ipv4:
      - 'any'
    bind_listen_ipv6:
      - 'any'
    bind_allow_query:
      - '192.168.1.0/24'
      - '10.0.0.0/24'
    bind_zone_name: 'setkeh.local'
    bind_zone_networks:
      - '192.168.1'
      - '10.0'
    bind_zone_master_server_ip: '10.0.0.35'
    bind_zone_name_servers:
      - 'ns1'
      - 'ns2'
    bind_zone_mail_servers:
      - name: 'mail'
        preference: '10'
    bind_zone_hosts:
      - name: 'ns1'
        ip: '10.0.0.35'
        aliases:
          - ns1
      - name: 'ns2'
        ip: '10.0.0.36'
        aliases:
          - ns2
      - name: 'web'
        ip: '10.0.0.7'
        aliases:
          - www
  roles:
    - bertvv.bind

If you have any suggestions or idea's as to what i have misconfigured that would be greatly appreciated :)

Thanks.

your example is:
networks:
- '192.0.2'
- '10'
- '172.16'

if network is 172.16.18.0/29 ?
Thanks.

This would enable DNS round robin.

Remove firewall configuration

an example for the reverse zone?
Thanks.

Hi,

Is it possible to populate the bind_zone_hosts variable with values from the inventory?

The following in group_vars reports an error 'item' is undefined

bind_zone_hosts:
  - name: "{{ item }}"
    ip: "{{ hostvars['{{ item }}']['ansible_host'] }}"
    with_items: "{{ groups['all'] }}"

Adding the forwarders option makes the role more useful for setting up a caching name server. This was not the initial intended use of this role, but there is some demand for it.

The include_tasks: syntax, used in this role, was only introduced in Ansible 2.4.

Hi!

First of all, thank you very much for this module.
I think it would be interesting to give the possibility of enabling the log of queries.
I'll make the change and pull the request.

A greeting

When I started using this playbook, even after reading the docs a few times, I was not sure that it would even work with a slave that didn't also do master for some zones. I figured things out by looking at what was in the templates. I thought others might appreciate an example in the docs so I started a branch for that.

While doing that I noticed the table under "Minimal variables..." that lists what is required for master vs slave. It says that bind_zone_domains.name_servers and bind_zone_domains.networks are required for a slave, but it didn't seem to be necessary for me. Am I doing something wrong here or should I correct the docs for that too?

Hi,

When i skip role in my playbook, your role return an error :/

For fix, just add - skip: true in main.yml :

- name: Source specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
    - skip: true
  tags: bind

EDIT : Or not with - skip: true, include_vars its always skipped....

It is very useful to have caching features working for a bind server, this allows the system administrator to use much less bandwidth and queries.

Hi Bert,

I'd love to see SRV and TXT records be able to be added to the zone file to support Kerberos realm and RedHat IdM/FreeIPA authentication servers.

For example:
; ldap servers
_ldap._tcp IN SRV 0 100 389 hostname

;kerberos realm
_kerberos IN TXT KERBEROS.REALM.NAME

; kerberos servers
_kerberos._tcp IN SRV 0 100 88 hostname
_kerberos._udp IN SRV 0 100 88 hostname
_kerberos-master._tcp IN SRV 0 100 88 hostname
_kerberos-master._udp IN SRV 0 100 88 hostname
_kpasswd._tcp IN SRV 0 100 464 hostname
_kpasswd._udp IN SRV 0 100 464 hostname

;ntp server
_ntp._udp IN SRV 0 100 123 hostname

; CNAME for IPA CA replicas (used for CRL, OCSP)
ipa-ca IN A ip.address

In my domain, the top of the domain resolves to a webserver. I don't see a way to configure that with this role. In my zone file, the entry is just below the NS entries in the ORIGIN . section, and is unique because it only contains the domain name, not a hostname, like so:

csit.parkland.edu. IN A 216.x.x.x

My current DNS server is ages out of date, and there may be a newer/better way to configure the top host now. Can this role set up a resolution for the domain?

According to the README, a the mail_servers zone variable defaults to [{name: mail, preference: 10}].

However, in the bind_zone.j2 template file it seems to default to [].

Either the README or the template should be changed.

When specifying a class B IP address (e.g. "172.16") in a variable file, it should be quoted. Otherwise, the Yaml parser will interpret it as a float