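//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Ansible/Jinja2 template. Role selection is driven by one variable:
//   - `is_dnsmaster` defined   -> rendered as the primary (authoritative for
//                                 `zonelist`, serves transfers to the secondaries)
//   - `is_dnsmaster` undefined -> rendered as a secondary of master_ipv4/master_ipv6
//

// Clients permitted to use this server as a recursive resolver
// (referenced from `allow-recursion` below). Keep this list tight: an open
// recursive resolver is an amplification vector.
acl "whitelist-recursion" {
{% for item in whitelist %}
    {{ item }};
{% endfor %}
};

{% if is_dnsmaster is defined %}
// Secondaries allowed to pull zone transfers from this primary.
// Both address families are listed because the secondaries configure this
// host as `masters { master_ipv6; master_ipv4; }` and may fall back to IPv4;
// an IPv6-only list would leave the IPv4 fallback transfer REFUSED.
// Requests from the secondaries are TSIG-signed with key "Forwarder" (see the
// `server` statements below); if that key is shared only with the secondaries,
// `allow-transfer { key Forwarder; };` is a stronger check than source address.
acl "transferlist" {
    {{ slave1_ipv6 }};
    {{ slave1_ipv4 }};
    {{ slave2_ipv6 }};
    {{ slave2_ipv4 }};
    {{ slave3_ipv6 }};
    {{ slave3_ipv4 }};
};
{% endif %}

options {
    // Bind only the loopback and the host's default interface address(es).
    listen-on port 53 {
        localhost;
        {{ ansible_default_ipv4.address }};
    };
{% if ansible_default_ipv6.address is defined %}
    listen-on-v6 port 53 {
        localhost;
        {{ ansible_default_ipv6.address }};
    };
{% endif %}

    directory          "/var/named";
    dump-file          "/var/named/data/cache_dump.db";
    statistics-file    "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // Anyone may query the authoritative zones; recursion (and, by BIND's
    // default for allow-query-cache, access to cached answers) is limited to
    // the whitelist. Zone transfers are denied globally and re-enabled only
    // on the primary's zones below.
    allow-query     { any; };
    recursion       yes;
    allow-recursion { whitelist-recursion; };
    allow-transfer  { none; };

    // Do not disclose the running BIND version to version.bind queries.
    version "SECRET";

{% if is_dnsmaster is not defined %}
    // Secondaries forward recursive lookups to the primary.
    forwarders {
        {{ master_ipv6 }};
        {{ master_ipv4 }};
    };
{% endif %}

    // DNSSEC validation with an explicitly configured trust anchor
    // (`dnssec-validation yes` uses the root key from the named.root.key
    // include at the end of this file, not the built-in one).
    // `dnssec-enable yes` is already the default and is deprecated in recent
    // BIND releases; it is kept for older packages that still expect it.
    // The former `dnssec-lookaside auto` was removed: the ISC DLV registry was
    // shut down in 2017 and newer BIND versions reject the option.
    dnssec-enable     yes;
    dnssec-validation yes;

    // Only consulted when `dnssec-validation auto` is in use.
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file        "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

// All channels log at `debug 3`, rotating 18 files of 100M each
// (up to ~1.8G per channel). Note that configuring the `queries` category
// turns query logging on, so query.log records every client address and
// QNAME -- treat it as sensitive and review the retention if disk is tight.
logging {
    channel default_syslog {
        file "/var/log/named/syslog.log" versions 18 size 100M;
        severity debug 3;
        print-time yes;
    };
    channel update_debug {
        file "/var/log/named/update.log" versions 18 size 100M;
        severity debug 3;
        print-time yes;
    };
    channel security_info {
        file "/var/log/named/security.log" versions 18 size 100M;
        severity debug 3;
        print-time yes;
    };
    channel xfer-in_channel {
        file "/var/log/named/xfer-in.log" versions 18 size 100M;
        severity debug 3;
        print-time yes;
    };
    channel xfer-out_channel {
        file "/var/log/named/xfer-out.log" versions 18 size 100M;
        severity debug 3;
        print-time yes;
    };
    channel notify_channel {
        file "/var/log/named/notify.log" versions 18 size 100M;
        severity debug 3;
        print-time yes;
    };
    channel query_channel {
        file "/var/log/named/query.log" versions 18 size 100M;
        severity debug 3;
        print-time yes;
    };
    channel lame_servers_channel {
        file "/var/log/named/lame-servers.log" versions 18 size 100M;
        severity debug 3;
        print-time yes;
    };

    category default         { default_syslog; };
    category unmatched       { default_syslog; };
    category update          { update_debug; };
    category dnssec          { security_info; };
    category security        { security_info; };
    category update-security { security_info; };
    category notify          { notify_channel; };
    category queries         { query_channel; };
    category xfer-in         { xfer-in_channel; };
    category xfer-out        { xfer-out_channel; };
    category lame-servers    { lame_servers_channel; };
};

// TSIG keys are rendered here from the ansible template keys.j2, e.g.:
//
//   key "rndc-key" {
//       algorithm hmac-md5;
//       secret "generated_string_here";
//   };
//
// This file expects at least "rndc-key" (rndc control channel) and
// "Forwarder" (primary <-> secondary traffic). hmac-md5 is obsolete; generate
// new keys with hmac-sha256 (e.g. `tsig-keygen -a hmac-sha256`) where the
// peers support it. Secrets must never be committed to this template.
{% block keys %}{% endblock %}

// Sign requests sent to each peer (NOTIFY, SOA refresh, AXFR/IXFR) with the
// shared TSIG key "Forwarder". Incoming signed requests are verified against
// the same key.
{% if is_dnsmaster is defined %}
server {{ slave1_ipv4 }} { keys { Forwarder; }; };
server {{ slave1_ipv6 }} { keys { Forwarder; }; };
server {{ slave2_ipv4 }} { keys { Forwarder; }; };
server {{ slave2_ipv6 }} { keys { Forwarder; }; };
server {{ slave3_ipv4 }} { keys { Forwarder; }; };
server {{ slave3_ipv6 }} { keys { Forwarder; }; };
{% else %}
server {{ master_ipv4 }} { keys { Forwarder; }; };
server {{ master_ipv6 }} { keys { Forwarder; }; };
{% endif %}

// rndc control channel: loopback only, and every command must be signed
// with "rndc-key".
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Root hints for recursion.
zone "." IN {
    type hint;
    file "named.ca";
};

// Zones this host serves. The primary sends NOTIFY and allows transfers to
// the secondaries only; secondaries inherit the global `allow-transfer { none; }`.
{% for item in zonelist %}
zone "{{ item }}" IN {
{% if is_dnsmaster is defined %}
    type master;
    allow-transfer { transferlist; };
    file "{{ item }}.zone";
    notify yes;
{% else %}
    type slave;
    file "{{ item }}.zone";
    masters {
        {{ master_ipv6 }};
        {{ master_ipv4 }};
    };
{% endif %}
};
{% endfor %}

// localhost/reverse-loopback zones shipped by the bind package.
include "/etc/named.rfc1912.zones";
// Root trust anchor (managed-keys) used by `dnssec-validation yes`.
include "/etc/named.root.key";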