From d300440aaee9af48936ac9acaf9d9fae19e8f10e Mon Sep 17 00:00:00 2001
From: Jasper Koolhaas
Date: Wed, 16 Jan 2019 14:57:02 +0100
Subject: [PATCH 1/6] named-checkconf, named-checkzone and rndc reload for dynamic zones added.
---
 bind/config.sls | 60 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 57 insertions(+), 3 deletions(-)
diff --git a/bind/config.sls b/bind/config.sls
index d7c83d5c..b1bea6fe 100644
--- a/bind/config.sls
+++ b/bind/config.sls
@@ -99,6 +99,7 @@ bind_local_config: - file: {{ map.chroot_dir }}{{ map.log_dir }}/query.log - watch_in: - service: bind + - cmd: bind_checknamed_conf {% if grains['os_family'] not in ['Arch', 'FreeBSD'] %} bind_default_config:
@@ -113,6 +114,7 @@ bind_default_config: map: {{ map }} - watch_in: - service: bind_restart + - cmd: bind_checknamed_conf {% endif %} {%- if salt['pillar.get']('bind:config:use_extensive_logging', False) %}
@@ -130,6 +132,7 @@ bind_logging_config: - pkg: bind - watch_in: - service: bind + - cmd: bind_checknamed_conf {%- endif %} {% if grains['os_family'] == 'Debian' %}
@@ -145,6 +148,7 @@ bind_key_config: - pkg: bind - watch_in: - service: bind + - cmd: bind_checknamed_conf bind_options_config: file.managed:
@@ -162,6 +166,7 @@ bind_options_config: - pkg: bind - watch_in: - service: bind + - cmd: bind_checknamed_conf bind_default_zones: file.managed:
@@ -175,6 +180,13 @@ bind_default_zones: - pkg: bind - watch_in: - service: bind + - cmd: bind_checknamed_conf + +bind_checknamed_conf: + cmd.run: + - name: named-checkconf {{ map.config }} + - watch_in: + - service: bind /etc/logrotate.d/{{ map.service }}: file.managed: 
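Review bot: `bind_checknamed_conf` (last hunk, `@@ -175`) is a plain `cmd.run` with no `onchanges`, so it executes on every state run, and because `cmd.run` always reports changes its `watch_in: - service: bind` will trigger a bind reload on every run rather than only when a configuration file changed; the `checkzones…` and `freeze-reload-thaw…` states added later in this series have the same shape. Have the six config states trigger it with `- onchanges_in: - cmd: bind_checknamed_conf` instead of `- watch_in:` (or give the cmd state an `onchanges` list of those files) and keep only its `watch_in` on the service. As far as I can tell the check runs after the file is already on disk: a failing `named-checkconf` blocks the reload (watch implies require) but leaves the broken file deployed until the next run, which deserves a comment on the state, e.g. `# Validates the deployed config; on failure the bind service state is skipped, so named keeps its last good config`. If `map.chroot_dir` can be non-empty (the first hunk builds the query-log path from it), `named-checkconf` may need `-t {{ map.chroot_dir }}` to resolve includes — confirm against the formula's chroot handling. The file states these hunks modify start outside the hunks.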
@@ -216,11 +228,14 @@ bind_rndc_client_config: {%- if salt['pillar.get']('bind:available_zones:' + zone + ':generate_reverse') %} {%- do generate_reverse(zone_records, salt['pillar.get']('bind:available_zones:' + zone + ':generate_reverse:net'), salt['pillar.get']('bind:available_zones:' + zone + ':generate_reverse:for_zones'), salt['pillar.get']('bind:available_zones', {})) %} {%- endif %} +{%- set dynamic_zone = zone_data.update_policy if 'update_policy' in zone_data else false %} + {# If we define RRs in pillar, we use the internal template to generate the zone file otherwise, we fallback to the old behaviour and use the declared file #} {%- set zone_source = 'salt://bind/files/zone.jinja' if zone_records != {} else 'salt://' ~ map.zones_source_dir ~ '/' ~ file %} {%- set serial_auto = salt['pillar.get']('bind:available_zones:' + zone + ':soa:serial', '') == 'auto' %} + {% if file and zone_data['type'] == 'master' -%} zones{{ dash_view }}-{{ zone }}{{ '.include' if serial_auto else ''}}: file.managed:
@@ -244,6 +259,11 @@ zones{{ dash_view }}-{{ zone }}{{ '.include' if serial_auto else ''}}: {% if map.get('zones_directory') %} - file: bind_zones_directory {% endif %} + - watch_in: + - cmd: checkzones{{ dash_view }}-{{ zone }} + {% if dynamic_zone %} + - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} + {% endif %} {% if serial_auto %} zones{{ dash_view }}-{{ zone }}:
@@ -270,11 +290,16 @@ zones{{ dash_view }}-{{ zone }}: - mode: {{ salt['pillar.get']('bind:config:mode', '644') }} - watch_in: - service: bind + - cmd: checkzones{{ dash_view }}-{{ zone }} + {% if dynamic_zone %} + - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} + {% endif %} - require: - file: named_directory {% if map.get('zones_directory') %} - file: bind_zones_directory {% endif %} + {% endif %} {% if zone_data['dnssec'] is defined and zone_data['dnssec'] -%} signed{{ dash_view }}-{{ zone }}: 
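Review bot: The zone file written by the `zones{{ dash_view }}-{{ zone }}` state in the `@@ -270` hunk is validated only after it is on disk (through the `checkzones…` cmd it now `watch_in`s), so a broken zone file lands in the zones directory even though the reload is then skipped; if this is a `file.managed` state, as its `- mode:` and `- require: - file:` arguments suggest, Salt can refuse the write instead with `- check_cmd: named-checkzone {{ zone }}` (Salt appends the path of the temporary file holding the new contents), which also makes the separate cmd state unnecessary for that file. The `.include` state in the `@@ -244` hunk is `file.managed` (declared at the end of the first hunk), but `check_cmd` only helps there when the include is a complete zone file, so keep the cmd for that case if it is not. In the `@@ -244` hunk `- watch_in:` is added as a new argument item; if that state already carries a `watch_in` list above the hunk (the state's head is outside it), append the new entries there rather than adding a second `- watch_in:` item. `dynamic_zone` in the first hunk is keyed only on `update_policy`, so a zone made dynamic by an allow-update directive would be reloaded unfrozen; a comment should say so, e.g. `{# dynamic_zone: truthy when the zone accepts dynamic updates; only update_policy is recognised here #}`.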
@@ -283,7 +308,12 @@ signed{{ dash_view }}-{{ zone }}: - name: zonesigner -zone {{ zone }} {{ file }} - prereq: - file: zones{{ dash_view }}-{{ zone }} -{% endif %} + - watch_in: + - cmd: checkzones{{ dash_view }}-{{ zone }} + {% if dynamic_zone %} + - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} + {% endif %} + {% endif %} {% endif %} {% if zone_data['auto-dnssec'] is defined -%}
@@ -295,8 +325,12 @@ zsk-{{ zone }}: - unless: "grep {{ key_flags.zsk }} {{ key_directory }}/K{{zone}}.+{{ key_algorithm_field }}+*.key" - require: - file: bind_key_directory - -ksk-{{ zone }}: + - watch_in: + - cmd: checkzones{{ dash_view }}-{{ zone }} + {% if dynamic_zone %} + - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} + {% endif %} + ksk-{{ zone }}: cmd.run: - cwd: {{ key_directory }} - name: dnssec-keygen -f KSK -a {{ key_algorithm }} -b {{ key_size }} -n ZONE {{ zone }}
@@ -304,6 +338,26 @@ ksk-{{ zone }}: - unless: "grep {{ key_flags.ksk }} {{ key_directory }}/K{{zone}}.+{{ key_algorithm_field }}+*.key" - require: - file: bind_key_directory + - watch_in: + - cmd: checkzones{{ dash_view }}-{{ zone }} + {% if dynamic_zone %} + - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} + {% endif %} +{% endif %} + +checkzones{{ dash_view }}-{{ zone }}: + cmd.run: + - name: named-checkzone {{ zone }} {{ zones_directory }}/{{ file }} + - watch_in: + - service: bind + +{% if dynamic_zone %} +# Only allowed on dynamic zones (= with update_policy) +freeze-reload-thaw{{ dash_view }}-{{ zone }}: + cmd.run: + - name: rndc freeze {{ zone }} && rndc reload {{ zone }} && rndc thaw {{ zone }} + - require_in: # execute *before* bind reload. + - service: bind {% endif %} {% endfor %}
From 02d8b150ab2d7610e62e53a4412840874190964a Mon Sep 17 00:00:00 2001
From: morgana2313 <32460045+morgana2313@users.noreply.github.com>
Date: Wed, 16 Jan 2019 15:03:54 +0100
Subject: [PATCH 2/6] Update config.sls
---
 bind/config.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
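Review bot: `freeze-reload-thaw…` (last hunk, `@@ -304`) runs `rndc freeze` after Salt has already written the zone file, and a freeze syncs pending journal changes into that file, so dynamic updates received since the previous run overwrite the content Salt just deployed and Salt re-deploys it on the next run; the `rndc reload` in the middle is redundant because `rndc thaw` reloads the zone, and the `&&` chain leaves the zone frozen whenever the reload fails. Because the state is a plain `cmd.run` with `require_in: - service: bind`, it also runs on a host where named is not up yet, and its failure then blocks the `service: bind` state, so named would never start on a fresh install. The sequence should be freeze → write → thaw, with the freeze guarded by `prereq` on the zone file state (it then runs only when that file would change, and before it changes) and `onlyif` on named being reachable; with that in place the `watch_in: - cmd: freeze-reload-thaw…` entries added to the `signed`, `zsk` and `ksk` states in these hunks are no longer needed. Quoting `{{ zone }}` and `{{ file }}` in the `named-checkzone` and `rndc` commands would also keep a pillar value with spaces from splitting the shell command line. The enclosing `{% for %}` loop and the `{% if file and zone_data['type'] == 'master' -%}` block begin outside the hunk.
```yaml
# … unchanged: ksk watch_in entries, auto-dnssec endif and checkzones state …
{% if dynamic_zone %}
# Freeze *before* the zone file is rewritten (prereq runs this only when the
# file state would change something) and thaw afterwards; thaw reloads the
# zone, so no separate rndc reload is needed. Skipped while named is down.
freeze{{ dash_view }}-{{ zone }}:
  cmd.run:
    - name: rndc freeze "{{ zone }}"
    - onlyif: rndc status
    - prereq:
      - file: zones{{ dash_view }}-{{ zone }}

thaw{{ dash_view }}-{{ zone }}:
  cmd.run:
    - name: rndc thaw "{{ zone }}"
    - onchanges:
      - cmd: freeze{{ dash_view }}-{{ zone }}
    - require_in:  # keep the original ordering: before the bind service state
      - service: bind
{% endif %}
```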
diff --git a/bind/config.sls b/bind/config.sls
index b1bea6fe..5aa1063e 100644
--- a/bind/config.sls
+++ b/bind/config.sls
@@ -330,7 +330,7 @@ zsk-{{ zone }}: {% if dynamic_zone %} - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} {% endif %} - ksk-{{ zone }}: +ksk-{{ zone }}: cmd.run: - cwd: {{ key_directory }} - name: dnssec-keygen -f KSK -a {{ key_algorithm }} -b {{ key_size }} -n ZONE {{ zone }}
From e4a94c8acf137cb6f2333f0fa696de61c1d3c918 Mon Sep 17 00:00:00 2001
From: morgana2313 <32460045+morgana2313@users.noreply.github.com>
Date: Wed, 16 Jan 2019 15:04:53 +0100
Subject: [PATCH 3/6] Update config.sls
---
 bind/config.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bind/config.sls b/bind/config.sls
index 5aa1063e..6df6f189 100644
--- a/bind/config.sls
+++ b/bind/config.sls
@@ -330,6 +330,7 @@ zsk-{{ zone }}: {% if dynamic_zone %} - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} {% endif %} + ksk-{{ zone }}: cmd.run: - cwd: {{ key_directory }}
From 0cf96b8e084053c4be92ac180a8904e57859d2a1 Mon Sep 17 00:00:00 2001
From: morgana2313 <32460045+morgana2313@users.noreply.github.com>
Date: Wed, 16 Jan 2019 15:07:03 +0100
Subject: [PATCH 4/6] Update config.sls
---
 bind/config.sls | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bind/config.sls b/bind/config.sls
index 6df6f189..7265ba88 100644
--- a/bind/config.sls
+++ b/bind/config.sls
@@ -313,7 +313,6 @@ signed{{ dash_view }}-{{ zone }}: {% if dynamic_zone %} - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} {% endif %} - {% endif %} {% endif %} {% if zone_data['auto-dnssec'] is defined -%}
From a7ce362ef1f8329855c430c8ad86efac7c50bca3 Mon Sep 17 00:00:00 2001
From: morgana2313 <32460045+morgana2313@users.noreply.github.com>
Date: Tue, 22 Jan 2019 17:09:10 +0100
Subject: [PATCH 5/6] Update config.sls
---
 bind/config.sls | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/bind/config.sls b/bind/config.sls
index 7265ba88..7e5aa066 100644
--- a/bind/config.sls
+++ b/bind/config.sls 
@@ -360,5 +360,7 @@ freeze-reload-thaw{{ dash_view }}-{{ zone }}: - service: bind {% endif %} +{% endif %} # zone_data = master + {% endfor %} {% endfor %}
From 7cb2d2ee342d6c70127ad625d8da665330270f20 Mon Sep 17 00:00:00 2001
From: morgana2313 <32460045+morgana2313@users.noreply.github.com>
Date: Tue, 22 Jan 2019 17:14:02 +0100
Subject: [PATCH 6/6] Update config.sls
Fix missing endif tag
---
 bind/config.sls | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/bind/config.sls b/bind/config.sls
index 7e5aa066..03a09a95 100644
--- a/bind/config.sls
+++ b/bind/config.sls
@@ -301,6 +301,7 @@ zones{{ dash_view }}-{{ zone }}: {% endif %} {% endif %} + {% if zone_data['dnssec'] is defined and zone_data['dnssec'] -%} signed{{ dash_view }}-{{ zone }}: cmd.run:
@@ -314,6 +315,7 @@ signed{{ dash_view }}-{{ zone }}: - cmd: freeze-reload-thaw{{ dash_view }}-{{ zone }} {% endif %} {% endif %} +{% endif %} # zone_data = master {% if zone_data['auto-dnssec'] is defined -%} zsk-{{ zone }}:
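Review bot: After this series two different `{% endif %}` lines carry the comment `# zone_data = master` — the one added after the `signed…` block in the `@@ -314` hunk and the one added before `{% endfor %}` in the `@@ -360` hunk — but only one of them can close `{% if file and zone_data['type'] == 'master' -%}`, so at least one comment is misleading; which one depends on `{% if %}` lines between the hunks that are outside this view. It matters because `checkzones…` and `freeze-reload-thaw…` use `{{ file }}` and `rndc freeze`, which only make sense under that block: if it in fact closes after `signed…`, both states are also rendered for non-master zones. I would render the result once (`salt-call --local state.show_sls bind.config` with a pillar that contains a slave zone), then correct the comments and write them as Jinja comments so they do not end up in the rendered YAML, e.g. `{% endif %}{#- if file and master -#}`. Both `{% endfor %}` loops and the `if` itself start outside these hunks.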