add in recursion fixes

This commit is contained in:
Louis Abel 2023-04-19 00:46:15 -07:00
parent b233c24f58
commit 6b8424027e
Signed by: label
GPG key ID: 6735C0E1BD65D048
8 changed files with 80 additions and 1 deletions


@ -4,3 +4,9 @@
ansible.builtin.service:
name: NetworkManager
state: reloaded
- name: restart_named
ansible.builtin.service:
name: named
state: restarted
...
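Review bot: The new `restart_named` handler uses `state: restarted`, which takes named fully down and drops its cache, whereas the NetworkManager handler just above it uses `reloaded`; the ACL and options fragments that notify this handler in this commit are plain named.conf includes, which a configuration reload should pick up. Consider `state: reloaded` unless a full restart is deliberately wanted, and say which in a comment either way. The handler file's path is not shown on this page, so I cannot confirm which plays load it.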


@ -5,7 +5,8 @@
hosts: ipaclient
become: true
vars_files:
- vars/ipa/ipaclient.yml
- vars/ipa/common.yml
- vars/ipa/ipaclient.yml
pre_tasks:
- name: Check if ansible cannot be run here


@ -5,6 +5,7 @@
hosts: ipareplica
become: true
vars_files:
- vars/ipa/common.yml
- vars/ipa/ipareplica.yml
# This is to try to avoid the handler issue in pre/post tasks
@ -71,4 +72,7 @@
mode: '0644'
owner: root
group: root
- name: Configure recursion for private nets
import_tasks: tasks/dns-ext.yml
...
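Review bot: The `import_tasks: tasks/dns-ext.yml` added here, and the identical import in the ipaserver play below, run unconditionally, so a replica or server deployed without the DNS role would still get files templated into /etc/named/ and a `restart_named` notification for a service that may not be installed. If these plays drive the ansible-freeipa roles, gate the import on their DNS switch, e.g. `when: ipareplica_setup_dns | default(false) | bool` here and `when: ipaserver_setup_dns | default(false) | bool` in the server play; with `import_tasks` the condition is applied to every imported task. The imported tasks also notify `restart_named`, which must be defined in a handlers file loaded by both plays; the handlers section is outside this hunk, so I cannot confirm it is.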


@ -10,6 +10,7 @@
hosts: ipaserver
become: true
vars_files:
- vars/ipa/common.yml
- vars/ipa/ipaserver.yml
# This is to try to avoid the handler issue in pre/post tasks
@ -81,4 +82,7 @@
freeipa.ansible_freeipa.ipadnsconfig:
ipaadmin_password: '{{ ipaadmin_password }}'
allow_sync_ptr: true
- name: Configure recursion for private nets
import_tasks: tasks/dns-ext.yml
...

19
tasks/dns-ext.yml Normal file

@ -0,0 +1,19 @@
---
- name: Configure ACL for nets
ansible.builtin.template:
src: "etc/named/ipa-ext.conf"
dest: "/etc/named/ipa-ext.conf"
owner: root
group: named
mode: '0640'
notify: restart_named
- name: Turn on recursion for nets
ansible.builtin.template:
src: "etc/named/ipa-options-ext.conf"
dest: "/etc/named/ipa-options-ext.conf"
owner: root
group: named
mode: '0640'
notify: restart_named
...
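Review bot: Both template tasks write the files that decide who may use this server as a recursive resolver, but nothing checks the input first: if `ipa_trusted_nets` is an empty list the first template renders an empty ACL and recursion is cut off for every client, localhost included, with the failure only appearing when named reloads. Add an `ansible.builtin.assert` ahead of the templates with `that: ipa_trusted_nets is defined and ipa_trusted_nets | length > 0` and a `fail_msg` naming the variable. A one-line comment at the top of the file saying that these two destinations are FreeIPA's customization hooks (ipa-ext.conf for top-level statements, ipa-options-ext.conf for `options` settings, per the template headers) would also spare the next reader a trip to the templates.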


@ -0,0 +1,18 @@
/* User customization for BIND named
*
* This file is included in /etc/named.conf and is not modified during IPA
* upgrades.
*
* "options" settings must be configured in /etc/named/ipa-options-ext.conf.
*
* Example: ACL for recursion access:
*
* acl "trusted_network" {
* localnets;
* localhost;
* 234.234.234.0/24;
* 2001::co:ffee:babe:1/48;
* };
*/
acl "trusted_nets" { {{ ipa_trusted_nets|join(';') }} };
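Review bot: The rendered ACL on the last line is missing the terminator for its final element: `join(';')` only puts `;` between entries, so with the vars shipped in this commit the file reads `acl "trusted_nets" { localnets;localhost;10.0.0.0/8 };`, and named rejects an address-match-list element that is not followed by `;`. Write `acl "trusted_nets" { {{ ipa_trusted_nets | join('; ') }}; };` so every element, the last one included, is terminated. Because this fragment is only parsed when named reloads, a bad render shows up as the restart handler failing rather than at template time, so it is worth getting right here.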


@ -0,0 +1,21 @@
/* User customization for BIND named
*
* This file is included in /etc/named.conf and is not modified during IPA
* upgrades.
*
* It must only contain "options" settings. Any other setting must be
* configured in /etc/named/ipa-ext.conf.
*
* Examples:
* allow-recursion { trusted_network; };
* allow-query-cache { trusted_network; };
*/
/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
listen-on-v6 { any; };
/* dnssec-enable is obsolete and 'yes' by default */
dnssec-validation yes;
allow-recursion { trusted_nets; };
allow-query-cache { trusted_nets; };
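Review bot: The two `allow-*` lines reference `trusted_nets`, which this file neither defines nor mentions; it is defined by the sibling ipa-ext.conf template in this commit, and the header above only shows the stock `trusted_network` example. Add a comment above them such as `/* trusted_nets is defined in /etc/named/ipa-ext.conf, rendered from this repo's ipa-ext.conf template */` so the coupling between the two files is visible where the name is used. `listen-on-v6 { any; };` binds port 53 on every IPv6 address; recursion stays limited by the ACL, but a short comment on why all interfaces are wanted would help, since the file is otherwise static and carries no explanation.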

6
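--- a/vars/ipa/common.yml
+++ b/vars/ipa/common.yml
@@ -0,0 +1,6 @@
+---
+ipa_trusted_nets:
+- localnets
+- localhost
+- 10.0.0.0/8
+...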
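Review bot: `ipa_trusted_nets` is inserted verbatim into a BIND address-match-list by the ipa-ext.conf template, but nothing here says so, and the entries look like free-form strings. A comment above the key along the lines of `# Each entry is a BIND ACL element (CIDR, localnets, localhost or an acl name); the list is rendered into /etc/named/ipa-ext.conf and grants recursion and cache access` would make the contract clear to whoever edits it. `10.0.0.0/8` opens recursion to the whole private range rather than just the IPA networks; that may be intended, but the value deserves a comment stating why.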