add in recursion fixes

2023-04-19 00:46:15 -07:00 · 2023-04-19 00:46:15 -07:00 · 6b8424027e
parent b233c24f58
commit 6b8424027e
8 changed files with 80 additions and 1 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -4,3 +4,9 @@
  ansible.builtin.service:
    name: NetworkManager
    state: reloaded
+
+- name: restart_named
+  ansible.builtin.service:
+    name: named
+    state: restarted
+...
--- a/role-rocky-ipa-client.yml
+++ b/role-rocky-ipa-client.yml
@ -5,7 +5,8 @@
  hosts: ipaclient
  become: true
  vars_files:
-  - vars/ipa/ipaclient.yml
+    - vars/ipa/common.yml
+    - vars/ipa/ipaclient.yml

  pre_tasks:
    - name: Check if ansible cannot be run here
--- a/role-rocky-ipa-replica.yml
+++ b/role-rocky-ipa-replica.yml
@ -5,6 +5,7 @@
  hosts: ipareplica
  become: true
  vars_files:
+    - vars/ipa/common.yml
    - vars/ipa/ipareplica.yml

  # This is to try to avoid the handler issue in pre/post tasks
@ -71,4 +72,7 @@
        mode: '0644'
        owner: root
        group: root
+
+    - name: Configure recursion for private nets
+      import_tasks: tasks/dns-ext.yml
 ...
--- a/role-rocky-ipa.yml
+++ b/role-rocky-ipa.yml
@ -10,6 +10,7 @@
  hosts: ipaserver
  become: true
  vars_files:
+    - vars/ipa/common.yml
    - vars/ipa/ipaserver.yml

  # This is to try to avoid the handler issue in pre/post tasks
@ -81,4 +82,7 @@
      freeipa.ansible_freeipa.ipadnsconfig:
        ipaadmin_password: '{{ ipaadmin_password }}'
        allow_sync_ptr: true
+
+    - name: Configure recursion for private nets
+      import_tasks: tasks/dns-ext.yml
 ...
--- a/tasks/dns-ext.yml
+++ b/tasks/dns-ext.yml
@ -0,0 +1,19 @@
+---
+- name: Configure ACL for nets
+  ansible.builtin.template:
+    src: "etc/named/ipa-ext.conf"
+    dest: "/etc/named/ipa-ext.conf"
+    owner: root
+    group: named
+    mode: '0640'
+  notify: restart_named
+
+- name: Turn on recursion for nets
+  ansible.builtin.template:
+    src: "etc/named/ipa-options-ext.conf"
+    dest: "/etc/named/ipa-options-ext.conf"
+    owner: root
+    group: named
+    mode: '0640'
+  notify: restart_named
+...
--- a/templates/etc/named/ipa-ext.conf
+++ b/templates/etc/named/ipa-ext.conf
@ -0,0 +1,18 @@
+/* User customization for BIND named
+ *
+ * This file is included in /etc/named.conf and is not modified during IPA
+ * upgrades.
+ *
+ * "options" settings must be configured in /etc/named/ipa-options-ext.conf.
+ *
+ * Example: ACL for recursion access:
+ *
+ * acl "trusted_network" {
+ *   localnets;
+ *   localhost;
+ *   234.234.234.0/24;
+ *   2001::co:ffee:babe:1/48;
+ * };
+ */
+
+acl "trusted_nets" { {{ ipa_trusted_nets|join(';') }} };
--- a/templates/etc/named/ipa-options-ext.conf
+++ b/templates/etc/named/ipa-options-ext.conf
@ -0,0 +1,21 @@
+/* User customization for BIND named
+ *
+ * This file is included in /etc/named.conf and is not modified during IPA
+ * upgrades.
+ *
+ * It must only contain "options" settings. Any other setting must be
+ * configured in /etc/named/ipa-ext.conf.
+ *
+ * Examples:
+ * allow-recursion { trusted_network; };
+ * allow-query-cache { trusted_network; };
+ */
+
+/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
+listen-on-v6 { any; };
+
+/* dnssec-enable is obsolete and 'yes' by default */
+dnssec-validation yes;
+
+allow-recursion { trusted_nets; };
+allow-query-cache { trusted_nets; };
--- a/vars/ipa/common.yml
+++ b/vars/ipa/common.yml
@ -0,0 +1,6 @@
+---
+ipa_trusted_nets:
+  - localnets
+  - localhost
+  - 10.0.0.0/8
+...