From 6b8424027ef0ec44f043916904fb49d4706ede67 Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Wed, 19 Apr 2023 00:46:15 -0700
Subject: [PATCH] add in recursion fixes
---
 handlers/main.yml | 6 ++++++
 role-rocky-ipa-client.yml | 3 ++-
 role-rocky-ipa-replica.yml | 4 ++++
 role-rocky-ipa.yml | 4 ++++
 tasks/dns-ext.yml | 19 +++++++++++++++++++
 templates/etc/named/ipa-ext.conf | 18 ++++++++++++++++++
 templates/etc/named/ipa-options-ext.conf | 21 +++++++++++++++++++++
 vars/ipa/common.yml | 6 ++++++
 8 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 tasks/dns-ext.yml
 create mode 100644 templates/etc/named/ipa-ext.conf
 create mode 100644 templates/etc/named/ipa-options-ext.conf
 create mode 100644 vars/ipa/common.yml
diff --git a/handlers/main.yml b/handlers/main.yml
index 92c2fa8..644f929 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,3 +4,9 @@
 ansible.builtin.service:
 name: NetworkManager
 state: reloaded
+
+- name: restart_named
+ ansible.builtin.service:
+ name: named
+ state: restarted
+...
diff --git a/role-rocky-ipa-client.yml b/role-rocky-ipa-client.yml
index 5a05ae0..3301828 100644
--- a/role-rocky-ipa-client.yml
+++ b/role-rocky-ipa-client.yml
@@ -5,7 +5,8 @@
 hosts: ipaclient
 become: true
 vars_files:
- - vars/ipa/ipaclient.yml
+ - vars/ipa/common.yml
+ - vars/ipa/ipaclient.yml
 
 pre_tasks:
 - name: Check if ansible cannot be run here
diff --git a/role-rocky-ipa-replica.yml b/role-rocky-ipa-replica.yml
index bd7c5a4..db47d64 100644
--- a/role-rocky-ipa-replica.yml
+++ b/role-rocky-ipa-replica.yml
@@ -5,6 +5,7 @@
 hosts: ipareplica
 become: true
 vars_files:
+ - vars/ipa/common.yml
 - vars/ipa/ipareplica.yml
 
 # This is to try to avoid the handler issue in pre/post tasks
@@ -71,4 +72,7 @@
 mode: '0644'
 owner: root
 group: root
+
+ - name: Configure recursion for private nets
+ import_tasks: tasks/dns-ext.yml
 ...
diff --git a/role-rocky-ipa.yml b/role-rocky-ipa.yml
index b1151eb..6e77f02 100644
--- a/role-rocky-ipa.yml
+++ b/role-rocky-ipa.yml
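Review bot: The new `restart_named` handler uses `state: restarted`, which takes the IPA DNS service (and with it SRV discovery for the IPA domain) off the air for the restart window and, if a rendered fragment is syntactically bad, leaves named down until someone intervenes. As far as I know the settings these templates manage (an `acl` plus `allow-recursion`/`allow-query-cache`) are picked up by `rndc reload`, which is what the EL unit's reload action runs, so `state: reloaded` should be sufficient and keeps the old configuration serving if the new one is rejected. If a full restart is really wanted, it should only be notified by a task that has already validated the configuration with named-checkconf. Either way a short comment on the handler saying why a restart rather than a reload is needed would help the next reader.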
@@ -10,6 +10,7 @@
 hosts: ipaserver
 become: true
 vars_files:
+ - vars/ipa/common.yml
 - vars/ipa/ipaserver.yml
 
 # This is to try to avoid the handler issue in pre/post tasks
@@ -81,4 +82,7 @@
 freeipa.ansible_freeipa.ipadnsconfig:
 ipaadmin_password: '{{ ipaadmin_password }}'
 allow_sync_ptr: true
+
+ - name: Configure recursion for private nets
+ import_tasks: tasks/dns-ext.yml
 ...
diff --git a/tasks/dns-ext.yml b/tasks/dns-ext.yml
new file mode 100644
index 0000000..0f5e099
--- /dev/null
+++ b/tasks/dns-ext.yml
@@ -0,0 +1,19 @@
+---
+- name: Configure ACL for nets
+ ansible.builtin.template:
+ src: "etc/named/ipa-ext.conf"
+ dest: "/etc/named/ipa-ext.conf"
+ owner: root
+ group: named
+ mode: '0640'
+ notify: restart_named
+
+- name: Turn on recursion for nets
+ ansible.builtin.template:
+ src: "etc/named/ipa-options-ext.conf"
+ dest: "/etc/named/ipa-options-ext.conf"
+ owner: root
+ group: named
+ mode: '0640'
+ notify: restart_named
+...
diff --git a/templates/etc/named/ipa-ext.conf b/templates/etc/named/ipa-ext.conf
new file mode 100644
index 0000000..3bedd5d
--- /dev/null
+++ b/templates/etc/named/ipa-ext.conf
@@ -0,0 +1,18 @@
+/* User customization for BIND named
+ *
+ * This file is included in /etc/named.conf and is not modified during IPA
+ * upgrades.
+ *
+ * "options" settings must be configured in /etc/named/ipa-options-ext.conf.
+ *
+ * Example: ACL for recursion access:
+ *
+ * acl "trusted_network" {
+ * localnets;
+ * localhost;
+ * 234.234.234.0/24;
+ * 2001::co:ffee:babe:1/48;
+ * };
+ */
+
+acl "trusted_nets" { {{ ipa_trusted_nets|join(';') }} };
diff --git a/templates/etc/named/ipa-options-ext.conf b/templates/etc/named/ipa-options-ext.conf
new file mode 100644
index 0000000..e031efe
--- /dev/null
+++ b/templates/etc/named/ipa-options-ext.conf
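Review bot: Neither template task in tasks/dns-ext.yml validates the rendered fragment before notifying `restart_named`, so a bad entry in `ipa_trusted_nets` is only discovered when named fails to come back at the end of the play. The fragments cannot be checked on their own with the module's `validate:` option because they are only meaningful once included from /etc/named.conf, so add a task after the two templates that checks the whole configuration, e.g. `- name: Validate named configuration` / `ansible.builtin.command: named-checkconf /etc/named.conf` / `changed_when: false`; a failure then aborts the play before the handler fires and the running named keeps its old configuration. The `0640` `root:named` ownership on both fragments is the right choice for files the named user only needs to read.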
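Review bot: The rendered `acl` on the last line of templates/etc/named/ipa-ext.conf is not valid named.conf syntax: `join(';')` places `;` only between elements, so with the defaults from vars/ipa/common.yml it renders `acl "trusted_nets" { localnets;localhost;10.0.0.0/8 };`, and BIND requires every element of an address match list to be terminated by `;` (named-checkconf reports `missing ';' before '}'`). Since the task notifies a restart, this would take the IPA DNS down at the end of the play. Change the line to `acl "trusted_nets" { {{ ipa_trusted_nets | join('; ') }}; };`. If an empty list is meant to be a legal deny-all configuration, emit the entries with a `{% for %}` loop (`{{ net }};` per entry) instead, because the join form renders `{ ; }` in that case, which is also rejected.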
@@ -0,0 +1,21 @@
+/* User customization for BIND named
+ *
+ * This file is included in /etc/named.conf and is not modified during IPA
+ * upgrades.
+ *
+ * It must only contain "options" settings. Any other setting must be
+ * configured in /etc/named/ipa-ext.conf.
+ *
+ * Examples:
+ * allow-recursion { trusted_network; };
+ * allow-query-cache { trusted_network; };
+ */
+
+/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
+listen-on-v6 { any; };
+
+/* dnssec-enable is obsolete and 'yes' by default */
+dnssec-validation yes;
+
+allow-recursion { trusted_nets; };
+allow-query-cache { trusted_nets; };
diff --git a/vars/ipa/common.yml b/vars/ipa/common.yml
new file mode 100644
index 0000000..036c258
--- /dev/null
+++ b/vars/ipa/common.yml
@@ -0,0 +1,6 @@
+---
+ipa_trusted_nets:
+ - localnets
+ - localhost
+ - 10.0.0.0/8
+...
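Review bot: The default `10.0.0.0/8` in vars/ipa/common.yml grants recursion and cache reads to the entire private /8; IPv4 listens on all interfaces by default and the options fragment sets `listen-on-v6 { any; }`, so the resolver is open to anything that can reach port 53 from that range (shared VPCs, VPN peers, guest networks), not just IPA clients. Narrow the default to the prefixes the enrolled clients actually sit in, or state in a comment that the whole /8 is deliberate, e.g. `# Networks allowed to recurse through, and read the cache of, the IPA DNS servers; keep this to client subnets.`. Note also that because this file is loaded via `vars_files` it takes precedence over inventory and group_vars, so a site cannot override `ipa_trusted_nets` without `-e` or editing the file; a lower-precedence home (role defaults or group_vars) would be friendlier if deployments differ.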