add named.conf.options
authorRalf Jung <post@ralfj.de>
Sat, 12 May 2018 12:56:41 +0000 (14:56 +0200)
committerRalf Jung <post@ralfj.de>
Sat, 12 May 2018 12:56:41 +0000 (14:56 +0200)
roles/bind/handlers/main.yml [new file with mode: 0644]
roles/bind/tasks/main.yml
roles/bind/templates/named.conf.options [new file with mode: 0644]

diff --git a/roles/bind/handlers/main.yml b/roles/bind/handlers/main.yml
new file mode 100644 (file)
index 0000000..ed762d1
--- /dev/null
@@ -0,0 +1,2 @@
+- name: bind9
+  service: name=bind9 state=restarted enabled=yes
index beb8ea0..8fbbc6b 100644 (file)
@@ -9,6 +9,11 @@
   copy:
     dest: /var/lib/bind/Makefile
     src: files/Makefile
+- name: install bind config
+  template:
+    dest: /etc/bind/named.conf.options
+    src: templates/named.conf.options
+  notify: bind9
 # dyn-nsupdate
 - name: install dyn-nsupdate build-deps
   apt: name=libboost-regex-dev,libboost-program-options-dev,cmake state=latest
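Review bot: The new `install bind config` task writes the rendered template straight to /etc/bind/named.conf.options and notifies a restart, with nothing checking that the result parses. If `bind.listen` is unset or malformed, the handler would restart bind9 onto a broken file and the authoritative server may stay down until someone intervenes. Adding `validate: named-checkconf %s` to the `template:` arguments makes Ansible reject the rendered file before it replaces the live one (this assumes named-checkconf is installed and on the PATH of the target). Setting `owner`, `group` and `mode: "0644"` explicitly on the task would also avoid depending on whatever the file happened to have before.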
diff --git a/roles/bind/templates/named.conf.options b/roles/bind/templates/named.conf.options
new file mode 100644 (file)
index 0000000..7ed35ed
--- /dev/null
@@ -0,0 +1,27 @@
+//========================================================================
+// If BIND logs error messages about the root key being expired,
+// you will need to update your keys.  See https://www.isc.org/bind-keys
+//========================================================================
+
+options {
+       directory "/var/cache/bind";
+       key-directory "/var/lib/bind/keys";
+
+       recursion no;
+       dnssec-enable yes;
+       sig-validity-interval 14;
+
+       auth-nxdomain no;    # conform to RFC1035
+       listen-on { {{ bind.listen }}; 127.0.0.1; };
+{% if bind.listen_v6 is defined %}
+       listen-on-v6 { {{ bind.listen_v6 }}; ::1; };
+{% endif %}
+
+       // hide BIND version
+       version "unknown";
+
+       // do rate-limiting
+       rate-limit {
+               responses-per-second 15;
+       };
+};
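Review bot: When `bind.listen_v6` is not defined, the `{% if %}` around `listen-on-v6` emits nothing, so named falls back to its built-in default. In recent BIND 9 releases that default is, as far as I know, to listen on every IPv6 address, while IPv4 is pinned to `bind.listen` and loopback. An `{% else %}` branch containing `listen-on-v6 { ::1; };` (or `{ none; };`) would keep the two address families consistent. Separately, the options block sets no `allow-transfer`; if the zone statements outside this file do not restrict transfers, a global `allow-transfer { none; };` is worth considering here.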