From f3691338d64eed5f570f3103cde00d471e39e961 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sat, 12 May 2018 14:56:41 +0200
Subject: [PATCH] add named.conf.options
---
 roles/bind/handlers/main.yml | 2 ++
 roles/bind/tasks/main.yml | 5 +++++
 roles/bind/templates/named.conf.options | 27 +++++++++++++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 roles/bind/handlers/main.yml
 create mode 100644 roles/bind/templates/named.conf.options
diff --git a/roles/bind/handlers/main.yml b/roles/bind/handlers/main.yml
new file mode 100644
index 0000000..ed762d1
--- /dev/null
+++ b/roles/bind/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: bind9
+ service: name=bind9 state=restarted enabled=yes
diff --git a/roles/bind/tasks/main.yml b/roles/bind/tasks/main.yml
index beb8ea0..8fbbc6b 100644
--- a/roles/bind/tasks/main.yml
+++ b/roles/bind/tasks/main.yml
@@ -9,6 +9,11 @@
 copy:
 dest: /var/lib/bind/Makefile
 src: files/Makefile
+- name: install bind config
+ template:
+ dest: /etc/bind/named.conf.options
+ src: templates/named.conf.options
+ notify: bind9
 # dyn-nsupdate
 - name: install dyn-nsupdate build-deps
 apt: name=libboost-regex-dev,libboost-program-options-dev,cmake state=latest
diff --git a/roles/bind/templates/named.conf.options b/roles/bind/templates/named.conf.options
new file mode 100644
index 0000000..7ed35ed
--- /dev/null
+++ b/roles/bind/templates/named.conf.options
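Review bot: The `install bind config` task in roles/bind/tasks/main.yml replaces /etc/bind/named.conf.options and notifies the restart handler without checking that the rendered file parses, so a malformed `bind.listen` value would leave the name server down after the restart. Adding `validate: named-checkconf %s` to the `template:` arguments makes Ansible reject a broken render before it overwrites the live file. The task also leaves ownership and permissions to whatever the defaults happen to be; stating them explicitly, for example `owner: root`, `group: bind`, `mode: "0644"` on a Debian-style layout, keeps the options file from becoming writable by the service account.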
@@ -0,0 +1,27 @@
+//========================================================================
+// If BIND logs error messages about the root key being expired,
+// you will need to update your keys. See https://www.isc.org/bind-keys
+//========================================================================
+
+options {
+ directory "/var/cache/bind";
+ key-directory "/var/lib/bind/keys";
+
+ recursion no;
+ dnssec-enable yes;
+ sig-validity-interval 14;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on { {{ bind.listen }}; 127.0.0.1; };
+{% if bind.listen_v6 is defined %}
+ listen-on-v6 { {{ bind.listen_v6 }}; ::1; };
+{% endif %}
+
+ // hide BIND version
+ version "unknown";
+
+ // do rate-limiting
+ rate-limit {
+ responses-per-second 15;
+ };
+};
--
2.30.2
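Review bot: When `bind.listen_v6` is undefined the template emits no `listen-on-v6` statement at all, so IPv6 falls back to BIND's built-in default, which in recent releases is to listen on every IPv6 interface, while IPv4 is pinned to `bind.listen` and loopback. Adding `{% else %}` followed by `listen-on-v6 { ::1; };` (or `{ none; }`) before `{% endif %}` keeps both address families equally restricted. The options block also sets no `allow-transfer`; unless every zone declared elsewhere restricts it, a global `allow-transfer { none; };` here would keep full zone contents from being served to arbitrary clients on BIND versions whose default permits transfers.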