[bind] Mise au propre de named.conf.local, ajout d'une response-policy

On utilise des with class as v pour écrire named.conf.local, ça permet d'avoir
a de forcer l'identation à être identique dans le fichier de bcfg2 et dans le
fichier produit.
On rajoute une zone de response-policy pour les vlan où on ment potentiellement
sur les réponse dns (pour le moment, ça ne concerne que install-party).
Actuellement, on ne ment que pour rediriger les dépot officiel d'ubuntu vers
charybde depuis install-party.

Bundler/bind.xml

@@ -3,6 +3,7 @@
   <Python name="/etc/bind/named.conf"/>
   <Python name="/etc/bind/named.conf.local"/>
   <Python name="/etc/bind/named.conf.options"/>
+  <Python name="/etc/bind/db.loppsi.crans.org"/>
   <Group name="dns-primary">
       <Python name="/etc/bind/named.conf.notify"/>
   </Group>

Python/etc/bind/named.conf.local

@@ -12,96 +12,126 @@ comment_start = "//"
 
 header("Conf locale de Bind9")
 
-def forward_zone(zone,forwarders):
-    print """zone "%s" {
-  type forward;
-  forward only;
-  forwarders { %s; };
-};
-""" % (zone,'; '.join(forwarders))
+ident=0
+class print_idented(object):
+    def __init(self):
+        pass
+    def p(self, str):
+        print '%s%s' % ('    '*ident, str)
+
+class view(print_idented):
+    def __init__(self, name, match_client=None):
+        self.name = name
+        self.match_client =match_client
+    def __enter__(self):
+        global ident
+        self.p('view "%s" {' % self.name)
+        ident+=1
+        if self.match_client:
+            self.p("match-clients { %s; };" % self.match_client)
+        return self
+    def __exit__(self ,type, value, traceback):
+        global ident
+        ident-=1
+        self.p("};")
+
+class zone(print_idented):
+    def __init__(self, name, type):
+        self.name = name
+        self.type = type
+    def __enter__(self):
+        global ident
+        self.p('zone "%s" {' % self.name)
+        ident+=1
+        self.p("type %s;" % self.type)
+        return self
+    def __exit__(self ,type, value, traceback):
+        global ident
+        ident-=1
+        self.p("};")
+    
+def forward_zone(zone_name, forwarders):
+    with zone(zone_name, "forward") as z:
+        z.p("forward only;")
+        z.p("forwarders { %s; };" % '; '.join(forwarders))
 
 def reverse_crans():
-    for net in set([ net for net in config.dns.zones_reverse if net not in config.NETs['multicast']]):
+    # On ne génère plus les zone de forward pour les reverse des ips publiques, vu que maintenant, ils marchent
+    for net in set([ net for net in config.dns.zones_reverse if net not in config.NETs['multicast'] + config.NETs["all"]]):
         for zone in netv4_to_arpa(net):
             forward_zone(zone, [config.dns.master] + config.dns.slaves)
 
-    for net in set(config.dns.zones_reverse_v6):
-         forward_zone(netv6_to_arpa(net), [config.dns.master] + config.dns.slaves)
+    #for net in set(config.dns.zones_reverse_v6):
+    #     forward_zone(netv6_to_arpa(net), [config.dns.master] + config.dns.slaves)
 
 def direct_crans():
     for zone in config.dns.zones_direct:
         forward_zone(zone, [config.dns.master] + config.dns.slaves)
 
-if has("vlan-accueil"):
-    @view "accueilview" {
-    @   match-clients { "accueil"; };
-    @    
-    @// On ment pour tout sauf quelques ips crans
-    @    zone "." {
-    @        type master;
-    @        file "/etc/bind/db.fake";
-    @    };
-    @
-    @    recursion no;
-    @};
-
-    @view "others" {
-    @   match-clients { any; };
-    @   recursion yes;
-if has("dns-secondary-no-forward") or has("dns-secondary") or has("dns-primary"):
-    @include "/etc/bind/zones.rfc1918";
-
-    @// zones crans
-    @include "/etc/bind/generated/zones_crans"; 
-    
-if has("dns-tv"):
-    @// La zone TV
-    @zone "tv.crans.org" {
-    @   type master;
-    if not "tv.crans.org" in config.dns.zones_dnssec:
-        @   file "/etc/bind/generated/db.tv.crans.org";
-    else:
-        @   file "/etc/bind/signed/db.tv.crans.org";
-    @};
-    
-    @zone "239.in-addr.arpa" {
-    @	  type master;
-    @	  file "/etc/bind/generated/db.239.in-addr.arpa";
-    @};
-    
-    
 if has("dns-recursif") and not has("dns-secondary-no-forward"):
-    @zone "239.in-addr.arpa" {
-    @   type slave;
-    @   file "/etc/bind/generated/db.239.in-addr.arpa";
-    print"   masters { %s; };" % config.dns.master_tv
-    @};
-    
-    reverse_crans()
-    
-elif has("dns-forward-only"):
-    @forward only;
-    print "forwarders { %s; };"  % '; '.join(config.dns.recursiv['adm'])
-    
-@// anti SPAM
-@// Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02
-@zone "rbl-plus.mail-abuse.org" {
-@    type forward;
-@    forward only;
-print "    forwarders { "
-print "                 %s;" % "; \n                 ".join(config.dns.parents)
-print "               }; "
-@};
-@
+    with view("menteur", "menteur") as v:
+        v.p('response-policy { zone "loppsi.crans.org"; };')
+        with zone("loppsi.crans.org", "master") as z:
+            z.p('file "/etc/bind/db.loppsi.crans.org";')
+            z.p('allow-query {none;};')
 
+        with zone("239.in-addr.arpa", "slave") as z:
+            z.p('file "/etc/bind/generated/db.239.in-addr.arpa";')
+            z.p('masters { %s; };' % config.dns.master_tv)
+
+        reverse_crans()
 
 if has("vlan-accueil"):
-    @};
+    with view("accueilview", "accueil") as v:
+        v.p("recursion no;")
+        v.p("// On ment pour tout sauf quelques ips crans")
+        with zone(".", "master") as z:
+            z.p('file "/etc/bind/db.fake";')
 
-@// bricoles de config en plus
-@include "/etc/bind/rndc.key";
-@
-@controls {
-@    inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
-@};
+with view("default-view", "any") as v:
+    v.p("recursion yes;")
+    if has("dns-secondary-no-forward") or has("dns-secondary") or has("dns-primary"):
+        v.p('include "/etc/bind/zones.rfc1918";')
+        v.p('// zones crans')
+        v.p('include "/etc/bind/generated/zones_crans";')
+    
+    if has("dns-tv"):
+        v.p('// La zone TV')
+        with zone("tv.crans.org", "master") as z:
+            if not "tv.crans.org" in config.dns.zones_dnssec:
+                z.p('file "/etc/bind/generated/db.tv.crans.org";')
+            else:
+                z.p('file "/etc/bind/signed/db.tv.crans.org";')
+    
+        with zone("239.in-addr.arpa", "master") as z:
+            z.p('type master;')
+            z.p('file "/etc/bind/generated/db.239.in-addr.arpa";')
+    
+    if has("dns-recursif") and not has("dns-secondary-no-forward"):
+        with zone("239.in-addr.arpa", "slave") as z:
+            z.p('file "/etc/bind/generated/db.239.in-addr.arpa";')
+            z.p('masters { %s; };' % config.dns.master_tv)
 
+        reverse_crans()
+    
+    elif has("dns-forward-only"):
+        v.p("forward only;")
+        v.p("forwarders { %s; };"  % '; '.join(config.dns.recursiv['adm']))
+    
+    v.p('// anti SPAM')
+    v.p('// Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02')
+    with zone("rbl-plus.mail-abuse.org", "forward") as z:
+        z.p('forward only;')
+        z.p('forwarders {')
+        for f in config.dns.parents:
+            z.p('    %s;' % f)
+        z.p('};')
+
+print """
+// bricoles de config en plus
+include "/etc/bind/rndc.key";
+
+controls {
+    inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
+};
+"""

Python/etc/bind/named.conf.options

@@ -22,6 +22,7 @@ if has("vlan-ens"):
      print 'acl "appartement" { %s; };' % '; '.join(config.NETs['personnel-ens'] + config.prefix['personnel-ens'])
 print 'acl "crans" { %s; };' % '; '.join(config.prefix['fil'] + config.prefix['wifi'] + config.NETs['all'])
 print 'acl "cransadm" { %s; };' % '; '.join(config.prefix['adm'] + config.NETs['adm'])
+print 'acl "menteur" { %s; };' % '; '.join(config.dns.menteur_clients) 
 
 
 @options {