[bind] On utilise les paramètres de config.py pour générer la configuration (le plus possible). Ajout de résolveur forward-only, ajout des zones reverses automatiquement.

Ignore-this: 7a8d861f375286e92cdc5ca7895a53ba

darcs-hash:20130126180241-3a55a-fd022b037cd914c55a6079e83d5089b98b2a0403.gz

Bundler/bind.xml

@@ -19,8 +19,6 @@
   </Group>
   <Group name="vlan-accueil">
       <Path name="/etc/bind/db.fake"/>
-      <Path name="/etc/bind/generated/zones_crans"/>
-      <Action name="bind-permission"/>
   </Group>
   <Package name="bind9"/>
   <Service name="bind9"/>

Metadata/groups.xml

@@ -355,7 +355,7 @@
   <Group name="routeur"
         profile="true">
     <Group name="crans-squeeze-domu"/>
-    <Group name="dns-recursif"/>
+    <Group name="dns-forward-only"/>
     <Group name="dnssec-validation"/>
     <Group name="vlan-radin"/>
     <Group name="vlan-accueil" />
@@ -651,6 +651,11 @@
      comment="un serveur DNS récursif de l'association">
     <Group name="dns-server"/>
   </Group>
+  
+  <Group name="dns-forward-only"
+     comment="un serveur DNS forwardant les requête à un récursif">
+    <Group name="dns-server"/>
+  </Group>
 
 
   <Group name="dns-secondary-no-forward"

Python/etc/bind/named.conf.local

@@ -4,27 +4,51 @@ info["owner"] = "root"
 info["group"] = "bind"
 info["perms"] = 0644
 
+import config
+from gen_confs.bind import netv4_to_arpa, netv6_to_arpa
+
 comment_start = "//"
 
 header("Conf locale de Bind9")
 
+def forward_zone(zone,forwarders):
+    print """zone "%s" {
+  type forward;
+  forward only;
+  forwarders { %s; };
+};
+""" % (zone,'; '.join(forwarders))
+
+def reverse_crans():
+    for net in set(config.dns.zones_reverse):
+        for zone in netv4_to_arpa(net):
+            forward_zone(zone, [config.dns.master] + config.dns.slaves)
+
+    for net in set(config.dns.zones_reverse_v6):
+         forward_zone(netv6_to_arpa(net), [config.dns.master] + config.dns.slaves)
+
+def direct_crans():
+    for zone in config.dns.zones_direct:
+        forward_zone(zone, [config.dns.master] + config.dns.slaves)
+
 if has("vlan-accueil"):
     @view "accueilview" {
     @   match-clients { "accueil"; };
     @    
-    @   // zones crans
+    @// On resoud les zones crans
-    @    include "/etc/bind/generated/zones_crans";
+    direct_crans()
     @
-    @   // Zones RFC 1918
+    @// On effectue la resolution inverse pour les ips crans
-    @    include "/etc/bind/zones.rfc1918";
+    reverse_crans()
-    @
-    @    recursion no;
     @
+    @// On ment pour le reste
     @    zone "." {
     @        type master;
     @        file "/etc/bind/db.fake";
     @    };
     @};
+    @
+    @    recursion no;
 
     @view "others" {
     @   match-clients { any; };
@@ -39,13 +63,13 @@ if has("dns-secondary-no-forward") or has("dns-secondary") or has("dns-primary")
     @zone "tv.crans.org" {
     @   type slave;
     @   file "/etc/bind/generated/db.tv.crans.org";
-    @   masters { 138.231.136.243; };
+    print"   masters { %s; };" % config.dns.master_tv
     @};
     
     @zone "239.in-addr.arpa" {
     @   type slave;
     @   file "/etc/bind/generated/db.239.in-addr.arpa";
-    @   masters { 138.231.136.243; };
+    print"   masters { %s; };" % config.dns.master_tv
     @};
 
 elif has("dns-tv"):
@@ -69,21 +93,21 @@ elif has("dns-recursif"):
     @zone "239.in-addr.arpa" {
     @    type forward;
     @    forward only;
-    @    forwarders { 138.231.136.243; 138.231.136.9; };
+    print "    forwarders { %s; };" % '; '.join([config.dns.master_tv, config.dns.master] + config.dns.slaves)
     @};
     
-    @zone "136.231.10.in-addr.arpa" {
+    reverse_crans()
-    @   type forward;
+    
-    @   forward only;
+elif has("dns-forward-only"):
-    @   forwarders { 138.231.136.9; 138.231.136.14; };
+    @forward only;
-    @};
+    print "forwarders { %s; };"  % '; '.join(config.dns.recursiv)
     
 @// anti SPAM
 @// Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02
 @zone "rbl-plus.mail-abuse.org" {
 @    type forward;
 @    forward only;
-@    forwarders { 138.231.176.4 ; };
+print"    forwarders { %s ; }; " % config.dns.parent
 @};
 @
 

Python/etc/bind/named.conf.options

@@ -8,23 +8,19 @@ comment_start = "//"
 
 header("Options de Bind9")
 
-comment("Listes d'accès")
+import config
+
+comment("Listes d'acces")
+if has("vlan-isolement"):
+    print 'acl "isolement" { %s; };' % '; '.join(config.NETs['isolement'])
 if has("vlan-radin"):
-    @acl "radins" { 10.42.0.0/16; };
+    print 'acl "radins" { %s; };' % '; '.join(config.NETs['gratuit'])
 if has("vlan-accueil"):
-    @acl "accueil" { 10.51.0.0/16; };
+    print 'acl "accueil" { %s; };' % '; '.join(config.NETs['accueil'])
 if has("vlan-ens"):
-    @acl "appartement" { 10.2.9.0/24; };
+     print 'acl "appartement" { %s; };' % '; '.join(config.NETs['personnel-ens'] + config.prefix['personnel-ens'])
-@acl "crans" {
+print 'acl "crans" { %s; };' % '; '.join(config.prefix['fil'] + config.prefix['wifi'] + config.NETs['all'])
-@    138.231.136.0/21;
+print 'acl "cransadm" { %s; };' % '; '.join(config.prefix['adm'] + config.NETs['adm'])
-@    138.231.144.0/21;
-@    2a01:240:fe3d:4::/64;
-@    2a01:240:fe3d:f7::/64;
-@};
-@acl "cransadm" {
-@    10.231.136.0/24;
-@    2a01:240:fe3d:c804::/64;
-@};
 
 
 @options {
@@ -35,28 +31,29 @@ if has("dns-primary"):
     @    include "/etc/bind/named.conf.notify";
 
 
-if has("dns-recursif"):
+if has("dns-recursif") or has("dns-forward-only"):
     zones=["127.0.0.1", "crans", "cransadm"]
     if has("vlan-ens"):
         zones.append("appartement")
     if has("vlan-radin"):
         zones.append("radins")
+    if has("vlan-accueil"):
         zones.append("accueil")
-    print "    allow-query-cache { %s; };" % ';'.join(zones)
+    print "    allow-query-cache { %s; };" % '; '.join(zones)
-    print "    allow-recursion { %s; };" % ';'.join(zones)
+    print "    allow-recursion { %s; };" % '; '.join(zones)
     @    recursive-clients 5000;
 
 else:
-    @    allow-query-cache { };
+    @    allow-query-cache { 127.0.0.1; };
-    @    allow-recursion { };
+    @    allow-recursion { 127.0.0.1; };
 if has("dns-primary") or has("dns-tv"):
     @    allow-transfer {
     @         127.0.0.1;
     @         138.231.136.0/21; // fixes
-    @         82.225.39.54;     // freebox
     @         138.231.148.0/22; // wifi
     @         10.231.136.0/24;  // adm
-    @         138.231.176.4;    // ariane
+    print "         %s;" % ';\n         '.join(config.dns.slaves)
+    print "         %s;" % config.dns.parent
     @    };
 @    allow-query { any; };
 @    auth-nxdomain no; # conform to RFC1035
@@ -65,11 +62,11 @@ if has("dns-primary") or has("dns-tv"):
 @    listen-on-v6 { any; };
 @
 
-if not has("dns-secondary-no-forward"):
+if not has("dns-secondary-no-forward") and not has("dns-forward-only"):
     @    // Ne pas modifier le commentaire de fin de ligne suivant,
     @    // traitement automatique pour la connexion de secours
     @    // (ligne decommentee automatiquement en mode secours)
-    @//  forwarders { 138.231.136.14; } ; #POUR SECOURS
+    print"//  forwarders { %s; } ; #POUR SECOURS" % config.dns.secours_relay
 
 if has("dnssec-validation"):
     @    dnssec-enable yes;