[bind] Rationalisation de la séparation dns autoritaire, dns récursif, named.conf.local est maintenant généré par python

Ignore-this: 8d1cd1381242a85d0180a72a814e1c62

darcs-hash:20130125023918-3a55a-00fe31a1714219c64b3d78370e2af3eaa27d2470.gz

Bundler/bind.xml

@@ -1,20 +1,27 @@
 <Bundle name="bind">
   <Python name="/etc/bind/rndc.key"/>
   <Python name="/etc/bind/named.conf"/>
-  <Path name="/etc/bind/named.conf.local"/>
+  <Python name="/etc/bind/named.conf.local"/>
   <Python name="/etc/bind/named.conf.options"/>
   <Group name="dns-primary">
       <Path name="/etc/bind/named.conf.notify"/>
   </Group>
   <Group name="dns-secondary">
       <Path name="/etc/bind/generated/zones_crans"/>
+      <Action name="bind-permission"/>
   </Group>
   <Group name="dns-secondary-no-forward">
       <Path name="/etc/bind/generated/zones_crans"/>
+      <Action name="bind-permission"/>
   </Group>
   <Group name="vlan-radin">
       <Path name="/etc/bind/db.fake"/>
   </Group>
+  <Group name="vlan-accueil">
+      <Path name="/etc/bind/db.fake"/>
+      <Path name="/etc/bind/generated/zones_crans"/>
+      <Action name="bind-permission"/>
+  </Group>
   <Package name="bind9"/>
   <Service name="bind9"/>
   <Package name="dnssec-tools"/>

Cfg/etc/bind/named.conf.local/info.xml

@@ -1,3 +0,0 @@
-<FileInfo>
-    <Info owner='root' group='bind' perms='0644'/>
-</FileInfo>

Cfg/etc/bind/named.conf.local/named.conf.local

@@ -1,36 +0,0 @@
-// Fichier gere par BCfg2 (plugin Cfg)
-//
-// A ne modifier que sur vert
-
-include "/etc/bind/zones.rfc1918";
-
-// zones crans
-include "/etc/bind/generated/zones_crans"; 
-
-// anti SPAM
-// Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02
-zone "rbl-plus.mail-abuse.org" {
-    type forward;
-    forward only;
-    forwarders { 138.231.176.4 ; };
-};
-
-// la tele
-zone "tv.crans.org" {
-    type slave;
-    file "/etc/bind/generated/db.tv.crans.org";
-    masters { 138.231.136.243; };
-};
-
-zone "239.in-addr.arpa" {
-    type slave;
-    file "/etc/bind/generated/db.239.in-addr.arpa";
-    masters { 138.231.136.243; };
-};
-
-// bricoles de config en plus
-include "/etc/bind/rndc.key";
-
-controls {
-    inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
-};

Cfg/etc/bind/named.conf.local/named.conf.local.G99_dns-tv

@@ -1,19 +0,0 @@
-// Fichier gere par BCfg2 (plugin Cfg)
-//
-// A ne modifier que sur vert
-
-// La zone TV
-zone "tv.crans.org" {
-	  type master;
-	  file "/etc/bind/generated/db.tv.crans.org";
-};
-
-zone "239.in-addr.arpa" {
-	  type master;
-	  file "/etc/bind/generated/db.239.in-addr.arpa";
-};
-
-// reduce log verbosity on issues outside our control
-logging {
-	  category lame-servers { null; };
-};

Cfg/etc/bind/named.conf.local/named.conf.local.G99_vlan-radin

@@ -1,61 +0,0 @@
-// Fichier gere par BCfg2 (plugin Cfg)
-//
-// A ne modifier que sur vert
-
-
-view "accueilview" {
-    match-clients { "accueil"; };
-    
-   // zones crans
-    include "/etc/bind/generated/zones_crans";
-
-   // Zones RFC 1918
-    include "/etc/bind/zones.rfc1918";
-
-    recursion no;
-
-    zone "." {
-        type master;
-        file "/etc/bind/db.fake";
-    };
-};
-
-view "others" {
-    match-clients { any; };
-
-    // Zones RFC 1918
-    include "/etc/bind/zones.rfc1918";
-
-    // zones crans
-    include "/etc/bind/generated/zones_crans"; 
-
-	recursion yes;
-
-    // anti SPAM
-    // Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02
-    zone "rbl-plus.mail-abuse.org" {
-        type forward;
-        forward only;
-        forwarders { 138.231.176.4; };
-    };
-
-    // la tele
-    zone "tv.crans.org" {
-        type slave;
-        file "/etc/bind/generated/db.tv.crans.org";
-        masters { 138.231.136.243; };
-    };
-
-    zone "239.in-addr.arpa" {
-        type slave;
-        file "/etc/bind/generated/db.239.in-addr.arpa";
-        masters { 138.231.136.243; };
-    };
-};
-
-// bricoles de config en plus
-include "/etc/bind/rndc.key";
-
-controls {
-    inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
-};

Cfg/etc/bind/named.conf.notify/named.conf.notify

@@ -7,4 +7,5 @@
 		 10.231.136.8;  // ovh
 		 10.231.136.98; // charybde
 		 10.231.136.14; // titanic
+		 138.231.176.4; // ariane
 		 };

Metadata/groups.xml

@@ -19,8 +19,8 @@
   <Group name="charybde"
      profile="true">
     <Group name="crans-squeeze"/>
-    <Group name="dns-secondary"/>
     <Group name="dnssec-validation"/>
+    <Group name="dns-recursif"/>
     <Group name="main-ftp-server"/>
 <!-- <Group name="ups-monitor"/> -->
     <Group name="debian-mirror"/>
@@ -37,17 +37,18 @@
   <Group name="sable"
      profile="true">
     <Group name="crans-squeeze"/>
+<!--
     <Group name="main-proxy-server"/>
-    <Group name="radius-server"/>
-    <Group name="db-replicat"/>
-    <Group name="dns-primary"/>
-    <Group name="dnssec-validation"/>
-<!-- <Group name="ups-monitor"/> -->
+    <Group name="ups-monitor"/>
     <Group name="vlan-radin"/>
     <Group name="vlan-accueil" />
     <Group name="vlan-isolement"/>
-    <Group name="firmware-bnx2"/>
     <Group name="vlan-ens"/>
+-->
+    <Group name="radius-server"/>
+    <Group name="db-replicat"/>
+    <Group name="dns-primary"/>
+    <Group name="firmware-bnx2"/>
   </Group>
 
   <Group name="gordon"
@@ -55,6 +56,8 @@
     <Group name="crans-squeeze"/>
     <Group name="router-wifi"/>
     <Group name="freeradius"/>
+    <Group name="dnssec-validation"/>
+    <Group name="dns-recursif"/>
     <Group name="secondary-ntp-server"/>
   </Group>
 
@@ -171,6 +174,7 @@
     <Group name="crans-squeeze"/>
     <Group name="mail-mx-secondary"/>
     <Group name="dns-secondary-no-forward"/>
+    <Group name="dns-recursif"/>
     <Group name="connection-rescue"/>
     <Group name="failover-proxy-server"/>
     <Group name="vlan-ens"/>
@@ -368,12 +372,12 @@
         profile="true">
     <Group name="crans-squeeze"/>
     <Group name="domu"/>
+    <Group name="dns-recursif"/>
+    <Group name="dnssec-validation"/>
     <Group name="vlan-radin"/>
     <Group name="vlan-accueil" />
     <Group name="vlan-isolement"/>
     <Group name="vlan-ens"/>
-    <Group name="dns-secondary"/>
-    <Group name="dnssec-validation"/>
     <Group name="nginx" comment="Proxy web et pages déco"/>
   </Group>
 
@@ -653,6 +657,11 @@
     <Group name="dns-server"/>
   </Group>
 
+  <Group name="dns-recursif"
+     comment="un serveur DNS récursif de l'association">
+    <Group name="dns-server"/>
+  </Group>
+
 
   <Group name="dns-secondary-no-forward"
      comment="un serveur DNS secondaire sans forward de l'association"

Python/etc/bind/named.conf.local

@@ -0,0 +1,100 @@
+# -*- mode: python; encoding: utf-8 -*-
+
+info["owner"] = "root"
+info["group"] = "bind"
+info["perms"] = 0644
+
+comment_start = "//"
+
+header("Conf locale de Bind9")
+
+if has("vlan-accueil"):
+    @view "accueilview" {
+    @   match-clients { "accueil"; };
+    @    
+    @   // zones crans
+    @    include "/etc/bind/generated/zones_crans";
+    @
+    @   // Zones RFC 1918
+    @    include "/etc/bind/zones.rfc1918";
+    @
+    @    recursion no;
+    @
+    @    zone "." {
+    @        type master;
+    @        file "/etc/bind/db.fake";
+    @    };
+    @};
+
+    @view "others" {
+    @   match-clients { any; };
+    @   recursion yes;
+if has("dns-secondary-no-forward") or has("dns-secondary") or has("dns-primary"):
+    @include "/etc/bind/zones.rfc1918";
+
+    @// zones crans
+    @include "/etc/bind/generated/zones_crans"; 
+    
+    @// la tele
+    @zone "tv.crans.org" {
+    @   type slave;
+    @   file "/etc/bind/generated/db.tv.crans.org";
+    @   masters { 138.231.136.243; };
+    @};
+    
+    @zone "239.in-addr.arpa" {
+    @   type slave;
+    @   file "/etc/bind/generated/db.239.in-addr.arpa";
+    @   masters { 138.231.136.243; };
+    @};
+
+elif has("dns-tv"):
+    @// La zone TV
+    @zone "tv.crans.org" {
+    @   type master;
+    @   file "/etc/bind/generated/db.tv.crans.org";
+    @};
+    
+    @zone "239.in-addr.arpa" {
+    @	  type master;
+    @	  file "/etc/bind/generated/db.239.in-addr.arpa";
+    @};
+    
+    @// reduce log verbosity on issues outside our control
+    @logging {
+    @   category lame-servers { null; };
+    @};
+    
+elif has("dns-recursif"):
+    @zone "239.in-addr.arpa" {
+    @    type forward;
+    @    forward only;
+    @    forwarders { 138.231.136.243; 138.231.136.9; };
+    @};
+    
+    @zone "136.231.10.in-addr.arpa" {
+    @   type forward;
+    @   forward only;
+    @   forwarders { 138.231.136.9; 138.231.136.14; };
+    @};
+    
+@// anti SPAM
+@// Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02
+@zone "rbl-plus.mail-abuse.org" {
+@    type forward;
+@    forward only;
+@    forwarders { 138.231.176.4 ; };
+@};
+@
+
+
+if has("vlan-accueil"):
+    @};
+
+@// bricoles de config en plus
+@include "/etc/bind/rndc.key";
+@
+@controls {
+@    inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
+@};
+

Python/etc/bind/named.conf.options

@@ -11,7 +11,10 @@ header("Options de Bind9")
 comment("Listes d'accès")
 if has("vlan-radin"):
     @acl "radins" { 10.42.0.0/16; };
+if has("vlan-accueil"):
     @acl "accueil" { 10.51.0.0/16; };
+if has("vlan-ens"):
+    @acl "appartement" { 10.2.9.0/24; };
 @acl "crans" {
 @    138.231.136.0/21;
 @    138.231.144.0/21;
@@ -26,21 +29,36 @@ if has("vlan-radin"):
 
 @options {
 @    directory "/var/cache/bind";
-@    recursive-clients 5000;
 @
 
 if has("dns-primary"):
     @    include "/etc/bind/named.conf.notify";
 
-@
-@    allow-transfer {
-@         127.0.0.1;
-@         138.231.136.0/21; // fixes
-@         82.225.39.54;     // freebox
-@         138.231.148.0/22; // wifi
-@         10.231.136.0/24;  // adm
-@         138.231.176.4;    // ariane
-@    };
+
+if has("dns-recursif"):
+    zones=["127.0.0.1", "crans", "cransadm"]
+    if has("vlan-ens"):
+        zones.append("appartement")
+    if has("vlan-radin"):
+        zones.append("radins")
+        zones.append("accueil")
+    print "    allow-query-cache { %s; };" % ';'.join(zones)
+    print "    allow-recursion { %s; };" % ';'.join(zones)
+    @    recursive-clients 5000;
+
+else:
+    @    allow-query-cache { };
+    @    allow-recursion { };
+if has("dns-primary") or has("dns-tv"):
+    @    allow-transfer {
+    @         127.0.0.1;
+    @         138.231.136.0/21; // fixes
+    @         82.225.39.54;     // freebox
+    @         138.231.148.0/22; // wifi
+    @         10.231.136.0/24;  // adm
+    @         138.231.176.4;    // ariane
+    @    };
+@    allow-query { any; };
 @    auth-nxdomain no; # conform to RFC1035
 @
 @    listen-on { any; };

Python/etc/network/interfaces

@@ -29,7 +29,7 @@ iface %(interface)s inet static
     netmask 255.255.248.0
     broadcast 138.231.143.255
     gateway 138.231.136.4
-    dns-nameservers 138.231.136.98 138.231.136.9
+    dns-nameservers 138.231.136.98 138.231.136.247
     dns-search crans.org""" % { 'interface': interface, 'ip': pubip() }
         if not has('vlan-wifi'):
             print """    post-up ip r add 138.231.144.0/21 dev %(interface)s via 138.231.136.247 src %(ip)s""" % { 'interface': interface, 'ip': pubip() }
@@ -47,7 +47,7 @@ iface %(interface)s inet static
     network 138.231.144.0
     netmask 255.255.248.0
     broadcast 138.231.148.255
-    dns-nameservers 138.231.148.1
+    dns-nameservers 138.231.136.98 138.231.136.247
     dns-search wifi.crans.org""" % { 'interface': interface, 'ip': wifiip() }
 
         for line in additionnals:
@@ -62,7 +62,7 @@ iface %(interface)s inet static
     netmask 255.255.255.0
     broadcast 10.231.136.255
     mtu 1496
-    dns-nameservers 10.231.136.98 10.231.136.9
+    dns-nameservers 10.231.136.98 10.231.136.247
     dns-search adm.crans.org""" % { 'interface': interface, 'ip': admip() }
 
         for line in additionnals:

Rules/bind.xml

@@ -1,4 +1,7 @@
 <!-- Règles pour bind //-->
 <Rules priority="1">
   <Service type="deb" name="bind9" status="on"/>
+  <Action name="bind-permission" timing="post"
+        when="modified" status="check"
+        command="mkdir -p /etc/bind/generated; mkdir -p /etc/bind/signed; chmod 775 /etc/bind/generated /etc/bind/signed"/>
 </Rules>