aboutsummaryrefslogtreecommitdiffstats
path: root/roles/space_server/templates
diff options
context:
space:
mode:
Diffstat (limited to 'roles/space_server/templates')
-rw-r--r--roles/space_server/templates/dhcp.zone.j22
-rw-r--r--roles/space_server/templates/named.conf.j2133
2 files changed, 135 insertions, 0 deletions
diff --git a/roles/space_server/templates/dhcp.zone.j2 b/roles/space_server/templates/dhcp.zone.j2
new file mode 100644
index 0000000..e6b2b40
--- /dev/null
+++ b/roles/space_server/templates/dhcp.zone.j2
@@ -0,0 +1,2 @@
+dhcp. 600 IN SOA space.labitat.dk. esmil.labitat.dk. 2019040101 7200 3600 604800 86400
+dhcp. 600 IN NS space.labitat.dk.
diff --git a/roles/space_server/templates/named.conf.j2 b/roles/space_server/templates/named.conf.j2
new file mode 100644
index 0000000..0314545
--- /dev/null
+++ b/roles/space_server/templates/named.conf.j2
@@ -0,0 +1,133 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 {
+ 127.0.0.1;
+ 185.38.175.0;
+ };
+ listen-on-v6 port 53 {
+ ::1;
+ 2a01:4262:1ab::;
+ };
+ allow-query {
+ 127.0.0.1;
+ 185.38.175.0/24;
+ 10.42.0.0/16;
+ ::1;
+ 2a01:4262:1ab::/48;
+ };
+ dns64 2a01:4262:1ab:0:0:f::/96 {
+ clients { 2a01:4262:1ab:f::/64; };
+ exclude {
+ 2a01:4262:1ab:0:0:f::/96;
+ ::ffff:0:0/96;
+ };
+ };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ syslog daemon;
+ severity dynamic;
+ };
+ channel default {
+ syslog daemon;
+ severity info;
+ };
+ category default {
+ default;
+ };
+};
+
+acl local {
+ 127.0.0.1;
+ 10.42.0.0/24; // infrastructure
+ 10.42.1.0/24; // member wired
+ 10.42.2.0/24; // member wireless
+ ::1;
+ 2a01:4262:1ab:a::/64; // infrastructure
+ 2a01:4262:1ab:b::/64; // member wired
+ 2a01:4262:1ab:c::/64; // member wireless
+ 2a01:4262:1ab:f::/64; // member nat64
+};
+{% if ddns_secret is defined %}
+
+key dhcpupdate {
+ algorithm {{ ddns_secret.algorithm }};
+ secret "{{ ddns_secret.key }}";
+};
+{% endif %}
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "s" IN {
+ type master;
+ file "/etc/named/s.zone";
+ allow-query { local; };
+ allow-update { none; };
+ allow-transfer { none; };
+};
+{% if ddns_secret is defined %}
+
+zone "dhcp" IN {
+ type master;
+ file "dynamic/dhcp.zone";
+ allow-query { local; };
+ allow-update { key dhcpupdate; };
+ allow-transfer { none; };
+ notify no;
+};
+{% endif %}
+
+zone "42.10.in-addr.arpa" IN {
+ type master;
+ file "dynamic/ipv4.rev.zone";
+ allow-query { local; };
+{% if ddns_secret is defined %}
+ allow-update { key dhcpupdate; };
+{% endif %}
+ allow-transfer { none; };
+ notify no;
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";