forked from infra/ansible

dns_intern: fix role for non-clustered setups

Markus 2021-07-30 23:44:00 +02:00
parent 0dd467e564
commit 36b75e1c6a
2 changed files with 6 additions and 2 deletions


@ -8,8 +8,10 @@ addLocal('{{ ansible_default_ipv4.address }}')
newServer({address='127.0.0.1:5300', pool='authdns'}) newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'}) newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from slaves -- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED)) addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
{% endif %}
-- allow NOTIFY only from master -- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED)) addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
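Review bot: With the new `{% if dns_secondary is defined %}` guard around the AXFR/IXFR rule, a host without `dns_secondary` gets no transfer restriction at dnsdist at all, whereas the clustered config refuses transfers from everyone except the secondary. Because dnsdist forwards to `127.0.0.1:5300`, the authoritative backend will likely see these queries as coming from loopback, so an address-based transfer ACL there may not stop them (that ACL is not visible in this commit). An `{% else %}` branch that refuses all transfers would keep the single-node case closed: `addAction(OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), RCodeAction(dnsdist.REFUSED))`. The NOTIFY rule below still renders `{{ dns_primary }}` unguarded, so confirm that variable is always set in non-clustered inventories.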


@ -5,7 +5,7 @@
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
# #
# allow-dnsupdate-from=127.0.0.0/8,::1 # allow-dnsupdate-from=127.0.0.0/8,::1
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }},{{ dhcpd_secondary }} allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
################################# #################################
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. # dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
@ -45,12 +45,14 @@ local-port=5300
# master=no # master=no
master=yes master=yes
{% if dns_secondary is defined %}
################################# #################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks # only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
# #
# only-notify=0.0.0.0/0,::/0 # only-notify=0.0.0.0/0,::/0
only-notify={{ dns_secondary }} only-notify={{ dns_secondary }}
{% endif %} {% endif %}
{% endif %}
################################# #################################
# security-poll-suffix Domain name from which to query security update notifications # security-poll-suffix Domain name from which to query security update notifications
@ -68,7 +70,7 @@ setgid=pdns
# #
setuid=pdns setuid=pdns
{% if ansible_default_ipv4.address == dns_secondary %} {% if adns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
################################# #################################
# slave Act as a slave # slave Act as a slave
# #
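Review bot: The new condition in the last hunk tests `adns_secondary is defined`, which looks like a typo for `dns_secondary`; every other guard added in this commit uses `dns_secondary`. If no `adns_secondary` variable exists, the test is always false, so the secondary host never renders its slave section and would silently stop acting as a secondary. Suggested line: `{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}`. The block this `if` opens continues past the end of the hunk.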