Forge Home

bind

Manage the BIND name server.

6,534 downloads

69 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.2.0 (latest)
  • 1.1.0
  • 1.0.0
  • 0.12.1
  • 0.12.0
  • 0.11.0
  • 0.10.0
  • 0.9.0
  • 0.8.0
  • 0.7.0
  • 0.6.0
  • 0.5.0
  • 0.4.0
  • 0.3.1
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Oct 22nd 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'stm-bind', '1.2.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add stm-bind
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install stm-bind --version 1.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

stm/bind — version 1.2.0 Oct 22nd 2024

bind

Build Status Puppet Forge License

Table of Contents

  1. Description
  2. Setup - The basics of getting started with bind
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module

Description

This module manages the BIND Name Server on Debian and Ubuntu. The module supports setting up a Caching Name Server or an Authoritative Name Server using primary and secondary zones.

Setup

What bind affects

The module manages the named process and related service files. It also managed the configuration and zone files. On Debian and Ubuntu these files are below the /etc/bind, /var/lib/bind and /var/cache/bind directories. The module uses a multi-level directory tree below /var/lib/bind and /var/cache/bind to separate primary and secondary zone files.

Setup Requirements

The module uses the stdlib and concat modules. It is tested on Debian and Ubuntu using Puppet 8.

Beginning with bind

Set up a caching name server on localhost:

class { 'bind':
  listen_on         => [ '127.0.0.1', ],
  listen_on_v6      => [ 'none', ],
  allow_query       => [ 'localhost', ],
  allow_query_cache => [ 'localhost', ],
  allow_recursion   => [ 'localhost', ],
}

Usage

Caching name server

Set up a caching name server that provides recursive name resolution for a local subnet:

class { 'bind':
  allow_query       => [ 'localhost', 'lan', ],
  allow_query_cache => [ 'localhost', 'lan', ],
  allow_recursion   => [ 'localhost', 'lan', ],
}

bind::acl { 'lan':
  address_match_list => [ '192.168.10.0/24' ],
}

Caching name server with forwarders

Set up a caching name server that provides recursive name resolution for a local subnet and uses forwarders:

class { 'bind':
  allow_query       => [ 'localhost', '10/8', ],
  allow_query_cache => [ 'localhost', '10/8', ],
  allow_recursion   => [ 'localhost', '10/8', ],
  forwarders        => [ '10.0.0.53', '10.1.1.53', ],
}

Manage a primary zone

Add a primary zone for the example.com domain and manage the zone file using Puppet:

bind::zone::primary { 'example.com':
  source => 'puppet:///modules/profile/dns/example.com.zone',
}

The zone file will be managed on the server as /var/lib/bind/primary/com/example/db.example.com. This tree structure is better than a flat directory structure if many zones will be managed by the server.

Manage a primary zone with dynamic updates

Add a primary zone for the example.com domain and allow dynamic updates using a generated key called nsupdate:

bind::key { 'nsupdate':
  secret  => 'TopSecret',
  keyfile => '/etc/bind/nsupdate.key',
}

bind::zone::primary { 'example.com':
  update_policy => ['grant nsupdate zonesub any'],
  content       => epp("profile/dynamic-zone-template.epp", $params),
}

If the zone file /var/lib/bind/primary/com/example/db.example.com does not exist on the name server, a new file will be created using the specified template. After that the file content can not be managed by Puppet as named will periodically need to update the zone file when processing dynamic updates. The source or content parameters are ignored in this case.

Manual updates to the zone file will have to be done locally on the name server. Remember that you need to use rndc freeze example.com and rndc thaw example.com when editing the zone file manually.

Define a DNSSEC policy for a zone

Create a new DNSSEC policy named standard with a Combined Signing Key (CSK) and use the policy to create a DNSSEC signed zone:

bind::dnssec_policy { 'standard':
  csk_lifetime  => 'unlimited',
  csk_algorithm => 'ecdsap256sha256',
}

bind::zone::primary { 'example.net':
  dnssec_policy  => 'standard',
  inline_signing => true,
  source         => 'puppet:///modules/profile/dns/example.net.zone',
}

DNSSEC policies are available with Bind 9.16 and later.

Create views for internal and external access

The view internal allow recursive DNS resolution for all hosts on the local network.

bind::view { 'internal':
  match_clients   => [ 'localnets', ],
  allow_query     => [ 'localnets', ],
  allow_recursion => [ 'localnets', ],
  recursion       => true,
  order           => '10',
}

The view external is for all other hosts and should only be used for your primary or secondary zones.

bind::view { 'external':
  match_clients            => [ 'any', ],
  allow_query              => [ 'any', ],
  recursion                => false,
  localhost_forward_enable => false,
  localhost_reverse_enable => false,
  order                    => '20',
}

The defined types bind::zone::primary and bind::zone::secondary can be used to add zones to this view.

Reference

See REFERENCE.md

Limitations

Not all BIND features are currently implemented as I started with the options I needed myself. Some options are not yet available and features like DNSSEC are not well tested.

Creating DNSSEC keys manually using the dnssec_key type with automatic rollover is discouraged. The defined type bind::dnssec_policy should be used instead.

Development

You may open Github issues for this module if you need additional options currently not available.

Feel free to send pull requests for new features.