A chef cookbook to manage BIND servers and zones.
This cookbook follows the library pattern. To use the cookbook effectively you'll need a wrapper cookbook that uses the resources provided in this cookbook.
A default recipe is provided. It only provides a basic recursive name server.
- CentOS/RHEL 7+
- Debian 10+
- Ubuntu 18.04+
- Chef 15.3+
Most attributes have been removed in favour of custom resources. See the MIGRATION.md document.
The following resources are provided:
- bind_acl
- bind_config
- bind_forward_zone
- bind_key
- bind_linked_zone
- bind_logging_category
- bind_logging_channel
- bind_primary_zone
- bind_primary_zone_template
- bind_secondary_zone
- bind_server
- bind_service
- bind_stub_zone
- bind_view
Using custom resources leads to a quite flexible configuration, but requires a little bit more work in a wrapper cookbook to use. The following examples are presented here:
- Internal recursive nameserver
- Authoritative primary nameserver
- Authoritative secondary nameserver
- Using views for internal recursion and external authoritative name service
bind_service 'default' do
action [:create, :start]
end
bind_config 'default' do
ipv6_listen true
options [
'check-names slave ignore',
'multi-master yes',
'provide-ixfr yes',
'recursive-clients 10000',
'request-ixfr yes',
'allow-notify { acl-dns-masters; acl-dns-slaves; }',
'allow-query { example-lan; localhost; }',
'allow-query-cache { example-lan; localhost; }',
'allow-recursion { example-lan; localhost; }',
'allow-transfer { acl-dns-masters; acl-dns-slaves; }',
'allow-update-forwarding { any; }',
]
end
bind_acl 'acl-dns-masters' do
entries [
'! 10.1.1.1',
'10/8'
]
end
bind_acl 'acl-dns-slaves' do
entries [
'acl-dns-masters'
]
end
bind_acl 'example-lan' do
entries [
'10.2/16',
'10.3.2/24',
'10.4.3.2'
]
end
There are two ways to create primary zone files with this cookbook. The first is by providing a complete zone file that is placed in the correct directory (and is added to the nameserver configuration by using the bind_primary_zone
resource). The second way is by using the bind_primary_zone_template
resource. To use this you need to provide an array of hashes containing the records you want to be added to the zone file.
The following example has both options shown. In a wrapper cookbook add the code below with appropriate modifications.
You'll need to configure the ACL entries (and names) for the example-lan and acl-dns-masters ACLs for your local configuration.
You will also need to arrange for the zone files to be placed in the configured location (which is OS dependent by default).
Resource style:
bind_service 'default' do
action [:create, :start]
end
bind_config 'default' do
ipv6_listen true
options [
'recursion no',
'allow-query { any; }',
'allow-transfer { external-private-interfaces; external-dns; }',
'allow-notify { external-private-interfaces; external-dns; localhost; }',
'listen-on-v6 { any; }'
]
end
bind_acl 'external-private-interfaces' do
entries [
]
end
bind_acl 'external-dns' do
entries [
]
end
cookbook_file '/var/named/primary/db.example.com' do
owner 'named'
group 'named'
mode '0440'
action :create
end
bind_primary_zone 'example.com'
bind_primary_zone_template 'example.org' do
soa serial: 100
default_ttl 200
records [
{ type: 'NS', rdata: 'ns1.example.org.' },
{ type: 'NS', rdata: 'ns2.example.org.' },
{ type: 'MX', rdata: '10 mx1.example.org.' },
{ type: 'MX', rdata: '20 mx1.example.org.' },
{ owner: 'www', type: 'A', ttl: 20, rdata: '10.5.0.1' },
{ owner: 'ns1', type: 'A', ttl: 20, rdata: '10.5.1.1' },
{ owner: 'ns2', type: 'A', ttl: 20, rdata: '10.5.2.1' },
{ owner: 'mx1', type: 'A', ttl: 20, rdata: '10.5.1.100' },
{ owner: 'mx2', type: 'A', ttl: 20, rdata: '10.5.2.100' },
]
end
In a wrapper cookbook add the code below with appropriate modifications.
You'll need to configure the ACL entries (and names) for the example-lan and acl-dns-masters ACLs for your local configuration.
bind_service 'default' do
action [:create, :start]
end
bind_config 'default' do
ipv6_listen true
options [
'recursion no',
'allow-query { any; }',
'allow-transfer { external-private-interfaces; external-dns; }',
'allow-notify { external-private-interfaces; external-dns; localhost; }',
'listen-on-v6 { any; }'
]
end
bind_acl 'acl-dns-masters' do
entries [
'! 10.1.1.1',
'10/8'
]
end
bind_acl 'acl-dns-slaves' do
entries [
'acl-dns-masters'
]
end
bind_acl 'example-lan' do
entries [
'10.2/16',
'10.3.2/24',
'10.4.3.2'
]
end
bind_secondary_zone 'example.com' do
primaries %w(192.0.2.10 192.0.2.11 192.0.2.12)
end
bind_secondary_zone 'example.org' do
primaries %w(192.0.2.10 192.0.2.11 192.0.2.12)
end
Using the bind_view
resource allows you to configure one or more views in the configuration. When using bind_view
you will need to tell the zone resources which view they should be configured in. If this is omitted the zone will be configured in the bind_config
property default_view
(which defaults to default
).
bind_service 'default'
bind_config 'default' do
default_view 'external'
end
bind_view 'internal' do
match_clients ['10.0.0.0/8']
options [
'recursion yes'
]
end
bind_primary_zone 'internal-example.com' do
view 'internal'
zone_name 'example.com'
end
bind_primary_zone 'secret.example.com' do
view 'internal'
end
bind_view 'external' do
options [
'recursion no'
]
end
bind_primary_zone 'example.com'
The bind_service
and bind_config
resources can accept a boolean true
or false
for chroot
, declaring whether or not to install the BIND server in a chroot manner. If one provider declares this value, the other must match or the converge will fail. Currently all supported platforms except Ubuntu 16.04 LTS are supported with chrooted configuration. By default, this is set to false
bind_service 'default' do
chroot true
action :create
end
bind_config 'default' do
chroot true
options [
'recursion no',
'allow-transfer { internal-dns; }'
]
end
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.
This project exists thanks to all the people who contribute.
Thank you to all our backers!
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.