1 # our primary nameserver
3 # it will not, by default, open the firewall for requests.
4 class named::primary inherits named::authoritative {
5 include dnsextras::entries
7 concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
8 target => '/etc/bind/named.conf.puppet-misc',
11 include "/etc/bind/named.conf.shared-keys";
14 concat::fragment { 'dsa-named-conf-puppet-misc---named.conf.external-secondaries-ACLs':
15 target => '/etc/bind/named.conf.puppet-misc',
17 content => template('named/named.conf.external-secondaries-ACLs.erb'),
20 concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
21 target => '/etc/bind/named.conf.puppet-misc',
24 // MAINTAIN-KEY: _openpgpkey.debian.org
26 zone "_openpgpkey.debian.org" {
28 file "db._openpgpkey.debian.org";
31 ${ join(getfromhash($deprecated::allnodeinfo, 'kaufmann.debian.org', 'ipHostNumber'), ";") } ;
45 key-directory "/srv/dns.debian.org/var/keys/_openpgpkey.debian.org";
46 sig-validity-interval 40 25;
52 @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
53 tag => 'named::keyring::ferm',
54 description => 'Allow primary access to the keyring master',
55 proto => ['udp', 'tcp'],
57 saddr => $base::public_addresses,
60 concat::fragment { 'puppet-crontab--nsec3':
61 target => '/etc/cron.d/puppet-crontab',
63 13 19 4 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.net
64 29 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.org
65 32 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debconf.org
66 36 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) _openpgpkey.debian.org