exim: allow a host to indicate that it is the master for tracker.d.o

[mirror/dsa-puppet.git] / modules / named / manifests / primary.pp

diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
index b383ca5..cafefff 100644 (file)
--- a/modules/named/manifests/primary.pp
+++ b/modules/named/manifests/primary.pp
@@ -1,13 +1,9 @@
+# our primary nameserver
+#
+# it will not, by default, open the firewall for requests.
 class named::primary inherits named::authoritative {
   include dnsextras::entries
 
-  ferm::rule { '01-dsa-bind-4':
-    domain      => '(ip ip6)',
-    description => 'Allow nameserver access',
-    rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
-  }
-  Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
-
   concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
     target  => '/etc/bind/named.conf.puppet-misc',
     order   => '020',
@@ -53,6 +49,13 @@ class named::primary inherits named::authoritative {
       };
       | EOF
   }
+  @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+    tag         => 'named::keyring::ferm',
+    description => 'Allow primary access to the keyring master',
+    proto       => ['udp', 'tcp'],
+    port        => 'domain',
+    saddr       => $base::public_addresses,
+  }
 
   concat::fragment { 'puppet-crontab--nsec3':
     target  => '/etc/cron.d/puppet-crontab',