X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fnamed%2Fmanifests%2Fprimary.pp;h=cafefff658d08ba2f2b307e97c1351311674da10;hb=1dee729d00307f93d600b5bb6902494bd30a4484;hp=046fd9d49689adee5123de83f8831e02a21c159e;hpb=1a8153431c3370785f9a1c9b335dd4420a2daa9b;p=mirror%2Fdsa-puppet.git
diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
index 046fd9d49..cafefff65 100644
--- a/modules/named/manifests/primary.pp
+++ b/modules/named/manifests/primary.pp
@@ -1,12 +1,9 @@
+# our primary nameserver
+#
+# it will not, by default, open the firewall for requests.
 class named::primary inherits named::authoritative {
   include dnsextras::entries
 
-  ferm::rule { '01-dsa-bind-4':
-    domain => '(ip ip6)',
-    description => 'Allow nameserver access',
-    rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
-  }
-
   concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
     target => '/etc/bind/named.conf.puppet-misc',
     order => '020',
@@ -52,6 +49,13 @@ class named::primary inherits named::authoritative {
     };
     | EOF
   }
+  @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+    tag => 'named::keyring::ferm',
+    description => 'Allow primary access to the keyring master',
+    proto => ['udp', 'tcp'],
+    port => 'domain',
+    saddr => $base::public_addresses,
+  }
   concat::fragment { 'puppet-crontab--nsec3':
     target => '/etc/cron.d/puppet-crontab',
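Review bot: The new header comment says the class does "not, by default, open the firewall for requests" but does not say where port 53 access for the hosts the removed `ferm::rule { '01-dsa-bind-4' }` listed (`$HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD`) is now granted, so a reader cannot tell whether secondaries and monitoring silently lose zone-transfer and query access or are covered elsewhere. The exported `ferm::rule::simple` in the second hunk appears, from its tag and `saddr`, to be collected on the keyring master and only admits this host's addresses there, so it does not replace the removed allow rule as far as the page shows; `named::authoritative`, which this class inherits, is not visible here and may or may not open the port. Suggest making the comment explicit, e.g. `# port 53 access for secondaries and monitoring hosts is not granted in this class; grant it in the node or profile that includes it.`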