modules/named/manifests/primary.pp

   1 class named::primary inherits named::authoritative {
   2         include dnsextras::entries
   3
   4         ferm::rule { '01-dsa-bind-4':
   5                 domain      => '(ip ip6)',
   6                 description => 'Allow nameserver access',
   7                 rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
   8         }
   9
  10         concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
  11                 target => '/etc/bind/named.conf.puppet-misc',
  12                 order  => '020',
  13                 content  => @(EOF),
  14                         include "/etc/bind/named.conf.shared-keys";
  15                         | EOF
  16         }
  17         concat::fragment { 'dsa-named-conf-puppet-misc---named.conf.external-secondaries-ACLs':
  18                 target => '/etc/bind/named.conf.puppet-misc',
  19                 order  => '025',
  20                 content => template('named/named.conf.external-secondaries-ACLs.erb'),
  21         }
  22
  23         concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
  24                 target => '/etc/bind/named.conf.puppet-misc',
  25                 order  => '020',
  26                 content  => @("EOF"/$)
  27                         // MAINTAIN-KEY: _openpgpkey.debian.org
  28
  29                         zone "_openpgpkey.debian.org" {
  30                                 type slave;
  31                                 file "db._openpgpkey.debian.org";
  32                                 allow-query { any; };
  33                                 masters {
  34                                         ${ join(getfromhash($deprecated::allnodeinfo, 'kaufmann.debian.org', 'ipHostNumber'), ";") } ;
  35                                 };
  36                                 allow-transfer {
  37                                         127.0.0.1;
  38                                         rcode0-ACL;
  39                                         dnsnode-ACL;
  40                                         dnsnodeapi-ACL;
  41                                 };
  42                                 also-notify {
  43                                         rcode0-masters;
  44                                         dnsnode-masters;
  45                                         dnsnodeapi-masters;
  46                                 };
  47
  48                                 key-directory "/srv/dns.debian.org/var/keys/_openpgpkey.debian.org";
  49                                 sig-validity-interval 40 25;
  50                                 auto-dnssec maintain;
  51                                 inline-signing yes;
  52                         };
  53                         | EOF
  54         }
  55
  56         concat::fragment { 'dsa-puppet-stuff--nsec3':
  57                 target => '/etc/cron.d/dsa-puppet-stuff',
  58                 content  => @(EOF)
  59                         13 19 4 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.net
  60                         29 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.org
  61                         32 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debconf.org
  62                         36 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) _openpgpkey.debian.org
  63
  64                         | EOF
  65         }
  66
  67 }