
Add configuration for authoritative name server(s).

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 7 years ago
parent
commit
eef840b826

+ 4 - 0
dns-server/auth/ZONES

@@ -0,0 +1,4 @@
+The zones/ directory is part of the internal salt git as the contents of the
+zones should not be public :-)
+
+Go there for zone changes.

+ 39 - 0
dns-server/auth/init.sls

@@ -0,0 +1,39 @@
+#
+# Authoritive FFHO DNS Server configuration (dns01/dns02 anycast)
+#
+
+include:
+  - dns-server
+
+# Bind options
+/etc/bind/named.conf.options:
+  file.managed:
+    - source: salt://dns-server/auth/named.conf.options
+    - template: jinja
+    - require:
+      - pkg: bind9
+    - watch_in:
+      - cmd: rndc-reload
+
+
+# Configure authoritive zones in local config
+/etc/bind/named.conf.local:
+  file.managed:
+    - source: salt://dns-server/auth/named.conf.local
+    - require:
+      - pkg: bind9
+    - watch_in:
+      - cmd: rndc-reload
+
+
+# Copy zonefiles
+/etc/bind/zones/_tree:
+  file.recurse:
+    - name: /etc/bind/zones
+    - source: salt://dns-server/auth/zones
+    - file_mode: 644
+    - dir_mode: 755
+    - user: root
+    - group: root
+    - watch_in:
+      - cmd: rndc-reload
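Review bot: The `file_mode: 644` and `dir_mode: 755` values on `/etc/bind/zones/_tree` are bare YAML integers; Salt's file state documentation asks for modes as quoted strings with the leading zero, `- file_mode: '0644'` and `- dir_mode: '0755'`, so that a later edit to a zero-prefixed mode is not read differently by different YAML loaders. `file.recurse` also keeps files that have been removed from `salt://dns-server/auth/zones`, so a zone deleted from the repository stays on the server until someone removes it by hand; if a mirror of the source tree is intended, `- clean: True` does that (it removes anything else under /etc/bind/zones too). The same unquoted-mode pattern appears at `mode: 755` in dns-server/init.sls.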

+ 113 - 0
dns-server/auth/named.conf.local

@@ -0,0 +1,113 @@
+//
+// Zone configuration for master name server (Salt managed)
+//
+
+acl slaves {
+	// dns01.srv.rfc2324.org
+	31.172.8.66;
+	2a01:a700:4621:866::10;
+
+	// dns.gnuzifer.de
+	78.46.242.18;
+	2a01:4f8:190:6500::12:1;
+
+	// ns.youngage.eu
+	5.9.142.19;
+	2a01:4f8:190:2105::53;
+};
+
+acl ffho-ops {
+	10.123.249.0/27;
+};
+
+//
+// Public forward zones
+//
+
+zone "paderborn.freifunk.net" {
+	type master;
+	file "/etc/bind/zones/paderborn.freifunk.net.zone";
+	allow-transfer { slaves; localhost; ffho-ops; };
+};
+
+zone "pb.freifunk.net" {
+	type master;
+	file "/etc/bind/zones/pb.freifunk.net.zone";
+	allow-transfer { slaves; localhost; ffho-ops; };
+};
+
+zone "hochstift.freifunk.net" {
+	type master;
+	file "/etc/bind/zones/hochstift.freifunk.net.zone";
+	allow-transfer { slaves; localhost; ffho-ops; };
+};
+
+zone "ffho.net" {
+	type master;
+	file "/etc/bind/zones/ffho.net.zone";
+	allow-transfer { slaves; localhost; ffho-ops; };
+};
+
+
+//
+// Vega Systems v6 reverse nets
+//
+// 2a02:450:0:6::/64
+zone "6.0.0.0.0.0.0.0.0.5.4.0.2.0.a.2.ip6.arpa" {
+	type master;
+	file "/etc/bind/zones/2a02:450:0:6_64.ip6.arpa.zone";
+	allow-transfer { slaves; localhost; ffho-ops; };
+};
+
+// 2a02:450:1::/60
+zone "0.0.0.1.0.0.0.0.5.4.0.2.0.a.2.ip6.arpa" {
+	type master;
+	file "/etc/bind/zones/2a02:450:1_60.ip6.arpa.zone";
+	allow-transfer { slaves; localhost; ffho-ops; };
+};
+
+
+//
+// FFRL v6 Assignments
+//
+
+// 2a03:2260:2342::/48
+zone "2.4.3.2.0.6.2.2.3.0.a.2.ip6.arpa" {
+	type master;
+	file "/etc/bind/zones/2a03:2260:2342::_48.ip6.arpa.zone";
+	allow-transfer { slaves; localhost; ffho-ops; };
+};
+
+
+//
+// Internal stuff
+//
+
+// 10.132.0.0/16 reverse
+zone "132.10.in-addr.arpa" {
+	type master;
+	file "/etc/bind/zones/132.10.in-addr.arpa.db";
+	allow-transfer { localhost; ffho-ops; };
+};
+
+// Management reverse
+zone "30.172.in-addr.arpa" {
+	type master;
+	file "/etc/bind/zones/30.172.in-addr.arpa.zone";
+	allow-transfer { localhost; ffho-ops; };
+};
+
+// Legacy .ffpb
+zone "ffpb" {
+	type master;
+	file "/etc/bind/zones/ffpb.db";
+	allow-transfer { localhost; ffho-ops; };
+};
+
+
+// Legacy fdca:ffee:ff12::/48 reverse
+zone "2.1.f.f.e.e.f.f.a.c.d.f.ip6.arpa" {
+	type master;
+	file "/etc/bind/zones//fdca:ffce:ff12::_48.db";
+	allow-transfer { localhost; ffho-ops; };
+};
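Review bot: The last zone, `zone "2.1.f.f.e.e.f.f.a.c.d.f.ip6.arpa"`, points at `/etc/bind/zones//fdca:ffce:ff12::_48.db`, whose name disagrees with both the comment and the zone name (`ffce` versus `ffee`) and carries a doubled slash; unless the file under salt://dns-server/auth/zones really is spelled that way, BIND will refuse to load this zone at `rndc reload` and only the daemon log will show it. `file "/etc/bind/zones/fdca:ffee:ff12::_48.db";` is presumably the intended path, to be confirmed against the zones/ directory, which is not part of this commit. On transfer policy, every `allow-transfer` here is an address-only ACL (`slaves`, `ffho-ops`); BIND can additionally require a TSIG key per secondary, so that a reassigned or spoofed address alone cannot pull a zone, which matters most for the internal zones whose contents the ZONES file says are not meant to be public.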

+ 43 - 0
dns-server/auth/named.conf.options

@@ -0,0 +1,43 @@
+//
+// Bind options (Salt managed)
+//
+
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable
+	// nameservers, you probably want to use them as forwarders.
+	// Uncomment the following block, and insert the addresses replacing
+	// the all-0's placeholder.
+
+	// forwarders {
+	//	0.0.0.0;
+	// };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	// Disable DNSSEC validation as it will FAIL for all ffXY domains which will
+	// render them unuseable. As bind can only be run in all-on or all-off mode
+	// this seems to be our only chance for now :-(
+	dnssec-validation no;
+
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+
+	allow-recursion {
+		127.0.0.1/8;
+		::1/128;
+
+		// Entries from pillar
+{%- for entry in salt['pillar.get']('dns-server:auth:allow-recursion', []) %}
+		{{ entry }};
+{%- endfor %}
+	};
+};
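Review bot: The `options` block sets no global `allow-transfer { none; };`, so the per-zone ACLs in named.conf.local are the only restriction on AXFR; on BIND releases of this period the built-in default is `any`, and a zone added later without its own `allow-transfer` line would be transferable by anyone. Adding `allow-transfer { none; };` next to `allow-recursion` makes the per-zone lists an explicit opt-in. Since `recursion` is left at its default, this server also answers recursive queries for the networks listed under `allow-recursion`; if that is intended for an authoritative server a comment saying so is worth adding, as a pure authoritative setup would state `recursion no;`. The pillar loop at `{%- for entry in salt['pillar.get']('dns-server:auth:allow-recursion', []) %}` writes each entry unquoted into the ACL, so a malformed pillar value becomes a named.conf syntax error that blocks the reload; a comment such as `// expects address or prefix entries from pillar dns-server:auth:allow-recursion` would help the next editor.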

+ 28 - 0
dns-server/init.sls

@@ -0,0 +1,28 @@
+#
+# Bind name server
+#
+
+bind9:
+  pkg.installed:
+    - name: bind9
+  service.running:
+    - enable: True
+    - reload: True
+
+
+# Create zones directory
+/etc/bind/zones/:
+  file.directory:
+    - makedirs: true
+    - user: root
+    - group: root
+    - mode: 755
+    - require:
+      - pkg: bind9
+
+
+# Reload command
+rndc-reload:
+  cmd.wait:
+    - watch: []
+    - name: /usr/sbin/rndc reload
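Review bot: `/etc/bind/zones/` uses `mode: 755` as a bare integer, whereas the Salt file state documentation asks for modes as quoted strings with a leading zero, `- mode: '0755'`; and `- enable: True` uses the capitalised YAML 1.1 boolean while `makedirs: true` in the next state uses the lowercase form, so one spelling should be picked (lowercase `true` is the one yamllint's truthy rule accepts). `rndc-reload` is a `cmd.wait` with `watch: []` that is only ever triggered through `watch_in` from states in other files, which works but leaves no trace of the trigger here; a comment on the state, `# Triggered via watch_in from the file states in dns-server/auth/init.sls`, would save the reader a search. dns-server/auth/init.sls has the same unquoted mode values at `file_mode: 644` and `dir_mode: 755`.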

+ 5 - 0
top.sls

@@ -56,3 +56,8 @@ base:
     - match: pillar
     - kvm
 
+  # Authoritive DNS server
+  nodes:{{ grains['id'] }}:roles:dns-auth:
+    - match: pillar
+    - dns-server.auth
+