|
|
@@ -0,0 +1,48 @@
|
|
|
+//
|
|
|
+// Bind options (Salt managed)
|
|
|
+//
|
|
|
+
|
|
|
+options {
|
|
|
+ directory "/var/cache/bind";
|
|
|
+
|
|
|
+ // If there is a firewall between you and nameservers you want
|
|
|
+ // to talk to, you may need to fix the firewall to allow multiple
|
|
|
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
|
|
|
+
|
|
|
+ // If your ISP provided one or more IP addresses for stable
|
|
|
+ // nameservers, you probably want to use them as forwarders.
|
|
|
+ // Uncomment the following block, and insert the addresses replacing
|
|
|
+ // the all-0's placeholder.
|
|
|
+
|
|
|
+ // forwarders {
|
|
|
+ // 0.0.0.0;
|
|
|
+ // };
|
|
|
+
|
|
|
+ //========================================================================
|
|
|
+ // If BIND logs error messages about the root key being expired,
|
|
|
+ // you will need to update your keys. See https://www.isc.org/bind-keys
|
|
|
+ //========================================================================
|
|
|
+ // Disable DNSSEC validation as it will FAIL for all ffXY domains which will
|
|
|
+ // render them unuseable. As bind can only be run in all-on or all-off mode
|
|
|
+ // this seems to be our only chance for now :-(
|
|
|
+ dnssec-validation no;
|
|
|
+
|
|
|
+
|
|
|
+ auth-nxdomain no; # conform to RFC1035
|
|
|
+ listen-on-v6 { any; };
|
|
|
+
|
|
|
+ allow-recursion {
|
|
|
+ 127.0.0.1/8;
|
|
|
+ ::1/128;
|
|
|
+
|
|
|
+ // Entries from pillar
|
|
|
+{%- for entry in salt['pillar.get']('dns-server:auth:allow-recursion', []) %}
|
|
|
+ {{ entry }};
|
|
|
+{%- endfor %}
|
|
|
+ };
|
|
|
+
|
|
|
+{%- if grains['id'] != 'dns01.in.ffho.net' %}
|
|
|
+ // Disable notifies on non-master DNS
|
|
|
+ notify no;
|
|
|
+{%- endif %}
|
|
|
+};
|
Maximilian Wilhelm