This role installs and configures the Bind9 nameserver on Debian.
Features:
host_vars/master_name/vars/XX_bind.yml
, here with an example.com static zones and forwarder:
bind9_authoritative: yes
bind9_zones_static:
bind9_zones_static:
- { name: example.com, type: slave }
bind9_forward: yes
bind9_forward_servers:
- 8.8.8.8
- 4.4.4.4
bind9_masters:
- { name: master_name, addresses: [master_ip] }
bind9_recursor: our_network
So called "dynamic" zones' records are defined through YAML ansible variable bind9_zones_dynamic
which is parsed by bind/zones/db.template.j2
template.
As there can be several zones, and zone definitions can be long, zone vars are worthily defined in a different vars file, for instance host_vars/master_name/vars/YY_zones.yml
. bind9_zones_dynamic
can be split in several variables, which can be defined in specific files, as in the example below.
In YY_zones.yml
we may have:
bind9_zones_dynamic: >
{{ zones_my_domains
| union ( zone_my_reverse_inaddr_arpa )
| union ( zone_my_reverse_ip6_arpa ) }}
# bind9_zone_static: zone files copied from `files/bind/zones/`
bind9_zones_static:
- name: static_dom.org
type: master
- name: static_dom2.org
type: master
- name: static_dom3.org
type: slave
And in other vars files:
zones_my_domains:
# This is the variables set for my domain
- name: dyn_domain.org
type: master
default_ttl: 600
serial: 2022050501
refresh: 1D
retry: 2H
expire: 1000H
# NS and other pre-formatted records values must be given as full qualified domain names, with or without final dot, but not relative to the zone
primary: ns1.dyn_domain.org # Optional, if you don't define it, firs NS is taken
admin: postmaster.dyn_domain.org
ns_records:
- ns1.dyn_domain.org
- ns2.dyn_domain.org
# RR values are either relative to the zone, either with a final dot when outside.
rrs:
- {label: "@", type: MX, rdata: 10 mail}
- {label: webmail, type: CNAME, rdata: mail}
- {label: "@", type: A, rdata: 8.8.8.221}
- {label: "@", type: AAAA, rdata: 2001:db8:6a::95}
- {label: www, type: CNAME, rdata: webserver.dyn_domain.org.}
- {label: mail, type: A, rdata: 8.8.8.222}
- {label: mail, type: AAAA, rdata: 2001:db8:6a::22}
- {label: webserver, ttl: 86400, type: A, rdata: 8.8.8.223}
- {label: webserver, ttl: 86400, type: AAAA, rdata: 2001:db8:6a::23}
And similarly zone_my_reverse_inaddr_arpa
and zone_my_reverse_ip6_arpa
for IP reverse DNS resolution. Note that we adopted for generic NS records the terminology defined in RFC 1034, Section 3.6
If you want to have your DDNS keys created by this role configure bind9_generate_ddns_key
:
- bind9_generate_ddns_key: true
Keys will by default be stored to files/bind/zones
withinin your playbook location, but you can customize this with bind9_local_keydir
- bind9_local_keydir: credentials/bind
Please note that for DDNS updates to work, the location of the zone files needs to be writable by the BIND process.
Linux distros with Mandatory Access Control (Apparmor, SELinux) ususally don't allow writing to the default /etc/bind/zones
path. In order to circumvent this you may want to change the zone files location to /var/lib/bind/zones
instead:
- bind9_zonedir: /var/lib/bind/zones
For the XMPP notification feature, python-xmpp
needs to be installed.
See defaults/main.yml
for a list of role variables.
For developing and testing the role we use Github Actions, Molecule and Vagrant. On the local environment you can easily test the role with
Run local tests with:
molecule test
This Ansible role is licensed under the GNU GPLv3.
Copyright 2017-2020 systemli.org (https://www.systemli.org/)