theforeman / puppet-dns

Installs and manages an ISC BIND DNS server with zones
Apache License 2.0

ACLs are unusable with allow_transfer #164

Open damluk opened 4 years ago

damluk commented 4 years ago

The following beaker test fails on Debian 10 and probably other distros, even though it might encode a desirable setup:

diff --git a/spec/acceptance/dns_spec.rb b/spec/acceptance/dns_spec.rb
index 50f6729..8ddc748 100644
--- a/spec/acceptance/dns_spec.rb
+++ b/spec/acceptance/dns_spec.rb
@@ -14,12 +14,15 @@ describe 'Scenario: install bind' do

   let(:pp) do
     <<-EOS
-    include dns
+    class { 'dns':
+      acls => { 'trusted' => ['10.0.0.0/24'] },
+    }

     dns::zone { 'example.com':
       soa     => 'ns1.example.com',
       soaip   => '192.0.2.1',
       soaipv6 => '2001:db8::1',
+      allow_transfer => ['"trusted"'],
     }
     EOS
   end
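
Review bot: the added `allow_transfer => ['"trusted"'],` line in `dns::zone` carries literal double quotes inside the single-quoted string, which reads like a typo without explanation; a short comment in the manifest saying why the inner quotes are there would help, and the `=>` should be aligned with `soa`, `soaip` and `soaipv6`. Because the hunk replaces `include dns` in the existing scenario instead of adding a new one, the plain `include dns` case is no longer exercised by this spec; consider putting the `acls` plus `allow_transfer` manifest in its own scenario.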

The error is due to named-checkconf:

Error: Execution of '/usr/sbin/named-checkconf /etc/bind/zones.conf20200501-1763-1xd9g1x' returned 1: /etc/bind/zones.conf20200501-1763-1xd9g1x:7: undefined ACL 'trusted'

Interestingly, there are other ACL-capable clauses that do not care about undefinedness in the same config file.

The best solution I can come up with is to place acl, view and zone definitions into the same config file.

ekohl commented 4 years ago

Looks like this problem is not limited to Debian 10.