1. Description
2. Setup - The basics of getting started with bind
   • What bind affects
   • Setup requirements
   • Beginning with bind
3. Usage - Configuration options and additional functionality
4. Limitations - OS compatibility, etc.
5. Development - Guide for contributing to the module

This module manages the BIND Name Server on Debian and Ubuntu. The module supports setting up a Caching Name Server or an Authoritative Name Server using primary and secondary zones.

The module manages the named process and related service files. It also managed the configuration and zone files. On Debian and Ubuntu these files are below the /etc/bind, /var/lib/bind and /var/cache/bind directories. The module uses a multi-level directory tree below /var/lib/bind and /var/cache/bind to separate primary and secondary zone files.

The module uses the stdlib and concat modules. It is tested on Debian and Ubuntu using Puppet 7.

Set up a caching name server on localhost:

class { 'bind':
  listen_on         => [ '127.0.0.1', ],
  listen_on_v6      => [ 'none', ],
  allow_query       => [ 'localhost', ],
  allow_query_cache => [ 'localhost', ],
  allow_recursion   => [ 'localhost', ],
}

Set up a caching name server that provides recursive name resolution for a local subnet:

class { 'bind':
  allow_query       => [ 'localhost', 'lan', ],
  allow_query_cache => [ 'localhost', 'lan', ],
  allow_recursion   => [ 'localhost', 'lan', ],
}

bind::acl { 'lan':
  address_match_list => [ '192.168.10.0/24' ],
}

Set up a caching name server that provides recursive name resolution for a local subnet and uses forwarders:

class { 'bind':
  allow_query       => [ 'localhost', '10/8', ],
  allow_query_cache => [ 'localhost', '10/8', ],
  allow_recursion   => [ 'localhost', '10/8', ],
  forwarders        => [ '10.0.0.53', '10.1.1.53', ],
}

Add a primary zone for the example.com domain and manage the zone file using Puppet:

bind::zone::primary { 'example.com':
  source => 'puppet:///modules/profile/dns/example.com.zone',
}

The zone file will be managed on the server as /var/lib/bind/primary/com/example/db.example.com. This tree structure is better than a flat directory structure if many zones will be managed by the server.

Add a primary zone for the example.com domain and allow dynamic updates using a generated key called nsupdate:

bind::key { 'nsupdate':
  secret  => 'TopSecret',
  keyfile => '/etc/bind/nsupdate.key',
}

bind::zone::primary { 'example.com':
  update_policy => ['grant nsupdate zonesub any'],
}

The zone file must already exist on the server as /var/lib/bind/primary/com/example/db.example.com. It can't be managed by Puppet as named will periodically need to update the zone file when processing dynamic updates.

Remember that you need to use rndc freeze example.com and rndc thaw example.com when editing the zone file manually.

Create a new DNSSEC policy named standard with a Combined Signing Key (CSK) and use the policy to create a DNSSEC signed zone:

bind::dnssec_policy { 'standard':
  csk_lifetime  => 'unlimited',
  csk_algorithm => 'ecdsap256sha256',
}

bind::zone::primary { 'example.net':
  dnssec         => true,
  inline_signing => true,
  dnssec_policy  => 'standard',
  source         => 'puppet:///modules/profile/dns/example.net.zone',
}

DNSSEC policies are available with Bind 9.16 and later.

The view internal allow recursive DNS resolution for all hosts on the local network.

bind::view { 'internal':
  match_clients   => [ 'localnets', ],
  allow_query     => [ 'localnets', ],
  allow_recursion => [ 'localnets', ],
  recursion       => true,
  order           => '10',
}

The view external is for all other hosts and should only be used for your primary or secondary zones.

bind::view { 'external':
  match_clients            => [ 'any', ],
  allow_query              => [ 'any', ],
  recursion                => false,
  localhost_forward_enable => false,
  localhost_reverse_enable => false,
  order                    => '20',
}

The defined types bind::zone::primary and bind::zone::secondary can be used to add zones to this view.

See REFERENCE.md

Not all BIND features are currently implemented as I started with the options I needed myself. Some options are not yet available and features like DNSSEC are not well tested.

Creating DNSSEC keys manually using the dnssec_key type with automatic rollover is discouraged. The defined type bind::dnssec_policy should be used instead.

You may open Github issues for this module if you need additional options currently not available.

Feel free to send pull requests for new features.