theforeman / puppet-dns Goto Github PK

I would like to set several options inside zones that are currenty not supported by named.zone.erb. Would you like to make me a merge request with a bunch of new dns::zone parameters or with an additional_options parameter?

In our environment the following error is thrown when using the dns module:

Error: /Stage[main]/Dns::Config/Concat[/etc/named.conf]/File[/etc/named.conf]/content: change from '{md5}bdddc3e08bde5104b16abf184f83c595' to '{md5}6b06a55481ffdc7be89c2dcf03cbeede' failed: Execution of '/usr/sbin/named-checkconf /etc/named.conf20220309-56666-ap026i' returned 1: /etc/named.conf20220309-56666-ap026i:16: open: /etc/named/zones.conf: file not found (corrective)

We found that this must be an execution order problem as the named.conf includes the statement

include "/etc/named/zones.conf";

We fixed the problem in our code with the following execution order constraint:

Concat['/etc/named/zones.conf']->Concat['/etc/named.conf']

In the modules code the code in config.pp (

  concat { $dns::namedconf_path:
    owner        => 'root',
    group        => $dns::params::group,
    mode         => '0640',
    require      => [
     Concat[$dns::optionspath],
     Concat[$dns::publicviewpath],
    ]
    validate_cmd => $validate_cmd,
  }

Since bind 9.18 a number of deprecated options were removed, and are errors to include in the configuration https://bind9.readthedocs.io/en/v9_18_0/notes.html

When declaring a dns::zone resource with zonetype => 'forward' and also setting manage_file/manage_file_name, or even masters, allow_transfer, etc then the resulting configuration in zones.conf is invalid and named refuses to start, with error messages like this:

named[13888]: /etc/bind/zones.conf:14: option 'allow-query' is not allowed in 'forward' zone 'foo.example.com'
named[13888]: /etc/bind/zones.conf:13: option 'allow-transfer' is not allowed in 'forward' zone 'foo.example.com'
named[13888]: /etc/bind/zones.conf:15: option 'also-notify' is not allowed in 'forward' zone 'foo.example.com'
named[13888]: /etc/bind/zones.conf:11: option 'masters' is not allowed in 'forward' zone 'foo.example.com'
named[13888]: /etc/bind/zones.conf:12: option 'notify' is not allowed in 'forward' zone 'foo.example.com'
named[13888]: loading configuration: failure
named[13888]: exiting (due to fatal error)

I will submit a PR to fix this.

Hey,

I am in the middle of evaluating a foreman puppet setup, trying out all the foreman smart proxy features. I want to do everything through puppet and u guys have pretty good modules already for that. But i can't find how I would be able to add a key to bind for foremans nsupdates, shoulnd this be supported by this module or am I missing something ?

Best regards

With isc-projects/bind9@3a4f820 -r option is removed in confgen command, so now if -r /dev/urandom is passed to the command then it fails due to fatal("The -r option has been deprecated.").

I see it's used at two place in puppet-dns code:-

• https://github.com/theforeman/puppet-dns/blob/master/manifests/config.pp#L67-L70
• https://github.com/theforeman/puppet-dns/blob/master/manifests/key.pp#L40-L41

Also looks this parameter is not mandatory in earlier bind versions and confgen works without it too, but may be it was passed for some use case, Anyway it would be good to get it fixed for bind-9.13.0+.

Faced this while testing with bind-9.16.11 on a CentOS9 machine.

Hi,

I'm sorry but I'm a bit confuse with the capabilites of this module.
I was able to create a zone exemple.com.
But I would like that my DNS records to be manage by puppet too.

I didn't see anything in the code which allow me to create dns records into a specific zone.

Can you please explain to me what this module manage exactly ?

Thank you !

dns::defaultzonepath is defined as a parameter, however setting this has no effect to named.conf.

The following beaker test fails on Debian 10 and probably other distros, even though it might encode a desirable setup:

diff --git a/spec/acceptance/dns_spec.rb b/spec/acceptance/dns_spec.rb
index 50f6729..8ddc748 100644
--- a/spec/acceptance/dns_spec.rb
+++ b/spec/acceptance/dns_spec.rb
@@ -14,12 +14,15 @@ describe 'Scenario: install bind' do
 
   let(:pp) do
     <<-EOS
-    include dns
+    class { 'dns':
+      acls => { 'trusted' => ['10.0.0.0/24'] },
+    }
 
     dns::zone { 'example.com':
       soa     => 'ns1.example.com',
       soaip   => '192.0.2.1',
       soaipv6 => '2001:db8::1',
+      allow_transfer => ['"trusted"'],
     }
     EOS
   end

The error is due to named-checkconf:

Error: Execution of '/usr/sbin/named-checkconf /etc/bind/zones.conf20200501-1763-1xd9g1x' returned 1: /etc/bind/zones.conf20200501-1763-1xd9g1x:7: undefined ACL 'trusted'

Interestingly there are other ACL-capable clauses that do not care about undefinedness in the same config file.

The best solution I can come up with, is to place acl, view and zone definitions into the same config file.

Hello,

Is there a way to manage zones records ?
I would like Puppet to enforce my complete bind configuration.

Actually, zone.header.erb only manages the header of the file.
Is there a way without concat to add my records (A, CNAME, ...) at the bottom ?

Thank you !

init.pp has service_ensure and service_enable, but no package_ensure. install.pp thus always ensures the package is present. There is no way to use this module without having it install the package, or to enforce the installed version (like latest).

This would be a useful feature, like in our case where we want to use puppet to create the configuration, but don't want it installed because we want to run bind in a Docker container.

Is it possible to make the location of the named.zone.erb template configurable like the other templates? This way i can manage the base zone settings from a custom template and keep the config clean.

In our organisation we manage system users and groups (like bind in this case) globally, using Hiera and our own user account module. This way we have control over user and group IDs, home directories, shells, etc from a single source.

This conflicts with modules that unconditionally manage users and groups using the Puppet types user or group, like this module does with the BIND system group.

I have created PR #139 to make managing the system group optional (but enabled by default) to fix this.

If I want to have BIND listen on a different port on v4, I can do the following:

class { '::dns':
  additional_options => {
    'listen-on' => 'port 5322 { any; }',
  }
}

However, for ipv6, there's the listen_on_v6 parameter that will always be present in the template:

listen-on-v6 { <%= scope.lookupvar('::dns::listen_on_v6') %>; };

There's no way to precise the port so it will always be on port 53.

For backwards compatibility purposes, I recommend adding a condition in the template -- if listen_on_v6 is defined, add it with the value.
If someone wants more "advanced" config, such as listening on v6 on an alternate port, he can set listen_on_v6 to false and use additional_options like the snippet at the beginning of this issue:

class { '::dns':
  listen_on_v6       => false,
  additional_options => {
    'listen-on'    => 'port 5322 { any; }',
    'listen-on-v6' => 'port 5322 { any; }'
  }
}

Hi,

Could you add support for the 'also-notify' option in the option.conf file, to allow notifications to slave dns hosts that do not have NS records.

Thanks

When using theforeman/dns 5.1.0 with puppetlabs/concat 4.1.1, my catalogues fail to compile with the following error:

no parameter named 'format' at [...]/modules/concat/manifests/init.pp:94 on Concat_file[/etc/bind/zones.conf] at [...]/modules/concat/manifests/init.pp:94 on node foo.example.com

README says that this project is licensed under GPLv3+ but LICENSE and metadata says ASL 2.0, could you fix it, please?

The EL6 /etc/sysconfig/named documents a list of files and directories that are mounted into named chroot when ROOTDIR is set. The /etc/zones.conf file is not in the list, my guess is the location is not what bind expects. I can submit a PR that modifies the path of zones.conf to be /etc/named/zones.conf, but wanted to get an idea if such a change would be accepted.

The named-checkconf command is installed not in /usr/sbin but in /usr/bin in Ubuntu 22.04.
https://packages.ubuntu.com/jammy/bind9-utils

Because of this change, applying a manifest with dns::config_check => true (this is default) fails with the following error in Ubuntu 22.04.

2023-03-14 01:27:22 +0000 /Stage[main]/Dns::Config/Concat[/etc/bind/zones.conf]/File[/etc/bind/zones.conf]/ensure (err): change from 'absent' to 'file' failed: Execution of '/usr/sbin/named-checkconf /etc/bind/zones.conf20230314-5533-1381cdx' returned 1: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/log/destinations.rb:112:in `flush': Bad file descriptor (Errno::EBADF)
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/log/destinations.rb:112:in `handle'
	...
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
	from /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/execution.rb:360:in `exec': No such file or directory - /usr/sbin/named-checkconf (Errno::ENOENT)
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/execution.rb:360:in `block (2 levels) in execute_posix'
	...
	from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
	from /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

OS detection is just $operatingsystem and it only supports redhat/centos, no $osfamily or Fedora.

Currently this module still writes to /etc/default/bind9, but since Debian Bullseye and at least Ubuntu Focal (20.04) the defaults was renamed to /etc/default/named.

See https://salsa.debian.org/dns-team/bind9/-/blob/debian/9.18/debian/bind9.named.service#L10
unfortunately there was never a note in the release notes (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23993257), but still the current value is wrong.``

Having installed this module I find that it's not possible to edit the zone parameter. Some classes need some manual editing to work "theforeman" way but I would've expected a class written by you guys to work "out of the box". I'd appreciate a little guidance as your documentation is virtually non-existent