Fixing bind9 config

ansible-5/playbooks/bootstrap.yaml

@@ -104,4 +104,5 @@
       ansible.builtin.replace:
         path: /etc/apt/sources.list
         regexp: '(\s+)bullseye\/updates(\s+.*)?$'
-        replace: '\1bullseye-security\/updates\2'
+        replace: '\1bullseye-security/updates\2'
+      become: true

ansible-5/roles/ns.xai-corp.net/defaults/main.yml

@@ -6,13 +6,15 @@ bind:
   user: root
   group: bind
   service: named
+  named:
+    options: -n1 -d0
   zonefiles:
     - xai-corp.net.internal
     - xai-corp.net.external
     - xai-corp.net.reverse
   namedfiles:
     - named.conf.local
-    - named.conf.options
-    - named.conf.default-zones
+#    - named.conf.options
+#    - named.conf.default-zones
   cleanup:
     - /etc/bind/db.localhost.zone

ansible-5/roles/ns.xai-corp.net/tasks/config_named.yaml

@@ -5,35 +5,16 @@
 - name: install bind package
   apt:
     name: "{{ item }}"
-    #    update_cache: yes
-    #    cache_valid_time: 86400
     state: latest
   with_items:
     - bind9
 
-- name: set correct permissions for logging
-  file:
-    state=directory
-    path=/var/log/named/
-    recurse=yes
-    owner={{ bind.user }}
-    group={{ bind.group }}
-    mode=0777
-
-- name: set correct permissions on cache
-  file:
-    state: directory
-    path: /var/cache/bind/
-    owner: "{{ bind.user }}"
-    group: "{{ bind.group }}"
-    recurse: yes
-
 - name: copy zone files to /etc/bind/
   template:
     src: "{{ item }}.j2"
     dest: /etc/bind/db.{{ item }}
-    owner: "{{ bind.user }}"
-    group: "{{ bind.group }}"
+    owner: root
+    group: root
     mode: 0644
   with_items: "{{ bind.zonefiles }}"
   notify:
@@ -47,7 +28,12 @@
     - 4.168.192.IN-ADDR.ARPA. /etc/bind/db.xai-corp.net.reverse
 
 - name: copy named.confs to /etc/bind/
-  template: src={{ item }}.j2 dest=/etc/bind/{{ item }} owner={{ bind.user }} group={{ bind.group }} mode=0640
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/bind/{{ item }}"
+    owner: root
+    group: "{{ bind.group }}"
+    mode: 0644
   with_items: "{{ bind.namedfiles }}"
   notify:
     - restart bind
@@ -59,14 +45,9 @@
 
 - name: set named startup options
   ansible.builtin.copy:
-    content: OPTIONS="-d1"
+    content: OPTIONS="{{ bind.named.options }}"
     dest: /etc/default/named
 
-- name: set permisions on rndc.key
-  ansible.builtin.file:
-    mode: 644
-    path: /etc/bind/rndc.key
-
 - name: remove old named sysconfig options
   file:
     state: absent

ansible-5/roles/ns.xai-corp.net/templates/named.conf.default-zones.j2

@@ -1,34 +1,32 @@
 /*
  * using views for internal zone requires a view for defaults
  */
-view "defaults" {
-    // prime the server with knowledge of the root servers
-    zone "." {
-            type hint;
-            file "/usr/share/dns/root.hints";
-    };
-
-
-    // be authoritative for the localhost forward and reverse zones, and for
-    // broadcast zones as per RFC 1912
-
-    zone "localhost" {
-            type master;
-            file "/etc/bind/db.local";
-    };
-
-    zone "127.in-addr.arpa" {
-            type master;
-            file "/etc/bind/db.127";
-    };
-
-    zone "0.in-addr.arpa" {
-            type master;
-            file "/etc/bind/db.0";
-    };
-
-    zone "255.in-addr.arpa" {
-            type master;
-            file "/etc/bind/db.255";
-    };
+// prime the server with knowledge of the root servers
+zone "." {
+        type hint;
+        file "/usr/share/dns/root.hints";
+};
+
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+        type master;
+        file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.255";
 };

ansible-5/roles/ns.xai-corp.net/templates/named.conf.local.j2

@@ -2,70 +2,16 @@
 #
 # - local zones and views
 
-view "internal" {
-	match-clients {
-	    any;
-	};
-	recursion yes;
-
-	zone "xai-corp.net." IN {
-		type master;
-		file "/etc/bind/db.xai-corp.net.internal";
-		allow-query { any; };
-		allow-transfer { none; };
-	};
-
-	zone "4.168.192.in-addr.arpa." IN {
-		type master;
-		file "/etc/bind/db.xai-corp.net.reverse";
-		allow-update { none; };
-	};
-
+zone "xai-corp.net." IN {
+    type master;
+    file "/etc/bind/db.xai-corp.net.internal";
+    allow-query { any; };
+    allow-transfer { none; };
 };
 
-//view "external" {
-//	match-clients { none; };
-//	recursion no;
+zone "4.168.192.in-addr.arpa." IN {
+    type master;
+    file "/etc/bind/db.xai-corp.net.reverse";
+    allow-update { none; };
+};
 
-
-//	zone "xai-corp.net" {
-//		type master;
-//		file "/etc/bind/db.xai-corp.net.external";
-//		allow-query { none; };
-//		allow-transfer { 127.0.0.1; };
-//	};
-//};
-
-/*
- * Briefly, a zone which has been declared delegation-only will be effectively
- * limited to containing NS RRs for subdomains, but no actual data beyond its
- * own apex (for example, its SOA RR and apex NS RRset). This can be used to
- * filter out "wildcard" or "synthesized" data from NAT boxes or from
- * authoritative name servers whose undelegated (in-zone) data is of no
- * interest.
- * See http://www.isc.org/software/bind/delegation-only for more info
- */
-
-//zone "COM" { type delegation-only; };
-//zone "NET" { type delegation-only; };
-
-//zone "YOUR-DOMAIN.TLD" {
-//	type master;
-//	file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
-//	allow-query { any; };
-//	allow-transfer { xfer; };
-//};
-
-//zone "YOUR-SLAVE.TLD" {
-//	type slave;
-//	file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
-//	masters { <MASTER>; };
-
-	/* Anybody is allowed to query but transfer should be controlled by the master. */
-//	allow-query { any; };
-//	allow-transfer { none; };
-
-	/* The master should be the only one who notifies the slaves, shouldn't it? */
-//	allow-notify { <MASTER>; };
-//	notify no;
-//};

ansible-5/roles/ns.xai-corp.net/templates/named.conf.options.j2

@@ -60,8 +60,8 @@ options {
 		// If BIND logs error messages about the root key being expired,
 		// you will need to update your keys.  See https://www.isc.org/bind-keys
 		//========================================================================
-		//dnssec-validation auto; //auto?
-		dnssec-validation no; //auto?
+		dnssec-validation auto; //auto?
+		//dnssec-validation no; //auto?
 
 		//auth-nxdomain no;    # conform to RFC1035
 		listen-on-v6 { any; };
@@ -70,11 +70,15 @@ options {
 		//listen-on { any; };
 		//query-source address *;
 		//allow-query { trusted; };
+
+        //querylog no;
+
 };
 
 
 
-//logging {
+logging {
+
 //    channel default_log {
 //        file "/var/log/named/named.log" versions 3 size 5M;
 //        severity notice;
@@ -85,7 +89,7 @@ options {
 //
 //    category default { default_log; };
 //    category general { default_log; };
-//};
+};
 
 
 //include "etc/bind/rndc.key";