update bind9 configuration example / view

This commit is contained in:
Thomas Waldmann 2013-11-10 06:48:48 +01:00
parent bd3e7c80f7
commit e27d1fa687
2 changed files with 31 additions and 7 deletions


@ -1,11 +1,12 @@
// configuration snippet for bind 9 nameserver (put it into /etc/bind9/named.conf )
key "nsupdate.info." {
// everyone who has this key may update this zone:
// must be same algorithm as in the Domain record of the nsupdate.info based service
algorithm hmac-sha512;
// the secret is just a shared secret in base64-encoding, you don't need
// to use a special tool to create it. Some random in base64 encoding should
// be OK. must be same secret as in the Domain record of the nsupdate.info based service
// be OK. must be same secret as in the Domain database record of the nsupdate.info based service
secret "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQ==";
};
@ -13,6 +14,16 @@ zone nsupdate.info {
type master;
// bind9 needs write permissions into that directory and into that file:
file "/etc/bind/zones/nsupdate.info";
// everyone who has that key may update this zone:
allow-update { key "nsupdate.info."; };
update-policy {
// these "deny" entries are needed for the service domain,
// if you add another domain, you may want to check the need
// for other "deny" entries if the zone is not fully available.
// we don't allow updates to the infrastructure hosts:
deny nsupdate.info. name nsupdate.info;
deny nsupdate.info. name www.nsupdate.info;
deny nsupdate.info. name ipv4.nsupdate.info;
deny nsupdate.info. name ipv6.nsupdate.info;
// but we allow updates to any other host:
grant nsupdate.info. subdomain nsupdate.info;
};
};
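Review bot: The new `grant nsupdate.info. subdomain nsupdate.info;` rule carries no record-type list, so anyone holding the single shared key can create any record type BIND allows under user names, not only the address records the ipv4/ipv6 hosts suggest the service manages (the ARM documents a rule without types as matching all types except a small infrastructure set such as SOA/NS/RRSIG, if I recall correctly — worth confirming against the BIND version in use). If the service only pushes A and AAAA records, least privilege would be `grant nsupdate.info. subdomain nsupdate.info A AAAA;`, which keeps TXT, CNAME or MX data from being set through the same key. The same applies to the template section below, `grant {{ object.domain }}. subdomain {{ object.domain }};`. Since the `deny` entries match exact names only, any further infrastructure host added to the zone later (for example the targets of its NS or MX records) needs its own `deny` line; the comment hints at this, but naming those candidates would help operators who copy the snippet.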


@ -18,9 +18,12 @@
// configuration snippet for bind 9 nameserver (put it into /etc/bind9/named.conf )
key "{{ object.domain }}." {
// everyone who has this key may update this zone:
// must be same algorithm as in the Domain record of the nsupdate.info based service
algorithm {{ object.get_bind9_algorithm }};
// the secret is just a shared secret in base64-encoding, you don't need to use a special tool
// to create it. Some random in base64 encoding should be OK.
// the secret is just a shared secret in base64-encoding, you don't need
// to use a special tool to create it. Some random in base64 encoding should
// be OK. must be same secret as in the Domain database record of the nsupdate.info based service
secret "{{ shared_secret }}";
};
@ -28,8 +31,18 @@ zone {{ object.domain }} {
type master;
// bind9 needs write permissions into that directory and into that file:
file "/etc/bind/zones/{{ object.domain }}";
// everyone who has that key may update this zone:
allow-update { key "{{ object.domain }}."; };
update-policy {
// these "deny" entries are needed for the service domain,
// if you add another domain, you may want to check the need
// for other "deny" entries if the zone is not fully available.
// we don't allow updates to the infrastructure hosts:
deny {{ object.domain }}. name {{ object.domain }};
deny {{ object.domain }}. name www.{{ object.domain }};
deny {{ object.domain }}. name ipv4.{{ object.domain }};
deny {{ object.domain }}. name ipv6.{{ object.domain }};
// but we allow updates to any other host:
grant {{ object.domain }}. subdomain {{ object.domain }};
};
};