update bind9 configuration example / view
This commit is contained in:
parent
bd3e7c80f7
commit
e27d1fa687
@ -1,11 +1,12 @@
|
||||
// configuration snippet for bind 9 nameserver (put it into /etc/bind9/named.conf )
|
||||
|
||||
key "nsupdate.info." {
|
||||
// everyone who has this key may update this zone:
|
||||
// must be same algorithm as in the Domain record of the nsupdate.info based service
|
||||
algorithm hmac-sha512;
|
||||
// the secret is just a shared secret in base64-encoding, you don't need
|
||||
// to use a special tool to create it. Some random in base64 encoding should
|
||||
// be OK. must be same secret as in the Domain record of the nsupdate.info based service
|
||||
// be OK. must be same secret as in the Domain database record of the nsupdate.info based service
|
||||
secret "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQ==";
|
||||
};
|
||||
|
||||
@ -13,6 +14,16 @@ zone nsupdate.info {
|
||||
type master;
|
||||
// bind9 needs write permissions into that directory and into that file:
|
||||
file "/etc/bind/zones/nsupdate.info";
|
||||
// everyone who has that key may update this zone:
|
||||
allow-update { key "nsupdate.info."; };
|
||||
update-policy {
|
||||
// these "deny" entries are needed for the service domain,
|
||||
// if you add another domain, you may want to check the need
|
||||
// for other "deny" entries if the zone is not fully available.
|
||||
// we don't allow updates to the infrastructure hosts:
|
||||
deny nsupdate.info. name nsupdate.info;
|
||||
deny nsupdate.info. name www.nsupdate.info;
|
||||
deny nsupdate.info. name ipv4.nsupdate.info;
|
||||
deny nsupdate.info. name ipv6.nsupdate.info;
|
||||
// but we allow updates to any other host:
|
||||
grant nsupdate.info. subdomain nsupdate.info;
|
||||
};
|
||||
};
|
||||
|
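Review bot: The `grant nsupdate.info. subdomain nsupdate.info;` rule in the new update-policy carries no record-type list, so any holder of the shared key can add or replace every RR type under the zone (NS, CNAME, MX, TXT …), not only the address records a dynamic-DNS host needs; the same applies to `grant {{ object.domain }}. subdomain {{ object.domain }};` in the template hunk further down. BIND evaluates update-policy rules in order with first match winning, so the preceding deny lines do shield the apex and the listed infrastructure names, but every other name is unrestricted in type. If the service only ever pushes address records, `grant nsupdate.info. subdomain nsupdate.info A AAAA;` limits what a leaked or abused key can do to the zone, and the comment above it could say so: `// but we allow address-record updates to any other host (widen the type list deliberately if more is needed):`. The enclosing `zone nsupdate.info {` block starts outside the hunk.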
@ -18,9 +18,12 @@
|
||||
// configuration snippet for bind 9 nameserver (put it into /etc/bind9/named.conf )
|
||||
|
||||
key "{{ object.domain }}." {
|
||||
// everyone who has this key may update this zone:
|
||||
// must be same algorithm as in the Domain record of the nsupdate.info based service
|
||||
algorithm {{ object.get_bind9_algorithm }};
|
||||
// the secret is just a shared secret in base64-encoding, you don't need to use a special tool
|
||||
// to create it. Some random in base64 encoding should be OK.
|
||||
// the secret is just a shared secret in base64-encoding, you don't need
|
||||
// to use a special tool to create it. Some random in base64 encoding should
|
||||
// be OK. must be same secret as in the Domain database record of the nsupdate.info based service
|
||||
secret "{{ shared_secret }}";
|
||||
};
|
||||
|
||||
@ -28,8 +31,18 @@ zone {{ object.domain }} {
|
||||
type master;
|
||||
// bind9 needs write permissions into that directory and into that file:
|
||||
file "/etc/bind/zones/{{ object.domain }}";
|
||||
// everyone who has that key may update this zone:
|
||||
allow-update { key "{{ object.domain }}."; };
|
||||
update-policy {
|
||||
// these "deny" entries are needed for the service domain,
|
||||
// if you add another domain, you may want to check the need
|
||||
// for other "deny" entries if the zone is not fully available.
|
||||
// we don't allow updates to the infrastructure hosts:
|
||||
deny {{ object.domain }}. name {{ object.domain }};
|
||||
deny {{ object.domain }}. name www.{{ object.domain }};
|
||||
deny {{ object.domain }}. name ipv4.{{ object.domain }};
|
||||
deny {{ object.domain }}. name ipv6.{{ object.domain }};
|
||||
// but we allow updates to any other host:
|
||||
grant {{ object.domain }}. subdomain {{ object.domain }};
|
||||
};
|
||||
};
|
||||
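Review bot: On the new side of the `@ -28,8 +31,18 @@` hunk the zone statement appears to keep `allow-update { key "{{ object.domain }}."; };` while adding the `update-policy { ... };` block — the hunk counts (8 old, 18 new, 18 lines shown) suggest nothing was removed here, unlike the example file above where allow-update looks to have been replaced. BIND treats `allow-update` and `update-policy` as mutually exclusive within a single zone and refuses to load such a configuration, so the rendered template would hand users a named.conf that fails named-checkconf. If that reading is right, the `// everyone who has that key may update this zone:` comment and the `allow-update` line should be removed from the template as they were in the example. The enclosing `zone {{ object.domain }} {` block starts outside the hunk. Separately, the `// ... Some random in base64 encoding should be OK` wording in the preceding hunk (and in the example file) would be more precise as `// the secret must be cryptographically random bytes (64 bytes for hmac-sha512), base64-encoded`, since base64 itself adds no entropy.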