From: Matt Birkholz Date: Sun, 21 Apr 2024 20:28:04 +0000 (-0600) Subject: Simplify BIND options for Debian 12. Listen on localhost. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=644abbcbf0d8160770fc0d4304fa23c4cd832e20;p=Institute Simplify BIND options for Debian 12. Listen on localhost. Punt disabling SecureDNS; run with the defaults. One or both of the dnssec- options is no longer supported by BIND. --- diff --git a/README.org b/README.org index 8e6f867..be22896 100644 --- a/README.org +++ b/README.org @@ -2672,18 +2672,17 @@ The following tasks install and configure BIND9 on Core. Examples of the necessary zone files, for the "Install BIND9 zonefiles." task above, are given below. If the campus ISP provided one or more IP addresses for stable name servers, those should -probably be used as forwarders rather than Google. And SecureDNS just -craps up =/var/log/= and the Systemd journal. +probably be used as forwarders rather than Google. #+NAME: bind-options #+CAPTION: ~bind-options~ #+BEGIN_SRC conf acl "trusted" { - {{ private_net_cidr }}; - {{ public_vpn_net_cidr }}; - {{ campus_vpn_net_cidr }}; - {{ gate_wifi_net_cidr }}; - localhost; + {{ private_net_cidr }}; + {{ public_vpn_net_cidr }}; + {{ campus_vpn_net_cidr }}; + {{ gate_wifi_net_cidr }}; + localhost; }; options { @@ -2698,19 +2697,10 @@ options { allow-recursion { trusted; }; allow-query-cache { trusted; }; - //============================================================ - // If BIND logs error messages about the root key being - // expired, you will need to update your keys. - // See https://www.isc.org/bind-keys - //============================================================ - //dnssec-validation auto; - // If Secure DNS is too much of a headache... - dnssec-enable no; - dnssec-validation no; - - auth-nxdomain no; # conform to RFC1035 - //listen-on-v6 { any; }; - listen-on { {{ core_addr }}; }; + listen-on { + {{ core_addr }}; + localhost; + }; }; #+END_SRC 
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index a63a7f1..0fd0455 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -92,11 +92,11 @@
 copy:
 content: |
 acl "trusted" {
- {{ private_net_cidr }};
- {{ public_vpn_net_cidr }};
- {{ campus_vpn_net_cidr }};
- {{ gate_wifi_net_cidr }};
- localhost;
+ {{ private_net_cidr }};
+ {{ public_vpn_net_cidr }};
+ {{ campus_vpn_net_cidr }};
+ {{ gate_wifi_net_cidr }};
+ localhost;
 };
 
 options {
@@ -111,19 +111,10 @@
 allow-recursion { trusted; };
 allow-query-cache { trusted; };
 
- //============================================================
- // If BIND logs error messages about the root key being
- // expired, you will need to update your keys.
- // See https://www.isc.org/bind-keys
- //============================================================
- //dnssec-validation auto;
- // If Secure DNS is too much of a headache...
- dnssec-enable no;
- dnssec-validation no;
-
- auth-nxdomain no; # conform to RFC1035
- //listen-on-v6 { any; };
- listen-on { {{ core_addr }}; };
+ listen-on {
+ {{ core_addr }};
+ localhost;
+ };
 };
 dest: /etc/bind/named.conf.options
 notify: Reload BIND9.
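Review bot: Dropping `dnssec-validation no` from the options block silently switches the resolver to BIND's default of `dnssec-validation auto`, so answers are now validated against the built-in trust anchor; that is the safer direction, but it is a behaviour change that deserves one line in the generated file, e.g. `// dnssec-validation is left at its default (auto): answers are validated.` The old file also carried `dnssec-enable no`, which current BIND packages reject, so a bad options file would take the resolver down when the `Reload BIND9.` handler fires; consider adding `validate: named-checkconf %s` to the copy task, provided named-checkconf accepts this acl/options fragment standalone on Debian 12. With the commented `//listen-on-v6` line gone, IPv6 listening now follows the packaged default rather than anything explicit here, so confirm it matches the intent of answering only on core_addr and localhost. The same options text is tangled from README.org, so any comment added here should be mirrored in the bind-options block there.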