From 644abbcbf0d8160770fc0d4304fa23c4cd832e20 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Sun, 21 Apr 2024 14:28:04 -0600
Subject: [PATCH] Simplify BIND options for Debian 12.

Listen on localhost. Punt disabling SecureDNS; run with the defaults. One or both of the dnssec- options is no longer supported by BIND.
---
 README.org | 30 ++++++++++--------------------
 roles_t/core/tasks/main.yml | 27 +++++++++------------------
 2 files changed, 19 insertions(+), 38 deletions(-)

diff --git a/README.org b/README.org
index 8e6f867..be22896 100644
--- a/README.org
+++ b/README.org
@@ -2672,18 +2672,17 @@ The following tasks install and configure BIND9 on Core.
 Examples of the necessary zone files, for the "Install BIND9 zonefiles." task above, are given below. If the campus ISP provided one or more IP addresses for stable name servers, those should
-probably be used as forwarders rather than Google. And SecureDNS just
-craps up =/var/log/= and the Systemd journal.
+probably be used as forwarders rather than Google.
 #+NAME: bind-options
 #+CAPTION: ~bind-options~
 #+BEGIN_SRC conf
 acl "trusted" {
- {{ private_net_cidr }};
- {{ public_vpn_net_cidr }};
- {{ campus_vpn_net_cidr }};
- {{ gate_wifi_net_cidr }};
- localhost;
+ {{ private_net_cidr }};
+ {{ public_vpn_net_cidr }};
+ {{ campus_vpn_net_cidr }};
+ {{ gate_wifi_net_cidr }};
+ localhost;
 };
 options {
@@ -2698,19 +2697,10 @@ options {
 allow-recursion { trusted; };
 allow-query-cache { trusted; };
- //============================================================
- // If BIND logs error messages about the root key being
- // expired, you will need to update your keys.
- // See https://www.isc.org/bind-keys
- //============================================================
- //dnssec-validation auto;
- // If Secure DNS is too much of a headache...
- dnssec-enable no;
- dnssec-validation no;
-
- auth-nxdomain no; # conform to RFC1035
- //listen-on-v6 { any; };
- listen-on { {{ core_addr }}; };
+ listen-on {
+ {{ core_addr }};
+ localhost;
+ };
 };
 #+END_SRC
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index a63a7f1..0fd0455 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -92,11 +92,11 @@
 copy:
 content: |
 acl "trusted" {
- {{ private_net_cidr }};
- {{ public_vpn_net_cidr }};
- {{ campus_vpn_net_cidr }};
- {{ gate_wifi_net_cidr }};
- localhost;
+ {{ private_net_cidr }};
+ {{ public_vpn_net_cidr }};
+ {{ campus_vpn_net_cidr }};
+ {{ gate_wifi_net_cidr }};
+ localhost;
 };
 options {
@@ -111,19 +111,10 @@
 allow-recursion { trusted; };
 allow-query-cache { trusted; };
- //============================================================
- // If BIND logs error messages about the root key being
- // expired, you will need to update your keys.
- // See https://www.isc.org/bind-keys
- //============================================================
- //dnssec-validation auto;
- // If Secure DNS is too much of a headache...
- dnssec-enable no;
- dnssec-validation no;
-
- auth-nxdomain no; # conform to RFC1035
- //listen-on-v6 { any; };
- listen-on { {{ core_addr }}; };
+ listen-on {
+ {{ core_addr }};
+ localhost;
+ };
 };
 dest: /etc/bind/named.conf.options
 notify: Reload BIND9.
-- 
2.25.1
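Review bot: With `dnssec-enable no` and `dnssec-validation no` removed from the options block in main.yml and nothing put in their place, the resolver on Core now runs with BIND's built-in default for validation, which in the BIND 9.18 shipped by Debian 12 is `dnssec-validation auto` (validation on, using the built-in root trust anchor). That is a sound choice, but the tangled named.conf.options no longer records it and the removed comment block explaining why validation had been switched off is gone, so a one-line comment above `listen-on` such as `// dnssec-validation left at the BIND default (auto on 9.18: validate with the built-in root key)` would keep the next reader from assuming it is still disabled. Dropping the commented `//listen-on-v6 { any; };` likewise leaves listen-on-v6 at its default, which in current BIND releases is to listen on all IPv6 interfaces (verify against the installed version); if Core has a routable IPv6 address, an explicit `listen-on-v6 { none; };` or an IPv6 counterpart of the new `listen-on` list would keep IPv6 exposure aligned with the IPv4 list, since the `trusted` ACL only restricts recursion and cache queries, not which addresses the daemon binds. The same options block is changed identically in the README.org hunk above.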