From 3bcb5159f9b91b03e1479c46b6535643fab686f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?=
Date: Mon, 6 Oct 2008 23:58:04 +0000
Subject: [PATCH] stop overwriting named.conf starting this release, only named.conf.options will be replaced (as we need to modify the options {} block and can't just add another one). We still install a named.conf, a fresh version from Lenny this time, so that we get a clean start. Also get rid of the bind_internal parameter that is not really used or recommended, as it allows for authoritative nameservers to also serve recursive queries (which is bad practice). See: #1025 Closes: #1104
---
 .gitattributes | 1 +
 debian/alternc-slave.config | 7 ----
 debian/alternc-slave.postinst | 4 --
 debian/alternc-slave.templates | 6 ---
 debian/alternc.config | 7 ----
 debian/alternc.postinst | 4 --
 debian/changelog | 7 ++++
 debian/templates | 6 ---
 etc/alternc/templates/bind/named.conf | 37 ++++++-------------
 etc/alternc/templates/bind/named.conf.options | 30 +++++++++++++++
 install/alternc.install | 7 +---
 11 files changed, 50 insertions(+), 66 deletions(-)
 create mode 100644 etc/alternc/templates/bind/named.conf.options

diff --git a/.gitattributes b/.gitattributes
index 7d353035..496c1731 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -283,6 +283,7 @@ etc/alternc/postfix.cf -text
 etc/alternc/templates/alternc/bureau.conf -text
 etc/alternc/templates/bind/automatic.conf -text
 etc/alternc/templates/bind/named.conf -text
+etc/alternc/templates/bind/named.conf.options -text
 etc/alternc/templates/bind/slaveip.conf -text
 etc/alternc/templates/bind/templates/mx.template -text
 etc/alternc/templates/bind/templates/named.template -text
diff --git a/debian/alternc-slave.config b/debian/alternc-slave.config
index 896aaa47..5bd3c7ee 100644
--- a/debian/alternc-slave.config
+++ b/debian/alternc-slave.config
@@ -94,12 +94,6 @@ if [ -z "$RET" ]
 db_set alternc-slave/ns2 "$NS2_HOSTNAME"
 fi
 
-db_get alternc-slave/bind_internal
-if [ -z "$RET" ]
- then
-db_set alternc-slave/bind_internal "$BIND_INTERNAL"
-fi
-
 db_get alternc-slave/default_mx
 if [ -z "$RET" ]
 then
@@ -170,7 +164,6 @@ db_input low alternc-slave/mysql/client || true
 db_input low alternc-slave/sql/backup_type || true
 db_input low alternc-slave/sql/overwrite || true
 db_input low alternc-slave/monitor_ip || true
-db_input low alternc-slave/bind_internal || true
 db_go
 
 # vim: et sw=4
diff --git a/debian/alternc-slave.postinst b/debian/alternc-slave.postinst
index 52283945..62aff9a7 100644
--- a/debian/alternc-slave.postinst
+++ b/debian/alternc-slave.postinst
@@ -79,9 +79,6 @@ NS1_HOSTNAME=""
 # Secondary DNS hostname
 NS2_HOSTNAME=""
 
-# IP that have privilegied access to the DNS server. Separated by ';'.
-BIND_INTERNAL=""
-
 # Mail server hostname
 DEFAULT_MX=""
 
@@ -120,7 +117,6 @@ EOF
 update_var alternc-slave/monitor_ip MONITOR_IP
 update_var alternc-slave/ns1 NS1_HOSTNAME
 update_var alternc-slave/ns2 NS2_HOSTNAME
- update_var alternc-slave/bind_internal BIND_INTERNAL
 update_var alternc-slave/default_mx DEFAULT_MX
 update_var alternc-slave/mysql/client MYSQL_CLIENT
 update_var alternc-slave/sql/backup_type SQLBACKUP_TYPE
diff --git a/debian/alternc-slave.templates b/debian/alternc-slave.templates
index f7ce4c47..bc1d0b7b 100644
--- a/debian/alternc-slave.templates
+++ b/debian/alternc-slave.templates
@@ -142,12 +142,6 @@ _Description: The monitoring server:
 The IP address (or ip/prefix) of the server(s) which must be authorized to ping us and access apache status pages. Completely optional.
 
-Template:alternc-slave/bind_internal
-Type: string
-_Description: trusted servers for bind:
- IP address or prefix of trusted machines for DNS transfers,
- delimited by ';', optional.
-
 Template:alternc-slave/pop_before_smtp_warning
 Type: note
 _Description: POP Before SMTP deprecated
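Review bot: Removing `update_var alternc-slave/bind_internal BIND_INTERNAL` in the postinst `@@ -120,7 +117,6 @@` hunk stops writing the value, but a system upgrading from an earlier release keeps its previously stored `alternc-slave/bind_internal` answer in the debconf database unless debconf discards it on template reload, which I have not verified. Since nothing reads it any more this is only stale state, but a line such as `db_unregister alternc-slave/bind_internal || true` placed next to the remaining update_var calls would retire the question explicitly, and the same applies to the mirrored alternc.postinst hunk further down. The update_var run that encloses this hunk starts before it and continues after it.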
diff --git a/debian/alternc.config b/debian/alternc.config
index aaa95676..0116e1b7 100644
--- a/debian/alternc.config
+++ b/debian/alternc.config
@@ -94,12 +94,6 @@ if [ -z "$RET" ]
 db_set alternc/ns2 "$NS2_HOSTNAME"
 fi
 
-db_get alternc/bind_internal
-if [ -z "$RET" ]
- then
-db_set alternc/bind_internal "$BIND_INTERNAL"
-fi
-
 db_get alternc/default_mx
 if [ -z "$RET" ]
 then
@@ -170,7 +164,6 @@ db_input low alternc/mysql/client || true
 db_input low alternc/sql/backup_type || true
 db_input low alternc/sql/overwrite || true
 db_input low alternc/monitor_ip || true
-db_input low alternc/bind_internal || true
 db_go
 
 # vim: et sw=4
diff --git a/debian/alternc.postinst b/debian/alternc.postinst
index 325d1791..8df93b75 100644
--- a/debian/alternc.postinst
+++ b/debian/alternc.postinst
@@ -79,9 +79,6 @@ NS1_HOSTNAME=""
 # Secondary DNS hostname
 NS2_HOSTNAME=""
 
-# IP that have privilegied access to the DNS server. Separated by ';'.
-BIND_INTERNAL=""
-
 # Mail server hostname
 DEFAULT_MX=""
 
@@ -120,7 +117,6 @@ EOF
 update_var alternc/monitor_ip MONITOR_IP
 update_var alternc/ns1 NS1_HOSTNAME
 update_var alternc/ns2 NS2_HOSTNAME
- update_var alternc/bind_internal BIND_INTERNAL
 update_var alternc/default_mx DEFAULT_MX
 update_var alternc/mysql/client MYSQL_CLIENT
 update_var alternc/sql/backup_type SQLBACKUP_TYPE
diff --git a/debian/changelog b/debian/changelog
index f5b5a927..abfa7497 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -28,6 +28,13 @@ alternc (0.9.9) stable; urgency=low
 * note that even though main.cf is not directly overwritten (#1029, as per Debian Policy), some settings are directly overwritten. those settings are configured in /etc/alternc/postfix.cf.
+ * simplify the bind configuration: do not overwrite named.conf, put
+ all changes in named.options. get rid of the bind_internal parameter
+ that is not recommended anyways (as it allows recursive queries on an
+ authoritative nameserver). Note that the 'internal' ACL can still be
+ changed in a template if required. named.conf is still deployed by
+ AlternC, but this will be the last release that does so. See #1025 and
+ #1104.
 
 -- Antoine Beaupré Tue, 15 Apr 2008 11:52:56 -0400
 
diff --git a/debian/templates b/debian/templates
index 582f3209..954ba20d 100644
--- a/debian/templates
+++ b/debian/templates
@@ -142,12 +142,6 @@ _Description: The monitoring server:
 The IP address (or ip/prefix) of the server(s) which must be authorized to ping us and access apache status pages. Completely optional.
 
-Template: alternc/bind_internal
-Type: string
-_Description: trusted servers for bind:
- IP address or prefix of trusted machines for DNS transfers,
- delimited by ';', optional.
-
 Template: alternc/pop_before_smtp_warning
 Type: note
 _Description: POP Before SMTP deprecated
diff --git a/etc/alternc/templates/bind/named.conf b/etc/alternc/templates/bind/named.conf
index 50fab2c7..09c3e718 100644
--- a/etc/alternc/templates/bind/named.conf
+++ b/etc/alternc/templates/bind/named.conf
@@ -1,34 +1,22 @@
+// This is the primary configuration file for the BIND DNS server named.
 //
-// %%warning_message%%
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
 //
-acl "internal" {
- {
- %%bind_internal%%
- 127.0.0.1;
- };
-};
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
 
-include "/var/alternc/bind/slaveip.conf";
-
-options {
- directory "/var/cache/bind";
-
- // forwarders {
- // 0.0.0.0;
- // };
- version "Name Server Ready";
-
- auth-nxdomain no; # conform to RFC1035
- allow-query { "internal"; };
- allow-transfer { "allslaves"; };
- recursion no;
-};
+include "/etc/bind/named.conf.options";
 
+// prime the server with knowledge of the root servers
 zone "." {
 type hint;
 file "/etc/bind/db.root";
 };
 
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
 zone "localhost" {
 type master;
 file "/etc/bind/db.local";
@@ -49,7 +37,4 @@ zone "255.in-addr.arpa" {
 file "/etc/bind/db.255";
 };
 
-include "/etc/bind/rndc.key";
-
-// add entries for other zones below here
-include "/var/alternc/bind/automatic.conf";
+include "/etc/bind/named.conf.local";
diff --git a/etc/alternc/templates/bind/named.conf.options b/etc/alternc/templates/bind/named.conf.options
new file mode 100644
index 00000000..bf078027
--- /dev/null
+++ b/etc/alternc/templates/bind/named.conf.options
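Review bot: The new named.conf template drops the `// %%warning_message%%` banner, yet the install/alternc.install hunk below still lists etc/bind/named.conf in CONFIG_FILES, so /etc/bind/named.conf keeps being overwritten on every install while its header now reads like the stock Debian file and invites local edits that will be lost. Keep a one-line managed-file notice at the top until the file really stops being deployed, either the original `// %%warning_message%%` marker (if the install script still substitutes it, which is outside this hunk) or a plain `// Deployed by AlternC from etc/alternc/templates/bind/named.conf; local edits are overwritten`. The changelog entry announces this is the last release to deploy the file, so the notice could say so as well.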
@@ -0,0 +1,30 @@
+// Bind configuration for AlternC
+//
+// This is mostly a non-recursive, authoritative DNS server configuration
+options {
+ directory "/var/cache/bind";
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+ version "Name Server Ready";
+
+ auth-nxdomain no; # conform to RFC1035
+ allow-query { "internal"; };
+ allow-transfer { "allslaves"; };
+ recursion no;
+};
+
+acl "internal" {
+ {
+ 127.0.0.1;
+ };
+};
+
+// the ip of the slaves generated by alternc
+include "/var/alternc/bind/slaveip.conf";
+
+include "/etc/bind/rndc.key";
+
+// the zones generated by the users
+include "/var/alternc/bind/automatic.conf";
\ No newline at end of file
diff --git a/install/alternc.install b/install/alternc.install
index d751ef58..f9f52381 100644
--- a/install/alternc.install
+++ b/install/alternc.install
@@ -25,7 +25,7 @@ CONFIG_FILES="etc/alternc/bureau.conf"
 if [ -e /etc/bind/named.conf ]; then
 CONFIG_FILES="$CONFIG_FILES etc/bind/templates/zone.template
- etc/bind/templates/named.template etc/bind/named.conf"
+ etc/bind/templates/named.template etc/bind/named.conf etc/bind/named.conf.options"
 fi
 if [ -e /etc/courier/authdaemonrc ]; then
 CONFIG_FILES="$CONFIG_FILES etc/courier/authdaemonrc
@@ -110,10 +110,6 @@ NS2_IP=`perl -e "\\$h = (gethostbyname(\"$NS2_HOSTNAME\"))[4]; @ip = unpack('C4', \\$h); print join (\".\", @ip);"`
-if [ ! -z "$BIND_INTERNAL" ]; then
- BIND_INTERNAL="$BIND_INTERNAL;"
-fi
-
 if [ -z "$MONITOR_IP" ]; then
 MONITOR_IP="127.0.0.1"
 fi
@@ -129,7 +125,6 @@ s\\%%internal_ip%%\\$INTERNAL_IP\\;
 s\\%%monitor_ip%%\\$MONITOR_IP\\;
 s\\%%ns1%%\\$NS1_HOSTNAME\\;
 s\\%%ns2%%\\$NS2_HOSTNAME\\;
-s\\%%bind_internal%%\\$BIND_INTERNAL\\;
 s\\%%mx%%\\$DEFAULT_MX\\;
 s\\%%dbhost%%\\$MYSQL_HOST\\;
 s\\%%dbname%%\\$MYSQL_DATABASE\\;
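Review bot: `allow-query { "internal"; };` and `allow-transfer { "allslaves"; };` inside `options` are forward references: `acl "internal"` is only defined after the block and `"allslaves"` (presumably defined by the included slaveip.conf) is pulled in later still, and BIND requires an acl name to be defined before it is used, so named will refuse this file where the old named.conf, which placed the acl and the slaveip include before `options`, loaded fine. Move the acl and the slaveip include above `options` as in the excerpt below. Worth a second look as well: with bind_internal gone, `internal` is 127.0.0.1 alone, so the global `allow-query` default now admits only localhost; unless the zone template sets its own allow-query (not visible in this patch), the authoritative zones become unreachable from the outside, the opposite of what the commit intends. Minor: the file is missing its final newline.
```bind
// Bind configuration for AlternC
//
// This is mostly a non-recursive, authoritative DNS server configuration

// acl names must be defined before the options block that refers to them
acl "internal" {
	{
		127.0.0.1;
	};
};

// the ip of the slaves generated by alternc
include "/var/alternc/bind/slaveip.conf";

options {
	// … unchanged: directory, forwarders, version, auth-nxdomain,
	// allow-query, allow-transfer, recursion …
};

// … unchanged: rndc.key and automatic.conf includes …
```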