stop overwriting named.conf

starting this release, only named.conf.options will be replaced (as we
need to modify the options {} block and can't just add another one). We
still install a named.conf, a fresh version from Lenny this time, so
that we get a clean start.

Also get rid of the bind_internal parameter that is not really used or
recommended, as it allows for authoritative nameservers to also serve
recursive queries (which is bad practice).

See: #1025
Closes: #1104

.gitattributes

@@ -283,6 +283,7 @@ etc/alternc/postfix.cf -text
 etc/alternc/templates/alternc/bureau.conf -text
 etc/alternc/templates/bind/automatic.conf -text
 etc/alternc/templates/bind/named.conf -text
+etc/alternc/templates/bind/named.conf.options -text
 etc/alternc/templates/bind/slaveip.conf -text
 etc/alternc/templates/bind/templates/mx.template -text
 etc/alternc/templates/bind/templates/named.template -text

debian/alternc-slave.config

@@ -94,12 +94,6 @@ if [ -z "$RET" ]
 db_set alternc-slave/ns2 "$NS2_HOSTNAME"
 fi
 
-db_get alternc-slave/bind_internal
-if [ -z "$RET" ]
-    then
-db_set alternc-slave/bind_internal "$BIND_INTERNAL"
-fi
-
 db_get alternc-slave/default_mx
 if [ -z "$RET" ]
     then
@@ -170,7 +164,6 @@ db_input low alternc-slave/mysql/client || true
 db_input low alternc-slave/sql/backup_type || true
 db_input low alternc-slave/sql/overwrite || true
 db_input low alternc-slave/monitor_ip || true
-db_input low alternc-slave/bind_internal || true
 db_go
 
 # vim: et sw=4

debian/alternc-slave.postinst

@@ -79,9 +79,6 @@ NS1_HOSTNAME=""
 # Secondary DNS hostname
 NS2_HOSTNAME=""
 
-# IP that have privilegied access to the DNS server. Separated by ';'.
-BIND_INTERNAL=""
-
 # Mail server hostname
 DEFAULT_MX=""
 
@@ -120,7 +117,6 @@ EOF
     update_var alternc-slave/monitor_ip MONITOR_IP
     update_var alternc-slave/ns1 NS1_HOSTNAME
     update_var alternc-slave/ns2 NS2_HOSTNAME
-    update_var alternc-slave/bind_internal BIND_INTERNAL
     update_var alternc-slave/default_mx DEFAULT_MX 
     update_var alternc-slave/mysql/client MYSQL_CLIENT 
     update_var alternc-slave/sql/backup_type SQLBACKUP_TYPE

debian/alternc-slave.templates

@@ -142,12 +142,6 @@ _Description: The monitoring server:
  The IP address (or ip/prefix) of the server(s) which must be authorized to 
  ping us and access apache status pages. Completely optional.
 
-Template:alternc-slave/bind_internal
-Type: string
-_Description: trusted servers for bind:
- IP address or prefix of trusted machines for DNS transfers,
- delimited by ';', optional.
-
 Template:alternc-slave/pop_before_smtp_warning
 Type: note
 _Description: POP Before SMTP deprecated

debian/alternc.config

@@ -94,12 +94,6 @@ if [ -z "$RET" ]
 db_set alternc/ns2 "$NS2_HOSTNAME"
 fi
 
-db_get alternc/bind_internal
-if [ -z "$RET" ]
-    then
-db_set alternc/bind_internal "$BIND_INTERNAL"
-fi
-
 db_get alternc/default_mx
 if [ -z "$RET" ]
     then
@@ -170,7 +164,6 @@ db_input low alternc/mysql/client || true
 db_input low alternc/sql/backup_type || true
 db_input low alternc/sql/overwrite || true
 db_input low alternc/monitor_ip || true
-db_input low alternc/bind_internal || true
 db_go
 
 # vim: et sw=4

debian/alternc.postinst

@@ -79,9 +79,6 @@ NS1_HOSTNAME=""
 # Secondary DNS hostname
 NS2_HOSTNAME=""
 
-# IP that have privilegied access to the DNS server. Separated by ';'.
-BIND_INTERNAL=""
-
 # Mail server hostname
 DEFAULT_MX=""
 
@@ -120,7 +117,6 @@ EOF
     update_var alternc/monitor_ip MONITOR_IP
     update_var alternc/ns1 NS1_HOSTNAME
     update_var alternc/ns2 NS2_HOSTNAME
-    update_var alternc/bind_internal BIND_INTERNAL
     update_var alternc/default_mx DEFAULT_MX 
     update_var alternc/mysql/client MYSQL_CLIENT 
     update_var alternc/sql/backup_type SQLBACKUP_TYPE

debian/changelog

@@ -28,6 +28,13 @@ alternc (0.9.9) stable; urgency=low
     * note that even though main.cf is not directly overwritten (#1029, as
       per Debian Policy), some settings are directly overwritten. those
       settings are configured in /etc/alternc/postfix.cf.
+    * simplify the bind configuration: do not overwrite named.conf, put
+      all changes in named.options. get rid of the bind_internal parameter
+      that is not recommended anyways (as it allows recursive queries on an
+      authoritative nameserver). Note that the 'internal' ACL can still be
+      changed in a template if required. named.conf is still deployed by
+      AlternC, but this will be the last release that does so. See #1025 and
+      #1104.
 
  -- Antoine Beaupré <anarcat@koumbit.org>  Tue, 15 Apr 2008 11:52:56 -0400
 

debian/templates

@@ -142,12 +142,6 @@ _Description: The monitoring server:
  The IP address (or ip/prefix) of the server(s) which must be authorized to 
  ping us and access apache status pages. Completely optional.
 
-Template: alternc/bind_internal
-Type: string
-_Description: trusted servers for bind:
- IP address or prefix of trusted machines for DNS transfers,
- delimited by ';', optional.
-
 Template: alternc/pop_before_smtp_warning
 Type: note
 _Description: POP Before SMTP deprecated

etc/alternc/templates/bind/named.conf

@@ -1,34 +1,22 @@
+// This is the primary configuration file for the BIND DNS server named.
 //
-// %%warning_message%%
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
 //
-acl "internal" {
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
-        {
-        %%bind_internal%%
-	127.0.0.1;
-        };
-};
 
-include "/var/alternc/bind/slaveip.conf";
+include "/etc/bind/named.conf.options";
-
-options {
-	directory "/var/cache/bind";
-
-	// forwarders {
-	// 	0.0.0.0;
-	// };
-	version "Name Server Ready";
-
-	auth-nxdomain no;    # conform to RFC1035
-        allow-query     { "internal"; };
-        allow-transfer  { "allslaves"; };
-	recursion no;
-};
 
+// prime the server with knowledge of the root servers
 zone "." {
 	type hint;
 	file "/etc/bind/db.root";
 };
 
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
 zone "localhost" {
 	type master;
 	file "/etc/bind/db.local";
@@ -49,7 +37,4 @@ zone "255.in-addr.arpa" {
 	file "/etc/bind/db.255";
 };
 
-include "/etc/bind/rndc.key";
+include "/etc/bind/named.conf.local";
-
-// add entries for other zones below here
-include "/var/alternc/bind/automatic.conf";

etc/alternc/templates/bind/named.conf.options

@@ -0,0 +1,30 @@
+// Bind configuration for AlternC
+//
+// This is mostly a non-recursive, authoritative DNS server configuration
+options {
+	directory "/var/cache/bind";
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+	version "Name Server Ready";
+
+	auth-nxdomain no;    # conform to RFC1035
+        allow-query     { "internal"; };
+        allow-transfer  { "allslaves"; };
+	recursion no;
+};
+
+acl "internal" {
+        {
+	127.0.0.1;
+        };
+};
+
+// the ip of the slaves generated by alternc
+include "/var/alternc/bind/slaveip.conf";
+
+include "/etc/bind/rndc.key";
+
+// the zones generated by the users
+include "/var/alternc/bind/automatic.conf";

install/alternc.install

@@ -25,7 +25,7 @@ CONFIG_FILES="etc/alternc/bureau.conf"
 
 if [ -e /etc/bind/named.conf ]; then
     CONFIG_FILES="$CONFIG_FILES etc/bind/templates/zone.template
-                  etc/bind/templates/named.template etc/bind/named.conf"
+                  etc/bind/templates/named.template etc/bind/named.conf etc/bind/named.conf.options"
 fi
 if [ -e /etc/courier/authdaemonrc ]; then
     CONFIG_FILES="$CONFIG_FILES etc/courier/authdaemonrc
@@ -110,10 +110,6 @@ NS2_IP=`perl -e "\\$h = (gethostbyname(\"$NS2_HOSTNAME\"))[4];
                  @ip = unpack('C4', \\$h);
                  print join (\".\", @ip);"`
 
-if [ ! -z "$BIND_INTERNAL" ]; then
-    BIND_INTERNAL="$BIND_INTERNAL;"
-fi
-
 if [ -z "$MONITOR_IP" ]; then
     MONITOR_IP="127.0.0.1"
 fi
@@ -129,7 +125,6 @@ s\\%%internal_ip%%\\$INTERNAL_IP\\;
 s\\%%monitor_ip%%\\$MONITOR_IP\\;
 s\\%%ns1%%\\$NS1_HOSTNAME\\;
 s\\%%ns2%%\\$NS2_HOSTNAME\\;
-s\\%%bind_internal%%\\$BIND_INTERNAL\\;
 s\\%%mx%%\\$DEFAULT_MX\\;
 s\\%%dbhost%%\\$MYSQL_HOST\\;
 s\\%%dbname%%\\$MYSQL_DATABASE\\;