diff --git a/ansible/roles/public_dns/files/master.db b/ansible/roles/public_dns/files/master.db
index 468c8c6..9587a4b 100644
--- a/ansible/roles/public_dns/files/master.db
+++ b/ansible/roles/public_dns/files/master.db
@@ -1,7 +1,7 @@
 $ORIGIN fizz.buzz.
 @ 3600 IN SOA ns1.fizz.buzz. (
 dnsadm.choopa.com. ; E-Mail of responsible person
- 2023061800 ; serial
+ 2023061900 ; serial
 7200 ; refresh (2 hours)
 3600 ; retry (1 hour)
 1209600 ; expire (2 weeks)
@@ -9,25 +9,30 @@ $ORIGIN fizz.buzz.
 )
 3600 IN NS ns1.fizz.buzz.
- ; 3600 IN NS ns2.fizz.buzz.
+ 3600 IN NS ns2.fizz.buzz.
+ 3600 IN NS ns5.he.net.
+ 3600 IN NS ns4.he.net.
+ 3600 IN NS ns3.he.net.
+ 3600 IN NS ns2.he.net.
+ 3600 IN NS ns1.he.net.
 ; Allow receiving mail at fizz.buzz
-1h IN MX 10 in1-smtp.messagingengine.com
-1h IN MX 20 in2-smtp.messagingengine.com
+IN MX 10 in1-smtp.messagingengine.com
+IN MX 20 in2-smtp.messagingengine.com
 ; Allows receivers to know you send your mail via Fastmail, and other servers
-1h IN TXT v=spf1 include:spf.messagingengine.com ?all
+IN TXT v=spf1 include:spf.messagingengine.com ?all
 ns1 IN A 74.80.180.138
-; ns2 IN A 74.80.180.138
+ns2 IN A 74.80.180.138
 ; Allow receiving mail on subdomains
-* 1h IN MX 10 in1-smtp.messagingengine.com
-* 1h IN MX 20 in2-smtp.messagingengine.com
+* IN MX 10 in1-smtp.messagingengine.com
+* IN MX 20 in2-smtp.messagingengine.com
 ; The A-records for mail.fizz.buzz override the wildcard, so we have to manually re-create the MX records
-mail 1h IN MX 10 in1-smtp.messagingengine.com
-mail 1h IN MX 20 in2-smtp.messagingengine.com
+mail IN MX 10 in1-smtp.messagingengine.com
+mail IN MX 20 in2-smtp.messagingengine.com
 ; Access webmail at mail.fizz.buzz
 mail IN A 103.168.172.47
diff --git a/ansible/roles/public_dns/files/pdns.conf b/ansible/roles/public_dns/files/pdns.conf
index a8bb4ef..6e18f74 100644
--- a/ansible/roles/public_dns/files/pdns.conf
+++ b/ansible/roles/public_dns/files/pdns.conf
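Review bot: The MX targets on the new side are still unqualified, so under `$ORIGIN fizz.buzz.` each `in1-smtp.messagingengine.com` / `in2-smtp.messagingengine.com` is a relative name and loads as `in1-smtp.messagingengine.com.fizz.buzz.`; the apex, `*` and `mail` MX lines all need a trailing dot, e.g. `IN MX 10 in1-smtp.messagingengine.com.`. Dropping the `1h` TTL also left the apex MX and TXT lines with `IN` as their first token; if those lines really start at column 0 (leading whitespace is not reliable in this collapsed diff) `IN` is read as the owner name, so writing the owner explicitly, `@ IN MX 10 in1-smtp.messagingengine.com.`, removes the dependence on indentation. The SPF record keeps `?all`, which makes the policy neutral for every sender not covered by the include and so gives receivers nothing to reject spoofed mail on; `~all` or `-all` once all sending sources are listed is the usual choice. `ns2` is given the same address as `ns1` (74.80.180.138), so the second in-zone NS adds a name but no redundancy.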
@@ -1,11 +1,12 @@
-launch=gsqlite3,bind
+launch=gsqlite3
 gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
 gsqlite3-pragma-foreign-keys=yes
-bind-config=/usr/local/etc/pdns/bind.conf
 master=yes
 allow-axfr-ips=
 dnsupdate=yes
-allow-dnsupdate-from=
+allow-dnsupdate-from=10.215.1.0/24
+# Only notify on ipv4
+only-notify=0.0.0.0/0
 # Autogenerated configuration file template
diff --git a/ansible/roles/public_dns/tasks/freebsd.yaml b/ansible/roles/public_dns/tasks/freebsd.yaml
index e0eb54a..0011993 100644
--- a/ansible/roles/public_dns/tasks/freebsd.yaml
+++ b/ansible/roles/public_dns/tasks/freebsd.yaml
@@ -1,4 +1,3 @@
-# NOTE: I had to disable bind and manually create the fizz.buzz zone with the sqlite backend or else the metadata updates would have no effect.
 - name: Install packages
 package:
 name:
@@ -24,7 +23,6 @@
 group: pdns
 loop:
 - /var/lib/powerdns
-- /var/lib/powerdns/zones/
 - name: Copy files
 copy:
@@ -41,19 +39,22 @@
 - name: Initialize DB
 command: "sudo -u pdns sqlite3 -init /usr/local/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3"
+ register: initdb
 args:
 creates: "/var/lib/powerdns/pdns.sqlite3"
-- name: Copy files
- copy:
- src: "files/{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: 0644
- owner: pdns
- group: pdns
- loop:
- - src: master.db dest: /var/lib/powerdns/zones/
+- name: Initialize DB
+ when: initdb.changed
+ register: initsql
+ command: "sudo -u pdns zone2sql zone2sql --gsqlite=yes --named-conf=/usr/local/etc/pdns/bind.conf --transactions=yes"
+ args:
+ stdin: "{{ lookup('file', 'master.db') }}"
+
+- name: Initialize DB
+ when: initdb.changed
+ command: "sudo -u pdns sqlite3 /var/lib/powerdns/pdns.sqlite3"
+ args:
+ stdin: "{{ initsql.stdout }}"
 - name: Check TSIG keys
 command: pdnsutil list-tsig-keys
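Review bot: `allow-dnsupdate-from=10.215.1.0/24` is a server-wide setting, so every zone served from the sqlite backend accepts RFC 2136 updates from that range, and only zones that also carry `TSIG-ALLOW-DNSUPDATE` metadata require a signature on top of the IP check. PowerDNS unions this global list with a zone's `ALLOW-DNSUPDATE-FROM` metadata, and this same commit adds that metadata for fizz.buzz, so the global line can stay `allow-dnsupdate-from=` and the /24 is then permitted only where the per-zone metadata grants it. With the he.net servers now listed as NS, `allow-axfr-ips=` stays empty and nothing in this diff grants their transfer sources AXFR (the TSIG-ALLOW-AXFR metadata covers only the `externaldns` key), so those secondaries cannot pull the zone unless the transfer is arranged elsewhere. The comment `# Only notify on ipv4` restates the mechanism; a word on why IPv6 notifies are unwanted would help the next reader.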
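Review bot: The zone2sql command repeats the program name, `sudo -u pdns zone2sql zone2sql --gsqlite=yes ...`; the second `zone2sql` is passed as a stray argument, which is harmless only if zone2sql ignores positional arguments, so it should be dropped. The task also feeds master.db on stdin while pointing zone2sql at `--named-conf=/usr/local/etc/pdns/bind.conf`; zone2sql opens the zone file paths named in that config, so unless bind.conf names /dev/stdin the stdin content is presumably ignored and the old `/var/lib/powerdns/zones/` path, which this commit no longer creates or copies to, is what gets opened — `--zone=/dev/stdin --zone-name=fizz.buzz` in place of `--named-conf` would make the stdin lookup effective. Three consecutive tasks are all named `Initialize DB`, which makes play output and `--start-at-task` ambiguous; names such as `Initialize DB schema`, `Convert zone to SQL` and `Load zone into DB` would tell them apart. The `sudo -u pdns` prefix on each command could be `become_user: pdns` so Ansible handles the privilege switch consistently.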
@@ -89,3 +90,16 @@
 command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-DNSUPDATE externaldns
 when: '"externaldns" not in tsigallowupdate.stdout'
+- name: Check ALLOW-DNSUPDATE-FROM
+ command: pdnsutil get-meta fizz.buzz ALLOW-DNSUPDATE-FROM
+ register: allowdnsupdatefrom
+ changed_when: false
+ check_mode: no
+
+- name: Allow IP addresses
+ command: pdnsutil add-meta fizz.buzz ALLOW-DNSUPDATE-FROM 10.215.1.0/24
+ when: '"10.215.1.0/24" not in allowdnsupdatefrom.stdout'
+
+- name: Allow AXFR from the externaldns tsig key
+ command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR externaldns
+ when: '"externaldns" not in tsigaxfr.stdout'
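Review bot: The new `Allow AXFR from the externaldns tsig key` task conditions on `tsigaxfr.stdout`, but no task in this hunk registers `tsigaxfr`; unless a `get-meta fizz.buzz TSIG-ALLOW-AXFR` check exists outside the hunk, the play fails with an undefined variable at `when: '"externaldns" not in tsigaxfr.stdout'`. The ALLOW-DNSUPDATE-FROM pair just above shows the pattern to follow: a check task with `changed_when: false` and `check_mode: no` registering the variable, then the guarded `add-meta`. The range `10.215.1.0/24` is also duplicated between this task and `allow-dnsupdate-from` in pdns.conf; a single role variable would keep the two from drifting. The task whose `command:`/`when:` lines open this hunk starts outside it.

```yaml
- name: Check TSIG-ALLOW-AXFR
  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-AXFR
  register: tsigaxfr
  changed_when: false
  check_mode: no

- name: Allow AXFR from the externaldns tsig key
  # … unchanged: command / when …
```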