diff --git a/bundles/bind/files/named.conf.local b/bundles/bind/files/named.conf.local
index 28482f6..6447296 100644
--- a/bundles/bind/files/named.conf.local
+++ b/bundles/bind/files/named.conf.local
@@ -1,6 +1,6 @@
-% for view_name, view_conf in views.items():
-acl "${view_name}" {
- % for ac in sorted(view_conf['acl'], key=lambda e: (not e.startswith('!'), not e.startswith('key'))):
+% for acl_name, acl_content in acls.items():
+acl "${acl_name}" {
+ % for ac in sorted(acl_content, key=lambda e: (not e.startswith('!'), not e.startswith('key'))):
 ${ac};
 % endfor
 };
@@ -47,7 +47,7 @@ view "${view_name}" {
 masters { ${master_ip}; };
 % endif
 % if type == 'master' and zone_conf.get('key', False):
- allow-update { key "${view_name}.${zone_name}"; };
+ allow-update { !{ !our-nets; any; }; key "${view_name}.${zone_name}"; };
 % endif
 file "/var/lib/bind/${view_name}/db.${zone_name}";
 };
diff --git a/bundles/bind/items.py b/bundles/bind/items.py
index af427a9..d1ed8af 100644
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
@@ -74,6 +74,13 @@ files['/etc/bind/named.conf.local'] = {
 'context': {
 'type': node.metadata.get('bind/type'),
 'master_ip': master_ip,
+ 'acls': {
+ **master_node.metadata.get('bind/acls'),
+ **{
+ view_name: view_conf['acl']
+ for view_name, view_conf in master_node.metadata.get('bind/views').items()
+ },
+ },
 'views': dict(sorted(
 master_node.metadata.get('bind/views').items(),
 key=lambda e: (e[1].get('default', False), e[0]),
diff --git a/bundles/bind/metadata.py b/bundles/bind/metadata.py
index 2e47882..8d496fe 100644
--- a/bundles/bind/metadata.py
+++ b/bundles/bind/metadata.py
@@ -11,15 +11,20 @@ defaults = {
 },
 'bind': {
 'slaves': {},
+ 'acls': {
+ 'our-nets': {
+ '127.0.0.1',
+ '10.0.0.0/8',
+ '169.254.0.0/16',
+ '172.16.0.0/12',
+ '192.168.0.0/16',
+ }
+ },
 'views': {
 'internal': {
 'is_internal': True,
 'acl': {
- '127.0.0.1',
- '10.0.0.0/8',
- '169.254.0.0/16',
- '172.16.0.0/12',
- '192.168.0.0/16',
+ 'our-nets',
 },
 'zones': {},
 },
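Review bot: The rewritten `sorted(acl_content, key=lambda e: (not e.startswith('!'), not e.startswith('key')))` only orders entries into three buckets, so entries within a bucket keep the iteration order of the input, and the ACL values added in metadata.py are Python sets of strings whose order depends on hash randomization. The rendered named.conf.local can therefore differ between runs with identical metadata, which shows up as spurious file changes and service reloads and makes the generated config hard to audit. Adding the entry itself as a final tie-breaker makes the output deterministic: `% for ac in sorted(acl_content, key=lambda e: (not e.startswith('!'), not e.startswith('key'), e)):`. The `% for acl_name` loop closes after `};` at the end of the hunk, so this is the whole loop body.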
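Review bot: The new `allow-update { !{ !our-nets; any; }; key "${view_name}.${zone_name}"; };` hard-codes the ACL name `our-nets` in the template, while every other ACL name in this file is now driven by the `acls` context built in items.py from `bind/acls` metadata; a node that overrides or omits that default leaves a dangling reference that only surfaces when named rejects the config. Since the intent is to require both a source in `our-nets` and a valid key, the restricting ACL should come from the zone metadata with the current value as fallback, e.g. `allow-update { !{ !${zone_conf.get('update_acl', 'our-nets')}; any; }; key "${view_name}.${zone_name}"; };`. The same coupling applies to the `'our-nets'` default added in the metadata.py hunk, which should carry a comment saying the template references it by name. The enclosing `view "${view_name}"` block and zone loop start outside this hunk.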
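Review bot: The `'acls'` dict merges `bind/acls` with one entry per view name, so a view whose name equals a `bind/acls` key silently replaces that ACL's contents, and an ACL that was meant to restrict updates could end up holding a view's address list instead. The merge order also fixes the definition order in named.conf.local, and named requires an ACL to be defined before another ACL or `allow-update` clause references it; the current order (metadata ACLs first, views second) works for `our-nets`, but nothing checks this, and I assume the merged metadata dict preserves insertion order (verify for bundlewrap). A guard before `files[...]` makes the collision explicit: `if set(master_node.metadata.get('bind/acls')) & set(master_node.metadata.get('bind/views')):` followed by `raise ValueError('bind: view names must not collide with bind/acls entries')`. The `files['/etc/bind/named.conf.local']` item starts before this hunk.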