DNSZone Module
==============

Description
-----------

The dnszone module allows configuring zones in a DNS server.

Features
--------

* Add, remove, modify, enable or disable DNS zones.

Supported FreeIPA Versions
--------------------------

FreeIPA versions 4.4.0 and up are supported by the ipadnszone module.

Requirements
------------

**Controller**
* Ansible version: 2.8+

**Node**
* Supported FreeIPA version (see above)

Usage
-----

Example inventory file:

```ini
[ipaserver]
ipaserver.test.local
```

Example playbook to create a simple DNS zone:

```yaml
---
- name: dnszone present
  hosts: ipaserver
  become: true

  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: present
```

Example playbook to create a DNS zone with all currently supported variables:

```yaml
---
- name: dnszone present
  hosts: ipaserver
  become: true

  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      allow_sync_ptr: true
      dynamic_update: true
      dnssec: true
      allow_transfer:
        - 1.1.1.1
        - 2.2.2.2
      allow_query:
        - 1.1.1.1
        - 2.2.2.2
      forwarders:
        - ip_address: 8.8.8.8
        - ip_address: 8.8.4.4
          port: 52
      serial: 1234
      refresh: 3600
      retry: 900
      expire: 1209600
      minimum: 3600
      ttl: 60
      default_ttl: 90
      name_server: ipaserver.test.local.
      admin_email: admin.admin@example.com
      nsec3param_rec: "1 7 100 0123456789abcdef"
      skip_overlap_check: true
      skip_nameserver_check: true
      state: present
```

Example playbook to disable a zone:

```yaml
---
- name: Playbook to disable DNS zone
  hosts: ipaserver
  become: true

  tasks:
  - name: Disable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: disabled
```

Example playbook to enable a zone:

```yaml
---
- name: Playbook to enable DNS zone
  hosts: ipaserver
  become: true

  tasks:
  - name: Enable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: enabled
```

Example playbook to remove a zone:

```yaml
---
- name: Playbook to remove DNS zone
  hosts: ipaserver
  become: true

  tasks:
  - name: Remove zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: absent
```

Example playbook to create a zone for reverse DNS lookup, from an IP address:

```yaml
---
- name: dnszone present
  hosts: ipaserver
  become: true

  tasks:
  - name: Ensure zone for reverse DNS lookup is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 192.168.1.2
      state: present
```

Note that in the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system gets while querying for zones. For this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller in the attribute `dnszone.name`. Since the inferred zone might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.

Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:

```yaml
---
- name: dnszone present
  hosts: ipaserver
  become: true

  tasks:
  - name: Ensure zone for reverse DNS lookup is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 192.168.1.2/24
      state: present
    register: result
  - name: Display inferred zone name.
    debug:
      msg: "Zone name: {{ result.dnszone.name }}"
```
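
To make the zone inference described above concrete, here is an added Python example; it is not code from the ansible-freeipa project. It computes the reverse zone that `name_from_ip` implies for a given prefix length, lists the candidate zones when no prefix is given (the three outcomes the note above names for `192.168.1.2`), and reports which candidate already exists in a zone list the caller supplies. The function names and the sample zone lists are assumptions of this example, and it also handles IPv6 (`ip6.arpa.`), which the playbooks above do not show.

```python
import ipaddress
from typing import List, Optional

# Added example (not ansible-freeipa code): predict the reverse zone name that
# `name_from_ip` implies, so the value later returned in `dnszone.name` can be
# anticipated or asserted on from the controller side.


def reverse_zone_from_prefix(ip_with_prefix: str) -> str:
    """Reverse zone for an address with an explicit prefix, e.g.
    192.168.1.2/24 -> 1.168.192.in-addr.arpa. (IPv6 -> ip6.arpa.).

    Only octet-aligned IPv4 (/8, /16, /24) and nibble-aligned IPv6 prefixes
    map onto a single reverse zone; anything else is rejected here rather
    than silently rounded, because no one zone name would be correct.
    """
    net = ipaddress.ip_network(ip_with_prefix, strict=False)
    step = 8 if net.version == 4 else 4
    if net.prefixlen == 0 or net.prefixlen % step:
        raise ValueError(f"prefix /{net.prefixlen} is not aligned to a reverse zone boundary")
    if net.version == 4:
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = ["in-addr", "arpa"]
    else:
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles[: net.prefixlen // 4])
        suffix = ["ip6", "arpa"]
    return ".".join(list(reversed(labels)) + suffix) + "."


def candidate_zones(ip: str) -> List[str]:
    """Zones a bare `name_from_ip` (no prefix) could resolve to, most specific
    first: for 192.168.1.2 these are the /24, /16 and /8 reverse zones the
    README lists as possible outcomes."""
    addr = ipaddress.ip_address(ip)
    step = 8 if addr.version == 4 else 4
    return [reverse_zone_from_prefix(f"{addr}/{plen}")
            for plen in range(addr.max_prefixlen - step, 0, -step)]


def matching_existing_zone(ip: str, existing_zones: List[str]) -> Optional[str]:
    """Most specific candidate zone already present in `existing_zones` (a list
    the caller obtains elsewhere, e.g. from an earlier play), or None.
    Knowing this before the play removes the ambiguity the README warns about."""
    known = {z.lower().rstrip(".") + "." for z in existing_zones}
    for zone in candidate_zones(ip):
        if zone in known:
            return zone
    return None


if __name__ == "__main__":
    # Constructed sample inputs, built around the README's example address.
    print(reverse_zone_from_prefix("192.168.1.2/24"))  # 1.168.192.in-addr.arpa.
    print(candidate_zones("192.168.1.2"))
    print(matching_existing_zone("192.168.1.2", ["168.192.in-addr.arpa."]))
```

The prefix check is deliberately strict: a `/23` cannot be expressed as one `in-addr.arpa.` zone, so the function raises instead of picking a neighbour, which mirrors why the README recommends giving a prefix length when the zone name matters.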

Variables
=========

ipadnszone
----------

Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `zone_name` | The zone name string or list of strings. | no
`name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has: | no
&nbsp; | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
&nbsp; | `port` - The custom port that should be used on this server. | no
`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no
`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | no
`state` | The state to ensure. It can be one of `present`, `enabled`, `disabled` or `absent`, default: `present`. | yes
`name_server` | Authoritative nameserver domain name | no
`admin_email` | Administrator e-mail address | no
`update_policy` | BIND update policy | no
`dynamic_update` \| `dynamicupdate` | Allow dynamic updates | no
`dnssec` | Allow inline DNSSEC signing of records in the zone | no
`allow_transfer` | List of IP addresses or networks which are allowed to transfer the zone | no
`allow_query` | List of IP addresses or networks which are allowed to issue queries | no
`serial` | SOA record serial number | no
`refresh` | SOA record refresh time | no
`retry` | SOA record retry time | no
`expire` | SOA record expire time | no
`minimum` | How long negative responses should be cached | no
`ttl` | Time to live for records at zone apex | no
`default_ttl` | Time to live for records without explicit TTL definition | no
`nsec3param_rec` | NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
`skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone | no
`skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
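
As an added example that is not part of the project, the following Python performs a controller-side pre-flight check of the parameters in this table, using the values from the all-variables playbook above as its clean input. It verifies the `state` and `forward_policy` values, the rule that `name_from_ip` works only with `state: present`, that `allow_transfer`, `allow_query` and `forwarders` entries parse as addresses or networks with a valid port, that `nsec3param_rec` has the four documented fields, and that the SOA timers are ordered sensibly. The function names, the constructed parameter dicts and the RFC 1912-style SOA ordering rule are this example's assumptions, not something the module itself enforces.

```python
import ipaddress
from typing import Any, Dict, List

# Added example (not ansible-freeipa code): a controller-side pre-flight check
# for ipadnszone parameters. It catches malformed ACL entries, forwarders and
# NSEC3PARAM strings, and the name_from_ip/state restriction, before the task
# ever reaches the FreeIPA server.

VALID_STATES = {"present", "enabled", "disabled", "absent"}
VALID_FORWARD_POLICIES = {"only", "first", "none"}


def _check_ip_or_network(value: Any, field: str, errors: List[str]) -> None:
    """allow_transfer / allow_query entries may be addresses or networks."""
    try:
        ipaddress.ip_network(str(value), strict=False)
    except ValueError:
        errors.append(f"{field}: {value!r} is not an IP address or network")


def _check_nsec3param(value: str, errors: List[str]) -> None:
    """Documented format: 'hash_algorithm flags iterations salt'. Field sizes
    follow RFC 5155 (8-bit, 8-bit, 16-bit, hex salt or '-' for no salt)."""
    parts = value.split()
    if len(parts) != 4:
        errors.append("nsec3param_rec: expected 'hash_algorithm flags iterations salt'")
        return
    for name, part, limit in (("hash_algorithm", parts[0], 255),
                              ("flags", parts[1], 255),
                              ("iterations", parts[2], 65535)):
        if not part.isdigit() or int(part) > limit:
            errors.append(f"nsec3param_rec: {name} must be an integer 0..{limit}")
    if parts[3] != "-":
        try:
            bytes.fromhex(parts[3])
        except ValueError:
            errors.append("nsec3param_rec: salt must be hexadecimal or '-'")


def validate_dnszone_params(params: Dict[str, Any]) -> List[str]:
    """Return a list of problems (empty when the parameters look sane)."""
    errors: List[str] = []
    state = params.get("state", "present")
    if state not in VALID_STATES:
        errors.append(f"state: {state!r} is not one of {sorted(VALID_STATES)}")
    if "name" not in params and "name_from_ip" not in params:
        errors.append("one of name or name_from_ip is required")
    if "name_from_ip" in params:
        # The README restricts name_from_ip to state: present.
        if state != "present":
            errors.append("name_from_ip can only be used with state: present")
        _check_ip_or_network(params["name_from_ip"], "name_from_ip", errors)
    policy = params.get("forward_policy")
    if policy is not None and policy not in VALID_FORWARD_POLICIES:
        errors.append(f"forward_policy: {policy!r} is not one of {sorted(VALID_FORWARD_POLICIES)}")
    for field in ("allow_transfer", "allow_query"):
        for entry in params.get(field, []):
            _check_ip_or_network(entry, field, errors)
    for fwd in params.get("forwarders", []):
        if "ip_address" not in fwd:
            errors.append("forwarders: every entry needs ip_address")
            continue
        try:
            ipaddress.ip_address(str(fwd["ip_address"]))
        except ValueError:
            errors.append(f"forwarders: {fwd['ip_address']!r} is not an IP address")
        port = fwd.get("port")
        if port is not None and not 1 <= int(port) <= 65535:
            errors.append(f"forwarders: port {port!r} out of range 1..65535")
    if "nsec3param_rec" in params:
        _check_nsec3param(str(params["nsec3param_rec"]), errors)
    # SOA timer ordering (RFC 1912 guidance, an assumption of this check, not
    # something the module enforces): retry < refresh, expire > refresh + retry.
    if all(k in params for k in ("refresh", "retry")):
        if params["retry"] >= params["refresh"]:
            errors.append("retry should be smaller than refresh")
        if "expire" in params and params["expire"] <= params["refresh"] + params["retry"]:
            errors.append("expire should be larger than refresh + retry")
    return errors


# Constructed from the README's all-variables playbook (module parameters only).
ZONE_FROM_README: Dict[str, Any] = {
    "name": "testzone.local", "allow_sync_ptr": True, "dynamic_update": True,
    "dnssec": True, "allow_transfer": ["1.1.1.1", "2.2.2.2"],
    "allow_query": ["1.1.1.1", "2.2.2.2"],
    "forwarders": [{"ip_address": "8.8.8.8"}, {"ip_address": "8.8.4.4", "port": 52}],
    "serial": 1234, "refresh": 3600, "retry": 900, "expire": 1209600,
    "minimum": 3600, "ttl": 60, "default_ttl": 90,
    "name_server": "ipaserver.test.local.", "admin_email": "admin.admin@example.com",
    "nsec3param_rec": "1 7 100 0123456789abcdef",
    "skip_overlap_check": True, "skip_nameserver_check": True, "state": "present",
}

# Constructed, deliberately broken input that trips four of the checks above.
BROKEN_ZONE: Dict[str, Any] = {
    "name_from_ip": "192.168.1.2", "state": "absent",
    "allow_transfer": ["not-an-ip"],
    "forwarders": [{"ip_address": "8.8.8.8", "port": 70000}],
    "nsec3param_rec": "1 7 100",
}
```

Running `validate_dnszone_params(ZONE_FROM_README)` returns an empty list, while `BROKEN_ZONE` yields four messages (the `name_from_ip`/`state` conflict, the bad ACL entry, the out-of-range port and the short NSEC3PARAM string). A check like this is cheap to run in a pre-task with `assert`, and it keeps a typo in a zone transfer ACL from being applied to the server.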

Return Values
=============

ipadnszone
----------

Variable | Description | Returned When
-------- | ----------- | -------------
`dnszone` | DNS Zone dict with zone name inferred from `name_from_ip`. Options: | If `state` is `present`, `name_from_ip` is used, and a zone was created.
&nbsp; | `name` - The name of the zone created, inferred from `name_from_ip`. | Always

Authors
=======

Sergio Oliveira Campos