bind - include redirect zone type, enable/disable zone option and fix sync code

author: Marcello Coutinho <marcellocoutinho@gmail.com> 2013-10-23 18:11:00 -0200
committer: Marcello Coutinho <marcellocoutinho@gmail.com> 2013-10-23 18:11:00 -0200
commit: bddbf46510b426f60a32ed26c0698822b991d7f3 (patch)
tree: f878d5508b0379ae768b037dd0375d0761742dfe /config/bind/bind.inc
parent: 600c422388506b0b42a25ce61eacf18e43e04822 (diff)
download: pfsense-packages-bddbf46510b426f60a32ed26c0698822b991d7f3.tar.gz
pfsense-packages-bddbf46510b426f60a32ed26c0698822b991d7f3.tar.bz2
pfsense-packages-bddbf46510b426f60a32ed26c0698822b991d7f3.zip
1 files changed, 62 insertions, 21 deletions
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 6ae870db..60fa23d5 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -60,9 +60,19 @@ function bind_zone_validate($post, $input_errors){
 			if( $_POST['forwarders'] == "")
 			$input_errors[] = 'The field \'Forwarders\' is required for forward zones.';
 		break;
+		case 'redirect':
+			$_POST['tll']=300;
+			$_POST['refresh']=0;
+			$_POST['serial']=0;
+			$_POST['retry']=0;
+			$_POST['expire']=0;
+			$_POST['minimum']=0;
+			if($_POST['mail']=='')
+				$input_errors[] = "The field 'Mail Admin Zone' is required for {$_POST['type']} zones.";
+			
 		default:
 			if($_POST['nameserver']=='')
-				$input_errors[] = 'The field \'Name server\' is required for master zones.';
+				$input_errors[] = "The field 'Name server' is required for {$_POST['type']} zones.";
 			for ($i=0;$i < count($_POST);$i++){
 				if (key_exists("hostname$i",$_POST)){
 					if ($_POST['reverso']=="on"){
@@ -261,12 +271,7 @@ EOD;
 		$bind_conf .= "\tmatch-clients { $viewmatchclients;};\n"; 
 		$bind_conf .= "\tallow-recursion { $viewallowrecursion;};\n"; 
 		$bind_conf .= "\t$viewcustomoptions\n\n"; 
-		
-		$bind_conf .="\tzone \".\" {\n";
-		$bind_conf .="\t\ttype hint;\n";
-		$bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n";
-		$bind_conf .= "\t};\n\n";
-	
+			
 		if(is_array($config["installedpackages"]["bindzone"])) 
 			$bindzone = $config["installedpackages"]["bindzone"]["config"];
 		else
@@ -276,8 +281,13 @@ EOD;
 		for ($x=0; $x<sizeof($bindzone); $x++)
 		{
 			$zone = $bindzone[$x];
-		
+			if ($zone['disabled']=="on"){
+				continue;
+				}
 			$zonename = $zone['name'];
+			if ($zonename=="."){
+				$custom_root_zone[$i]=true;
+			}
 			$zonetype = $zone['type'];
 			$zoneview = $zone['view'];
 			$zonecustom = base64_decode($zone['custom']);
@@ -313,31 +323,39 @@ EOD;
         			switch ($zonetype){
         				case "slave":
         				$bind_conf .= "\t\tmasters { $zoneipslave; };\n";
+        				$bind_conf .= "\t\tallow-transfer {none;};\n";
+        				$bind_conf .= "\t\tnotify no;\n";
         				break;
         				case "forward":
         				$bind_conf .= "\t\tforward only;\n";
         				$bind_conf .= "\t\tforwarders { $zoneforwarders; };\n";
         				break;
+        				case "redirect":
+							$bind_conf .= "\t\t# While using redirect zones,NXDOMAIN Redirection will not override DNSSEC\n";
+							$bind_conf .= "\t\t# If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur\n";
+							$bind_conf .= "\t\t# https://kb.isc.org/article/AA-00376/192/BIND-9.9-redirect-zones-for-NXDOMAIN-redirection.html\n";
+        				break;
         				default:
 						$bind_conf .= "\t\tallow-update { $zoneallowupdate;};\n"; 
 						$bind_conf .= "\t\tallow-query { $zoneallowquery;};\n"; 
 						$bind_conf .= "\t\tallow-transfer { $zoneallowtransfer;};\n";
-        				}
-        			if ($zone['dnssec']=="on"){
-        				//https://kb.isc.org/article/AA-00626/
-        				$bind_conf .="\n\t\t# look for dnssec keys here:\n";
-        				$bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n";
-        				$bind_conf .="\t\t# publish and activate dnssec keys:\n";
-        				$bind_conf .="\t\tauto-dnssec maintain;\n\n";
-        				$bind_conf .="\t\t# use inline signing:\n";
-        				$bind_conf .="\t\tinline-signing yes;\n\n";
-        				}
+	        			if ($zone['dnssec']=="on"){
+	        				//https://kb.isc.org/article/AA-00626/
+	        				$bind_conf .="\n\t\t# look for dnssec keys here:\n";
+	        				$bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n";
+	        				$bind_conf .="\t\t# publish and activate dnssec keys:\n";
+	        				$bind_conf .="\t\tauto-dnssec maintain;\n\n";
+	        				$bind_conf .="\t\t# use inline signing:\n";
+	        				$bind_conf .="\t\tinline-signing yes;\n\n";
+	        				}
+	        			}
 				 	if ($zonecustom != '')
         				$bind_conf .= "\t\t$zonecustom\n";
         				
 					$bind_conf .= "\t};\n\n";
         
 					switch($zonetype){
+					  case "redirect":
 					  case "master":
 					  	//check/update slave dir permission
 						chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind");
@@ -369,7 +387,7 @@ EOD;
 						$zone_conf .= ";\tDatabase file {$zonename}.DB for {$zonename} zone.\n";
 						$zone_conf .= ";\tDo not edit this file!!!\n";
 						$zone_conf .= ";\tZone version {$zoneserial}\n;\n";
-					 	if($zonereverso == "on")
+					 	if($zonereverso == "on" || $zonetype =="redirect")
 							$zone_conf .= "@\t IN  SOA $zonenameserver. \t $zonemail. (\n";	
 						else
 							$zone_conf .= "$zonename.\t IN  SOA $zonenameserver. \t $zonemail. (\n";	
@@ -445,6 +463,12 @@ EOD;
 					}
 				}
 		}
+		if (!$custom_root_zone[$i]){
+			$bind_conf .="\tzone \".\" {\n";
+			$bind_conf .="\t\ttype hint;\n";
+			$bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n";
+			$bind_conf .= "\t};\n\n";
+			}
 		if($write_config > 0){
 			write_config("save result config file for zone on xml");
 		}
@@ -489,6 +513,8 @@ EOD;
  		mwexec("/usr/local/etc/rc.d/named.sh restart");
  	else
  		mwexec("/usr/local/etc/rc.d/named.sh stop");
+ 	//sync to backup servers
+ 	bind_sync_on_changes();
  	conf_mount_ro();
 }
 
@@ -546,6 +572,21 @@ function bind_print_javascript_type_zone(){
 					document.iform.expire.disabled = 1;
 					document.iform.minimum.disabled = 1;
 				break;
+               	case 'redirect':
+					document.iform.slaveip.disabled = 1;
+					document.iform.tll.disabled = 1;
+					document.iform.nameserver.disabled = 0;
+					document.iform.reverso.disabled = 1;
+					document.iform.forwarders.disabled = 1;
+					document.iform.dnssec.disabled = 1;
+					document.iform.ipns.disabled = 1;
+					document.iform.mail.disabled = 0;
+					document.iform.serial.disabled = 0;
+					document.iform.refresh.disabled = 0;
+					document.iform.retry.disabled = 0;
+					document.iform.expire.disabled = 0;
+					document.iform.minimum.disabled = 0;
+				break;
        			}
         }
         -->
@@ -602,8 +643,8 @@ function delete_log_file(){
 /* Uses XMLRPC to synchronize the changes to a remote node */
 function bind_sync_on_changes() {
 	global $config, $g;
-	if (is_array($config['installedpackages']['bind']['config'])){
-		$bind_sync=$config['installedpackages']['bind']['config'][0];
+	if (is_array($config['installedpackages']['bindsync']['config'])){
+		$bind_sync=$config['installedpackages']['bindsync']['config'][0];
 		$synconchanges = $bind_sync['synconchanges'];
 		$synctimeout = $bind_sync['synctimeout'];
 		$master_zone_ip=$bind_sync['masterip'];
author	Marcello Coutinho <marcellocoutinho@gmail.com>	2013-10-23 18:11:00 -0200
committer	Marcello Coutinho <marcellocoutinho@gmail.com>	2013-10-23 18:11:00 -0200
commit	bddbf46510b426f60a32ed26c0698822b991d7f3 (patch)
tree	f878d5508b0379ae768b037dd0375d0761742dfe /config/bind/bind.inc
parent	600c422388506b0b42a25ce61eacf18e43e04822 (diff)
download	pfsense-packages-bddbf46510b426f60a32ed26c0698822b991d7f3.tar.gz pfsense-packages-bddbf46510b426f60a32ed26c0698822b991d7f3.tar.bz2 pfsense-packages-bddbf46510b426f60a32ed26c0698822b991d7f3.zip