authorMarcello Coutinho <marcellocoutinho@gmail.com>2013-10-23 18:11:00 -0200
committerMarcello Coutinho <marcellocoutinho@gmail.com>2013-10-23 18:11:00 -0200
commitbddbf46510b426f60a32ed26c0698822b991d7f3 (patch)
treef878d5508b0379ae768b037dd0375d0761742dfe /config/bind
parent600c422388506b0b42a25ce61eacf18e43e04822 (diff)
bind - include redirect zone type, enable/disable zone option and fix sync code
Diffstat (limited to 'config/bind')
-rw-r--r--config/bind/bind.inc83
-rw-r--r--config/bind/bind.xml5
-rw-r--r--config/bind/bind_sync.xml7
-rw-r--r--config/bind/bind_zones.xml20
4 files changed, 87 insertions, 28 deletions
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 6ae870db..60fa23d5 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -60,9 +60,19 @@ function bind_zone_validate($post, $input_errors){
if( $_POST['forwarders'] == "")
$input_errors[] = 'The field \'Forwarders\' is required for forward zones.';
break;
+ case 'redirect':
+ $_POST['tll']=300;
+ $_POST['refresh']=0;
+ $_POST['serial']=0;
+ $_POST['retry']=0;
+ $_POST['expire']=0;
+ $_POST['minimum']=0;
+ if($_POST['mail']=='')
+ $input_errors[] = "The field 'Mail Admin Zone' is required for {$_POST['type']} zones.";
+
default:
if($_POST['nameserver']=='')
- $input_errors[] = 'The field \'Name server\' is required for master zones.';
+ $input_errors[] = "The field 'Name server' is required for {$_POST['type']} zones.";
for ($i=0;$i < count($_POST);$i++){
if (key_exists("hostname$i",$_POST)){
if ($_POST['reverso']=="on"){
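Review bot: The new `case 'redirect':` block ends at the blank line before `default:` with no `break`, so it falls through into the master-zone checks; that looks intentional (redirect zones also need a name server, and the JS hunk enables that field), but it should be marked, e.g. `// no break: redirect zones also require the 'Name server' check below`. The block also writes its fixed defaults (`tll`, `refresh`, `serial`, `retry`, `expire`, `minimum`) straight into `$_POST` even though the function receives `$post`; that matches the rest of the function but hides the overrides from the caller. bind_zone_validate's body continues outside the hunk.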
@@ -261,12 +271,7 @@ EOD;
$bind_conf .= "\tmatch-clients { $viewmatchclients;};\n";
$bind_conf .= "\tallow-recursion { $viewallowrecursion;};\n";
$bind_conf .= "\t$viewcustomoptions\n\n";
-
- $bind_conf .="\tzone \".\" {\n";
- $bind_conf .="\t\ttype hint;\n";
- $bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n";
- $bind_conf .= "\t};\n\n";
-
+
if(is_array($config["installedpackages"]["bindzone"]))
$bindzone = $config["installedpackages"]["bindzone"]["config"];
else
@@ -276,8 +281,13 @@ EOD;
for ($x=0; $x<sizeof($bindzone); $x++)
{
$zone = $bindzone[$x];
-
+ if ($zone['disabled']=="on"){
+ continue;
+ }
$zonename = $zone['name'];
+ if ($zonename=="."){
+ $custom_root_zone[$i]=true;
+ }
$zonetype = $zone['type'];
$zoneview = $zone['view'];
$zonecustom = base64_decode($zone['custom']);
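Review bot: `$custom_root_zone[$i]=true;` in the new `if ($zonename==".")` check indexes with `$i`, but the surrounding zone loop variable is `$x` (`for ($x=0; $x<sizeof($bindzone); $x++)`) and `$i` is not set anywhere in this hunk; the same `$i` is read back in the hunk at `@@ -445,6 +463,12 @@` (`if (!$custom_root_zone[$i])`). If `$i` is the index of an enclosing per-view loop this works, but `$custom_root_zone` is never initialised, so the later read raises an undefined-index notice for every view without a custom root zone. Consider `$custom_root_zone = array();` before the view loop, and confirm `$i` really is the view index rather than keying on `$zoneview`. The enclosing function starts and ends outside the hunk.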
@@ -313,31 +323,39 @@ EOD;
switch ($zonetype){
case "slave":
$bind_conf .= "\t\tmasters { $zoneipslave; };\n";
+ $bind_conf .= "\t\tallow-transfer {none;};\n";
+ $bind_conf .= "\t\tnotify no;\n";
break;
case "forward":
$bind_conf .= "\t\tforward only;\n";
$bind_conf .= "\t\tforwarders { $zoneforwarders; };\n";
break;
+ case "redirect":
+ $bind_conf .= "\t\t# While using redirect zones,NXDOMAIN Redirection will not override DNSSEC\n";
+ $bind_conf .= "\t\t# If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur\n";
+ $bind_conf .= "\t\t# https://kb.isc.org/article/AA-00376/192/BIND-9.9-redirect-zones-for-NXDOMAIN-redirection.html\n";
+ break;
default:
$bind_conf .= "\t\tallow-update { $zoneallowupdate;};\n";
$bind_conf .= "\t\tallow-query { $zoneallowquery;};\n";
$bind_conf .= "\t\tallow-transfer { $zoneallowtransfer;};\n";
- }
- if ($zone['dnssec']=="on"){
- //https://kb.isc.org/article/AA-00626/
- $bind_conf .="\n\t\t# look for dnssec keys here:\n";
- $bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n";
- $bind_conf .="\t\t# publish and activate dnssec keys:\n";
- $bind_conf .="\t\tauto-dnssec maintain;\n\n";
- $bind_conf .="\t\t# use inline signing:\n";
- $bind_conf .="\t\tinline-signing yes;\n\n";
- }
+ if ($zone['dnssec']=="on"){
+ //https://kb.isc.org/article/AA-00626/
+ $bind_conf .="\n\t\t# look for dnssec keys here:\n";
+ $bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n";
+ $bind_conf .="\t\t# publish and activate dnssec keys:\n";
+ $bind_conf .="\t\tauto-dnssec maintain;\n\n";
+ $bind_conf .="\t\t# use inline signing:\n";
+ $bind_conf .="\t\tinline-signing yes;\n\n";
+ }
+ }
if ($zonecustom != '')
$bind_conf .= "\t\t$zonecustom\n";
$bind_conf .= "\t};\n\n";
switch($zonetype){
+ case "redirect":
case "master":
//check/update slave dir permission
chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind");
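Review bot: Re-indenting the `if ($zone['dnssec']=="on")` block and moving the closing `}` after it places inline signing inside the `default:` case, so a slave zone with DNSSEC checked no longer gets `key-directory`, `auto-dnssec maintain` and `inline-signing yes`; before this change the block ran for every zone type. If that is intended, say so with a comment such as `// inline signing is emitted for master zones only; the dnssec flag is ignored for other types`, otherwise restore the block after the switch. The added `allow-transfer {none;};` and `notify no;` for slave zones are a sensible tightening. The new `case "redirect":` shares the `chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind")` path with master, which assumes an `/etc/namedb/redirect` directory exists — worth confirming it is created the same way as the master one. The function continues outside the hunk.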
@@ -369,7 +387,7 @@ EOD;
$zone_conf .= ";\tDatabase file {$zonename}.DB for {$zonename} zone.\n";
$zone_conf .= ";\tDo not edit this file!!!\n";
$zone_conf .= ";\tZone version {$zoneserial}\n;\n";
- if($zonereverso == "on")
+ if($zonereverso == "on" || $zonetype =="redirect")
$zone_conf .= "@\t IN SOA $zonenameserver. \t $zonemail. (\n";
else
$zone_conf .= "$zonename.\t IN SOA $zonenameserver. \t $zonemail. (\n";
@@ -445,6 +463,12 @@ EOD;
}
}
}
+ if (!$custom_root_zone[$i]){
+ $bind_conf .="\tzone \".\" {\n";
+ $bind_conf .="\t\ttype hint;\n";
+ $bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n";
+ $bind_conf .= "\t};\n\n";
+ }
if($write_config > 0){
write_config("save result config file for zone on xml");
}
@@ -489,6 +513,8 @@ EOD;
mwexec("/usr/local/etc/rc.d/named.sh restart");
else
mwexec("/usr/local/etc/rc.d/named.sh stop");
+ //sync to backup servers
+ bind_sync_on_changes();
conf_mount_ro();
}
@@ -546,6 +572,21 @@ function bind_print_javascript_type_zone(){
document.iform.expire.disabled = 1;
document.iform.minimum.disabled = 1;
break;
+ case 'redirect':
+ document.iform.slaveip.disabled = 1;
+ document.iform.tll.disabled = 1;
+ document.iform.nameserver.disabled = 0;
+ document.iform.reverso.disabled = 1;
+ document.iform.forwarders.disabled = 1;
+ document.iform.dnssec.disabled = 1;
+ document.iform.ipns.disabled = 1;
+ document.iform.mail.disabled = 0;
+ document.iform.serial.disabled = 0;
+ document.iform.refresh.disabled = 0;
+ document.iform.retry.disabled = 0;
+ document.iform.expire.disabled = 0;
+ document.iform.minimum.disabled = 0;
+ break;
}
}
-->
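Review bot: The new JS `case 'redirect':` enables `serial`, `refresh`, `retry`, `expire` and `minimum` (`.disabled = 0`), yet the server-side `redirect` case in bind_zone_validate overwrites all five with fixed values (`0`, plus `tll` = 300), so whatever the user types into those inputs is silently discarded. Either disable those inputs here to match the validator (`document.iform.serial.disabled = 1;` and likewise for the other four), or drop the server-side overrides and validate the submitted values instead. bind_print_javascript_type_zone begins outside the hunk.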
@@ -602,8 +643,8 @@ function delete_log_file(){
/* Uses XMLRPC to synchronize the changes to a remote node */
function bind_sync_on_changes() {
global $config, $g;
- if (is_array($config['installedpackages']['bind']['config'])){
- $bind_sync=$config['installedpackages']['bind']['config'][0];
+ if (is_array($config['installedpackages']['bindsync']['config'])){
+ $bind_sync=$config['installedpackages']['bindsync']['config'][0];
$synconchanges = $bind_sync['synconchanges'];
$synctimeout = $bind_sync['synctimeout'];
$master_zone_ip=$bind_sync['masterip'];
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index aa6a5f25..9a309a81 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -179,13 +179,14 @@
</field>
<field>
<type>listtopic</type>
- <name>Response limit</name>
+ <name>Response Rate Limit</name>
<fieldname>temp01</fieldname>
</field>
<field>
<fielddescr>Rate limit</fielddescr>
<fieldname>rate_enabled</fieldname>
- <description>Limit/rate response queries to prevent DOS attack.</description>
+ <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-01000/189/A-Quick-Introduction-to-Response-Rate-Limiting.html?utm_source=isc&utm_medium=website&utm_term=rrl-kb&utm_content=kbarticle&utm_campaign=bind994_release_091913'>
+ Limit/rate response queries</a> to prevent DOS attack.]]></description>
<type>checkbox</type>
<enablefields>rate_limit,log_only</enablefields>
</field>
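Review bot: The new description embeds a raw `<a target=_new href='…'>` with an unquoted `target` attribute and a long tracking query string (`utm_source=…&utm_campaign=…`) that presumably is not needed to reach the article; `<a target="_blank" href="https://kb.isc.org/article/AA-01000/189/A-Quick-Introduction-to-Response-Rate-Limiting.html">` without the `utm_*` parameters is cleaner. The wording itself is unchanged, so this is a style point only.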
diff --git a/config/bind/bind_sync.xml b/config/bind/bind_sync.xml
index c6a80e98..d2f9c95b 100644
--- a/config/bind/bind_sync.xml
+++ b/config/bind/bind_sync.xml
@@ -105,8 +105,7 @@
<fielddescr>Zone Master IP</fielddescr>
<fieldname>masterip</fieldname>
<description><![CDATA[Set master zone ip you want to use to sync backup server zones with master.<br>
- <b>All master zones will be configured as backup on slave servers.</b><br>
- Do not forget to create firewall rules to allow zone transfer between master and slave servers.]]></description>
+ <b>All master zones will be configured as backup on slave servers.<b>]]></description>
<type>input</type>
<size>20</size>
<required/>
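Review bot: The rewritten description closes the bold span with `<b>` instead of `</b>` (`…on slave servers.<b>]]>`), so the tag is left open and everything rendered after it on the page inherits bold. Change the line to `<b>All master zones will be configured as backup on slave servers.</b>]]></description>`.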
@@ -115,6 +114,10 @@
<fielddescr>Remote Server</fielddescr>
<fieldname>none</fieldname>
<type>rowhelper</type>
+ <description><![CDATA[<b>Do not forget to:</b><br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Create firewall rules to allow zone transfer between master and slave servers.<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Create a acls with these slave servers.<br>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Include created acl on allow-transfer option on zone config.]]></description>
<rowhelper>
<rowhelperfield>
<fielddescr>IP Address</fielddescr>
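Review bot: `Create a acls with these slave servers.` reads awkwardly; `Create an ACL containing these slave servers.` is clearer, and the following line could then say `Use that ACL in the allow-transfer option of the zone config.` The non-breaking-space indentation is fine for a description field.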
diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml
index 09a5129f..db68d26c 100644
--- a/config/bind/bind_zones.xml
+++ b/config/bind/bind_zones.xml
@@ -82,6 +82,12 @@
<configpath>['installedpackages']['bindzone']['config']</configpath>
<adddeleteeditpagefields>
<columnitem>
+ <fielddescr>status</fielddescr>
+ <fieldname>disabled</fieldname>
+ <listmodeon>Disabled</listmodeon>
+ <listmodeoff>Enabled</listmodeoff>
+ </columnitem>
+ <columnitem>
<fielddescr>Zone Name</fielddescr>
<fieldname>name</fieldname>
</columnitem>
@@ -110,6 +116,12 @@
<fieldname>temp01</fieldname>
</field>
<field>
+ <fielddescr>Disable this zone</fielddescr>
+ <fieldname>disabled</fieldname>
+ <description><![CDATA[Do not Include this zone on bind config files.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
<fielddescr>Zone Name</fielddescr>
<fieldname>name</fieldname>
<description><![CDATA[Enter the name for zone (ex:mydomain.com)<br>
@@ -128,14 +140,15 @@
<field>
<fielddescr>Zone Type</fielddescr>
<fieldname>type</fieldname>
- <description>Select zone type</description>
+ <description><![CDATA[Select zone type.]]></description>
<type>select</type>
<options>
<option><name>Master</name><value>master</value><enablefields>description</enablefields></option>
<option><name>Slave</name><value>slave</value><enablefields>ttl</enablefields></option>
<option><name>Forward</name><value>forward</value><enablefields>forward</enablefields></option>
+ <option><name>Redirect</name><value>redirect</value><enablefields>redirect</enablefields></option>
</options>
- <onchange>on_type_zone_changed()</onchange>
+ <onchange>on_type_zone_changed()</onchange>
<required/>
</field>
<field>
@@ -170,7 +183,7 @@
<field>
<fielddescr>Inline Signing</fielddescr>
<fieldname>dnssec</fieldname>
- <description>Enable inline DNSSEC Signing for this zones.</description>
+ <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description>
<type>checkbox</type>
</field>
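Review bot: The new description contains a typo, `afor this zones`; the text should read `Enable inline DNSSEC Signing</a> for this zone.` As in bind.xml, the unquoted `target=_new` would be better written as `target="_blank"`.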
<field>
@@ -360,6 +373,7 @@
<type>input</type>
<size>35</size>
</rowhelperfield>
+ <movable>on</movable>
</rowhelper>
</field>
<field>