author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-10-23 18:11:00 -0200 |
---|---|---|
committer | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-10-23 18:11:00 -0200 |
commit | bddbf46510b426f60a32ed26c0698822b991d7f3 (patch) | |
tree | f878d5508b0379ae768b037dd0375d0761742dfe /config | |
parent | 600c422388506b0b42a25ce61eacf18e43e04822 (diff) | |
bind - include redirect zone type, enable/disable zone option and fix sync code
Diffstat (limited to 'config')
-rw-r--r-- | config/bind/bind.inc | 83 | ||||
-rw-r--r-- | config/bind/bind.xml | 5 | ||||
-rw-r--r-- | config/bind/bind_sync.xml | 7 | ||||
-rw-r--r-- | config/bind/bind_zones.xml | 20 |
4 files changed, 87 insertions, 28 deletions
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 6ae870db..60fa23d5 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -60,9 +60,19 @@ function bind_zone_validate($post, $input_errors){
 if( $_POST['forwarders'] == "")
 $input_errors[] = 'The field \'Forwarders\' is required for forward zones.';
 break;
+ case 'redirect':
+ $_POST['tll']=300;
+ $_POST['refresh']=0;
+ $_POST['serial']=0;
+ $_POST['retry']=0;
+ $_POST['expire']=0;
+ $_POST['minimum']=0;
+ if($_POST['mail']=='')
+ $input_errors[] = "The field 'Mail Admin Zone' is required for {$_POST['type']} zones.";
+ default:
 if($_POST['nameserver']=='')
- $input_errors[] = 'The field \'Name server\' is required for master zones.';
+ $input_errors[] = "The field 'Name server' is required for {$_POST['type']} zones.";
 for ($i=0;$i < count($_POST);$i++){
 if (key_exists("hostname$i",$_POST)){
 if ($_POST['reverso']=="on"){
@@ -261,12 +271,7 @@ EOD;
 $bind_conf .= "\tmatch-clients { $viewmatchclients;};\n";
 $bind_conf .= "\tallow-recursion { $viewallowrecursion;};\n";
 $bind_conf .= "\t$viewcustomoptions\n\n";
-
- $bind_conf .="\tzone \".\" {\n";
- $bind_conf .="\t\ttype hint;\n";
- $bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n";
- $bind_conf .= "\t};\n\n";
-
+
 if(is_array($config["installedpackages"]["bindzone"]))
 $bindzone = $config["installedpackages"]["bindzone"]["config"];
 else
@@ -276,8 +281,13 @@ EOD;
 for ($x=0; $x<sizeof($bindzone); $x++) {
 $zone = $bindzone[$x];
-
+ if ($zone['disabled']=="on"){
+ continue;
+ }
 $zonename = $zone['name'];
+ if ($zonename=="."){
+ $custom_root_zone[$i]=true;
+ }
 $zonetype = $zone['type'];
 $zoneview = $zone['view'];
 $zonecustom = base64_decode($zone['custom']);
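Review bot: `case 'redirect':` deliberately runs into `default:` so the name-server check also applies to redirect zones, but there is no `break` and no comment saying so; add `// fall through: redirect zones need a name server too` just before `default:` so the next editor does not "fix" it. The same branch forces `serial`, `refresh`, `retry`, `expire` and `minimum` to 0 for redirect zones, while the new `case 'redirect'` in bind_print_javascript_type_zone (hunk @@ -546) leaves those inputs enabled, so anything typed into them is silently discarded; either disable them there (`document.iform.serial.disabled = 1;` and friends) or stop overwriting them here. `default:` also accepts any `$_POST['type']` value that is not one of the listed cases and interpolates it into the error string; checking the type against the option list before the switch would be safer if input errors are rendered unescaped (not visible here). The function's body continues outside the hunk.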
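Review bot: `$custom_root_zone[$i]=true;` is keyed by `$i` although this loop's index is `$x`, so the flag presumably belongs to an enclosing per-view loop; a comment such as `// $i: index of the view currently being generated` would make that explicit. The flag is set before any check that the zone belongs to the current view (no such check is visible in the hunk), so a `.` zone attached to one view would suppress the hint zone in every view if the view filter comes later in the loop body. The surrounding loop continues outside the hunk.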
@@ -313,31 +323,39 @@ EOD;
 switch ($zonetype){
 case "slave":
 $bind_conf .= "\t\tmasters { $zoneipslave; };\n";
+ $bind_conf .= "\t\tallow-transfer {none;};\n";
+ $bind_conf .= "\t\tnotify no;\n";
 break;
 case "forward":
 $bind_conf .= "\t\tforward only;\n";
 $bind_conf .= "\t\tforwarders { $zoneforwarders; };\n";
 break;
+ case "redirect":
+ $bind_conf .= "\t\t# While using redirect zones,NXDOMAIN Redirection will not override DNSSEC\n";
+ $bind_conf .= "\t\t# If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur\n";
+ $bind_conf .= "\t\t# https://kb.isc.org/article/AA-00376/192/BIND-9.9-redirect-zones-for-NXDOMAIN-redirection.html\n";
+ break;
 default:
 $bind_conf .= "\t\tallow-update { $zoneallowupdate;};\n";
 $bind_conf .= "\t\tallow-query { $zoneallowquery;};\n";
 $bind_conf .= "\t\tallow-transfer { $zoneallowtransfer;};\n";
- }
- if ($zone['dnssec']=="on"){
- //https://kb.isc.org/article/AA-00626/
- $bind_conf .="\n\t\t# look for dnssec keys here:\n";
- $bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n";
- $bind_conf .="\t\t# publish and activate dnssec keys:\n";
- $bind_conf .="\t\tauto-dnssec maintain;\n\n";
- $bind_conf .="\t\t# use inline signing:\n";
- $bind_conf .="\t\tinline-signing yes;\n\n";
- }
+ if ($zone['dnssec']=="on"){
+ //https://kb.isc.org/article/AA-00626/
+ $bind_conf .="\n\t\t# look for dnssec keys here:\n";
+ $bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n";
+ $bind_conf .="\t\t# publish and activate dnssec keys:\n";
+ $bind_conf .="\t\tauto-dnssec maintain;\n\n";
+ $bind_conf .="\t\t# use inline signing:\n";
+ $bind_conf .="\t\tinline-signing yes;\n\n";
+ }
+ }
 if ($zonecustom != '')
 $bind_conf .= "\t\t$zonecustom\n";
 $bind_conf .= "\t};\n\n";
 switch($zonetype){
+ case "redirect":
 case "master":
 //check/update slave dir permission
 chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind");
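Review bot: Moving the `if ($zone['dnssec']=="on")` block inside `default:` means slave, forward and redirect zones no longer receive `key-directory`, `auto-dnssec maintain` or `inline-signing yes` even when the checkbox is set; the new JavaScript only disables the dnssec field for redirect zones, so a slave zone with DNSSEC ticked is now silently left unsigned. If that is intended, say so with `// inline signing is only emitted for master zones` above the block; otherwise keep it after the closing `}` of the switch as before. The second switch now also runs `chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind")` for `redirect`, which needs a `/etc/namedb/redirect` directory that nothing in this diff creates — confirm the install step provides it. Both switch statements continue outside the hunk.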
@@ -369,7 +387,7 @@ EOD;
 $zone_conf .= ";\tDatabase file {$zonename}.DB for {$zonename} zone.\n";
 $zone_conf .= ";\tDo not edit this file!!!\n";
 $zone_conf .= ";\tZone version {$zoneserial}\n;\n";
- if($zonereverso == "on")
+ if($zonereverso == "on" || $zonetype =="redirect")
 $zone_conf .= "@\t IN SOA $zonenameserver. \t $zonemail. (\n";
 else
 $zone_conf .= "$zonename.\t IN SOA $zonenameserver. \t $zonemail. (\n";
@@ -445,6 +463,12 @@ EOD;
 }
 }
 }
+ if (!$custom_root_zone[$i]){
+ $bind_conf .="\tzone \".\" {\n";
+ $bind_conf .="\t\ttype hint;\n";
+ $bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n";
+ $bind_conf .= "\t};\n\n";
+ }
 if($write_config > 0){
 write_config("save result config file for zone on xml");
 }
@@ -489,6 +513,8 @@ EOD;
 mwexec("/usr/local/etc/rc.d/named.sh restart");
 else
 mwexec("/usr/local/etc/rc.d/named.sh stop");
+ //sync to backup servers
+ bind_sync_on_changes();
 conf_mount_ro();
 }
@@ -546,6 +572,21 @@ function bind_print_javascript_type_zone(){
 document.iform.expire.disabled = 1;
 document.iform.minimum.disabled = 1;
 break;
+ case 'redirect':
+ document.iform.slaveip.disabled = 1;
+ document.iform.tll.disabled = 1;
+ document.iform.nameserver.disabled = 0;
+ document.iform.reverso.disabled = 1;
+ document.iform.forwarders.disabled = 1;
+ document.iform.dnssec.disabled = 1;
+ document.iform.ipns.disabled = 1;
+ document.iform.mail.disabled = 0;
+ document.iform.serial.disabled = 0;
+ document.iform.refresh.disabled = 0;
+ document.iform.retry.disabled = 0;
+ document.iform.expire.disabled = 0;
+ document.iform.minimum.disabled = 0;
+ break;
 }
 }
 -->
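Review bot: `if (!$custom_root_zone[$i])` reads an index that is only assigned when a zone named `.` was seen, and nothing in the diff initialises `$custom_root_zone`, so PHP raises an undefined-index notice for every view without a custom root zone; use `if (empty($custom_root_zone[$i])){` instead. The hint zone is now written after the zone loop instead of before it, so the order of zone statements inside each view changes; named does not care, but generated named.conf files will differ from earlier releases, which is worth a line in the commit message. The enclosing function continues outside the hunk.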
@@ -602,8 +643,8 @@ function delete_log_file(){
 /* Uses XMLRPC to synchronize the changes to a remote node */
 function bind_sync_on_changes() {
 global $config, $g;
- if (is_array($config['installedpackages']['bind']['config'])){
- $bind_sync=$config['installedpackages']['bind']['config'][0];
+ if (is_array($config['installedpackages']['bindsync']['config'])){
+ $bind_sync=$config['installedpackages']['bindsync']['config'][0];
 $synconchanges = $bind_sync['synconchanges'];
 $synctimeout = $bind_sync['synctimeout'];
 $master_zone_ip=$bind_sync['masterip'];
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index aa6a5f25..9a309a81 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -179,13 +179,14 @@
 </field>
 <field>
 <type>listtopic</type>
- <name>Response limit</name>
+ <name>Response Rate Limit</name>
 <fieldname>temp01</fieldname>
 </field>
 <field>
 <fielddescr>Rate limit</fielddescr>
 <fieldname>rate_enabled</fieldname>
- <description>Limit/rate response queries to prevent DOS attack.</description>
+ <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-01000/189/A-Quick-Introduction-to-Response-Rate-Limiting.html?utm_source=isc&utm_medium=website&utm_term=rrl-kb&utm_content=kbarticle&utm_campaign=bind994_release_091913'>
+ Limit/rate response queries</a> to prevent DOS attack.]]></description>
 <type>checkbox</type>
 <enablefields>rate_limit,log_only</enablefields>
 </field>
diff --git a/config/bind/bind_sync.xml b/config/bind/bind_sync.xml
index c6a80e98..d2f9c95b 100644
--- a/config/bind/bind_sync.xml
+++ b/config/bind/bind_sync.xml
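Review bot: The new link uses `target=_new`, which is not a standard target name and is written without quotes; use `target="_blank" rel="noopener noreferrer"` so the external page cannot reach back to the pfSense window through `window.opener`. The same applies to the inline-signing link added in bind_zones.xml (hunk @@ -170). The `&` characters in the query string are fine inside CDATA, but the utm tracking parameters add nothing for the user and could be dropped.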
@@ -105,8 +105,7 @@
 <fielddescr>Zone Master IP</fielddescr>
 <fieldname>masterip</fieldname>
 <description><![CDATA[Set master zone ip you want to use to sync backup server zones with master.<br>
- <b>All master zones will be configured as backup on slave servers.</b><br>
- Do not forget to create firewall rules to allow zone transfer between master and slave servers.]]></description>
+ <b>All master zones will be configured as backup on slave servers.<b>]]></description>
 <type>input</type>
 <size>20</size>
 <required/>
@@ -115,6 +114,10 @@
 <fielddescr>Remote Server</fielddescr>
 <fieldname>none</fieldname>
 <type>rowhelper</type>
+ <description><![CDATA[<b>Do not forget to:</b><br>
+ Create firewall rules to allow zone transfer between master and slave servers.<br>
+ Create a acls with these slave servers.<br>
+ Include created acl on allow-transfer option on zone config.]]></description>
 <rowhelper>
 <rowhelperfield>
 <fielddescr>IP Address</fielddescr>
diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml
index 09a5129f..db68d26c 100644
--- a/config/bind/bind_zones.xml
+++ b/config/bind/bind_zones.xml
@@ -82,6 +82,12 @@
 <configpath>['installedpackages']['bindzone']['config']</configpath>
 <adddeleteeditpagefields>
 <columnitem>
+ <fielddescr>status</fielddescr>
+ <fieldname>disabled</fieldname>
+ <listmodeon>Disabled</listmodeon>
+ <listmodeoff>Enabled</listmodeoff>
+ </columnitem>
+ <columnitem>
 <fielddescr>Zone Name</fielddescr>
 <fieldname>name</fieldname>
 </columnitem>
@@ -110,6 +116,12 @@
 <fieldname>temp01</fieldname>
 </field>
 <field>
+ <fielddescr>Disable this zone</fielddescr>
+ <fieldname>disabled</fieldname>
+ <description><![CDATA[Do not Include this zone on bind config files.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
 <fielddescr>Zone Name</fielddescr>
 <fieldname>name</fieldname>
 <description><![CDATA[Enter the name for zone (ex:mydomain.com)<br>
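Review bot: The rewritten description closes the bold tag with `<b>` instead of `</b>` (`...on slave servers.<b>]]>`), so everything rendered after this field stays bold; change the line to `<b>All master zones will be configured as backup on slave servers.</b>]]></description>`. In the description added for the Remote Server rowhelper (hunk @@ -115), `Create a acls with these slave servers.` reads better as `Create an ACL containing these slave servers.`, and `Include created acl on allow-transfer option on zone config.` as `Reference that ACL in the allow-transfer option of each master zone.`.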
@@ -128,14 +140,15 @@
 <field>
 <fielddescr>Zone Type</fielddescr>
 <fieldname>type</fieldname>
- <description>Select zone type</description>
+ <description><![CDATA[Select zone type.]]></description>
 <type>select</type>
 <options>
 <option><name>Master</name><value>master</value><enablefields>description</enablefields></option>
 <option><name>Slave</name><value>slave</value><enablefields>ttl</enablefields></option>
 <option><name>Forward</name><value>forward</value><enablefields>forward</enablefields></option>
+ <option><name>Redirect</name><value>redirect</value><enablefields>redirect</enablefields></option>
 </options>
- <onchange>on_type_zone_changed()</onchange>
+ <onchange>on_type_zone_changed()</onchange>
 <required/>
 </field>
 <field>
@@ -170,7 +183,7 @@
 <field>
 <fielddescr>Inline Signing</fielddescr>
 <fieldname>dnssec</fieldname>
- <description>Enable inline DNSSEC Signing for this zones.</description>
+ <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description>
 <type>checkbox</type>
 </field>
 <field>
@@ -360,6 +373,7 @@
 <type>input</type>
 <size>35</size>
 </rowhelperfield>
+ <movable>on</movable>
 </rowhelper>
 </field>
 <field> |
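Review bot: The new inline-signing description contains the typo `afor this zones`; the line should end `Enable inline DNSSEC Signing</a> for this zone.]]></description>`. Since the generator now only emits the DNSSEC options for master zones, it would also help users to say so here, e.g. `(master zones only)` after the link text.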