Getting started

Default setup

If you don't specify any configuration values, the role will set up BIND as a caching nameserver which is neither an authoritative nor a secondary server for any domains/zones.

In addition, DNSSEC validation is enabled (i.e. BIND verifies DNSSEC signatures when it acts as a resolver). The configuration is also prepared with policies which allow BIND to perform largely automatic DNSSEC signing of zones, on an opt-in basis.
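A quick way to confirm that the caching resolver really validates DNSSEC is to look at the AD (authenticated data) flag in responses for a signed zone, and at the SERVFAIL a validating resolver returns for a zone whose signatures do not verify. The script below is an added example and not part of the debops.bind documentation or role; it assumes dig (from bind9-dnsutils) is installed and that named listens on 127.0.0.1 (override with the RESOLVER variable).

```shell
#!/bin/sh
# Added example, not part of the debops.bind documentation: check that the
# caching resolver installed by the role actually validates DNSSEC.
# Assumption: dig (bind9-dnsutils) is installed and named listens on 127.0.0.1.

RESOLVER="${RESOLVER:-127.0.0.1}"

# Succeeds when dig output (on stdin) carries the AD flag, i.e. the resolver
# itself verified the signature chain for the answer.
has_ad_flag() {
    grep -E '^;; flags:( [a-z]+)* ad[ ;]' >/dev/null
}

# Succeeds when dig output (on stdin) is a SERVFAIL, which is what a
# validating resolver returns for a zone whose signatures do not verify.
is_servfail() {
    grep -E '^;; ->>HEADER<<-.*status: SERVFAIL' >/dev/null
}

# Query one name through the resolver: +dnssec asks for RRSIG records,
# +adflag asks the resolver to report whether it validated the answer.
query() {
    dig @"$RESOLVER" +dnssec +adflag +time=3 +tries=1 "$1" "$2"
}

check_resolver() {
    rc=0
    # The root zone is signed, so a validating resolver must set AD here.
    if query . SOA | has_ad_flag; then
        echo "PASS: root SOA answered with AD flag (validation active)"
    else
        echo "FAIL: no AD flag on root SOA (validation off, or resolver unreachable)"
        rc=1
    fi
    # dnssec-failed.org is a public test zone with deliberately broken signatures.
    if query dnssec-failed.org A | is_servfail; then
        echo "PASS: zone with broken signatures rejected with SERVFAIL"
    else
        echo "FAIL: zone with broken signatures was not rejected"
        rc=1
    fi
    return $rc
}

# Run the live check only when dig is present, so the helper functions can be
# sourced elsewhere without side effects.
if command -v dig >/dev/null 2>&1; then
    check_resolver
fi
```

If the first check fails while the resolver is reachable, the usual cause is `dnssec-validation` being turned off in the generated `named.conf` options, or the host's stub resolver pointing somewhere other than the local BIND instance.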

When a valid Public Key Infrastructure is detected and the installed version of BIND supports it, DNS over TLS/HTTP(S) is also enabled, either in a standalone fashion or, if the debops.nginx role is detected, with nginx acting as a reverse proxy.

Initial zones can be created using the Ansible inventory (see Zones and Views) and later updated dynamically using e.g. nsupdate.

The role also supports the automatic generation of keys, which can be used to authenticate e.g. update requests or to provision other roles with keys to be used for automated DNS updates. These keys are, by default, also stored on the Ansible controller (in the directory tree maintained by the debops.secret role) for further use.
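The dynamic update path described above (zones created from the inventory, later changed with nsupdate, authenticated with one of the generated keys) looks like the following script. It is an added example, not code from the debops.bind role or its documentation; the key file path /etc/bind/keys/update.key, the zone example.com and the addresses are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the debops.bind documentation: push a dynamic
# update to a zone managed by the role, authenticated with a TSIG key.
# Placeholders (not values from the documentation): the key file path, the
# zone name and the server address below.

KEYFILE="${KEYFILE:-/etc/bind/keys/update.key}"   # named.conf "key" syntax, as read by nsupdate -k
SERVER="${SERVER:-127.0.0.1}"

# Emit an nsupdate batch that replaces the A record of one name.
# "prereq yxdomain" makes the server refuse the whole batch unless the name
# already exists, so a typo cannot silently create a new record; prerequisites
# must precede the update statements in a batch.
# Usage: build_update_batch ZONE NAME TTL ADDRESS
build_update_batch() {
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$1"
    printf 'prereq yxdomain %s\n' "$2"
    printf 'update delete %s A\n' "$2"
    printf 'update add %s %s A %s\n' "$2" "$3" "$4"
    printf 'send\n'
}

# Feed the batch to nsupdate; -k selects the TSIG key, which the server
# matches against its allow-update / update-policy statement for the zone.
apply_update() {
    build_update_batch "$@" | nsupdate -k "$KEYFILE"
}

# Only talk to a live server when called with all four arguments, e.g.
#   sh update.sh example.com host.example.com 300 192.0.2.10
if [ $# -eq 4 ]; then
    apply_update "$@"
fi
```

Because the key file is what authorises the change, keep it readable only by the account that runs the updates; the same key material is what the role hands to other roles for their automated updates.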

Example inventory

To install and configure BIND on a host, it needs to be present in the [debops_service_bind] Ansible inventory group. Additionally, if you plan to run a web server on the same host at some point, it is a good idea to define that in the inventory before you apply this role, as a later installation may clash with features such as DNS over TLS/HTTP(S).

[debops_all_hosts]
dns

[debops_service_nginx]
dns

[debops_service_bind]
dns

Example playbook

The following playbook can be used with DebOps. If you are using this role without DebOps, you might need to adapt it to make it work in your setup.

---

- name: Manage BIND servers
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_bind' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences',
              'role::nginx' ]
      apt_preferences__dependent_list:
        - '{{ nginx__apt_preferences__dependent_list }}'
        - '{{ bind__apt_preferences__dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm', 'role::nginx' ]
      ferm__dependent_rules:
        - '{{ nginx__ferm__dependent_rules }}'
        - '{{ bind__ferm__dependent_rules }}'

    - role: resolvconf
      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
      resolvconf__dependent_services:
        - 'bind'

    - role: cron
      tags: [ 'role::cron', 'skip::cron' ]

    - role: logrotate
      tags: [ 'role::logrotate', 'skip::logrotate' ]
      logrotate__dependent_config:
        # The bind role's own logrotate variable, following the naming pattern
        # of the other dependent variables in this playbook (the original
        # referenced slapd__logrotate__dependent_config, which belongs to
        # the debops.slapd role).
        - '{{ bind__logrotate__dependent_config }}'
      when:
        - '"dnssec" in bind__features'
        - bind__dnssec_script_enabled | d(False)

    - role: bind
      tags: [ 'role::bind', 'skip::bind' ]

    - role: nginx
      tags: [ 'role::nginx', 'skip::nginx' ]
      nginx__dependent_servers:
        - '{{ bind__nginx__dependent_servers }}'
      # Run the role even if it is not being used by any
      # BIND features so that the BIND-specific server can be disabled,
      # if appropriate.
      when: ansible_local.nginx.enabled | d(False) or
            bind__features | intersect([ "doh_proxy", "stats_proxy" ]) | length > 0

This playbook is also shipped with DebOps as ansible/playbooks/service/bind.yml.

Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit which tasks are performed during an Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::bind

Main role tag; it should be used in the playbook to execute all of the role tasks as well as the role dependencies.

role::bind:backup

Run tasks related to the backup script.

role::bind:config

Run tasks related to the BIND configuration.

role::bind:dnssec

Run tasks related to DNSSEC.

role::bind:keys

Run tasks related to key generation/download/etc.

role::bind:packages

Run tasks related to system package installation.

role::bind:pki

Run tasks related to the PKI integration.