response policy zone feature

SourceDoctor · Feb 26, 2018 · a659d0b · a659d0b
1 parent 827f878
commit a659d0b
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -20,11 +20,15 @@ The differences/advantages:
 * Code was rewritten mostly for handling Puppet4 features
 * **full hiera support**
 * full support of Debian
+* handling of Response Policy Zones
 
 
 ## Usage
 
 ```puppet
+include dns
+include dns::record
+
 node 'server.example.com' {
 
   # DNS Settings and Zone Configuration
@@ -102,7 +106,6 @@ node 'server.example.com' {
                 server    => "192.168.1.3"
             }
   }
-
 }
 ```
 
@@ -147,9 +150,6 @@ You can enable the report of bind stats trough the `statistics-channels` using:
 You can also create dynamic zones. Mind they are only created once by puppet and never replaced unless allow_update is empty.
 
 ```puppet
-dns::zone {
-}
-
   class { 'dns':
     zone => { 'example.com' => {
               soa             => 'ns1.example.com',
@@ -163,3 +163,21 @@ dns::zone {
   }
 ```
 
+Create a DNS forwarder and overrule rules with the response-policy. This is supported from BIND 9.8+
+
+```puppet
+include dns
+include dns::record
+
+class { 'dns':
+  forwarders            => ['8.8.8.8', '8.8.4.4'],
+  response_policy_zones => ['rpz'],
+  zone                  => { 'rpz': }
+}
+
+dns::record::a {
+  'test.example.tld.':
+    zone => 'rpz',
+    data => ['127.0.0.1']
+}
+```
diff --git a/manifests/config/options.pp b/manifests/config/options.pp
@@ -69,6 +69,10 @@
 # [*forwarders*]
 #   Array of forwarders IP addresses. Default: empty
 #
+# [*response_policy_zones*]
+#   Array of response policy zones. Default: empty
+#   allows local overwrite of DNS Response to requesting Client
+#
 # [*listen_on*]
 #   Array of IP addresses on which to listen. Default: empty, meaning "any"
 #
@@ -168,6 +172,7 @@
   $dnssec_validation = $::dns::dnssec_validation,
   $forward_policy = $::dns::forward_policy,
   $forwarders = $::dns::forwarders,
+  $response_policy_zones = $::dns::response_policy_zones,
   $listen_on = $::dns::listen_on,
   $listen_on_ipv6 = $::dns::listen_on_ipv6,
   $listen_on_port = $::dns::listen_on_port,

diff --git a/manifests/config/params.pp b/manifests/config/params.pp
@@ -55,6 +55,7 @@
   $listen_on                   = []
   $listen_on_ipv6              = []
   $forwarders                  = []
+  $response_policy_zones       = []
   $forward_policy              = undef
   $listen_on_port              = undef
   $transfers                   = []

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -12,6 +12,7 @@
   Optional[Integer] $listen_on_port                = $dns::config::params::listen_on_port,
 
   Array[String] $forwarders                        = $dns::config::params::forwarders,
+  Optional[Array[String]] $response_policy_zones   = $dns::config::params::response_policy_zones,
   Optional[Enum['first', 'only']] $forward_policy  = $dns::config::params::forward_policy,
 
   Optional[Enum['warn', 'fail', 'ignore']]

diff --git a/templates/named.conf.options.erb b/templates/named.conf.options.erb
@@ -26,6 +26,14 @@ options {
 <% if @forward_policy -%>
     forward <%= @forward_policy %>;
 
+<% end -%>
+<% unless @response_policy_zones.empty? -%>
+    response-policy {
+    <%- @response_policy_zones.each do |zone| -%>
+      zone "<%= zone -%>";
+    <%- end -%>
+    };
+
 <% end -%>
 <% unless @transfers.empty? -%>
     allow-transfer {