systemli.bind9

Ansible Role to Install and Manage Bind9 Nameserver on Debian

This role helps you to install and set up the Bind9 nameserver on Debian.

Features:

Set up an authoritative nameserver for DNS zones or a DNS recursor.
Strong support for DNSSEC:
- Automatically create KSK and ZSK keys.
- Automatically configure DNSSEC for zones.
- Ability to send DNSKEY/DS formatted output via XMPP.
Configure hidden primary and authoritative secondary servers.
Support for "static" zones defined by uploading a .db bind file.
Validate zone files with named-checkzone.
Basic support for "dynamic" zones defined using YAML variable sets.

Basic Server Configuration

Master Server

Set variables for your master server in a file like host_vars/master_name/vars/XX_bind.yml. Here’s an example:

bind9_authoritative: yes
bind9_zones_static: 
- { name: example.com , type: master }
bind9_forward: yes
bind9_forward_servers:
- 8.8.8.8
- 4.4.4.4
bind9_slaves:
- slave_ip_1
- slave_ip_2
- slave_ip_3
bind9_our_neighbors:
- slave_ip_1
- slave_ip_2
- slave_ip_3

Place your BIND zone file in the files/bind/zones/ directory (not in the role directory): db.example.com.

Slave Servers

Set variables for your slave servers:

bind9_zones_static: 
- { name: example.com, type: slave }
bind9_forward: yes
bind9_forward_servers:
- 8.8.8.8
- 4.4.4.4
bind9_masters:
- { name: master_name, addresses: [master_ip] }
bind9_recursor: our_network

Dynamic Zones

You define "dynamic" zone records using the YAML variable bind9_zones_dynamic, which refers to the bind/zones/db.template.j2 template. If you have many zones, it's best to put zone definitions in a separate file, like host_vars/master_name/vars/YY_zones.yml. You can split bind9_zones_dynamic into multiple variables.

In YY_zones.yml, you might have:

bind9_zones_dynamic: >
        {{ zones_my_domains
        | union ( zone_my_reverse_inaddr_arpa )
        | union ( zone_my_reverse_ip6_arpa ) }}

bind9_zones_static:
- name: static_dom.org
  type: master
- name: static_dom2.org
  type: master
- name: static_dom3.org
  type: slave

In other variable files, you can specify zones like this:

zones_my_domains:
- name: dyn_domain.org
  type: master
  default_ttl: 600
  serial: 2022050501
  refresh: 1D
  retry: 2H
  expire: 1000H
  primary: ns1.dyn_domain.org         # Optional
  admin: postmaster.dyn_domain.org
  ns_records:
  - ns1.dyn_domain.org
  - ns2.dyn_domain.org
  rrs:
  - {label: "@", type: MX, rdata: 10 mail}
  - {label: webmail, type: CNAME, rdata: mail}
  - {label: "@", type: A, rdata: 8.8.8.221}
  - {label: "@", type: AAAA, rdata: 2001:db8:6a::95}
  - {label: www, type: CNAME, rdata: webserver.dyn_domain.org.}
  - {label: mail, type: A, rdata: 8.8.8.222}
  - {label: mail, type: AAAA, rdata: 2001:db8:6a::22}
  - {label: webserver, ttl: 86400, type: A, rdata: 8.8.8.223}
  - {label: webserver, ttl: 86400, type: AAAA, rdata: 2001:db8:6a::23}

You can do something similar for zone_my_reverse_inaddr_arpa and zone_my_reverse_ip6_arpa for reverse DNS.

Deploy Role to Your Servers

DDNS Updates

Key Generation

To generate DDNS keys, set bind9_generate_ddns_key to true:

- bind9_generate_ddns_key: true

Keys will be stored by default in files/bind/zones, but you can change the location with bind9_local_keydir:

- bind9_local_keydir: credentials/bind

Zone Database

Make sure the BIND process can write to the zone files. If using Linux with access control (like AppArmor or SELinux), you may want to change the zone file location to /var/lib/bind/zones: