Skip to content

freddebacker/puppet-unbound

BranchesTags
 
 

Repository files navigation

unbound

Tested with Travis CI

Build Status Coverage Status Puppet Forge Dependency Status

Table of Contents

  1. Description
  2. Setup - The basics of getting started with unbound
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

This module manages Unbound.

RHEL/CentOS and OpenBSD are supported using Puppet 4.6.0 or later.

Setup

Beginning with unbound

In the simplest case, configure Unbound listening on all interfaces:

include ::unbound

Usage

Update the above example to specify the forwarders to use and allow access from the local network, also restrict outbound ports used to avoid anything below 32768 and above 65000:

class { '::unbound':
  access_control => [
    ["${::network}/${netmask_to_masklen($::netmask)}", 'allow'],
    ["${::network6}/${netmask_to_masklen($::netmask6)}", 'allow'],
  ],
  outgoing_port  => [
    ['avoid', 0, 32767],
    ['avoid', 65001, 65535],
  ],
}

::unbound::forward { '.':
  forward_addr => [
    '8.8.8.8',
    '8.8.4.4',
    '2001:4860:4860::8844',
    '2001:4860:4860::8888',
  ],
}

Configure NSD listening on the primary interface as a slave for a single zone protected with a given TSIG key and configure Unbound listening on the loopback interface only with a stub zone pointing to NSD:

class { '::nsd':
  ip_address => [
    $::ipaddress,
    $::ipaddress6,
  ],
}

::nsd::key { 'example.':
  algorithm => 'hmac-sha256',
  secret    => '6z+8iKRIQrwN43TFfO/Rf2NHzpHIFVi6PsJ7dDESclc=',
}

::nsd::zone { 'example.com.':
  allow_notify => [
    ['192.0.2.1', 'example.'],
  ],
  request_xfr  => [
    ['AXFR', '192.0.2.1', 'example.'],
  ],
}

class { '::unbound':
  interface => [
    $::ipaddress_lo,
    $::ipaddress6_lo,
  ],
}

::unbound::stub { 'example.com.':
  stub_addr => [
    $::ipaddress,
    $::ipaddress6,
  ],
}

If NSD is not required then local data can be used instead:

class { '::unbound':
  interface  => [
    $::ipaddress_lo,
    $::ipaddress6_lo,
  ],
  local_zone => [
    ['example.com.', 'static'],
  ],
  local_data => [
    {
      'name'     => 'example.com.'
      'ttl'      => 86400,
      'class'    => 'IN',
      'type'     => 'NS',
      'hostname' => 'ns1.example.com.',
    },
    {
      'name'     => 'example.com.'
      'ttl'      => 86400,
      'class'    => 'IN',
      'type'     => 'SOA',
      'primary'  => 'ns1.example.com.',
      'email'    => 'hostmaster.example.com.',
      'serial'   => 1,
      'refresh'  => 10800,
      'retry'    => 15,
      'expire'   => 604800,
      'negative' => 10800,
    },
    {
      'name'  => 'ns1.example.com.',
      'ttl'   => 86400,
      'class' => 'IN',
      'type'  => 'A',
      'ip'    => '192.0.2.1',
    },
  ],
}

Reference

The reference documentation is generated with puppet-strings and the latest version of the documentation is hosted at https://bodgit.github.io/puppet-unbound/.

Limitations

This module has been built on and tested against Puppet 4.6.0 and higher.

The module has been tested on:

  • RedHat Enterprise Linux 6/7
  • OpenBSD 6.0/6.1

Development

The module has both rspec-puppet and beaker-rspec tests. Run them with:

$ bundle exec rake test
$ PUPPET_INSTALL_TYPE=agent PUPPET_INSTALL_VERSION=x.y.z bundle exec rake beaker:<nodeset>

Please log issues or pull requests at github.

About

Puppet Module for managing Unbound

forge.puppet.com/bodgit/unbound

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • Puppet 49.3%
  • Ruby 30.1%
  • HTML 17.5%
  • Pascal 2.8%
  • Shell 0.3%