Skip to content

enable rpz zone support #284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bastelfreak merged 13 commits into from
Dec 1, 2025
+64 −44
Merged

enable rpz zone support #284

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
32404fe
add functional support for enabling rpz zones
Oct 16, 2025
7aa3d6f
change options.conf.erb to epp and enable rpz zone support
Oct 16, 2025
78fd3c6
remove obsolete options.conf.erb template
Oct 16, 2025
bfba615
default rpz_zones to undefined aligning to best practice
Oct 16, 2025
73c03a8
improve template parameter validation logic
Oct 16, 2025
eeba354
correct undefined array value for rpz_zones
Oct 17, 2025
cc47656
fix incorrect condition on dnssec_enabled
Oct 18, 2025
e2b80c1
fix incorrect parameter condition
Oct 23, 2025
7d47940
validate rpz_zones againt stdlib::fqdn
Oct 30, 2025
f73e1e2
add test for rpz zone config validation
Oct 30, 2025
abd2e3f
improve check on dns::forwarders logic
Oct 30, 2025
c214837
correct rpz_zones to array
Oct 30, 2025
b42d17d
correct typo validating dns::forwarders
Oct 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion manifests/config.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@

concat::fragment { 'options.conf+10-main.dns':
target => $dns::optionspath,
content => template($dns::optionsconf_template),
content => epp($dns::optionsconf_template),
order => '10',
}

Expand Down
5 changes: 4 additions & 1 deletion manifests/init.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,8 @@
# The forward option
# @param forwarders
# The forwarders option
# @param rpz_zones
# Array of zones that will be included in response-policy definition
# @param listen_on
# The listen-on option
# @param listen_on_v6
Expand Down Expand Up @@ -161,6 +163,7 @@
Variant[Enum['unmanaged'], Stdlib::Absolutepath] $defaultzonepath = $dns::params::defaultzonepath,
Optional[Enum['only', 'first']] $forward = undef,
Array[Dns::Forwarder] $forwarders = [],
Array[Stdlib::Fqdn] $rpz_zones = [],
Optional[String] $listen_on = undef,
Variant[String, Boolean] $listen_on_v6 = 'any',
Enum['yes', 'no'] $recursion = 'yes',
Expand All @@ -172,7 +175,7 @@
Enum['yes', 'no', 'auto'] $dnssec_validation = 'auto',
String $namedconf_template = 'dns/named.conf.erb',
Hash[String, Array[String]] $acls = {},
String $optionsconf_template = 'dns/options.conf.erb',
String $optionsconf_template = 'dns/options.conf.epp',
Optional[Stdlib::Absolutepath] $sysconfig_file = $dns::params::sysconfig_file,
Optional[String] $sysconfig_template = $dns::params::sysconfig_template,
Optional[String] $sysconfig_startup_options = $dns::params::sysconfig_startup_options,
Expand Down
8 changes: 8 additions & 0 deletions spec/classes/dns_init_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -265,6 +265,14 @@
'listen-on-v6 { none; };',
])}
end

describe 'with rpz zone' do
let(:params) { {:rpz_zones => [ 'rpz.block.local' ]} }

it { verify_concat_fragment_contents(catalogue, 'options.conf+10-main.dns', [
'zone "rpz.block.local";'
])}
end

describe 'with empty zones disabled' do
let(:params) { {:empty_zones_enable => 'no'} }
Expand Down
51 changes: 51 additions & 0 deletions templates/options.conf.epp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
directory "<%= $dns::vardir %>";
<% unless empty($dns::forwarders) { -%>
forwarders { <%= join($dns::forwarders, '; ') %>; };
<% } -%>
<% if $dns::forward { -%>
forward <%= $dns::forward %>;
<% } -%>

<% unless empty($dns::rpz_zones) { -%>
response-policy {
<% $dns::rpz_zones.each |$zone| { -%>
zone "<%= $zone %>";
<% } -%>
};
<% } -%>

recursion <%= $dns::recursion %>;
allow-query { <%= join($dns::allow_query, '; ') %>; };
<% if $dns::dnssec_enable { -%>
dnssec-enable <%= $dns::dnssec_enable %>;
<% } -%>
dnssec-validation <%= $dns::dnssec_validation %>;

empty-zones-enable <%= $dns::empty_zones_enable %>;

<% if $dns::dns_notify { -%>
notify <%= $dns::dns_notify %>;
<% } -%>
<% if $dns::listen_on { -%>
listen-on { <%= $dns::listen_on %>; };
<% } -%>
<% if $dns::listen_on_v6 { -%>
listen-on-v6 { <%= $dns::listen_on_v6 %>; };
<% } -%>

<% if $dns::allow_recursion { -%>
allow-recursion { <%= join($dns::allow_recursion, '; ') %>; };
<% } -%>

<% if $facts['os']['family'] =~ /^(FreeBSD|DragonFly)$/ { -%>
pid-file "/var/run/named/pid";
<% } -%>

<% $dns::disable_empty_zones.sort.each |$disable_empty_zone| { -%>
disable-empty-zone "<%= $disable_empty_zone %>";
<% } -%>

<% $dns::additional_options.keys.sort.each |$option| { -%>
<% $value = $dns::additional_options[$option] -%>
<%= $option %> <%= $value %>;
<% } -%>
42 changes: 0 additions & 42 deletions templates/options.conf.erb
View file
Open in desktop

This file was deleted.

Loading