
Zone Auth Resource

Rui Moreira edited this page Oct 19, 2017 · 20 revisions

The Zone_Auth resource (infoblox_zone_auth) allows the creation and management of forward and reverse authoritative DNS zones on Infoblox.

Example Usage

resource "infoblox_zone_auth" "paas_forward_zone" {
  fqdn = "paas-testing.com"
  comment = "Created a forward zone and updated it again"
  zone_format = "FORWARD"
  view = "default"
  disable = false
  dns_integrity_enable = true
  dns_integrity_member = "s1ins01.devops.int.ovp.bskyb.com"
  locked = false
  soa_default_ttl = 1800
  soa_negative_ttl = 1200
  soa_refresh = 300
  soa_retry = 130
  allow_update = [
    {
      _struct = "addressac"
      address = "192.168.234.11"
      permission = "DENY"
    },
    {
      _struct = "tsigac"
      tsig_key = "0jnu3SdsMvzzlmTDPYTceA=="
      tsig_key_alg = "HMAC-SHA256"
      tsig_key_name = "abc.key"
      use_tsig_key_name = true
    },
    {
      _struct = "addressac"
      address = "192.168.101.11"
      permission = "ALLOW"
    },
    {
      _struct = "addressac"
      address = "192.168.111.10"
      permission = "ALLOW"
    },
  ]
}

resource "infoblox_zone_auth" "paas_reverse_zone" {
  fqdn = "192.168.234.0/24"
  comment = "Created a reverse zone and updated it."
  zone_format = "IPV4"
  view = "default"
  prefix = "128/6"
  disable = false
  dns_integrity_enable = true
  dns_integrity_member = "s1ins01.devops.int.ovp.bskyb.com"
  locked = false
  soa_default_ttl = 7200
  soa_negative_ttl = 1100
  soa_refresh = 150
  soa_retry = 110
  allow_update = [
    {
      type = "addressac"
      address = "192.168.102.11"
      permission = "ALLOW"
    },
    {
      type = "tsigac"
      tsig_key = "0jnu3SdsMvzzlmTDPYTceA=="
      tsig_key_alg = "HMAC-SHA256"
      tsig_key_name = "test.key"
      use_tsig_key_name = true
    },
    {
      type = "addressac"
      address = "192.168.101.15"
      permission = "ALLOW"
    },
    {
      type = "addressac"
      address = "192.168.111.10"
      permission = "ALLOW"
    },
  ]
}

Argument Reference

The following arguments are supported:

  • fqdn - (Required) - (String) - The name of this DNS zone. For a reverse zone, this is in “address/cidr” format. For other zones, this is in FQDN format. This value can be in Unicode format. Note that for a reverse zone, the corresponding zone_format value should be set.

  • view - (Optional, Default = "default") - (String) - The name of the DNS view in which the zone resides. Example “external”.

  • comment - (Optional, Default = empty) - (String) - Comment for the zone; maximum 256 characters.

  • zone_format - (Optional, Default = "FORWARD") - (String) - Determines the format of this zone. Cannot be updated. Valid values are FORWARD, IPV4 and IPV6.

  • restart_if_needed - (Optional, Default = false) - (Bool) - Restarts the member service. The default value is False. Not readable.

  • prefix - (Optional, Default = empty) - (String) - The RFC 2317 prefix value of this DNS zone. Use this field only when the netmask is greater than 24 bits; that is, for a mask between 25 and 31 bits. Enter a prefix, such as the name of the allocated address block. The prefix can be alphanumeric characters, such as 128/26, 128-189, or sub-B.

  • disable - (Optional, Default = false) - (Bool) - Determines whether a zone is disabled or not. When this is set to False, the zone is enabled.

  • dns_integrity_enable - (Optional, Default = false) - (Bool) - If this is set to True, DNS integrity check is enabled for this zone.

  • dns_integrity_member - (Optional, Default = empty) - (String) - The Grid member that performs DNS integrity checks for this zone.

  • use_external_primary - (Optional, Default = false) - (Bool) - Determines whether the zone must use external primary name servers (if it is a secondary zone). If this value is changed from true to false, you must remove any external primaries that you defined previously.

  • external_primaries - (Optional, Default = empty) - ([]struct) - The primary preference list with Grid member names and/or External Server structs for this member.

  • external_secondaries - (Optional, default = empty) - ([]struct) - The list of external secondary servers.

  • grid_primary - (Optional, default = empty) - ([]struct) - The grid primary servers for this zone.

  • grid_secondaries - (Optional, default = empty) - ([]struct) - The list with Grid members that are secondary servers for this zone.

  • locked - (Optional, Default = false) - (Bool) - If you enable this flag, other administrators cannot make conflicting changes. This is for administration purposes only. The zone will continue to serve DNS data even when it is locked.

  • locked_by - (Optional, Default = empty) - (String) - The name of a superuser or the administrator who locked this zone (read-only).

  • network_view - (Computed) - (String) - The name of the network view in which this zone resides (read-only).

  • ns_group - (Optional, Computed) - (String) - The name server group that serves DNS for this zone.

  • soa_serial_number - (Optional, Computed) - (Int) - The SOA serial number to be used in conjunction with set_soa_serial_number (read-only).

  • soa_default_ttl - (Optional, Default = empty) - (Int) - The Time to Live (TTL) value of the SOA record of this zone. This value is the number of seconds that data is cached.

  • soa_negative_ttl - (Optional, Default = empty) - (Int) - The negative Time to Live (TTL) value of the SOA of the zone indicates how long a secondary server can cache data for “Does Not Respond” responses.

  • soa_refresh - (Optional, Default = empty) - (Int) - This indicates the interval at which a secondary server sends a message to the primary server for a zone to check that its data is current, and retrieve fresh data if it is not.

  • soa_retry - (Optional, Default = empty) - (Int) - This indicates how long a secondary server must wait before attempting to recontact the primary server after a connection failure between the two servers occurs.

  • soa_expire - (Optional, Default = 4 weeks) - (Int) - This setting defines the amount of time, in seconds, after which the secondary server stops giving out answers about the zone because the zone data is too old to be useful. The default is four weeks.

  • copy_xfer_to_notify - (Optional, Default = false) - (Bool) - If this flag is set to True, the allowed IPs from Allow Transfer are copied to Also Notify. Requires use_copy_xfer_to_notify to be set to true.

  • use_copy_xfer_to_notify - (Optional, Default = false) - (Bool) - Use flag for: copy_xfer_to_notify.

  • use_check_names_policy - (Optional, Default = false) - (Bool) - Apply policy to dynamic updates and inbound zone transfers (This value applies only if the host name restriction policy is set to “Strict Hostname Checking”.)

  • allow_update - (Optional, Default = empty) - ([]struct) - Determines whether dynamic DNS updates are allowed from a named ACL, or from a list of IPv4/IPv6 addresses, networks and TSIG keys for the hosts. A list of 'addressac' and/or 'tsigac' structs:

    • addressac:
      • address - (String) - The address this rule applies to, or “Any”.
      • permission - (String) - The permission to use for this address. Allowed values: ALLOW or DENY.
    • tsigac:
      • tsig_key - (Optional, Default = empty) - (String) - A generated TSIG key. If the external primary server is a NIOS appliance running DNS One 2.x code, this can be set to :2xCOMPAT.
      • tsig_key_alg - (Optional, Default = "HMAC-MD5") - (String) - The TSIG key algorithm. Accepted values are "HMAC-MD5" or "HMAC-SHA256".
      • tsig_key_name - (Optional, Default = empty) - (String) - The name of the TSIG key. If 2.x TSIG compatibility is used, this is set to ‘tsig_xfer’ on retrieval, and ignored on insert or update.
      • use_tsig_key_name - (Optional, Default = false) - (Bool) - Use flag for: "tsig_key_name".
  • allow_transfer - (Optional, Default = empty) - ([]struct) - Determines whether zone transfers are allowed from a named ACL, or from a list of IPv4/IPv6 addresses, networks and TSIG keys for the hosts. A list of 'addressac' and/or 'tsigac' structs:

    • addressac:
      • address - (String) - The address this rule applies to, or “Any”.
      • permission - (String) - The permission to use for this address. Allowed values: ALLOW or DENY.
    • tsigac:
      • tsig_key - (Optional, Default = empty) - (String) - A generated TSIG key. If the external primary server is a NIOS appliance running DNS One 2.x code, this can be set to :2xCOMPAT.
      • tsig_key_alg - (Optional, Default = "HMAC-MD5") - (String) - The TSIG key algorithm. Accepted values are "HMAC-MD5" or "HMAC-SHA256".
      • tsig_key_name - (Optional, Default = empty) - (String) - The name of the TSIG key. If 2.x TSIG compatibility is used, this is set to ‘tsig_xfer’ on retrieval, and ignored on insert or update.
      • use_tsig_key_name - (Optional, Default = false) - (Bool) - Use flag for: "tsig_key_name".
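The allow_update and allow_transfer lists above are where a zone is most easily left open. As an added example (not part of the provider or this wiki), the following Python audits one such list, mirrored from the HCL structs as dicts, for an ALLOW entry with address “Any”, a TSIG entry left on the HMAC-MD5 default algorithm, and an undersized TSIG secret; the 16-byte floor and the severity labels are this example's own assumptions, not Infoblox rules.

```python
# Audit Infoblox zone ACLs (allow_update / allow_transfer) for weak settings.
# Added example, not provider code. Entries mirror the page's HCL structs as
# dicts; MIN_KEY_BYTES and the severity labels are this example's assumptions.
import base64
import binascii

MIN_KEY_BYTES = 16  # assumed floor for a TSIG secret; shorter keys are flagged


def audit_acl(name, entries):
    """Return (severity, message) findings for one ACL list, in entry order."""
    findings = []
    for i, e in enumerate(entries):
        where = f"{name}[{i}]"
        kind = e.get("_struct") or e.get("type")  # both tags appear on this page
        if kind == "addressac":
            addr, perm = e.get("address", ""), e.get("permission", "")
            if perm not in ("ALLOW", "DENY"):
                findings.append(("error", f"{where}: permission {perm!r} is not ALLOW or DENY"))
            if addr.lower() == "any" and perm == "ALLOW":
                findings.append(("high", f"{where}: ALLOW from Any opens {name} to every host"))
        elif kind == "tsigac":
            alg = e.get("tsig_key_alg", "HMAC-MD5")  # documented default when omitted
            if alg == "HMAC-MD5":
                findings.append(("medium", f"{where}: TSIG algorithm HMAC-MD5; prefer HMAC-SHA256"))
            try:
                raw = base64.b64decode(e.get("tsig_key", ""), validate=True)
            except binascii.Error:
                raw = b""  # not valid base64: treat as an empty (unusable) secret
            if len(raw) < MIN_KEY_BYTES:
                findings.append(("medium", f"{where}: TSIG key is {len(raw)} bytes, under {MIN_KEY_BYTES}"))
        else:
            findings.append(("error", f"{where}: unknown struct {kind!r}"))
    return findings


# Constructed from the forward zone example above; expected to produce no findings.
FORWARD_ALLOW_UPDATE = [
    {"_struct": "addressac", "address": "192.168.234.11", "permission": "DENY"},
    {"_struct": "tsigac", "tsig_key": "0jnu3SdsMvzzlmTDPYTceA==", "tsig_key_alg": "HMAC-SHA256",
     "tsig_key_name": "abc.key", "use_tsig_key_name": True},
    {"_struct": "addressac", "address": "192.168.101.11", "permission": "ALLOW"},
    {"_struct": "addressac", "address": "192.168.111.10", "permission": "ALLOW"},
]
# Constructed weak variant: wide-open ALLOW plus a 5-byte key on the default algorithm.
WEAK_ALLOW_UPDATE = [
    {"type": "addressac", "address": "Any", "permission": "ALLOW"},
    {"type": "tsigac", "tsig_key": "c2hvcnQ=", "tsig_key_name": "weak.key"},
]
```

Run audit_acl over each zone's allow_update and allow_transfer list before applying a plan; the constructed weak list yields one high and two medium findings, the page's forward zone none.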

Notes on DDNS updates:

If you want to use HMAC-SHA256, be aware that support for TSIG keys signed using HMAC-SHA256 was only added in dhcpd version 4.2.8, and CentOS 7 only ships 4.2.5 (see https://kb.isc.org/article/AA-01243/0/DHCP-4.2.8b1-Release-Notes.html), so I would suggest using the latest Ubuntu for the DHCP server. The following example dhcpd.conf works when updating an Infoblox DNS zone:

default-lease-time 600;
max-lease-time 7200;

ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;

log-facility local7;

zone <ZONE>. {
  primary <PRIMARY_DNS_SERVER>;
  key <KEY_NAME>;
}

subnet 192.168.X.0 netmask 255.255.255.0 {
  range 192.168.X.20 192.168.X.30;
  option domain-name-servers <DNS SERVER>;
  option domain-name "<ZONE>";
  option routers 192.168.X.1;
  option broadcast-address 192.168.X.255;
  default-lease-time 600;
  max-lease-time 7200;
}

key <KEY_NAME> {
  algorithm HMAC-SHA256;
  secret "<KEY>";
};