Add per-zone allow_transfer for primary zones

magior · magior · commit 20d60098ea87 · 2026-03-17T21:46:55.000+01:00
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -2472,6 +2472,16 @@ bind::zone::primary { 'example.com':
 }
 ```
 
+##### Restrict zone transfers for a primary zone
+
+```puppet
+
+bind::zone::primary { 'example.com':
+  source         => 'puppet:///modules/profile/example.com.zone',
+  allow_transfer => ['192.0.2.42'],
+}
+```
+
 ##### Use DNSSEC signing for a primary zone using a DNSSEC policy
 
 ```puppet
@@ -2499,6 +2509,7 @@ bind::zone::primary { '_acme-challenge.example.com':
 The following parameters are available in the `bind::zone::primary` defined type:
 
 * [`also_notify`](#-bind--zone--primary--also_notify)
+* [`allow_transfer`](#-bind--zone--primary--allow_transfer)
 * [`update_policy`](#-bind--zone--primary--update_policy)
 * [`dnssec_enable`](#-bind--zone--primary--dnssec_enable)
 * [`dnssec_dnskey_kskonly`](#-bind--zone--primary--dnssec_dnskey_kskonly)
@@ -2530,6 +2541,15 @@ nameservers that are listed in the zone file.
 
 Default value: `[]`
 
+##### <a name="-bind--zone--primary--allow_transfer"></a>`allow_transfer`
+
+Data type: `Array[String]`
+
+An array of ACL names or networks that are allowed to transfer zone
+information for this zone.
+
+Default value: `[]`
+
 ##### <a name="-bind--zone--primary--update_policy"></a>`update_policy`
 
 Data type: `Variant[Enum['local'],Array[String]]`
@@ -3372,4 +3392,3 @@ Alias of `Enum['critical', 'error', 'warning', 'notice', 'info', 'debug', 'dynam
 Type to match allowed values for the zone class
 
 Alias of `Enum['IN', 'HS', 'CH']`
-
diff --git a/manifests/zone/primary.pp b/manifests/zone/primary.pp
@@ -13,6 +13,13 @@
 #     source => 'puppet:///modules/profile/example.com.zone',
 #   }
 #
+# @example Restrict zone transfers for a primary zone
+#
+#   bind::zone::primary { 'example.com':
+#     source         => 'puppet:///modules/profile/example.com.zone',
+#     allow_transfer => ['192.0.2.42'],
+#   }
+#
 # @example Use DNSSEC signing for a primary zone using a DNSSEC policy
 #
 #   bind::zone::primary { 'example.com':
@@ -33,6 +40,10 @@
 #   Secondary servers that should be notified in addition to the
 #   nameservers that are listed in the zone file.
 #
+# @param allow_transfer
+#   An array of ACL names or networks that are allowed to transfer zone
+#   information for this zone.
+#
 # @param update_policy
 #   Enable dynamic updates for the zone and define the update policy. This
 #   can either be the string `local` or an array of strings. Using the string
@@ -124,6 +135,7 @@
 #
 define bind::zone::primary (
   Array[String]                        $also_notify               = [],
+  Array[String]                        $allow_transfer            = [],
   Variant[Enum['local'],Array[String]] $update_policy             = [],
   Optional[Boolean]                    $dnssec_enable             = undef,
   Optional[Boolean]                    $dnssec_dnskey_kskonly     = undef,
@@ -257,17 +269,18 @@
   }
 
   $params = {
-    'zone'          => $zone,
-    'file'          => $zonefile,
-    'also_notify'   => $also_notify,
-    'notify'        => $notify_secondaries,
-    'statistics'    => $zone_statistics,
-    'update_policy' => $update_policy,
-    'class'         => $class,
-    'comment'       => $comment,
-    'indent'        => bool2str($bind::views_enable, '  ', ''),
-    'zone_in_view'  => ($view =~ NotUndef),
-    'dnssec_params' => !empty(delete_undef_values($params_dnssec)),
+    'zone'           => $zone,
+    'file'           => $zonefile,
+    'also_notify'    => $also_notify,
+    'allow_transfer' => $allow_transfer,
+    'notify'         => $notify_secondaries,
+    'statistics'     => $zone_statistics,
+    'update_policy'  => $update_policy,
+    'class'          => $class,
+    'comment'        => $comment,
+    'indent'         => bool2str($bind::views_enable, '  ', ''),
+    'zone_in_view'   => ($view =~ NotUndef),
+    'dnssec_params'  => !empty(delete_undef_values($params_dnssec)),
   }
 
   if $bind::views_enable {
diff --git a/spec/defines/zone/primary_spec.rb b/spec/defines/zone/primary_spec.rb
@@ -375,6 +375,44 @@
         }
       end
 
+      context 'with source => "/file", allow_transfer => ["any"]' do
+        let(:params) do
+          { source: '/file', allow_transfer: ['any'] }
+        end
+
+        it {
+          is_expected.to contain_file('/var/lib/bind/primary/com')
+          is_expected.to contain_file('/var/lib/bind/primary/com/example')
+          is_expected.to contain_file('/var/lib/bind/primary/com/example/db.example.com')
+
+          is_expected.to contain_exec('bind::reload::example.com')
+
+          is_expected.to contain_concat__fragment('named.conf.zones-example.com')
+            .with_target('named.conf.zones')
+            .with_order('20')
+            .with_content(%r{allow-transfer {\n\s+any;\n\s+};})
+        }
+      end
+
+      context 'with source => "/file", allow_transfer => ["acl1", "192.0.2.42"]' do
+        let(:params) do
+          { source: '/file', allow_transfer: ['acl1', '192.0.2.42'] }
+        end
+
+        it {
+          is_expected.to contain_file('/var/lib/bind/primary/com')
+          is_expected.to contain_file('/var/lib/bind/primary/com/example')
+          is_expected.to contain_file('/var/lib/bind/primary/com/example/db.example.com')
+
+          is_expected.to contain_exec('bind::reload::example.com')
+
+          is_expected.to contain_concat__fragment('named.conf.zones-example.com')
+            .with_target('named.conf.zones')
+            .with_order('20')
+            .with_content(%r{allow-transfer {\n\s+acl1;\n\s+192.0.2.42;\n\s+};})
+        }
+      end
+
       context 'with source => "/file", zone_statistics => true' do
         let(:params) do
           { source: '/file', zone_statistics: true }
@@ -815,6 +853,25 @@
         }
       end
 
+      context 'with view => "internal", source => "/file", allow_transfer => ["any"]' do
+        let(:params) do
+          { view: 'internal', source: '/file', allow_transfer: ['any'] }
+        end
+
+        it {
+          is_expected.to contain_file('/var/lib/bind/primary/com')
+          is_expected.to contain_file('/var/lib/bind/primary/com/example')
+          is_expected.to contain_file('/var/lib/bind/primary/com/example/db.example.com')
+
+          is_expected.to contain_exec('bind::reload::internal::example.com')
+
+          is_expected.to contain_concat__fragment('named.conf.views-internal-50-example.com')
+            .with_target('named.conf.views')
+            .with_order('10')
+            .with_content(%r{allow-transfer {\n  \s+any;\n  \s+};})
+        }
+      end
+
       context 'with view => "internal", source => "/file", zone_statistics => true' do
         let(:params) do
           { view: 'internal', source: '/file', zone_statistics: true }
diff --git a/templates/zone-primary.epp b/templates/zone-primary.epp
@@ -29,6 +29,14 @@
 <% } -%>
 <%= $indent %>  };
 <% } -%>
+<% unless empty($allow_transfer) { -%>
+
+<%= $indent %>  allow-transfer {
+<% $allow_transfer.each |$item| { -%>
+<%= $indent %>    <%= $item -%>;
+<% } -%>
+<%= $indent %>  };
+<% } -%>
 <% if $dnssec_params { -%>
 
 <% if $dnssec_enable =~ NotUndef { -%>
