and we have a bunch

roles/dns/files/named.conf.data-analysis01.phx2.fedoraproject.org

@@ -0,0 +1,228 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 { 127.0.0.1; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	allow-query     { localhost; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "/etc/named.iscdlv.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+zone "phx2.fedoraproject.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "arm.fedoraproject.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "ppc.fedoraproject.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "cloud.fedoraproject.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "mgmt.fedoraproject.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "vpn.fedoraproject.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "fedoraproject.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "getfedora.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "fedorainfracloud.org" IN {
+     type forward;
+     forward only;
+     fowarders { 10.5.126.21; 10.5.126.22; };
+};
+
+
+zone "78.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "79.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "124.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "125.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "126.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "127.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "128.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "129.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "130.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "131.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "168.192.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.126.21; 10.5.126.22; };
+};
+
+zone "redhat.com" {
+     type forward;
+     forward only;
+     forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+zone "88.5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+zone "4.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+zone "5.10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+zone "10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+zone "10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+zone "10.in-addr.arpa" {
+      type forward;
+      forward only;
+      forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+zone "186.132.209.in-addr.arpa." {
+      type forward;
+      forward only;
+      forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+

roles/dns/files/named.conf.data-analysis01.phx2.fedoraproject.org.~1~

@@ -0,0 +1,90 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 { 127.0.0.1; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	allow-query     { localhost; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "/etc/named.iscdlv.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+zone "phx2.fedoraproject.org" IN {
+      type forward;
+      fowarders {
+	10.5.126.21;
+        10.5.126.22;
+      };
+};
+
+zone "vpn.fedoraproject.org" IN {
+      type forward;
+      fowarders {
+        10.5.126.21;
+        10.5.126.22;
+      };
+};
+
+zone "fedoraproject.org" IN {
+      type forward;
+      fowarders {
+        10.5.126.21;
+        10.5.126.22;
+      };
+};
+
+zone "redhat.com" {
+     type forward;
+     forward only;
+     forwarders { 10.5.26.20; 10.5.26.21; };
+};
+
+
+
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+