Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
- Puppet >= 5.5.8 < 7.0.0
- , , , , , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'puppet-unbound', '2.7.0'
Learn more about managing modules with a PuppetfileDocumentation
Puppet powered DNS with Unbound
A puppet module for the Unbound caching resolver.
Supported Platforms
- Debian
- FreeBSD
- OpenBSD
- OS X (macports)
- RHEL clones (with EPEL)
- openSUSE (local repo or obs://server:dns)
Requirements
To use this module, you must be running at least Puppet 4.4. If you are on an older version of Puppet, please use a 1.x version of this module.
To use this module, you must install the puppetlabs/concat
and
puppetlabs/stdlib
modules, either from the forge using puppet module install
, or ensuring the following lines are present in your Puppetfile for an
R10k deployment.
mod 'concat', :git => 'git://github.com/puppetlabs/puppetlabs-concat.git'
mod 'stdlib', :git => 'git://github.com/puppetlabs/puppetlabs-stdlib.git'
Usage
Server Setup
At minimum you should setup the interfaces to listen on and allow access to a few subnets. This will tell unbound which interfaces to listen on, and which networks to allow queries from.
class { "unbound":
interface => ["::0","0.0.0.0"],
access => ["10.0.0.0/20","::1"],
}
Or, using hiera
unbound::interface:
- '::0'
- '0.0.0.0'
unbound::access:
- '10.0.0.0/20'
- '::1'
Stub Zones
These are zones for which you have an authoritative name server and want to direct queries.
unbound::stub { "lan.example.com":
address => '10.0.0.10',
insecure => true,
}
unbound::stub { "0.0.10.in-addr.arpa.":
address => '10.0.0.10',
insecure => true,
}
# port can be specified
unbound::stub { "0.0.10.in-addr.arpa.":
address => '10.0.0.10@10053',
insecure => true,
}
# address can be an array.
# in the following case, generated conf would be as follows:
#
# stub-host: ns1.example.com
# stub-addr: 10.0.0.10@10053
# stub-host: ns2.example.com
#
# note that conf will be generated in the same order provided.
unbound::stub { "10.0.10.in-addr.arpa.":
address => [ 'ns1.example.com', '10.0.0.10@10053', 'ns2.example.com' ],
}
Or, using hiera
unbound::stub:
'10.0.10.in-addr.arpa.':
address:
- 'ns1.example.com'
- '10.0.0.10@10053'
- 'ns2.example.com'
Unless you have DNSSEC for your private zones, they are considered insecure,
noted by insecure => true
.
Static DNS records
For overriding DNS record in zone.
unbound::record { 'test.example.tld':
type => 'A',
content => '10.0.0.1',
ttl => '14400',
}
Or, using hiera
unbound::record:
'test.example.tld':
type: 'A'
content: '10.0.0.1'
ttl: '14400'
Forward Zones
Setup a forward zone with a list of address from which you should resolve queries. You can configure a forward zone with something like the following:
unbound::forward { '.':
address => [
'8.8.8.8',
'8.8.4.4'
]
}
Or, using hiera
unbound::forward:
'.':
address:
- '8.8.8.8'
- '8.8.4.4'
This means that your server will use the Google DNS servers for any zones that it doesn't know how to reach and cache the result.
Domain Insecure
Sets domain name to be insecure, DNSSEC chain of trust is ignored towards the domain name. So a trust anchor above the domain name can not make the domain secure with a DS record, such a DS record is then ignored. Also keys from DLV are ignored for the domain. Can be given multiple times to specify multiple domains that are treated as if unsigned. If you set trust anchors for the domain they override this setting (and the domain is secured).
class {'unbound:'
domain_insecure => ['example.com', example.org']
}
Or, using hiera
unbound::domain_insecure:
- example.com
- example.org
Local Zones
Configure a local zone. The type determines the answer to give if there is no match from local-data. The types are deny, refuse, static, transparent, redirect, nodefault, typetranspar- ent, inform, inform_deny, always_transparent, always_refuse, always_nxdomain. See local-zone in the unbound documentation for more information. You can configure a local-zone with something like the following.
class {'unbound:'
local_zone => { '10.0.10.in-addr.arpa.' => 'nodefault'}
}
Or, using unbound::localzone
unbound::localzone { '10.0.10.in-addr.arpa.':
type => 'nodefault'
}
Or, using hiera
unbound::local_zone:
10.0.10.in-addr.arpa.: nodefault
11.0.10.in-addr.arpa.: nodefault
Fine grain access-control
class { "unbound":
interface => ["::0","0.0.0.0"],
access => ["10.0.0.0/20", "10.0.0.5/32 reject", "::1 allow_snoop"],
}
The access option allows to pass the action for each subnets, if the action is not provided we assume it’s 'allow'.
Adding arbitrary unbound configuration parameters
class { "unbound":
interface => ["::0","0.0.0.0"],
access => ["10.0.0.0/20","::1"],
custom_server_conf => [ 'include: "/etc/unbound/conf.d/*.conf"' ],
}
The custom_server_conf option allows the addition of arbitrary configuration parameters to your server configuration. It expects an array, and each element gets added to the configuration file on a separate line. In the example above, we instruct Unbound to load other configuration files from a subdirectory.
Remote Control
The Unbound remote controls the use of the unbound-control utility to issue commands to the Unbound daemon process.
class { "unbound::remote":
enable => true,
}
On some platforms this is needed to function correctly for things like service reloads.
Skipping hints download
In the case you're only building a caching forwarder and don't do iterative lookups you might not want to download the hints file containing the root nameservers because you don't need it, or you also might not be able to download it anyway because your server is firewalled which would cause the module would hang on trying to download the hints file. To skip the download set the skip_roothints_download parameter to true.
class { "unbound":
skip_roothints_download => true,
}
More information
You can find more information about Unbound and its configuration items at unbound.net.
Contribute
Please help me make this module awesome! Send pull requests and file issues.
Changelog
All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v2.7.0 (2020-04-21)
Implemented enhancements:
Merged pull requests:
v2.6.0 (2020-02-12)
Implemented enhancements:
- Purge unmanaged configuration files #225 (findmyname666)
Closed issues:
- Fix installation on Debian distribution - e.g. unbound option auto-trust-anchor-file is provided two times #223
- commit 5868593634371290ad013e4a3005f25cb8d7e1fe broke the module for me #221
- add ability to define/generate local-data + override local-zone template #215
unbound_version
fact needs a test #207- unbound-checkconf fails on first-time configuration (pid dir is missing) #188
- fatal error: auto-trust-anchor-file: "/var/lib/unbound/root.key" does not exist in chrootdir /etc/unbound #134
- Modifying forward config file location #129
- set permissions/ownership on configuration directories? #65
Merged pull requests:
- Update CHANGELOG.md, based on command bundle exec rake changelog #227 (dhoppe)
- ignore lint: quote boolean values have been [i belive] supported for … #226 (b4ldr)
- Add test for unbound::stub #222 (xaque208)
- validate_unbond_addr: replace functionality with a custom type #220 (b4ldr)
2.5.0 (2019-12-28)
Closed issues:
- Debian: module change ownership of directory /run to unbound #208
- version 2.4.3 breaks the configfile for tls-upstream on CentOS 7 #199
- Wrong quoting for local-data TXT records #196
- neg-cache-size is not specifiable #115
Merged pull requests:
- Add functionality to render local data and override local-zone template: #216 (findmyname666)
- update type typo #214 (dsoltero)
- update variable typos #213 (dsoltero)
- unbound_version: add spec tests to the unbound_version fact #212 (b4ldr)
- Fix facter regex #211 (xaque208)
- stop managing system directories like /run #210 (tequeter)
- Service #206 (xaque208)
- Fix neg-cache-size in unbound.conf #205 (cohoe)
- Add service control and package ensure parameters #204 (cohoe)
- Fix typo #203 (cure)
- beaker: fix beaker #201 (b4ldr)
- Issue 199: add version checking for ssl/tls parameters #200 (b4ldr)
- Set harden-referral-path to false by default. #198 (jensalmer)
2.4.3 (2019-04-22)
Merged pull requests:
- Update from xaque208 modulesync_config #195 (xaque208)
- Support TLS #193 (xaque208)
- Update from xaque208 modulesync_config #191 (xaque208)
2.4.2 (2019-03-04)
2.4.1 (2019-03-04)
Merged pull requests:
2.4.0 (2018-12-22)
Closed issues:
- Add SmartOS support #184
- Binding to 0.0.0.0 is a bad practice #183
- pid dir permissions could cause problems #180
- Unable to call unbound::local_zone class anymore #177
- interface changes don't take affect #166
- Add support for python-scipt #140
- Should add support for ssl-upstream config option #138
Merged pull requests:
- Add SmartOS support #184 #187 (joelgarboden)
- Fix module-config #186 (silkeh)
- Change default interface value #185 (xaque208)
- Restore unbound::local_zone function #182 (jlutran)
- Change default values for harden_short_bufsize & harden_large_queries #181 (jlutran)
- add module_config #176 (b4ldr)
2.3.2 (2018-06-03)
Merged pull requests:
- Update from xaque208 modulesync_config #178 (xaque208)
- add method to restart unbound on interface change #170 (b4ldr)
2.3.1 (2018-05-31)
Merged pull requests:
2.3.0 (2018-05-31)
Merged pull requests:
2.2.0-ICANN1 (2018-05-30)
Closed issues:
2.2.0 (2018-05-21)
Merged pull requests:
- Fix regressions #169 (fklajn)
- Set unbound pidfile for 6.3 #167 (xaque208)
- Update from xaque208 modulesync_config #165 (xaque208)
- Include .sync.yml for lost beaker tests #164 (xaque208)
- Update from xaque208 modulesync_config #163 (xaque208)
- Allow to set parameter forward-ssl-upstream for forward zones in #161 (buzzdeee)
- Update to hiera v5 #160 (jlutran)
- Allow forward-host option #159 (xaque208)
- acceptance testing #158 (b4ldr)
2.1.0 (2018-02-26)
Closed issues:
- Add option to allow unbound to log to file instead of syslog #146
- Options not found #145
- Should support the unbound port on FreeBSD #126
- New features are not documented #37
Merged pull requests:
- 138 tls options #156 (b4ldr)
- add log options #155 (b4ldr)
- add local_zone and domain_insecure parameters #153 (b4ldr)
- Added option to allow unbound to log to file instead of syslog #147 (enemarke)
- modulesync 2017-05-03 #139 (xaque208)
- Add test for the interface selection #137 (xaque208)
- Validation requires the anchor file is present #136 (xaque208)
2.0.0 (2016-10-28)
Closed issues:
- Should handle local unbound on FreeBSD with more grace #125
Merged pull requests:
1.3.6 (2016-07-12)
Closed issues:
- invalid parameter target #128
Merged pull requests:
- Remove dependency cycle when skip_roothints_download is true #131 (drt24)
- Set hints permissions after download #130 (claytono)
- White space fix for puppet-lint #127 (mld)
- Add ability to set cache settings as parameters #124 (jaxxstorm)
1.3.5 (2016-06-06)
Closed issues:
- harden-dnssec-stripped parameter is not controlled #108
Merged pull requests:
- Fix template variable reference #123 (xaque208)
- booleans: allow to actually toggle the booleans #122 (igalic)
1.3.4 (2016-04-14)
Merged pull requests:
1.3.3 (2016-04-09)
Merged pull requests:
- Default behavior for unbound::remote isn't well documented #120 (cPanelScott)
1.3.2 (2016-04-04)
Merged pull requests:
1.3.1 (2016-04-01)
Merged pull requests:
1.3.0 (2016-04-01)
Closed issues:
- hiera example is not documented #110
Merged pull requests:
1.2.2 (2016-02-22)
Closed issues:
- unable to load puppet_x/unbound/validate_addrs (on puppetserver) #105
Merged pull requests:
- Convert config_file to a definition parameter #114 (sbadia)
- Added missing option in the configuration: so_sndbuf #113 (marknl)
- using https to download named.root #112 (mmckinst)
- Add hiera support for define resources #111 (Rocco83)
- Allow to pass action with $access #109 (sileht)
1.2.1 (2015-12-19)
Closed issues:
Merged pull requests:
- Use the relative path for loading puppet_x #107 (xaque208)
- Add feature skip_roothints_download #106 (mrdima)
1.2.0 (2015-07-29)
Merged pull requests:
- Begin replacing unbound::stub address validation #104 (xaque208)
- Exec calls should have a full path. #72 (robbat2)
1.1.8 (2015-07-28)
Closed issues:
- Wrong unbound-checkconf path for Centos and Scientific 6 #99
Merged pull requests:
1.1.7 (2015-07-22)
Merged pull requests:
- Set correct checkconf on EL platforms #100 (xaque208)
- Multiple addressess/hosts for stub zones #98 (rswarts)
- Freebsd 10 #97 (b4ldr)
- Change scope of params #96 (b4ldr)
1.1.6-ICANN-3 (2015-07-03)
1.1.6-ICANN-2 (2015-07-03)
1.1.6-ICANN (2015-07-03)
Closed issues:
- We should manage the permissions of /var/unbound/etc so that the root.key can be written by the unbound user. #32
1.1.6 (2015-06-29)
Closed issues:
- Concat 2.x deletion #92
- Missing support for hide_identity/hide_version #90
- Default interfaces on multi-homed servers #12
Merged pull requests:
- stub: local-zones have multiple types; allow type to be overwritten #94 (kmullin)
- Bring back hide_version and hide_identity #93 (kmullin)
- default port 8953 for remote-control #91 (ghost)
- add forward-first option for forward zones. #87 (RyanFolsom)
1.1.5 (2015-06-03)
1.1.4 (2015-05-29)
Closed issues:
Merged pull requests:
- Some light fixes after recent merge #89 (xaque208)
- stub-zone could be specified with either ip or hostname #88 (ghost)
- Pin repo versions to aim for determinism #85 (xaque208)
- restart unbound without starting and stoping the daemon #84 (f0)
- Fix broken commit #82 (xaque208)
- Use the master branches status as build indicator #81 (xaque208)
- RedHat does not install wget by default, but curl is available #79 (robinbowes)
- Set correct runtime dir #78 (robinbowes)
- Make it work with strict variables #77 (robinbowes)
- Use str2bool so always-string data from hiera can still be used as if it... #75 (rswarts)
- Begin spec testing #74 (xaque208)
- Ensure local-zone is always under server. #71 (robbat2)
- Updates to trust anchoring #67 (b4ldr)
1.0.0-ICANN (2015-02-05)
Merged pull requests:
- create directory before exec #68 (f3rr)
- Run unbound-control-setup, in order to create the certificates #66 (buzzdeee)
- Add custom_server_conf configuration option #64 (cure)
- Some minor adjustments for OpenBSD 5.6 #63 (xaque208)
1.1.3 (2014-10-19)
1.1.2 (2014-10-18)
1.1.1 (2014-10-18)
Closed issues:
- Make a new puppetforge release? #55
Merged pull requests:
- Roll some blacksmith using the skeleton data #61 (xaque208)
- Clean up some newline issues #59 (xaque208)
- Fix syntax error in templates/forward.erb #57 (cure)
- add metadata.json (before new release) #56 (igalic)
- rebase of pull 44 #54 (b4ldr)
- make unbound module future parser compatible #53 (buzzdeee)
- Add support for OpenBSD 5.6 and future, #52 (buzzdeee)
- Update dependency to puppetlabs/concat in Readme.md #51 (buzzdeee)
- add hide_identity and hide_version parameters, and update the #50 (buzzdeee)
- OpenBSD has ftp and not fetch to retrieve files. #49 (buzzdeee)
1.1.0 (2014-08-27)
Merged pull requests:
- Update test files to pass lint #48 (xaque208)
- OS specific client to fetch root hints and edns buffer size option #45 (b4ldr)
- Add support for the prefetch-key option. #43 (daenney)
- Allow forwarding reverse DNS queries for the default local zones. #42 (dsolsona)
- Change concat module dependency. #41 (cure)
- Add control over tcp-upstream #39 (inkblot)
- Adding extra options for optimizing unbound #38 (dsolsona)
1.0.0 (2014-01-11)
Closed issues:
- extraneous comma in forward.pp #17
Merged pull requests:
- Add syntax highlighting for documentation #36 (igalic)
- unbound header is out of order with concat setup #35 (igalic)
- using "name" as parameter in types makes life difficult #34 (igalic)
- enable simple creation of reverse entries #33 (igalic)
- (maint) Add Travis CI testing #31 (xaque208)
- use correct owner variable #30 (mmoll)
- (maint) Change parameter names and cleanup #29 (xaque208)
0.0.5 (2013-12-13)
0.0.4 (2013-12-12)
Closed issues:
Merged pull requests:
- (maint) Add OpenBSD support #27 (xaque208)
- (maint) Mostly pass lint #26 (xaque208)
- Make sure unbound can read the root.hints file #25 (michakrause)
- fix typo in template #24 (mbakke)
- Add option to enable extended statistics #23 (bisscuitt)
- Adding change so make usage of ipv4 and ipv6 explicit if need be. Both ... #22 (jrodriguezjr)
- Adding change so make usage of ipv4 and ipv6 explicit. Both are enabled... #20 (jrodriguezjr)
- Removed call to concat::setup as concat module has made this private #19 (growse)
- Fix template variables by prefixing @ #18 (dkerwin)
- Add ability to specify port which unbound listens on #16 (growse)
- Fix typos in config file template for infra-host-ttl #13 (nicwaller)
- Added infra-host-ttl option #10 (rlex)
- Automatically install and configure DNS root hints #9 (nicwaller)
- Added notes about concat dependency #8 (nicwaller)
0.0.3 (2013-04-22)
Merged pull requests:
0.0.2 (2012-11-16)
0.0.1 (2012-03-25)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/concat (>= 4.1.0 < 7.0.0)
- puppetlabs/stdlib (>= 4.25.0 < 7.0.0)
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS Copyright 2013 Puppet Labs Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.