dns: Changed approach for DNSSEC signing to inline-signing

- Moved keys into own directory
- Replaced makefile per zone by makefile for all zones
  - Only combining of zone files and setting serial number
  - signing now made by bind
- Added AppArmor profile extension for creating dynamic zone files
dehydrated
Felix Stupp 4 years ago
parent 274f658016
commit 025f77736a
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -6,4 +6,11 @@ options_configuration: "{{ configuration_directory }}/named.conf.options"
zones_configuration: "{{ configuration_directory }}/named.conf.local"
zones_directory: "{{ configuration_directory }}/zones"
zones_environment_directory: "{{ global_configuration_environment_directory }}/dns-zones"
# zones_environment_directory from dns/handlers
zones_environment_link_name: "conf"
zones_environment_link: "{{ zones_environment_directory }}/{{ zones_environment_link_name }}"
zones_environment_database_name: "zone.db"
apparmor_profile_name: "usr.sbin.named"
apparmor_profile: "{{ global_apparmor_profiles_directory }}/{{ apparmor_profile_name }}"
apparmor_profile_local: "{{ global_apparmor_profiles_local_directory }}/{{ apparmor_profile_name }}"
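Review bot: The comment `# zones_environment_directory from dns/handlers` above the new keys looks stale after this commit: the zone role's meta now depends on `dns/master_handlers`, and the same variable is declared a second time in another defaults file in this commit, so the comment points at a role that no longer supplies it. I would reword it to `# zones_environment_directory is also declared by the handlers role; keep both definitions identical`, or drop one of the two declarations and let the role dependency provide the value. Whether the duplicated declaration lives in `dns/master_handlers` is inferred from the dependency change, not visible in the hunk.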

@ -0,0 +1,5 @@
---
- name: reload apparmor profile
command: "/usr/sbin/apparmor_parser -r {{ apparmor_profile }}"
notify: restart bind9

@ -17,6 +17,20 @@
- "{{ zones_directory }}"
- "{{ zones_environment_directory }}"
- name: Upload makefile to domain zones configuration environment
template:
src: zones.makefile
dest: "{{ zones_environment_directory }}/makefile"
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Create link in domain zone configuration environment
file:
state: link
src: "{{ zones_directory }}"
dest: "{{ zones_environment_link }}"
- name: Configure bind9 options
template:
src: named.conf.options
@ -26,6 +40,15 @@
mode: "u=rw,g=r,o=r"
notify: reload bind9
- name: Allow bind using apparmor to write zone files
template:
src: aa-profile.local
dest: "{{ apparmor_profile_local }}"
owner: root
group: root
mode: "u=rw,g=r,o="
notify: reload apparmor profile
- name: Enable bind9 service
systemd:
name: bind9
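Review bot: The AppArmor snippet templated to `apparmor_profile_local` in the second hunk only takes effect if the distribution's `usr.sbin.named` profile includes its `local/` counterpart; nothing in the play checks this, and `apparmor_parser -r` in the handler succeeds without loading the new rules, leaving named denied on the signed-zone writes it now needs. A comment on the task, `# relies on the base profile including local/{{ apparmor_profile_name }}; verify on the target distribution`, would at least make the assumption visible to whoever debugs a denial. Minor, in the first hunk: `mode: u=rw,g=r,o=r` on the makefile task is unquoted while the neighbouring tasks quote the same value; `mode: "u=rw,g=r,o=r"` keeps the file consistent.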

@ -0,0 +1,5 @@
{{ zones_directory }}/* rw,
{{ zones_directory }}/*/tmp-* rwk,
{{ zones_directory }}/*/zone.db.jbk rwk,
{{ zones_directory }}/*/zone.db.signed rwk,
{{ zones_directory }}/*/zone.db.signed.jnl rwk,
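Review bot: The last three rules hard-code `zone.db` although the file name is configurable through `zones_environment_database_name` (and `database_file` is built from it); changing that variable would leave these rules matching nothing, and named would be unable to write its signed copy and journal. Template the name instead: `{{ zones_directory }}/*/{{ zones_environment_database_name }}.jbk rwk,` and likewise for the `.signed` and `.signed.jnl` rules. The first rule grants `rw` on every direct entry of the zones directory; if it exists only so that named can rename `tmp-*` files into place inside a zone directory, confirm whether a read-only rule plus the per-zone patterns is enough, because as written it also lets named write any other file at that level.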

@ -0,0 +1,11 @@
dest:={{ zones_environment_link_name }}
dest_name:={{ zones_environment_database_name }}
zone_dirs:=$(wildcard *.*/)
zones:=$(zone_dirs:/=)
.PHONY: all
all: $(addprefix ${dest}/,$(addsuffix /${dest_name},${zones}))
${dest}/%/${dest_name}: %/*.db
cat $^ | sed '0,/^ 0$$/s// '"$$(($$(date +%s) / 60))"'/' > "$@";
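Review bot: The recipe's exit status is sed's, so a failing `cat` (unreadable or missing `.db` input) still leaves a truncated or empty `zone.db` that make then treats as up to date on the next run, and named will be reloaded on it. Dropping the pipe and deleting the target on error closes both gaps: `.DELETE_ON_ERROR:` before the rule and `sed '0,/^ 0$$/s// '"$$(($$(date +%s) / 60))"'/' $^ > "$@"` as the recipe (GNU sed treats several inputs as one stream unless `-s` is given, so the `0,` address still hits the first ` 0` line). The serial is minutes since the epoch, so two rebuilds inside one minute produce an identical serial; with inline signing named maintains the signed zone's serial itself, but the unchanged unsigned serial is worth confirming against how your BIND version handles a reload of the same serial.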

@ -0,0 +1,3 @@
---
zones_environment_directory: "{{ global_configuration_environment_directory }}/dns-zones"

@ -9,3 +9,8 @@
systemd:
name: bind9
state: reloaded
- name: rebuild dns zones
make:
chdir: "{{ zones_environment_directory }}"
notify: reload bind9
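Review bot: The `rebuild dns zones` handler runs `make` with no `target`, so it depends on `all` being the first rule in the uploaded zones makefile; `target: all` makes that explicit and survives a reordering of the makefile. The `zones_environment_directory` it changes into is declared twice in this commit — in the `@ -0,0 +1,3` hunk just above (presumably this role's defaults) and again in the dns role's defaults — so a later edit to one copy would silently rebuild in a directory other than the one the makefile was uploaded to. Keep a single definition, or put `# must match the dns role defaults` beside both.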

@ -4,14 +4,9 @@
domain_directory: "{{ zones_directory }}/{{ domain }}"
configuration_file: "{{ domain_directory }}/zone.conf"
database_file_name: "zone.db"
database_file: "{{ domain_directory }}/{{ database_file_name }}"
database_signed_file_name: "{{ database_file_name }}.signed"
database_signed_file: "{{ domain_directory }}/{{ database_signed_file_name }}"
database_file: "{{ domain_directory }}/{{ zones_environment_database_name }}"
keys_directory: "{{ domain_directory }}/keys"
domain_environment_directory: "{{ zones_environment_directory }}/{{ domain }}"
domain_environment_link_name: "conf"
domain_environment_link: "{{ domain_environment_directory }}/{{ domain_environment_link_name }}"
dnssec_algorithm: "RSASHA512"
dnssec_key_length: "4096"

@ -3,5 +3,4 @@
allow_duplicates: yes
dependencies:
- role: dns/master_handlers
- role: dns/application

@ -11,7 +11,7 @@
-b {{ dnssec_key_length | quote }}
-n ZONE {{ domain | quote }}
args:
chdir: "{{ domain_directory }}"
chdir: "{{ keys_directory }}"
- name: Generate zone signing key for zone {{ domain }}
command: >-
@ -21,6 +21,6 @@
-b {{ dnssec_key_length | quote }}
-n ZONE {{ domain | quote }}
args:
chdir: "{{ domain_directory }}"
chdir: "{{ keys_directory }}"
# TODO Copy public ZSK to localhost
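Review bot: With `key-directory` now pointing at `keys_directory`, named must be able to read the `.private` files that `dnssec-keygen` writes there, but the two hunks in this section only change `chdir`. If the tasks run as root (no `become_user` is visible), the private key files will be root-owned with the 0600 mode keygen uses by default — confirm on a target — while the directory is created `root:{{ dns_user }}` with `g=rx`, so signing would fail at runtime with a permission error rather than at deploy time. I would add a follow-up task after generation: a `find` of `K{{ domain }}.+*+*.private` in `keys_directory` looped into `file` with `group: "{{ dns_user }}"` and `mode: "u=rw,g=r,o="`, which keeps the private keys unreadable to other users. Both generation tasks start before the first hunk (their `command:` line is cut off).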

@ -1,33 +1,27 @@
---
- name: Create zone directories
- name: Create zone directory writeable
file:
path: "{{ domain_directory }}"
state: directory
owner: root
group: "{{ dns_user }}"
mode: u=rwx,g=rwx,o=
- name: Create other zone directories readable
file:
path: "{{ item }}"
state: directory
owner: root
group: root
group: "{{ dns_user }}"
mode: u=rwx,g=rx,o=
loop:
- "{{ domain_directory }}"
- "{{ keys_directory }}"
- "{{ domain_environment_directory }}"
- name: Upload makefile to domain zone configuration environment
template:
src: zone.makefile
dest: "{{ domain_environment_directory }}/makefile"
owner: root
group: root
mode: "u=rw,g=r,o=r"
- name: Create link in domain zone configuration environment
file:
state: link
src: "{{ domain_directory }}"
dest: "{{ domain_environment_link }}"
- name: Determine if keys are generated already
find:
paths: "{{ domain_directory }}"
paths: "{{ keys_directory }}"
patterns: "K{{ domain }}.+*+*"
register: keys_found
@ -35,12 +29,6 @@
include_tasks: generate_keys.yml
when: keys_found.matched < 2
- name: Find generated public keys
find:
paths: "{{ domain_directory }}"
patterns: "K{{ domain }}.+*+*.key"
register: keys_list
- name: Store main database of zone {{ domain }}
template:
src: zone.db
@ -49,7 +37,7 @@
group: "{{ dns_user }}"
mode: "u=rw,g=r,o=r"
validate: "named-checkzone {{ domain }} %s"
notify: reconfigure zone {{ domain }}
notify: rebuild dns zones
- name: Configure zone {{ domain }}
template:
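Review bot: In the first hunk, `Create zone directory writeable` gives `{{ dns_user }}` `g=rwx` on `domain_directory`, which is also where `zone.conf` and the unsigned `zone.db` live (per the zone vars), so at the filesystem level named may rename or unlink those files; only the AppArmor snippet narrows it to `tmp-*`, `.jbk`, `.signed` and `.signed.jnl`, and the play should say so. I would add above the task: `# inline-signing writes zone.db.signed/.jbk/.jnl beside the unsigned zone, so named needs write on the directory; AppArmor (aa-profile.local) limits what it may create` and confirm the profile is in enforce mode on the hosts. Also `mode: u=rwx,g=rwx,o=` and `mode: u=rwx,g=rx,o=` are unquoted while the last hunk quotes `"u=rw,g=r,o=r"`; quote them for consistency. The `Configure zone` task at the end is cut off by the hunk.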

@ -1,6 +1,9 @@
zone "{{ domain }}" {
type master;
file "{{ database_signed_file }}";
file "{{ database_file }}";
key-directory "{{ keys_directory }}";
inline-signing yes;
auto-dnssec maintain;
notify yes;
allow-transfer {
{% for fqdn in slaves %}
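Review bot: `auto-dnssec maintain;` together with `inline-signing yes;` is the pre-9.16 configuration; BIND 9.16 introduced `dnssec-policy` for the same purpose and later releases deprecate and then remove `auto-dnssec`, so the template will stop loading once the hosts move to a current BIND. A Jinja comment in the template, `{# auto-dnssec + inline-signing: migrate to dnssec-policy once targets run BIND >= 9.16 #}`, records the dependency on the installed version. The `key-directory` it names must be readable by the named process (private key files included), which nothing in this hunk guarantees. The `zone` block continues past the hunk.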

@ -7,10 +7,6 @@ $TTL 86400
{{ ttl }}
)
{% for key in keys_list.files %}
$INCLUDE {{ key.path }}
{% endfor %}
; Certification Authority Authorization
@ IN CAA 0 issue "letsencrypt.org"

@ -1,24 +0,0 @@
dest:={{ domain_environment_link_name }}
db_files:=$(wildcard *.db)
db_file:={{ database_file_name }}
signed_file:={{ database_signed_file_name }}
all:: ${dest}/${signed_file}
${dest}/${db_file}.unchecked: ${db_files}
cat $^ > "$@";
${dest}/${db_file}: ${dest}/${db_file}.unchecked
named-compilezone -o "$@" {{ domain | quote }} "$<";
${dest}/${signed_file}: ${dest}/${db_file}
if [[ "$(dir $<)" != "$(dir $@)" ]]; then echo "directories not equal" > /dev/stderr; exit 1; fi
cd "$(dir $@)"; \
dnssec-signzone \
-3 $$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) \
-a \
-N unixtime \
-o {{ domain | quote }} \
-f "$(notdir $@)" \
"$(notdir $<)";

@ -1,4 +0,0 @@
---
# domain: example.com
# domain_environment_directory

@ -1,6 +0,0 @@
---
- name: reconfigure zone {{ domain }}
make:
chdir: "{{ domain_environment_directory }}"
notify: reload bind9

@ -1,6 +0,0 @@
---
allow_duplicates: yes
dependencies:
- dns/handlers