From 025f77736a7437c39068fbcb9c708658a36f8655 Mon Sep 17 00:00:00 2001 From: Felix Stupp Date: Thu, 14 May 2020 17:24:20 +0200 Subject: [PATCH] dns: Changed approach for DNSSEC signing to inline-signing - Moved keys into own directory - Replaced makefile per zone by makefile for all zones - Only combining of zone files and setting serial number - signing now made by bind - Added AppArmor profile extension for creating dynamic zone files --- roles/dns/application/defaults/main.yml | 9 ++++- roles/dns/application/handlers/main.yml | 5 +++ roles/dns/application/tasks/main.yml | 23 +++++++++++ .../application/templates/aa-profile.local | 5 +++ .../dns/application/templates/zones.makefile | 11 ++++++ roles/dns/handlers/defaults/main.yml | 3 ++ roles/dns/handlers/handlers/main.yml | 5 +++ roles/dns/master/defaults/main.yml | 9 +---- roles/dns/master/meta/main.yml | 1 - roles/dns/master/tasks/generate_keys.yml | 4 +- roles/dns/master/tasks/main.yml | 38 +++++++------------ roles/dns/master/templates/zone.conf | 5 ++- roles/dns/master/templates/zone.db | 4 -- roles/dns/master/templates/zone.makefile | 24 ------------ roles/dns/master_handlers/default/main.yml | 4 -- roles/dns/master_handlers/handlers/main.yml | 6 --- roles/dns/master_handlers/meta/main.yml | 6 --- 17 files changed, 81 insertions(+), 81 deletions(-) create mode 100644 roles/dns/application/handlers/main.yml create mode 100644 roles/dns/application/templates/aa-profile.local create mode 100644 roles/dns/application/templates/zones.makefile create mode 100644 roles/dns/handlers/defaults/main.yml delete mode 100644 roles/dns/master/templates/zone.makefile delete mode 100644 roles/dns/master_handlers/default/main.yml delete mode 100644 roles/dns/master_handlers/handlers/main.yml delete mode 100644 roles/dns/master_handlers/meta/main.yml diff --git a/roles/dns/application/defaults/main.yml b/roles/dns/application/defaults/main.yml index 697e070..dd06c95 100644 --- a/roles/dns/application/defaults/main.yml 
+++ b/roles/dns/application/defaults/main.yml @@ -6,4 +6,11 @@ options_configuration: "{{ configuration_directory }}/named.conf.options" zones_configuration: "{{ configuration_directory }}/named.conf.local" zones_directory: "{{ configuration_directory }}/zones" -zones_environment_directory: "{{ global_configuration_environment_directory }}/dns-zones" +# zones_environment_directory from dns/handlers +zones_environment_link_name: "conf" +zones_environment_link: "{{ zones_environment_directory }}/{{ zones_environment_link_name }}" +zones_environment_database_name: "zone.db" + +apparmor_profile_name: "usr.sbin.named" +apparmor_profile: "{{ global_apparmor_profiles_directory }}/{{ apparmor_profile_name }}" +apparmor_profile_local: "{{ global_apparmor_profiles_local_directory }}/{{ apparmor_profile_name }}" diff --git a/roles/dns/application/handlers/main.yml b/roles/dns/application/handlers/main.yml new file mode 100644 index 0000000..a18bb8d --- /dev/null +++ b/roles/dns/application/handlers/main.yml @@ -0,0 +1,5 @@ +--- + +- name: reload apparmor profile + command: "/usr/sbin/apparmor_parser -r {{ apparmor_profile }}" + notify: restart bind9 diff --git a/roles/dns/application/tasks/main.yml b/roles/dns/application/tasks/main.yml index ed5d3f3..f8ce204 100644 --- a/roles/dns/application/tasks/main.yml +++ b/roles/dns/application/tasks/main.yml @@ -17,6 +17,20 @@ - "{{ zones_directory }}" - "{{ zones_environment_directory }}" +- name: Upload makefile to domain zones configuration environment + template: + src: zones.makefile + dest: "{{ zones_environment_directory }}/makefile" + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: Create link in domain zone configuration environment + file: + state: link + src: "{{ zones_directory }}" + dest: "{{ zones_environment_link }}" + - name: Configure bind9 options template: src: named.conf.options 
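Review bot: The removed `zones_environment_directory` default is now only covered by the comment `# zones_environment_directory from dns/handlers`, yet nothing in this role declares `dns/handlers` as a dependency, and the only meta change in the patch removes `dns/master_handlers` (the role whose meta listed `dependencies: - dns/handlers`) from `roles/dns/master/meta/main.yml`. Unless `dns/application` or the calling play already loads `dns/handlers` before this role's tasks run, the templates here that use `zones_environment_directory` will fail on an undefined variable. Either add `- role: dns/handlers` to this role's meta dependencies or keep the default in this file as well, and extend the comment to name the role that is expected to provide it.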
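Review bot: The handler replaces the base profile with `apparmor_parser -r {{ apparmor_profile }}` and then notifies `restart bind9`, but a replaced profile is applied to the already-running confined `named`, so the restart interrupts service without being needed for the new rules to take effect; consider dropping the `notify: restart bind9` line or lowering it to `reload bind9`. The rules in the `local/` file only take effect if the base profile includes it, as Debian's shipped `usr.sbin.named` does; on a target without that include the handler succeeds while the rules are silently ignored, which is worth a comment on the handler. A guard such as `when: ansible_apparmor.status == "enabled"` would also keep the handler from failing on hosts where AppArmor is absent or disabled.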
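Review bot: The new makefile task writes `mode: u=rw,g=r,o=r` unquoted while the other tasks in this file quote the same value (`mode: "u=rw,g=r,o=r"`); symbolic modes are safe from the octal trap, but the file should use one form, so change it to `mode: "u=rw,g=r,o=r"`. The makefile is not a prerequisite of its own pattern rule and this task does not notify `rebuild dns zones`, so a changed makefile (for example a new `zones_environment_database_name`) has no effect on already-built `zone.db` files until one of their `.db` inputs changes; if that matters, list `makefile` as an extra prerequisite in the rule and add `notify: rebuild dns zones` here. The `Create link` task's behaviour when a real directory already exists at `zones_environment_link` follows the `file` module's default `force: no`, which deserves a one-line comment.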
@@ -26,6 +40,15 @@ mode: "u=rw,g=r,o=r" notify: reload bind9 +- name: Allow bind using apparmor to write zone files + template: + src: aa-profile.local + dest: "{{ apparmor_profile_local }}" + owner: root + group: root + mode: "u=rw,g=r,o=" + notify: reload apparmor profile + - name: Enable bind9 service systemd: name: bind9 diff --git a/roles/dns/application/templates/aa-profile.local b/roles/dns/application/templates/aa-profile.local new file mode 100644 index 0000000..a101da3 --- /dev/null +++ b/roles/dns/application/templates/aa-profile.local @@ -0,0 +1,5 @@ +{{ zones_directory }}/* rw, +{{ zones_directory }}/*/tmp-* rwk, +{{ zones_directory }}/*/zone.db.jbk rwk, +{{ zones_directory }}/*/zone.db.signed rwk, +{{ zones_directory }}/*/zone.db.signed.jnl rwk, diff --git a/roles/dns/application/templates/zones.makefile b/roles/dns/application/templates/zones.makefile new file mode 100644 index 0000000..cd290c1 --- /dev/null +++ b/roles/dns/application/templates/zones.makefile @@ -0,0 +1,11 @@ +dest:={{ zones_environment_link_name }} +dest_name:={{ zones_environment_database_name }} + +zone_dirs:=$(wildcard *.*/) +zones:=$(zone_dirs:/=) + +.PHONY: all +all: $(addprefix ${dest}/,$(addsuffix /${dest_name},${zones})) + +${dest}/%/${dest_name}: %/*.db + cat $^ | sed '0,/^ 0$$/s// '"$$(($$(date +%s) / 60))"'/' > "$@"; diff --git a/roles/dns/handlers/defaults/main.yml b/roles/dns/handlers/defaults/main.yml new file mode 100644 index 0000000..6841538 --- /dev/null +++ b/roles/dns/handlers/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +zones_environment_directory: "{{ global_configuration_environment_directory }}/dns-zones" diff --git a/roles/dns/handlers/handlers/main.yml b/roles/dns/handlers/handlers/main.yml index 7413edc..d24b5ab 100644 --- a/roles/dns/handlers/handlers/main.yml +++ b/roles/dns/handlers/handlers/main.yml @@ -9,3 +9,8 @@ systemd: name: bind9 state: reloaded + +- name: rebuild dns zones + make: + chdir: "{{ zones_environment_directory }}" + notify: reload bind9 
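Review bot: The first rule, `{{ zones_directory }}/* rw,`, grants `named` write access to every file directly under the zones directory, while the files the patch actually has bind write — `tmp-*`, `zone.db.jbk`, `zone.db.signed`, `zone.db.signed.jnl` — all live one level down in the per-domain directories and are covered by the other four rules. Nothing in the diff shows bind writing at the top level, so drop the rule or reduce it to `{{ zones_directory }}/* r,` and keep bind's write set limited to its own outputs (the remaining rules deliberately omit the raw `zone.db` and `zone.conf`, which is the right split). A header comment such as `# inline-signing writes the signed copy, its journal and a load-time backup next to the raw zone` would record why exactly these paths are listed.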
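Review bot: The serial stamped into `zone.db` by the `sed` replacement is `$(date +%s) / 60`, minutes since the epoch (about 2.6e7 at the commit date), whereas the deleted `zone.makefile` signed with `-N unixtime`, which published seconds since the epoch (about 1.6e9). Any secondary or cache that already holds the old serial will see the new one as lower by far less than 2^31 and therefore as older under serial arithmetic, so zone transfers stop until the new serial catches up; stamping seconds instead, `'"$$(date +%s)"'`, keeps the serial monotonic across the migration. Whether the published serial actually drops depends on how `inline-signing` seeds the signed copy's serial from the raw zone, so verify on a secondary before rollout. The `0,/re/` address is a GNU sed extension, and a comment stating that the rule replaces the first line that is exactly ` 0` in the concatenated zone would make the recipe readable.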
diff --git a/roles/dns/master/defaults/main.yml b/roles/dns/master/defaults/main.yml index 7d62c64..21f07c0 100644 --- a/roles/dns/master/defaults/main.yml +++ b/roles/dns/master/defaults/main.yml @@ -4,14 +4,9 @@ domain_directory: "{{ zones_directory }}/{{ domain }}" configuration_file: "{{ domain_directory }}/zone.conf" -database_file_name: "zone.db" -database_file: "{{ domain_directory }}/{{ database_file_name }}" -database_signed_file_name: "{{ database_file_name }}.signed" -database_signed_file: "{{ domain_directory }}/{{ database_signed_file_name }}" - +database_file: "{{ domain_directory }}/{{ zones_environment_database_name }}" +keys_directory: "{{ domain_directory }}/keys" domain_environment_directory: "{{ zones_environment_directory }}/{{ domain }}" -domain_environment_link_name: "conf" -domain_environment_link: "{{ domain_environment_directory }}/{{ domain_environment_link_name }}" dnssec_algorithm: "RSASHA512" dnssec_key_length: "4096" diff --git a/roles/dns/master/meta/main.yml b/roles/dns/master/meta/main.yml index 4c089ef..7301552 100644 --- a/roles/dns/master/meta/main.yml +++ b/roles/dns/master/meta/main.yml @@ -3,5 +3,4 @@ allow_duplicates: yes dependencies: - - role: dns/master_handlers - role: dns/application diff --git a/roles/dns/master/tasks/generate_keys.yml b/roles/dns/master/tasks/generate_keys.yml index 8c26cfc..47b5884 100644 --- a/roles/dns/master/tasks/generate_keys.yml +++ b/roles/dns/master/tasks/generate_keys.yml @@ -11,7 +11,7 @@ -b {{ dnssec_key_length | quote }} -n ZONE {{ domain | quote }} args: - chdir: "{{ domain_directory }}" + chdir: "{{ keys_directory }}" - name: Generate zone signing key for zone {{ domain }} command: >- @@ -21,6 +21,6 @@ -b {{ dnssec_key_length | quote }} -n ZONE {{ domain | quote }} args: - chdir: "{{ domain_directory }}" + chdir: "{{ keys_directory }}" # TODO Copy public ZSK to localhost diff --git a/roles/dns/master/tasks/main.yml b/roles/dns/master/tasks/main.yml index 565b897..84025f6 100644 
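Review bot: Both hunks only move the `chdir` of key generation to `keys_directory`, but nothing in the patch sets ownership or mode on the `K{{ domain }}.+*+*` files written there, and with `auto-dnssec maintain` in the new `zone.conf` it is now `named` running as `dns_user`, not a root-run `dnssec-signzone`, that must read the `.private` halves. If the generator still runs as root, private key files are typically created readable only by their creator, and signing then fails at runtime rather than at deploy time. Add a follow-up task that sets `group: "{{ dns_user }}"` and `mode: "u=rw,g=r,o="` on the generated files, or run the generator with `become_user: "{{ dns_user }}"`, and note the requirement in the `# TODO` comment at the end of the file. The enclosing tasks start before each hunk.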
--- a/roles/dns/master/tasks/main.yml +++ b/roles/dns/master/tasks/main.yml @@ -1,33 +1,27 @@ --- -- name: Create zone directories +- name: Create zone directory writeable + file: + path: "{{ domain_directory }}" + state: directory + owner: root + group: "{{ dns_user }}" + mode: u=rwx,g=rwx,o= + +- name: Create other zone directories readable file: path: "{{ item }}" state: directory owner: root - group: root + group: "{{ dns_user }}" mode: u=rwx,g=rx,o= loop: - - "{{ domain_directory }}" + - "{{ keys_directory }}" - "{{ domain_environment_directory }}" -- name: Upload makefile to domain zone configuration environment - template: - src: zone.makefile - dest: "{{ domain_environment_directory }}/makefile" - owner: root - group: root - mode: "u=rw,g=r,o=r" - -- name: Create link in domain zone configuration environment - file: - state: link - src: "{{ domain_directory }}" - dest: "{{ domain_environment_link }}" - - name: Determine if keys are generated already find: - paths: "{{ domain_directory }}" + paths: "{{ keys_directory }}" patterns: "K{{ domain }}.+*+*" register: keys_found @@ -35,12 +29,6 @@ include_tasks: generate_keys.yml when: keys_found.matched < 2 -- name: Find generated public keys - find: - paths: "{{ domain_directory }}" - patterns: "K{{ domain }}.+*+*.key" - register: keys_list - - name: Store main database of zone {{ domain }} template: src: zone.db @@ -49,7 +37,7 @@ group: "{{ dns_user }}" mode: "u=rw,g=r,o=r" validate: "named-checkzone {{ domain }} %s" - notify: reconfigure zone {{ domain }} + notify: rebuild dns zones - name: Configure zone {{ domain }} template: diff --git a/roles/dns/master/templates/zone.conf b/roles/dns/master/templates/zone.conf index 2370a38..cd61126 100644 --- a/roles/dns/master/templates/zone.conf +++ b/roles/dns/master/templates/zone.conf 
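Review bot: `Create zone directory writeable` grants `dns_user` write access to `domain_directory` (`mode: u=rwx,g=rwx,o=`), which is also where the root-run `rebuild dns zones` handler redirects `> "$@"` to produce `zone.db` through the `conf` link and where the `Configure zone` template writes `zone.conf`. Root overwriting a path inside a directory a service account can modify follows whatever the service has placed at that path; the AppArmor rules in this patch limit what `named` may create there, but only while AppArmor is enforcing, so add a comment stating that the permission exists solely for bind's `.signed`/`.jbk`/`.jnl` outputs, and have the makefile recipe build into the root-owned `%/` environment directory and move the result with `mv -f` (a rename does not follow a link at the destination). This task also writes `mode: u=rwx,g=rwx,o=` unquoted while `Store main database` in the same hunk uses `mode: "u=rw,g=r,o=r"`; pick one form.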
@@ -1,6 +1,9 @@ zone "{{ domain }}" { type master; - file "{{ database_signed_file }}"; + file "{{ database_file }}"; + key-directory "{{ keys_directory }}"; + inline-signing yes; + auto-dnssec maintain; notify yes; allow-transfer { {% for fqdn in slaves %} diff --git a/roles/dns/master/templates/zone.db b/roles/dns/master/templates/zone.db index 766f0c1..438f3bb 100644 --- a/roles/dns/master/templates/zone.db +++ b/roles/dns/master/templates/zone.db @@ -7,10 +7,6 @@ $TTL 86400 {{ ttl }} ) -{% for key in keys_list.files %} -$INCLUDE {{ key.path }} -{% endfor %} - ; Certification Authority Authorization @ IN CAA 0 issue "letsencrypt.org" diff --git a/roles/dns/master/templates/zone.makefile b/roles/dns/master/templates/zone.makefile deleted file mode 100644 index d89d5ec..0000000 --- a/roles/dns/master/templates/zone.makefile +++ /dev/null @@ -1,24 +0,0 @@ -dest:={{ domain_environment_link_name }} - -db_files:=$(wildcard *.db) -db_file:={{ database_file_name }} -signed_file:={{ database_signed_file_name }} - -all:: ${dest}/${signed_file} - -${dest}/${db_file}.unchecked: ${db_files} - cat $^ > "$@"; - -${dest}/${db_file}: ${dest}/${db_file}.unchecked - named-compilezone -o "$@" {{ domain | quote }} "$<"; - -${dest}/${signed_file}: ${dest}/${db_file} - if [[ "$(dir $<)" != "$(dir $@)" ]]; then echo "directories not equal" > /dev/stderr; exit 1; fi - cd "$(dir $@)"; \ - dnssec-signzone \ - -3 $$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) \ - -a \ - -N unixtime \ - -o {{ domain | quote }} \ - -f "$(notdir $@)" \ - "$(notdir $<)"; diff --git a/roles/dns/master_handlers/default/main.yml b/roles/dns/master_handlers/default/main.yml deleted file mode 100644 index 4b6d74d..0000000 --- a/roles/dns/master_handlers/default/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -# domain: example.com -# domain_environment_directory diff --git a/roles/dns/master_handlers/handlers/main.yml b/roles/dns/master_handlers/handlers/main.yml deleted file mode 100644 index bc63c91..0000000 
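Review bot: The added `inline-signing yes;` / `auto-dnssec maintain;` pair depends on `auto-dnssec`, which later BIND releases deprecate in favour of `dnssec-policy`; a comment such as `{# auto-dnssec is deprecated upstream; migrate to dnssec-policy once the target BIND release supports it #}` would record the upgrade path. The `# TODO Copy public ZSK to localhost` left in `generate_keys.yml` shows that DNSKEY/DS publication is still manual, so the template should also state that the DS record at the parent must be updated out of band whenever keys in `key-directory` are rolled. The removed `$INCLUDE` of the key files in `zone.db` is consistent with this change, since `named` now publishes the DNSKEY records from `key-directory` itself.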
--- a/roles/dns/master_handlers/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: reconfigure zone {{ domain }} - make: - chdir: "{{ domain_environment_directory }}" - notify: reload bind9 diff --git a/roles/dns/master_handlers/meta/main.yml b/roles/dns/master_handlers/meta/main.yml deleted file mode 100644 index 4c1ee30..0000000 --- a/roles/dns/master_handlers/meta/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -allow_duplicates: yes - -dependencies: - - dns/handlers