dns/master: Added dnssec support

- Generation of keys - Signing zone after each change
5 years ago · df88e582a7
parent 69026d8d27
commit df88e582a7
5 changed files with 64 additions and 2 deletions
--- a/roles/dns/master/defaults/main.yml
+++ b/roles/dns/master/defaults/main.yml
@ -5,6 +5,10 @@ domain: "example.com"
 domain_directory: "{{ dns_zones_directory }}/{{ domain }}"
 configuration_file: "{{ domain_directory }}/zone.conf"
 database_file: "{{ domain_directory }}/zone.db"
+database_signed_file: "{{ database_file }}.signed"
+
+dnssec_algorithm: "RSASHA512"
+dnssec_key_length: "4096"

 main_nameserver_domain: "ns1.{{ domain }}."
 responsible_mail_name: "admin.{{ domain }}."
--- a/roles/dns/master/tasks/generate_keys.yml
+++ b/roles/dns/master/tasks/generate_keys.yml
@ -0,0 +1,24 @@
+---
+
+- name: Generate key signing key for zone {{ domain }}
+  command: >-
+    dnssec-keygen
+    -f KSK
+    -3
+    -a {{ dnssec_algorithm | quote }}
+    -b {{ dnssec_key_length | quote }}
+    -n ZONE {{ domain | quote }}
+  args:
+    chdir: "{{ domain_directory }}"
+
+- name: Generate zone signing key for zone {{ domain }}
+  command: >-
+    dnssec-keygen
+    -3
+    -a {{ dnssec_algorithm | quote }}
+    -b {{ dnssec_key_length | quote }}
+    -n ZONE {{ domain | quote }}
+  args:
+    chdir: "{{ domain_directory }}"
+
+# TODO Copy public keys to localhost
--- a/roles/dns/master/tasks/main.yml
+++ b/roles/dns/master/tasks/main.yml
@ -8,6 +8,22 @@
    group: root
    mode: "u=rwx,g=rx"

+- name: Determine if keys are generated already
+  find:
+    paths: "{{ domain_directory }}"
+    patterns: "K{{ domain }}.+*+*"
+  register: keys_found
+
+- name: Generate keys for zone {{ domain }}
+  include_tasks: generate_keys.yml
+  when: keys_found.matched < 2
+
+- name: Find generated public keys
+  find:
+    paths: "{{ domain_directory }}"
+    patterns: "K{{ domain }}.+*+*.key"
+  register: keys_list
+
 - name: Store database of zone {{ domain }}
  template:
    src: zone.db
@ -17,8 +33,22 @@
    mode: "u=rw,g=r,o=r"
    validate: "named-checkzone {{ domain }} %s"
  notify: reload bind9
+  register: database_stored

-# TODO DNSSEC
+# TODO test -N=UNIXTIME instead of unix time by ansible
+- name: Sign zone {{ domain }}
+  shell: >-
+    dnssec-signzone
+    -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
+    -a
+    -N KEEP
+    -o {{ domain | quote }}
+    -f {{ database_signed_file | quote }}
+    {{ database_file | quote }}
+  args:
+    chdir: "{{ domain_directory }}"
+    executable: "/bin/sh"
+  when: database_stored.changed

 - name: Configure zone {{ domain }}
  template:
--- a/roles/dns/master/templates/zone.conf
+++ b/roles/dns/master/templates/zone.conf
@ -1,6 +1,6 @@
 zone "{{ domain }}" {
  type master;
-  file "{{ database_file }}";
+  file "{{ database_signed_file }}";
  notify yes;
  allow-transfer {
    {% for fqdn in slaves %}
--- a/roles/dns/master/templates/zone.db
+++ b/roles/dns/master/templates/zone.db
@ -7,4 +7,8 @@ $TTL 86400
  {{ ttl }}
 )

+{% for key in keys_list.files %}
+$INCLUDE {{ key.path }}
+{% endfor %}
+
 {{ entries }}