dns/master: Added dnssec support

- Generation of keys
- Signing zone after each change
wip
Felix Stupp 5 years ago
parent 69026d8d27
commit df88e582a7
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -5,6 +5,10 @@ domain: "example.com"
domain_directory: "{{ dns_zones_directory }}/{{ domain }}" domain_directory: "{{ dns_zones_directory }}/{{ domain }}"
configuration_file: "{{ domain_directory }}/zone.conf" configuration_file: "{{ domain_directory }}/zone.conf"
database_file: "{{ domain_directory }}/zone.db" database_file: "{{ domain_directory }}/zone.db"
database_signed_file: "{{ database_file }}.signed"
dnssec_algorithm: "RSASHA512"
dnssec_key_length: "4096"
main_nameserver_domain: "ns1.{{ domain }}." main_nameserver_domain: "ns1.{{ domain }}."
responsible_mail_name: "admin.{{ domain }}." responsible_mail_name: "admin.{{ domain }}."
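Review bot: The single `dnssec_key_length: "4096"` added here is used for both the KSK and the ZSK (both `dnssec-keygen` calls in generate_keys.yml pass `-b {{ dnssec_key_length | quote }}`), so every RRSIG in the zone is a 4096-bit RSA signature and signing time and response sizes grow accordingly. Consider splitting it into `dnssec_ksk_key_length` and `dnssec_zsk_key_length` (constructed names; e.g. `"4096"` / `"2048"`), or switching `dnssec_algorithm` to an NSEC3-capable elliptic-curve algorithm such as `ECDSAP256SHA256`, for which `-b` is not needed. Keeping the length quoted as a string is correct, since it is only interpolated into the command line.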

@ -0,0 +1,24 @@
---
- name: Generate key signing key for zone {{ domain }}
command: >-
dnssec-keygen
-f KSK
-3
-a {{ dnssec_algorithm | quote }}
-b {{ dnssec_key_length | quote }}
-n ZONE {{ domain | quote }}
args:
chdir: "{{ domain_directory }}"
- name: Generate zone signing key for zone {{ domain }}
command: >-
dnssec-keygen
-3
-a {{ dnssec_algorithm | quote }}
-b {{ dnssec_key_length | quote }}
-n ZONE {{ domain | quote }}
args:
chdir: "{{ domain_directory }}"
# TODO Copy public keys to localhost
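Review bot: Both `dnssec-keygen` tasks run unconditionally and without `creates`, so this include is not idempotent on its own; it relies on the caller's `keys_found.matched < 2` guard in main.yml, which cannot tell a missing ZSK from a missing KSK and would mint a second KSK if an earlier run was interrupted after the first task, silently invalidating any DS record already published at the parent. Consider checking for each key type separately before generating it (the flags field in the `.key` file is 257 for a KSK and 256 for a ZSK and can be matched with the `find` module's `contains:`), and register the printed key name so the result is visible in the play output. The `# TODO Copy public keys to localhost` note should say that what the parent zone needs is the DS record derived from the KSK (`dnssec-dsfromkey`), not the raw public key files. Confirm on the target that the generated `.private` files end up with owner-only permissions, since these tasks set no mode.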

@ -8,6 +8,22 @@
group: root group: root
mode: "u=rwx,g=rx" mode: "u=rwx,g=rx"
- name: Determine if keys are generated already
find:
paths: "{{ domain_directory }}"
patterns: "K{{ domain }}.+*+*"
register: keys_found
- name: Generate keys for zone {{ domain }}
include_tasks: generate_keys.yml
when: keys_found.matched < 2
- name: Find generated public keys
find:
paths: "{{ domain_directory }}"
patterns: "K{{ domain }}.+*+*.key"
register: keys_list
- name: Store database of zone {{ domain }} - name: Store database of zone {{ domain }}
template: template:
src: zone.db src: zone.db
@ -17,8 +33,22 @@
mode: "u=rw,g=r,o=r" mode: "u=rw,g=r,o=r"
validate: "named-checkzone {{ domain }} %s" validate: "named-checkzone {{ domain }} %s"
notify: reload bind9 notify: reload bind9
register: database_stored
# TODO DNSSEC # TODO test -N=UNIXTIME instead of unix time by ansible
- name: Sign zone {{ domain }}
shell: >-
dnssec-signzone
-3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
-a
-N KEEP
-o {{ domain | quote }}
-f {{ database_signed_file | quote }}
{{ database_file | quote }}
args:
chdir: "{{ domain_directory }}"
executable: "/bin/sh"
when: database_stored.changed
- name: Configure zone {{ domain }} - name: Configure zone {{ domain }}
template: template:
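Review bot: The `Sign zone {{ domain }}` task in the second hunk is gated on `when: database_stored.changed`, so a zone whose source template does not change is never re-signed, and the RRSIGs produced by `dnssec-signzone` expire (30 days after signing by default), after which validating resolvers treat the zone as bogus; the enclosing task list continues outside the hunk. The task also does not `notify: reload bind9` itself, so a re-sign that is not paired with a template change would leave named serving the previous `.signed` file. Add a `stat` of `database_signed_file` and extend the condition to re-sign when the file is missing or older than a fraction of the signature validity (14 days in the constructed example below), and notify the reload handler from the sign task. Alternatively let named maintain signatures itself via inline signing (`inline-signing yes;` with `auto-dnssec maintain;`, or `dnssec-policy` on newer BIND) in the zone template, which removes the cron-like dependency on Ansible runs entirely.
```yaml
- name: Stat signed database of zone {{ domain }}
  stat:
    path: "{{ database_signed_file }}"
  register: signed_stat
- name: Sign zone {{ domain }}
  # … unchanged: shell dnssec-signzone command and args …
  notify: reload bind9
  when: >-
    database_stored.changed
    or not signed_stat.stat.exists
    or (ansible_date_time.epoch | int) - (signed_stat.stat.mtime | int) > 1209600
```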

@ -1,6 +1,6 @@
zone "{{ domain }}" { zone "{{ domain }}" {
type master; type master;
file "{{ database_file }}"; file "{{ database_signed_file }}";
notify yes; notify yes;
allow-transfer { allow-transfer {
{% for fqdn in slaves %} {% for fqdn in slaves %}
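Review bot: With `file` now pointing at `{{ database_signed_file }}`, named loads a file that is never validated: the `validate: "named-checkzone {{ domain }} %s"` on the template task in main.yml checks only the unsigned `zone.db`, and the `reload bind9` handler is queued by that task's change even if the subsequent `dnssec-signzone` fails or writes a broken file. Add a check of the signed output before the reload, e.g. a `command: named-checkzone {{ domain | quote }} {{ database_signed_file | quote }}` task with `changed_when: false` right after the sign task, so a failed signing run aborts the play instead of taking the zone down on reload. On a first run the `.signed` file exists only once the sign task has run, which the ordering in main.yml (sign before configure) appears to satisfy; a comment in this template stating that dependency would help the next maintainer.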

@ -7,4 +7,8 @@ $TTL 86400
{{ ttl }} {{ ttl }}
) )
{% for key in keys_list.files %}
$INCLUDE {{ key.path }}
{% endfor %}
{{ entries }} {{ entries }}
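Review bot: `{% for key in keys_list.files %}` renders the `$INCLUDE` lines in whatever order the `find` module returns them, which is not guaranteed to be stable between runs; a reordering makes the template task report `changed`, which triggers a reload and a re-sign with a fresh NSEC3 salt and a new serial for no real change. Sort the list in the template, `{% for key in keys_list.files | sort(attribute='path') %}`. The `find` pattern `K{{ domain }}.+*+*.key` also picks up every key file left in the directory, so a retired or revoked key stays published until its files are removed; this is worth a comment next to the loop.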
