Commit 7378ac8d authored by godog

dns: use zonetool dnssec capabilities

Zones marked with 'DNSSEC' attribute in zonetool will get their records
signed with DNSSEC. If the signing key cannot be found it'll be
generated by zonetool.

Note the NSEC3 salt is in passwords.yml so that it is the same on all hosts;
however, the salt itself is public (i.e. published in the zone) and
should be rotated periodically.

See also ai3/testbed#160
parent 23c1c188
Pipeline #2948 failed with stage in 3 minutes and 32 seconds
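The commit message's point that the NSEC3 salt is public and that changing it only changes which hashed owner names appear in the zone can be seen by computing the hashes directly. The block below is an added example, not code from this commit or from zonetool: it implements the RFC 5155 owner-name hash (SHA-1 over the wire-format name with the salt appended, repeated for the configured iterations) and the base32hex encoding using only the Python standard library, checks itself against the RFC 5155 Appendix A parameters (zone "example", 12 iterations, salt aabbccdd), and contrasts a fixed-width hex rendering of the salt with a `"%X" % <int>` rendering of the kind the update-dns template uses. All helper names are my own, and the short salt `0abc` is constructed for illustration.

```python
import hashlib
import secrets

# RFC 4648 "extended hex" alphabet; zone files show NSEC3 owners in lowercase.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, root label included."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest encodes to exactly 32 characters."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    return "".join(B32HEX[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H(name || salt), then `iterations` more rounds of H(prev || salt).

    The salt is a public parameter (it is carried in NSEC3PARAM and in every NSEC3 RR).
    Its job is to make a precomputed dictionary of hashed names specific to one zone
    and one salt value, which is why a long-lived salt should be changed from time to time.
    """
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def salt_hex(salt: bytes) -> str:
    """Fixed-width hex as dnssec-signzone -3 and NSEC3PARAM expect; '-' means an empty salt."""
    return salt.hex().upper() if salt else "-"


def naive_int_salt_hex(salt: bytes) -> str:
    """'%X' applied to the salt as an integer: leading zero nibbles vanish, so the length is not preserved."""
    return "%X" % int.from_bytes(salt, "big")


def nsec3param_rr(zone: str, salt: bytes, iterations: int, flags: int = 0) -> str:
    """Apex NSEC3PARAM record text; hash algorithm 1 (SHA-1) is the only one defined for NSEC3."""
    return f"{zone.rstrip('.')}. NSEC3PARAM 1 {flags} {iterations} {salt_hex(salt)}"


def hashed_owners(zone: str, names: list, salt: bytes, iterations: int) -> dict:
    """Map each name to the NSEC3 owner name it would be published under in the signed zone."""
    return {n: f"{nsec3_hash(n, salt, iterations)}.{zone.rstrip('.')}." for n in names}


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: zone "example", 12 iterations, salt aabbccdd.
    salt = bytes.fromhex("aabbccdd")
    print(nsec3param_rr("example", salt, 12))
    for n, h in hashed_owners("example", ["example", "a.example", "ns1.example"], salt, 12).items():
        print(f"{n:15s} -> {h}")
    # Rotating the salt re-hashes every owner name, hence a full re-sign of the zone.
    new_salt = secrets.token_bytes(32)
    print("after rotation:", nsec3_hash("example", new_salt, 12))
    # Constructed salt starting with a zero nibble: fixed-width vs integer formatting.
    s = bytes.fromhex("0abc")
    print(salt_hex(s), "vs", naive_int_salt_hex(s))
```

Run it and compare the first hashed owner with the `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.` NSEC3 owner in RFC 5155 Appendix A; the last line shows that the integer formatting turns the 2-byte salt `0ABC` into the 3-digit string `ABC`, which a hex decoder either rejects or reads as a different salt.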
......@@ -34,3 +34,9 @@
- name: prometheus_alertmanager_mesh_secret
description: Password for the Prometheus alertmanager mesh protocol
length: 32
- name: dnssec_nsec3_salt
description: Salt used by dnssec-signzone for NSEC3 replies (public,
recommended to be rotated occasionally)
type: binary
length: 32
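Review bot: the description says the salt is public and "recommended to be rotated occasionally", but nothing in this entry or the rest of the change schedules or documents a rotation, so the recommendation is likely to go unacted on. Suggest stating here how rotation is performed (regenerating this entry) and what it costs: every NSEC3 owner-name hash changes, so all DNSSEC zones are re-signed. The 32-byte `type: binary` value itself is fine (the NSEC3 salt length field is one octet, so up to 255 bytes is allowed), but since this file otherwise holds real secrets it is worth keeping the "(public ...)" marker so nobody later treats a salt leak as a credential leak.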
......@@ -36,6 +36,14 @@
group: bind
mode: 0775
- name: Create bind9 dsset dirs
file:
path: "/etc/bind/dnssec-ds"
state: directory
owner: root
group: bind
mode: 0775
- name: Create dns config dirs
file:
path: "/etc/dns/{{ item }}"
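Review bot: `/etc/bind/dnssec-ds` is created with `mode: 0775` and `group: bind`, copying the dsset directory above it, which makes the DS output group-writable by the daemon. DS records are public, so confidentiality is not the concern, but unless update-dns actually runs as a member of `bind`, `0755` is sufficient and keeps named from being able to modify DS material it only needs to read. If zonetool does need to write as `bind`, a short comment on the task saying so would save the next reviewer the same question.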
......@@ -49,7 +57,7 @@
path: "/etc/bind/named.conf.zones"
state: touch
changed_when: false
- name: Generate infrastructural zone
template:
src: dns/infra.yml
......@@ -72,7 +80,7 @@
- name: Generate zones
command: /usr/sbin/update-dns
when: dns_config.changed or zonetool_config.changed or zonetool_infra_config.changed
when: dns_config.changed or zonetool_config.changed or zonetool_infra_config.changed or nsec3_salt.changed
notify: reload bind
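Review bot: the new `when:` adds `nsec3_salt.changed`, but no task in this diff shows a `register: nsec3_salt`; confirm the task that registers it exists in this play, because an undefined variable in `when:` aborts the run rather than skipping the task. Also worth a comment that a salt change deliberately regenerates and re-signs every zone (all NSEC3 hashes change), since that is the rotation path the commit message promises and it is noticeably heavier than the config-change cases in the same condition.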
- name: Install firewall config

......@@ -7,4 +7,8 @@ exec /usr/bin/zonetool \
--config /etc/dns/zonetool.yml \
--named-conf /etc/bind/named.conf.zones \
--output-dir /etc/bind/zones --delete \
--key-dir /etc/credentials/dnssec \
--ds-dir /etc/bind/dnssec-ds \
--nsec3-salt {{ "%X" % dnssec_nsec3_salt }} \
--dnssec-refresh \
/etc/dns/manual /etc/dns/auto
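Review bot: `--nsec3-salt {{ "%X" % dnssec_nsec3_salt }}` assumes the variable is an integer. If `type: binary` yields bytes, the `%` format raises a TypeError when the template is rendered; if it yields an int, `%X` drops leading zero nibbles, so a 32-byte salt whose first nibble is zero is rendered with fewer than 64 hex digits (and possibly an odd count, which hex decoders reject), i.e. the salt actually used differs in length from the one generated. Suggest a fixed-width rendering such as `"%064X"` for an int, or a hex filter applied to the bytes. Separately, `--key-dir /etc/credentials/dnssec` will hold the private signing keys that zonetool generates when none are found, but no task in this change creates that directory or sets its mode; confirm zonetool creates it with owner-only permissions, since named only needs the signed zones in `/etc/bind/zones` and the DS output, not the private keys.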