From 69cfc2ef81ee78abde6739155c3d34a85370fdb4 Mon Sep 17 00:00:00 2001 From: s3lph Date: Fri, 5 Feb 2021 21:36:46 +0100 Subject: [PATCH] Add support for TSIG keys --- .../group_vars/all/zones/zone.example.org.yml | 2 + docs/host_vars/foo.example.org/knot.yml | 8 ++++ docs/host_vars/ns1.example.org/knot.yml | 8 ++++ docs/host_vars/ns2.example.org/knot.yml | 7 ++++ docs/inventory.ini | 4 +- roles/knot/templates/etc/knot/knot.conf.j2 | 40 +++++++++++++++++-- 6 files changed, 65 insertions(+), 4 deletions(-) create mode 100644 docs/host_vars/foo.example.org/knot.yml diff --git a/docs/group_vars/all/zones/zone.example.org.yml b/docs/group_vars/all/zones/zone.example.org.yml index a11073d..f0a3aa4 100644 --- a/docs/group_vars/all/zones/zone.example.org.yml +++ b/docs/group_vars/all/zones/zone.example.org.yml @@ -8,6 +8,8 @@ knot_zone_example.org: replicas: - ns2.example.org - ns3.example.org + updaters: + - foo.example.org # Replace example.org. with your zone name name: example.org. diff --git a/docs/host_vars/foo.example.org/knot.yml b/docs/host_vars/foo.example.org/knot.yml new file mode 100644 index 0000000..83b78b7 --- /dev/null +++ b/docs/host_vars/foo.example.org/knot.yml @@ -0,0 +1,8 @@ +--- + +# TSIG updaters only need a key +# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE +knot_tsig_key: + name: tsig.foo.example.org. + algorithm: hmac-sha384 + secret: j/yF6FFcC8rw57jjz0sMGMA0o//DrXvS82aiLelHDutFhPldMBQU3EB+NttANIc/ diff --git a/docs/host_vars/ns1.example.org/knot.yml b/docs/host_vars/ns1.example.org/knot.yml index 962f6da..5084056 100644 --- a/docs/host_vars/ns1.example.org/knot.yml +++ b/docs/host_vars/ns1.example.org/knot.yml 
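Review bot: The new docs/host_vars/foo.example.org/knot.yml commits a concrete 48-byte TSIG secret in plaintext, and the comment directly above it already says it belongs in a vault-encrypted file; once a value is in git history it has to be treated as burned, and example files tend to get copied verbatim. Ship the example with an obvious placeholder instead, e.g. `secret: "CHANGEME-generate-a-fresh-random-key-and-vault-encrypt-it"`, and say in the comment that the key must be unique per host. The same applies to the ns1 and ns2 host_vars later in this patch.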
@@ -10,6 +10,14 @@ knot_dns_addresses: - "2001:db8:42::1" - "10.42.0.1" +# Optional for replicated setup: TSIG keys for notify/xfer/update. If +# not present, ACL will use knot_dns_addresses instead... +# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE +knot_tsig_key: + name: tsig.ns1.example.org. + algorithm: hmac-sha384 + secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN + # Change other host specific options here # knot 2.7 in Debian stable doesn't know double-ds yet diff --git a/docs/host_vars/ns2.example.org/knot.yml b/docs/host_vars/ns2.example.org/knot.yml index 1251b55..f914f80 100644 --- a/docs/host_vars/ns2.example.org/knot.yml +++ b/docs/host_vars/ns2.example.org/knot.yml @@ -10,6 +10,13 @@ knot_dns_addresses: - "2001:db8:42::2" - "10.42.0.2" +# Optional for replicated setup: TSIG keys for notify/xfer/update. If +# not present, ACL will use knot_dns_addresses instead... +# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE +knot_tsig_key: + name: tsig.ns2.example.org. + algorithm: hmac-sha384 + secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M # Change other host specific options here # knot 2.7 in Debian stable doesn't know double-ds yet diff --git a/docs/inventory.ini b/docs/inventory.ini index 8d47b41..1eebc0b 100644 --- a/docs/inventory.ini +++ b/docs/inventory.ini @@ -8,4 +8,6 @@ ns2.example.org # These hosts only serve as dummy hosts to hold the necessary # information required for using them as zone transfer sources or # targets -ns3.example.org \ No newline at end of file +ns3.example.org +# TSIG update clients, also dummy host only +foo.example.org diff --git a/roles/knot/templates/etc/knot/knot.conf.j2 b/roles/knot/templates/etc/knot/knot.conf.j2 index 079ba9c..0e27a5b 100644 --- a/roles/knot/templates/etc/knot/knot.conf.j2 +++ b/roles/knot/templates/etc/knot/knot.conf.j2 
@@ -20,11 +20,20 @@ log: # -# ALL KNOWN REMOTES +# ALL KNOWN REMOTES, TSIG KEYS AND ACLs # +key: +{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %} + + - id: {{ hostvars[remote].knot_tsig_key.name }} + algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }} + secret: {{ hostvars[remote].knot_tsig_key.secret }} +{% endfor %} + + remote: -{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %} +{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %} - id: remote-{{ remote }} {% for address in hostvars[remote].knot_dns_addresses %} @@ -33,15 +42,40 @@ remote: {% endfor %} acl: -{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %} +{% for remote in zones | map(attribute='replicas') | flatten | unique %} - id: acl-xfr-{{ remote }} action: transfer +{% if knot_tsig_key in hostvars[remote] %} + key: {{ hostvars[remote].knot_tsig_key.name }} +{% else %} {% for address in hostvars[remote].knot_dns_addresses %} address: "{{ address }}" {% endfor %} +{% endif %} {% endfor %} +{% for remote in zones | map(attribute='masters') | flatten | unique %} + + - id: acl-notify-{{ remote }} + action: notify +{% if knot_tsig_key in hostvars[remote] %} + key: {{ hostvars[remote].knot_tsig_key.name }} +{% else %} +{% for address in hostvars[remote].knot_dns_addresses %} + address: "{{ address }}" +{% endfor %} +{% endif %} +{% endfor %} + +{% for remote in zones | map(attribute='updaters') | flatten | unique %} + + - id: acl-update-{{ remote }} + action: update + key: {{ hostvars[remote].knot_tsig_key.name }} +{% endfor %} + + # # MASTER ZONES #
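Review bot: The `key:` loop dereferences `hostvars[remote].knot_tsig_key.name` for every replica, master and updater, so a remote without a key — which the host_vars comments call optional and which the ACL hunk below handles with an address fallback — aborts the render instead of being skipped; each entry should be guarded with `{% if 'knot_tsig_key' in hostvars[remote] %}`. The host's own key is also never written into `key:` and the `remote:` entries get no `key:` line, so as far as this hunk shows outbound NOTIFY/XFR from this host remains unsigned and will be refused by a peer whose ACL now requires the key; Knot signs outgoing traffic via `key:` on the `remote` entry, which should name the local `knot_tsig_key` and only for peers that have a key, since an unknown key is rejected rather than ignored. `zones | map(attribute='updaters')` further yields an undefined item for any zone that omits `updaters` (only one zone sets it in the docs); `zones | selectattr('updaters', 'defined') | map(attribute='updaters')` sidesteps that. The hunk ends inside the `remote:` loop.
```jinja
{% set tsig_hosts = ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | selectattr('updaters', 'defined') | map(attribute='updaters') ) ) | flatten | unique | list %}
key:
{# this host's own key, used to sign what it sends to peers #}
{% if knot_tsig_key is defined and inventory_hostname not in tsig_hosts %}

  - id: {{ knot_tsig_key.name }}
    algorithm: {{ knot_tsig_key.algorithm }}
    secret: {{ knot_tsig_key.secret }}
{% endif %}
{% for remote in tsig_hosts %}
{% if 'knot_tsig_key' in hostvars[remote] %}

  - id: {{ hostvars[remote].knot_tsig_key.name }}
    algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
    secret: {{ hostvars[remote].knot_tsig_key.secret }}
{% endif %}
{% endfor %}

remote:
{% for remote in tsig_hosts %}

  - id: remote-{{ remote }}
{% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
    key: {{ knot_tsig_key.name }}
{% endif %}
{# … unchanged: address lines from hostvars[remote].knot_dns_addresses … #}
{% endfor %}
```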
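Review bot: `{% if knot_tsig_key in hostvars[remote] %}` in the transfer and notify ACLs tests the value of the local `knot_tsig_key` variable (a dict, or undefined on a host without a key) for membership in hostvars rather than the presence of the name, so the branch is effectively never taken and every ACL silently degrades to the address-based form even when the peer has a key — or the render fails outright if the undefined value cannot be used in `in`; both occurrences should read `{% if 'knot_tsig_key' in hostvars[remote] %}`. Knot ANDs `address` and `key` when both appear in one ACL, so consider keeping the address lines next to `key:` instead of replacing them, which keeps a leaked key from being sufficient on its own from an arbitrary source. The `acl-update-*` entries are key-only, which is appropriate for update clients without a fixed address, provided the zone sections below (outside this hunk) actually attach them.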