Add support for TSIG keys

docs/group_vars/all/zones/zone.example.org.yml

@@ -8,6 +8,8 @@ knot_zone_example.org:
   replicas:
     - ns2.example.org
     - ns3.example.org
+  updaters:
+    - foo.example.org
 
   # Replace example.org. with your zone name
   name: example.org.

docs/host_vars/foo.example.org/knot.yml

@@ -0,0 +1,8 @@
+---
+
+# TSIG updaters only need a key
+# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
+knot_tsig_key:
+  name: tsig.foo.example.org.
+  algorithm: hmac-sha384
+  secret: j/yF6FFcC8rw57jjz0sMGMA0o//DrXvS82aiLelHDutFhPldMBQU3EB+NttANIc/

docs/host_vars/ns1.example.org/knot.yml

@@ -10,6 +10,14 @@ knot_dns_addresses:
   - "2001:db8:42::1"
   - "10.42.0.1"
 
+# Optional for replicated setup: TSIG keys for notify/xfer/update.  If
+# not present, ACL will use knot_dns_addresses instead...
+# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
+knot_tsig_key:
+  name: tsig.ns1.example.org.
+  algorithm: hmac-sha384
+  secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN
+
 # Change other host specific options here
 
 # knot 2.7 in Debian stable doesn't know double-ds yet

docs/host_vars/ns2.example.org/knot.yml

@@ -10,6 +10,13 @@ knot_dns_addresses:
   - "2001:db8:42::2"
   - "10.42.0.2"
 
+# Optional for replicated setup: TSIG keys for notify/xfer/update.  If
+# not present, ACL will use knot_dns_addresses instead...
+# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
+knot_tsig_key:
+  name: tsig.ns2.example.org.
+  algorithm: hmac-sha384
+  secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
 # Change other host specific options here
 
 # knot 2.7 in Debian stable doesn't know double-ds yet

docs/inventory.ini

@@ -9,3 +9,5 @@ ns2.example.org
 # information required for using them as zone transfer sources or
 # targets
 ns3.example.org
+# TSIG update clients, also dummy host only
+foo.example.org

roles/knot/templates/etc/knot/knot.conf.j2

@@ -20,11 +20,20 @@ log:
 
 
 #
-#   ALL KNOWN REMOTES
+#   ALL KNOWN REMOTES, TSIG KEYS AND ACLs
 #
 
+key:
+{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
+
+  - id: {{ hostvars[remote].knot_tsig_key.name }}
+    algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
+    secret: {{ hostvars[remote].knot_tsig_key.secret }}
+{% endfor %}
+
+
 remote:
-{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
+{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
 
   - id: remote-{{ remote }}
 {% for address in hostvars[remote].knot_dns_addresses %}
@@ -33,15 +42,40 @@ remote:
 {% endfor %}
 
 acl:
-{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
+{% for remote in zones | map(attribute='replicas') | flatten | unique %}
 
   - id: acl-xfr-{{ remote }}
     action: transfer
+{% if knot_tsig_key in hostvars[remote] %}
+    key: {{ hostvars[remote].knot_tsig_key.name }}
+{% else %}
 {% for address in hostvars[remote].knot_dns_addresses %}
     address: "{{ address }}"
 {% endfor %}
+{% endif %}
 {% endfor %}
 
+{% for remote in zones | map(attribute='masters') | flatten | unique %}
+
+  - id: acl-notify-{{ remote }}
+    action: notify
+{% if knot_tsig_key in hostvars[remote] %}
+    key: {{ hostvars[remote].knot_tsig_key.name }}
+{% else %}
+{% for address in hostvars[remote].knot_dns_addresses %}
+    address: "{{ address }}"
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+{% for remote in zones | map(attribute='updaters') | flatten | unique %}
+
+  - id: acl-update-{{ remote }}
+    action: update
+    key: {{ hostvars[remote].knot_tsig_key.name }}
+{% endfor %}
+
+
 #
 #   MASTER ZONES
 #