Add support for TSIG keys

This commit is contained in:
s3lph 2021-02-05 21:36:46 +01:00
parent c040429eac
commit 69cfc2ef81
6 changed files with 65 additions and 4 deletions

View file

@ -8,6 +8,8 @@ knot_zone_example.org:
replicas: replicas:
- ns2.example.org - ns2.example.org
- ns3.example.org - ns3.example.org
updaters:
- foo.example.org
# Replace example.org. with your zone name # Replace example.org. with your zone name
name: example.org. name: example.org.

View file

@ -0,0 +1,8 @@
---
# TSIG updaters only need a key
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
knot_tsig_key:
name: tsig.foo.example.org.
algorithm: hmac-sha384
secret: j/yF6FFcC8rw57jjz0sMGMA0o//DrXvS82aiLelHDutFhPldMBQU3EB+NttANIc/

View file

@ -10,6 +10,14 @@ knot_dns_addresses:
- "2001:db8:42::1" - "2001:db8:42::1"
- "10.42.0.1" - "10.42.0.1"
# Optional for replicated setup: TSIG keys for notify/xfer/update. If
# not present, ACL will use knot_dns_addresses instead...
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
knot_tsig_key:
name: tsig.ns1.example.org.
algorithm: hmac-sha384
secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN
# Change other host specific options here # Change other host specific options here
# knot 2.7 in Debian stable doesn't know double-ds yet # knot 2.7 in Debian stable doesn't know double-ds yet

View file

@ -10,6 +10,13 @@ knot_dns_addresses:
- "2001:db8:42::2" - "2001:db8:42::2"
- "10.42.0.2" - "10.42.0.2"
# Optional for replicated setup: TSIG keys for notify/xfer/update. If
# not present, ACL will use knot_dns_addresses instead...
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
knot_tsig_key:
name: tsig.ns2.example.org.
algorithm: hmac-sha384
secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
# Change other host specific options here # Change other host specific options here
# knot 2.7 in Debian stable doesn't know double-ds yet # knot 2.7 in Debian stable doesn't know double-ds yet

View file

@ -8,4 +8,6 @@ ns2.example.org
# These hosts only serve as dummy hosts to hold the necessary # These hosts only serve as dummy hosts to hold the necessary
# information required for using them as zone transfer sources or # information required for using them as zone transfer sources or
# targets # targets
ns3.example.org ns3.example.org
# TSIG update clients, also dummy host only
foo.example.org

View file

@ -20,11 +20,20 @@ log:
# #
# ALL KNOWN REMOTES # ALL KNOWN REMOTES, TSIG KEYS AND ACLs
# #
key:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
- id: {{ hostvars[remote].knot_tsig_key.name }}
algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
secret: {{ hostvars[remote].knot_tsig_key.secret }}
{% endfor %}
remote: remote:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %} {% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
- id: remote-{{ remote }} - id: remote-{{ remote }}
{% for address in hostvars[remote].knot_dns_addresses %} {% for address in hostvars[remote].knot_dns_addresses %}
@ -33,15 +42,40 @@ remote:
{% endfor %} {% endfor %}
acl: acl:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %} {% for remote in zones | map(attribute='replicas') | flatten | unique %}
- id: acl-xfr-{{ remote }} - id: acl-xfr-{{ remote }}
action: transfer action: transfer
{% if knot_tsig_key in hostvars[remote] %}
key: {{ hostvars[remote].knot_tsig_key.name }}
{% else %}
{% for address in hostvars[remote].knot_dns_addresses %} {% for address in hostvars[remote].knot_dns_addresses %}
address: "{{ address }}" address: "{{ address }}"
{% endfor %} {% endfor %}
{% endif %}
{% endfor %} {% endfor %}
{% for remote in zones | map(attribute='masters') | flatten | unique %}
- id: acl-notify-{{ remote }}
action: notify
{% if knot_tsig_key in hostvars[remote] %}
key: {{ hostvars[remote].knot_tsig_key.name }}
{% else %}
{% for address in hostvars[remote].knot_dns_addresses %}
address: "{{ address }}"
{% endfor %}
{% endif %}
{% endfor %}
{% for remote in zones | map(attribute='updaters') | flatten | unique %}
- id: acl-update-{{ remote }}
action: update
key: {{ hostvars[remote].knot_tsig_key.name }}
{% endfor %}
# #
# MASTER ZONES # MASTER ZONES
# #