Add support for TSIG keys
This commit is contained in:
parent
c040429eac
commit
69cfc2ef81
6 changed files with 65 additions and 4 deletions
@ -8,6 +8,8 @@ knot_zone_example.org:
|
||||||
replicas:
|
replicas:
|
||||||
- ns2.example.org
|
- ns2.example.org
|
||||||
- ns3.example.org
|
- ns3.example.org
|
||||||
|
updaters:
|
||||||
|
- foo.example.org
|
||||||
|
|
||||||
# Replace example.org. with your zone name
|
# Replace example.org. with your zone name
|
||||||
name: example.org.
|
name: example.org.
|
||||||
|
|
8
docs/host_vars/foo.example.org/knot.yml
Normal file
8
docs/host_vars/foo.example.org/knot.yml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# TSIG updaters only need a key
|
||||||
|
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
|
||||||
|
knot_tsig_key:
|
||||||
|
name: tsig.foo.example.org.
|
||||||
|
algorithm: hmac-sha384
|
||||||
|
secret: j/yF6FFcC8rw57jjz0sMGMA0o//DrXvS82aiLelHDutFhPldMBQU3EB+NttANIc/
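Review bot: The `secret:` value on the last line is a complete, usable HMAC-SHA384 TSIG secret committed in cleartext under docs/, and the comment above it only flags that fact; the ns1 and ns2 host_vars hunks (`@ -10,6 +10,14 @@` and `@ -10,6 +10,13 @@`) repeat the same pattern with two more secrets. A reader who copies the example verbatim ends up sharing a published key across deployments, so the docs should carry a placeholder instead, e.g. `secret: "{{ vault_knot_tsig_secret }}"`, with the comment rewritten to say that each host needs its own freshly generated key (Knot's `keymgr -t` produces one) stored in an ansible-vault file. The "If not present, ACL will use knot_dns_addresses instead" promise in the ns1/ns2 comments also depends on the template check in this commit, which currently tests the wrong thing (see the note on the template hunk), so the comment overstates what the role does today.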
|
|
@ -10,6 +10,14 @@ knot_dns_addresses:
|
||||||
- "2001:db8:42::1"
|
- "2001:db8:42::1"
|
||||||
- "10.42.0.1"
|
- "10.42.0.1"
|
||||||
|
|
||||||
|
# Optional for replicated setup: TSIG keys for notify/xfer/update. If
|
||||||
|
# not present, ACL will use knot_dns_addresses instead...
|
||||||
|
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
|
||||||
|
knot_tsig_key:
|
||||||
|
name: tsig.ns1.example.org.
|
||||||
|
algorithm: hmac-sha384
|
||||||
|
secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN
|
||||||
|
|
||||||
# Change other host specific options here
|
# Change other host specific options here
|
||||||
|
|
||||||
# knot 2.7 in Debian stable doesn't know double-ds yet
|
# knot 2.7 in Debian stable doesn't know double-ds yet
|
||||||
|
|
|
@ -10,6 +10,13 @@ knot_dns_addresses:
|
||||||
- "2001:db8:42::2"
|
- "2001:db8:42::2"
|
||||||
- "10.42.0.2"
|
- "10.42.0.2"
|
||||||
|
|
||||||
|
# Optional for replicated setup: TSIG keys for notify/xfer/update. If
|
||||||
|
# not present, ACL will use knot_dns_addresses instead...
|
||||||
|
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
|
||||||
|
knot_tsig_key:
|
||||||
|
name: tsig.ns2.example.org.
|
||||||
|
algorithm: hmac-sha384
|
||||||
|
secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
|
||||||
# Change other host specific options here
|
# Change other host specific options here
|
||||||
|
|
||||||
# knot 2.7 in Debian stable doesn't know double-ds yet
|
# knot 2.7 in Debian stable doesn't know double-ds yet
|
||||||
|
|
|
@ -8,4 +8,6 @@ ns2.example.org
|
||||||
# These hosts only serve as dummy hosts to hold the necessary
|
# These hosts only serve as dummy hosts to hold the necessary
|
||||||
# information required for using them as zone transfer sources or
|
# information required for using them as zone transfer sources or
|
||||||
# targets
|
# targets
|
||||||
ns3.example.org
|
ns3.example.org
|
||||||
|
# TSIG update clients, also dummy host only
|
||||||
|
foo.example.org
|
||||||
|
|
|
@ -20,11 +20,20 @@ log:
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# ALL KNOWN REMOTES
|
# ALL KNOWN REMOTES, TSIG KEYS AND ACLs
|
||||||
#
|
#
|
||||||
|
|
||||||
|
key:
|
||||||
|
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
|
||||||
|
|
||||||
|
- id: {{ hostvars[remote].knot_tsig_key.name }}
|
||||||
|
algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
|
||||||
|
secret: {{ hostvars[remote].knot_tsig_key.secret }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
|
||||||
remote:
|
remote:
|
||||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
|
||||||
|
|
||||||
- id: remote-{{ remote }}
|
- id: remote-{{ remote }}
|
||||||
{% for address in hostvars[remote].knot_dns_addresses %}
|
{% for address in hostvars[remote].knot_dns_addresses %}
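Review bot: The new `key:` loop reads `hostvars[remote].knot_tsig_key.name` for every replica and master, but the host_vars hunks in this same commit describe `knot_tsig_key` as optional for those hosts, so the render aborts with an undefined-variable error on the first remote without a key; the entry needs an `{% if 'knot_tsig_key' in hostvars[remote] %}` … `{% endif %}` guard. The changed `{% for remote … %}` line of the `remote:` section now also iterates updaters, yet the unchanged `{% for address in hostvars[remote].knot_dns_addresses %}` line below it expects addresses that the new foo.example.org host_vars (which define only `knot_tsig_key`) never provide; nothing visible in this hunk consumes a `remote-foo.example.org` entry, so keeping updaters out of `remote:` (as the original loop did) looks like the safer fix, unless the unchanged lines past the hunk need it. Nothing in the hunk adds a `key:` to the generated `remote:` entries either, so as far as the hunk shows outbound notify and transfer requests from this server stay unsigned even when the peer's key is configured; the rest of each remote entry lies outside the hunk.

```jinja
key:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
{% if 'knot_tsig_key' in hostvars[remote] %}
  - id: {{ hostvars[remote].knot_tsig_key.name }}
    algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
    secret: {{ hostvars[remote].knot_tsig_key.secret }}
{% endif %}
{% endfor %}

remote:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
  - id: remote-{{ remote }}
{% if 'knot_tsig_key' in hostvars[remote] %}
    key: {{ hostvars[remote].knot_tsig_key.name }}
{% endif %}
{% for address in hostvars[remote].knot_dns_addresses %}
{# … unchanged: address lines and loop end … #}
```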
|
||||||
|
@ -33,15 +42,40 @@ remote:
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
acl:
|
acl:
|
||||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
{% for remote in zones | map(attribute='replicas') | flatten | unique %}
|
||||||
|
|
||||||
- id: acl-xfr-{{ remote }}
|
- id: acl-xfr-{{ remote }}
|
||||||
action: transfer
|
action: transfer
|
||||||
|
{% if knot_tsig_key in hostvars[remote] %}
|
||||||
|
key: {{ hostvars[remote].knot_tsig_key.name }}
|
||||||
|
{% else %}
|
||||||
{% for address in hostvars[remote].knot_dns_addresses %}
|
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||||
address: "{{ address }}"
|
address: "{{ address }}"
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
{% for remote in zones | map(attribute='masters') | flatten | unique %}
|
||||||
|
|
||||||
|
- id: acl-notify-{{ remote }}
|
||||||
|
action: notify
|
||||||
|
{% if knot_tsig_key in hostvars[remote] %}
|
||||||
|
key: {{ hostvars[remote].knot_tsig_key.name }}
|
||||||
|
{% else %}
|
||||||
|
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||||
|
address: "{{ address }}"
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% for remote in zones | map(attribute='updaters') | flatten | unique %}
|
||||||
|
|
||||||
|
- id: acl-update-{{ remote }}
|
||||||
|
action: update
|
||||||
|
key: {{ hostvars[remote].knot_tsig_key.name }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# MASTER ZONES
|
# MASTER ZONES
|
||||||
#
|
#
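Review bot: `{% if knot_tsig_key in hostvars[remote] %}`, used in both the acl-xfr and the acl-notify loop, tests whether the value of the current host's own `knot_tsig_key` variable is a key of the `hostvars[remote]` mapping, not whether the remote defines that variable; on the ns hosts in this commit that value is a dict, so the branch can never match as intended, and on a host without the variable the name is undefined and the render fails. The string form does what the host_vars comments promise: `{% if 'knot_tsig_key' in hostvars[remote] %}` (or `{% if hostvars[remote].knot_tsig_key is defined %}`). Consider also emitting the `address:` lines inside the key branch rather than only under `{% else %}`: Knot requires every criterion given in an ACL item to match, so key plus address confines a leaked key to the peer's known addresses, whereas the new branch drops the address check as soon as a key exists. The acl-update loop is right to assume a key, but the unchanged tail of the `acl:` section runs past the hunk.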
|
||||||
|
|