Add support for TSIG keys
This commit is contained in:
parent
c040429eac
commit
69cfc2ef81
6 changed files with 65 additions and 4 deletions
|
@ -8,6 +8,8 @@ knot_zone_example.org:
|
|||
replicas:
|
||||
- ns2.example.org
|
||||
- ns3.example.org
|
||||
updaters:
|
||||
- foo.example.org
|
||||
|
||||
# Replace example.org. with your zone name
|
||||
name: example.org.
|
||||
|
|
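--- /dev/null
+++ b/docs/host_vars/foo.example.org/knot.yml
@@ -0,0 +1,8 @@
+---
+
+# TSIG updaters only need a key
+# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
+knot_tsig_key:
+  name: tsig.foo.example.org.
+  algorithm: hmac-sha384
+  secret: j/yF6FFcC8rw57jjz0sMGMA0o//DrXvS82aiLelHDutFhPldMBQU3EB+NttANIc/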
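Review bot: The `secret:` value in this new host_vars file, and the same field in the ns1 and ns2 hunks below, is a plain unquoted scalar next to a comment saying it belongs in a vault. The change that keeps these files diff-readable is an inline vault value, `secret: !vault |` followed by the output of `ansible-vault encrypt_string`, instead of encrypting the whole file. If the example values stay in clear, quote them (`secret: 'j/yF6…'`) so a generated secret that starts with a YAML indicator or happens to be all digits is not retyped by the loader.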
@ -10,6 +10,14 @@ knot_dns_addresses:
|
|||
- "2001:db8:42::1"
|
||||
- "10.42.0.1"
|
||||
|
||||
# Optional for replicated setup: TSIG keys for notify/xfer/update. If
|
||||
# not present, ACL will use knot_dns_addresses instead...
|
||||
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
|
||||
knot_tsig_key:
|
||||
name: tsig.ns1.example.org.
|
||||
algorithm: hmac-sha384
|
||||
secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN
|
||||
|
||||
# Change other host specific options here
|
||||
|
||||
# knot 2.7 in Debian stable doesn't know double-ds yet
|
||||
|
|
|
@ -10,6 +10,13 @@ knot_dns_addresses:
|
|||
- "2001:db8:42::2"
|
||||
- "10.42.0.2"
|
||||
|
||||
# Optional for replicated setup: TSIG keys for notify/xfer/update. If
|
||||
# not present, ACL will use knot_dns_addresses instead...
|
||||
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
|
||||
knot_tsig_key:
|
||||
name: tsig.ns2.example.org.
|
||||
algorithm: hmac-sha384
|
||||
secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
|
||||
# Change other host specific options here
|
||||
|
||||
# knot 2.7 in Debian stable doesn't know double-ds yet
|
||||
|
|
|
@ -9,3 +9,5 @@ ns2.example.org
|
|||
# information required for using them as zone transfer sources or
|
||||
# targets
|
||||
ns3.example.org
|
||||
# TSIG update clients, also dummy host only
|
||||
foo.example.org
|
||||
|
|
|
@ -20,11 +20,20 @@ log:
|
|||
|
||||
|
||||
#
|
||||
# ALL KNOWN REMOTES
|
||||
# ALL KNOWN REMOTES, TSIG KEYS AND ACLs
|
||||
#
|
||||
|
||||
key:
|
||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
|
||||
|
||||
- id: {{ hostvars[remote].knot_tsig_key.name }}
|
||||
algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
|
||||
secret: {{ hostvars[remote].knot_tsig_key.secret }}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
remote:
|
||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
|
||||
|
||||
- id: remote-{{ remote }}
|
||||
{% for address in hostvars[remote].knot_dns_addresses %}
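Review bot: The new `key:` block reads `hostvars[remote].knot_tsig_key.name`, `.algorithm` and `.secret` for every remote in replicas, masters and updaters without checking that the variable exists, while the host_vars comments in this commit describe `knot_tsig_key` as optional for replicas and masters; any such host without it makes the template fail to render. Wrap the entry in a guard, `{% if 'knot_tsig_key' in hostvars[remote] %}` before `- id: {{ hostvars[remote].knot_tsig_key.name }}` and `{% endif %}` after `secret: …`, so only hosts that define a key are emitted. Note the string must be quoted in that test; see the same issue in the acl hunk below. The remote block continues past this hunk.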
|
||||
|
@ -33,15 +42,40 @@ remote:
|
|||
{% endfor %}
|
||||
|
||||
acl:
|
||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
||||
{% for remote in zones | map(attribute='replicas') | flatten | unique %}
|
||||
|
||||
- id: acl-xfr-{{ remote }}
|
||||
action: transfer
|
||||
{% if knot_tsig_key in hostvars[remote] %}
|
||||
key: {{ hostvars[remote].knot_tsig_key.name }}
|
||||
{% else %}
|
||||
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||
address: "{{ address }}"
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% for remote in zones | map(attribute='masters') | flatten | unique %}
|
||||
|
||||
- id: acl-notify-{{ remote }}
|
||||
action: notify
|
||||
{% if knot_tsig_key in hostvars[remote] %}
|
||||
key: {{ hostvars[remote].knot_tsig_key.name }}
|
||||
{% else %}
|
||||
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||
address: "{{ address }}"
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% for remote in zones | map(attribute='updaters') | flatten | unique %}
|
||||
|
||||
- id: acl-update-{{ remote }}
|
||||
action: update
|
||||
key: {{ hostvars[remote].knot_tsig_key.name }}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
#
|
||||
# MASTER ZONES
|
||||
#
|
||||
|
|