Add support for TSIG keys

s3lph 2021-02-05 21:36:46 +01:00
parent c040429eac
commit 69cfc2ef81
6 changed files with 65 additions and 4 deletions


@ -8,6 +8,8 @@ knot_zone_example.org:
replicas:
- ns2.example.org
- ns3.example.org
updaters:
- foo.example.org
# Replace example.org. with your zone name
name: example.org.
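Review bot: The new `updaters:` list carries an undocumented requirement that the `replicas:` list above it does not have: every host named here must define `knot_tsig_key` in its host_vars, because the template renders `acl-update-*` with `key: {{ hostvars[remote].knot_tsig_key.name }}` unconditionally, and the resulting ACL grants `action: update` on the whole zone with no `update-owner`/`update-type` restriction. A one-line comment above the key would save the next maintainer a failed render: `# Hosts allowed to send DNS UPDATE for the whole zone; each MUST define knot_tsig_key in its host_vars`.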


@ -0,0 +1,8 @@
---
# TSIG updaters only need a key
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
knot_tsig_key:
name: tsig.foo.example.org.
algorithm: hmac-sha384
secret: j/yF6FFcC8rw57jjz0sMGMA0o//DrXvS82aiLelHDutFhPldMBQU3EB+NttANIc/
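Review bot: The `secret:` on the last line is a TSIG key committed in clear text, and the comment two lines above only warns about it instead of fixing it; `ansible-vault encrypt_string --name secret '<value>'` produces an inline `secret: !vault |` block that keeps the rest of the file readable and works unchanged with the `{{ hostvars[remote].knot_tsig_key.secret }}` lookup in the template. Any key that has ever been committed unencrypted, including this one if it is ever used outside the example, should be regenerated (e.g. `keymgr -t tsig.foo.example.org. hmac-sha384`) rather than reused. It would also help to note next to `name:` that the key name is part of the TSIG wire format and must match byte-for-byte on the client, including the trailing dot.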


@ -10,6 +10,14 @@ knot_dns_addresses:
- "2001:db8:42::1"
- "10.42.0.1"
# Optional for replicated setup: TSIG keys for notify/xfer/update. If
# not present, ACL will use knot_dns_addresses instead...
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
knot_tsig_key:
name: tsig.ns1.example.org.
algorithm: hmac-sha384
secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN
# Change other host specific options here
# knot 2.7 in Debian stable doesn't know double-ds yet
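Review bot: The comment above `knot_tsig_key` presents the key as an alternative to the address list, which understates what is given up: once a key is set, the rendered ACL in the template no longer constrains source addresses at all, so a leaked key can be used from anywhere. If I read Knot's ACL semantics right, `address` and `key` on the same ACL entry must both match, so the template could keep both and this comment could read `# TSIG key for notify/xfer/update; when set, the ACL should match the key AND knot_dns_addresses`. The secret here has the same clear-text problem as the other host_vars in this commit and belongs in an `!vault` inline block.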


@ -10,6 +10,13 @@ knot_dns_addresses:
- "2001:db8:42::2"
- "10.42.0.2"
# Optional for replicated setup: TSIG keys for notify/xfer/update. If
# not present, ACL will use knot_dns_addresses instead...
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
knot_tsig_key:
name: tsig.ns2.example.org.
algorithm: hmac-sha384
secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
# Change other host specific options here
# knot 2.7 in Debian stable doesn't know double-ds yet


@ -9,3 +9,5 @@ ns2.example.org
# information required for using them as zone transfer sources or
# targets
ns3.example.org
# TSIG update clients, also dummy host only
foo.example.org


@ -20,11 +20,20 @@ log:
#
# ALL KNOWN REMOTES
# ALL KNOWN REMOTES, TSIG KEYS AND ACLs
#
key:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
- id: {{ hostvars[remote].knot_tsig_key.name }}
algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
secret: {{ hostvars[remote].knot_tsig_key.secret }}
{% endfor %}
remote:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') ) ) | flatten | unique %}
- id: remote-{{ remote }}
{% for address in hostvars[remote].knot_dns_addresses %}
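Review bot: The new `key:` section dereferences `hostvars[remote].knot_tsig_key.name`, `.algorithm` and `.secret` for every replica, master and updater, although the host_vars added in this same commit describe the key as optional, so a remote without one breaks the render instead of falling back to the address ACL; wrap the entry in `{% if hostvars[remote].knot_tsig_key is defined %}` … `{% endif %}`. The `remote:` loop on the last lines now also iterates `updaters` and reads `hostvars[remote].knot_dns_addresses`, which the new `foo.example.org` host_vars does not define; as far as I can see update clients only appear in ACLs, so the added `+ (zones | map(attribute='updaters'))` in that loop is unnecessary (the remote entry continues past this hunk). The ACL hunk below has a related defect: `{% if knot_tsig_key in hostvars[remote] %}` tests the local host's variable value for membership in the remote's facts (undefined, or an unhashable dict) rather than whether the remote has a key, and should be the same `is defined` check. Since TSIG secrets now land in knot.conf, the task templating this file should also set a restrictive mode (e.g. `0640`, root:knot), which is outside this diff.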
@ -33,15 +42,40 @@ remote:
{% endfor %}
acl:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
{% for remote in zones | map(attribute='replicas') | flatten | unique %}
- id: acl-xfr-{{ remote }}
action: transfer
{% if knot_tsig_key in hostvars[remote] %}
key: {{ hostvars[remote].knot_tsig_key.name }}
{% else %}
{% for address in hostvars[remote].knot_dns_addresses %}
address: "{{ address }}"
{% endfor %}
{% endif %}
{% endfor %}
{% for remote in zones | map(attribute='masters') | flatten | unique %}
- id: acl-notify-{{ remote }}
action: notify
{% if knot_tsig_key in hostvars[remote] %}
key: {{ hostvars[remote].knot_tsig_key.name }}
{% else %}
{% for address in hostvars[remote].knot_dns_addresses %}
address: "{{ address }}"
{% endfor %}
{% endif %}
{% endfor %}
{% for remote in zones | map(attribute='updaters') | flatten | unique %}
- id: acl-update-{{ remote }}
action: update
key: {{ hostvars[remote].knot_tsig_key.name }}
{% endfor %}
#
# MASTER ZONES
#