From eca967c8b30ceaab57e24299f71c4abbc0b10546 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 20 Feb 2018 16:12:23 -0600
Subject: [PATCH] roles/named: Support managing TSIG keys

To support signing of updates, TSIG keys can be defined using the `named_keys` variable. This variable takes a list of objects with the following properties:

* `name`: The name of the key
* `algorithm`: The signature algorithm (default: `hmac-md5`)
* `secret`: The base64-encoded key material
---
 roles/named/tasks/main.yml | 10 ++++++++++
 roles/named/templates/named.conf.j2 | 1 +
 roles/named/templates/named.secrets.j2 | 8 ++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 roles/named/templates/named.secrets.j2

diff --git a/roles/named/tasks/main.yml b/roles/named/tasks/main.yml
index f515541..8419b34 100644
--- a/roles/named/tasks/main.yml
+++ b/roles/named/tasks/main.yml
@@ -13,6 +13,16 @@
   tags:
   - install
 
+- name: ensure named keys are configured
+  template:
+    src: named.secrets.j2
+    dest: /etc/named.secrets
+    mode: '0440'
+    owner: root
+    group: named
+    validate: named-checkconf %s
+  notify: reload named
+
 - name: ensure zones are configured
   template:
     src: named.zones.j2
diff --git a/roles/named/templates/named.conf.j2 b/roles/named/templates/named.conf.j2
index 0e21e1f..23d1dcc 100644
--- a/roles/named/templates/named.conf.j2
+++ b/roles/named/templates/named.conf.j2
@@ -65,6 +65,7 @@ zone "." IN {
 include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";
+include "/etc/named.secrets";
 include "/etc/named.zones";
 {% for path in named_global_include %}
 include "{{ path }}";
diff --git a/roles/named/templates/named.secrets.j2 b/roles/named/templates/named.secrets.j2
new file mode 100644
index 0000000..6034965
--- /dev/null
+++ b/roles/named/templates/named.secrets.j2
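Review bot: The new template task writes TSIG key material to /etc/named.secrets but does not set `no_log: true`, so a run with `--diff` prints the rendered secrets into the playbook output and any log that captures it; add `no_log: true` next to `notify: reload named`. The `mode: '0440'` / `owner: root` / `group: named` combination and the `validate: named-checkconf %s` step are the right guards, since a `key` block is a complete top-level statement and the file is checked before it replaces the live one. The task carries no `tags` while the neighbouring task is tagged `install`, so a tag-filtered run could render named.conf without ever producing the secrets file it includes — worth confirming against the rest of the role, which is outside this hunk.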
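Review bot: The added `include "/etc/named.secrets";` is unconditional, so `named-checkconf` and named itself fail on any host where that file has not been written yet; the secrets template always emits a file (empty when `named_keys` is empty), so this only bites if the two tasks can run independently, which this hunk cannot show. Placing the include ahead of `/etc/named.zones` is sensible, as it keeps the key definitions before any zone `allow-update { key ...; }` that refers to them.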
@@ -0,0 +1,8 @@
+// DNSSEC key configuration for ISC BIND
+{% for key in named_keys %}
+
+key {{ key.name }} {
+    algorithm {{ key.algorithm|d('hmac-md5') }};
+    secret "{{ key.secret }}";
+};
+{% endfor %}
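Review bot: The `algorithm` line falls back to `hmac-md5`, a deprecated TSIG algorithm that RFC 8945 makes optional while mandating HMAC-SHA256, and FIPS-mode BIND builds may refuse it; since the feature is new in this commit, the default should be `algorithm {{ key.algorithm|d('hmac-sha256') }};` with the commit description updated to match. The loop should tolerate an unset variable with `{% for key in named_keys|d([]) %}`, because an undefined `named_keys` makes the template fail and leaves the unconditional include in named.conf pointing at a file that was never written. The key name is emitted unquoted; `key "{{ key.name }}" {` is the conventional form and survives names that are not bare identifiers. The header comment is also misleading — these are TSIG keys, not DNSSEC keys — so reword it to `// TSIG keys for signed dynamic updates (managed by Ansible)`.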