roles/named: Support managing TSIG keys

To support signing of updates, TSIG keys can be defined using the `named_keys` variable. This variable takes a list of objects with the following properties: * `name`: The name of the key * `algorithm`: The signature algorithm (default: `hmac-md5`) * `secret`: The base64-encoded key material
2018-02-20 16:12:23 -06:00 · 2018-02-20 16:12:23 -06:00 · eca967c8b3
parent 0629a063bc
commit eca967c8b3
3 changed files with 19 additions and 0 deletions
--- a/roles/named/tasks/main.yml
+++ b/roles/named/tasks/main.yml
@ -13,6 +13,16 @@
  tags:
  - install

+- name: ensure named keys are configured
+  template:
+    src: named.secrets.j2
+    dest: /etc/named.secrets
+    mode: '0440'
+    owner: root
+    group: named
+    validate: named-checkconf %s
+  notify: reload named
+
 - name: ensure zones are configured
  template:
    src: named.zones.j2
--- a/roles/named/templates/named.conf.j2
+++ b/roles/named/templates/named.conf.j2
@ -65,6 +65,7 @@ zone "." IN {

 include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";
+include "/etc/named.secrets";
 include "/etc/named.zones";
 {% for path in named_global_include %}
 include "{{ path }}";
--- a/roles/named/templates/named.secrets.j2
+++ b/roles/named/templates/named.secrets.j2
@ -0,0 +1,8 @@
+// DNSSEC key configuration for ISC BIND
+{% for key in named_keys %}
+
+key {{ key.name }} {
+    algorithm {{ key.algorithm|d('hmac-md5') }};
+    secret "{{ key.secret }}";
+};
+{% endfor %}