Browse Source

feat: refactor dnssec

pull/1/head
Adrien Waksberg 3 years ago
parent
commit
233845a647
12 changed files with 146 additions and 116 deletions
  1. +1
    -0
      .kitchen.yml
  2. +32
    -18
      README.md
  3. +1
    -0
      defaults/main.yml
  4. +13
    -80
      tasks/keys.yml
  5. +0
    -1
      tasks/main.yml
  6. +1
    -1
      tasks/zones.yml
  7. +4
    -3
      templates/db.j2
  8. +1
    -3
      templates/dnssec.j2
  9. +2
    -2
      templates/named.conf.local.j2
  10. +2
    -0
      templates/public.key.j2
  11. +88
    -8
      test/integration/bind/default.yml
  12. +1
    -0
      test/integration/vault

+ 1
- 0
.kitchen.yml View File

@ -12,6 +12,7 @@ provisioner:
require_chef_for_busser: true
ansible_verbose: false
ansible_inventory: ./test/integration/inventory
ansible_vault_password_file: ./test/integration/vault
platforms:
- name: debian-9


+ 32
- 18
README.md View File

@ -13,32 +13,18 @@ Install and configure bind with dnssec
## Role variables
* `bind_role` - the role `master` or `slave`, don't generate dnssec key on `slave`
* `bind_options` - hash general bind options
* `bind_zones` - the dns zones
* `bind_dnssec` - hash with dnssec configuration
* `bind_zones_subset` array to use in `extra-vars` with the list zones to update
* `bind_listen_ipv4` - enable or disable ip v4 support (default: true)
* `bind_listen_ipv6` - enable or disable ip v6 support (default: true)
## How to use
* `host_vars/dns-master`
* `group_vars/dns-server/bind`
```
bind_role: master
```
* `host_vars/dns-slave`
```
bind_role: slave
```
* `group_vars/dns-server`
```
bind_listen_ipv6: true
bind_listen_ipv4: true
bind_options:
server-id: '"1"'
@ -47,9 +33,7 @@ bind_zones:
ns_primary: ns1.test.local
mail: root@test.local
serial: 2017092202
dnssec: yes
options:
key-directory: '"/etc/bind/keys"'
auto-dnssec: maintain
inline-signing: yes
records:
@ -68,6 +52,36 @@ bind_zones:
- { name: hello, type: a, value: 4.3.2.1 }
```
* `group_vars/dns-server/dnssec`
```
bind_dnssec:
test.local:
ksk:
algorithm: 8
digest: 3
tag: 63805
public_key: AwEAAbA3M8p+Cpf4k6mZKK8mb1eSIF8yDWXnpmI+i/Jm6CtIYMSigZ4B bmnN+r/SdpeeaPCP5RRZDO/6U0xs2zwPeLs=
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
33373964393565343638363964366133663235653931386664343435326362333031323130363362
[...]
65616337363634636365386166643133373331336333376430353663303563346236316532336532
62376530646231346237
zsk:
algorithm: 8
digest: 3
tag: 11346
public_key: AwEAAd9SkkrJQl4tOsK3zgtfZwmSJBzxU/NjApDZiKo6AVYVhDun6IIl Q/axOe901o+x/iUVwIs7cOMA5Z/h/8G8bq8=
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
37323036613735396364323363323464393731626466616262613033656264343765306238353934
[...]
38653039306430393564346636323966373265343032623430353765646639366536663566653836
32643931393165643236
```
* playbook
```


+ 1
- 0
defaults/main.yml View File

@ -3,3 +3,4 @@ bind_role: master
bind_listen_ipv4: true
bind_listen_ipv6: true
bind_options: {}
bind_dnssec: {}

+ 13
- 80
tasks/keys.yml View File

@ -1,90 +1,23 @@
- name: check if key has been generated
stat:
path: '/etc/bind/keys/{{ item.key }}-ksk.key'
with_dict: '{{ bind_zones }}'
when: item.value.dnssec is defined and item.value.dnssec
register: st
- name: generated keys for dnssec 1/2
shell: 'dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE {{ item.item.key }}'
args:
chdir: /tmp
with_items: '{{ st.results }}'
when: item.stat is defined and not item.stat.exists
register: stdout
- name: move key file 1/2
- name: copy private key
copy:
remote_src: true
src: '/tmp/{{ item[0].stdout }}.{{ item[1] }}'
dest: '/etc/bind/keys/{{ item[0].stdout }}.{{ item[1] }}'
dest: '/etc/bind/keys/K{{ item.0 }}.+{{ "00{}".format(bind_dnssec[item.0][item.1].algorithm)[-3:] }}+{{ bind_dnssec[item.0][item.1].tag }}.private'
content: '{{ bind_dnssec[item.0][item.1].private_key }}'
owner: root
group: bind
mode: 0640
# no_log: true
with_nested:
- '{{ stdout.results }}'
- ['key', 'private']
when: not item[0].skipped is defined
- name: link key file 1/2
file:
src: '/etc/bind/keys/{{ item[0].stdout }}.{{ item[1] }}'
dest: '/etc/bind/keys/{{ item[0].item.item.key }}.{{ item[1] }}'
owner: root
group: root
state: link
with_nested:
- '{{ stdout.results }}'
- ['key', 'private']
when: not item[0].skipped is defined
- name: remove old key file 1/2
file:
path: '{{ item[0].stdout }}.{{ item[1] }}'
state: absent
with_nested:
- '{{ stdout.results }}'
- ['key', 'private']
when: not item[0].skipped is defined
- '{{ bind_dnssec }}'
- [ 'ksk', 'zsk' ]
- name: generated keys for dnssec 2/2
shell: 'dnssec-keygen -f KSK -a RSASHA256 -b 4096 -r /dev/urandom -n ZONE {{ item.item.key }}'
args:
chdir: /tmp
with_items: '{{ st.results }}'
when: item.stat is defined and not item.stat.exists
register: stdout
- name: move key file 2/2
copy:
remote_src: true
src: '/tmp/{{ item[0].stdout }}.{{ item[1] }}'
dest: '/etc/bind/keys/{{ item[0].stdout }}.{{ item[1] }}'
- name: copy public key
template:
src: public.key.j2
dest: '/etc/bind/keys/K{{ item.0 }}.+{{ "00{}".format(bind_dnssec[item.0][item.1].algorithm)[-3:] }}+{{ bind_dnssec[item.0][item.1].tag }}.key'
owner: root
group: bind
mode: 0640
# no_log: true
with_nested:
- '{{ stdout.results }}'
- ['key', 'private']
when: not item[0].skipped is defined
- name: link key file 2/2
file:
src: '/etc/bind/keys/{{ item[0].stdout }}.{{ item[1] }}'
dest: '/etc/bind/keys/{{ item[0].item.item.key }}-ksk.{{ item[1] }}'
owner: root
group: root
state: link
with_nested:
- '{{ stdout.results }}'
- ['key', 'private']
when: not item[0].skipped is defined
- name: remove old key file 2/2
file:
path: '{{ item[0].stdout }}.{{ item[1] }}'
state: absent
with_nested:
- '{{ stdout.results }}'
- ['key', 'private']
when: not item[0].skipped is defined
- '{{ bind_dnssec }}'
- [ 'ksk', 'zsk' ]

+ 0
- 1
tasks/main.yml View File

@ -2,7 +2,6 @@
tags: bind
- include: keys.yml
when: bind_role == 'master'
tags: bind
- include: zones.yml


+ 1
- 1
tasks/zones.yml View File

@ -28,7 +28,7 @@
args:
chdir: /etc/bind/keys
with_items: '{{ zone.results }}'
when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec
when: item.changed and item.item.key in bind_dnssec
notify: reload bind
- name: get zones files


+ 4
- 3
templates/db.j2 View File

@ -26,8 +26,9 @@ $TTL {{ item.value.ttl|default(3600) }}
{{ record.name }} {{ record.ttl|default(' ') }} IN {{ record.type|upper }} {{ record.value }}
{% endif %}
{% endfor %}
{% if 'dnssec' in item.value and item.value.dnssec %}
{% if item.key in bind_dnssec %}
$INCLUDE {{ item.key }}.key
$INCLUDE {{ item.key }}-ksk.key
{% for key_type, key_values in bind_dnssec[item.key].iteritems() %}
$INCLUDE K{{ item.key }}.+{{ "00{}".format(key_values.algorithm)[-3:] }}+{{ key_values.tag }}.key
{% endfor %}
{% endif %}

+ 1
- 3
templates/dnssec.j2 View File

@ -3,10 +3,8 @@
cd /etc/bind/keys
{% for zone, value in bind_zones.iteritems() %}
{% if 'dnssec' in value and value.dnssec %}
{% for zone in bind_dnssec %}
dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ zone }} -t /etc/bind/zones/{{ zone }}/db
{% endif %}
{% endfor %}
systemctl reload bind9

+ 2
- 2
templates/named.conf.local.j2 View File

@ -4,13 +4,13 @@
zone "{{ zone }}" IN {
type master;
{% if 'dnssec' in value and value.dnssec %}
{% if zone in bind_dnssec %}
file "/etc/bind/zones/{{ zone }}/db.signed";
{% else %}
file "/etc/bind/zones/{{ zone }}/db";
{% endif %}
allow-transfer {
{% if 'allow_transfer' in value and value.dnssec %}
{% if 'allow_transfer' in value %}
{% for ip in value.allow_transfer %}
{{ ip }};
{% endfor %}


+ 2
- 0
templates/public.key.j2 View File

@ -0,0 +1,2 @@
; {{ ansible_managed }}
{{ item.0 }}. IN DNSKEY {% if item.1 == 'ksk' %}257{% else %}256{%endif %} {{ bind_dnssec[item.0][item.1].digest }} {{ bind_dnssec[item.0][item.1].algorithm }} {{ bind_dnssec[item.0][item.1].public_key}}

+ 88
- 8
test/integration/bind/default.yml View File

@ -5,6 +5,94 @@
bind_role: master
bind_options:
server-id: '"1"'
bind_dnssec:
test.local:
ksk:
algorithm: 8
digest: 3
tag: 63805
public_key: AwEAAbA3M8p+Cpf4k6mZKK8mb1eSIF8yDWXnpmI+i/Jm6CtIYMSigZ4B bmnN+r/SdpeeaPCP5RRZDO/6U0xs2zwPeLs=
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
33373964393565343638363964366133663235653931386664343435326362333031323130363362
3066333333636337363239313662653831666562633638360a653433393035663333663335373637
32636534386165653930613633636537643738316239393762396363353936646261353262363762
3231353136383132610a313935383837373665653531666432366534393435656439613831656163
39623939663732386434313532633765653239366565623834643632333161636534356561666161
30633864663636323239653237623538663230616533343931663664613034613964363238393037
66633935646164373037313733376237303461366533623937666530646634333338313962646439
34653230326333626636663333626261646235303438656366316130326533303433666630396330
33643836643435636134626136336165336330626537313964383532623530393937643339656364
33663438376339316265303634383066353034643338353837356633623130663430316237393662
64343439306239363864623563333061346562353236343661666664643933313034383236653864
63666561343066356462343732633932656638323161646630306335366233626566323661353833
30356661626631363461346632326137626239633734653139646130333461383439623466613633
62626264643736306264383033353031343231376561316362396366356331386162396163653066
32393831313939643662666439643564323661396537316137353965666639336534353834636138
64393136356266626463353137346263336133373737633338653032366236383861616563636438
36373538373431303833396130613066633635373336373134303133626363616239616239353634
36306132313262633536636130613266326239636636326561616332656561343131343935653261
38303335313236386365393739326333666562323464326430386533353961363332633261346536
36623732323166373663623761393265616531613361393764363638373961393037373966396133
34376430343937316461616163656234333836646232646234303865303764633563353666363236
34333630653238383861383336653062386336633935626461393838363233623361303866646431
30336432343238373066363738323837656362393639643664643830616434613036306535623666
31343264623639316165386533666261336138393135393238363332623438646639363563353238
38373761386561383339643231653137333235363862613638623762303632333066663937613261
34303632636336613364653263386538313835386265326530333839653265383236613663326336
64303834343035323164633864633331653536363436346131313439643135396633636536323830
33306537623763646135346539646136623731323634363131353239326439623261656564313361
38656339366634366265343262373966313435343862656630663033393835316637366264633038
30343466383535343962356530396635313563363232646166383465613338646164353761656265
66336233663637646163346436636637383238663666636164643634393939666164663630333637
66656365646432613961623464646433333966386266333866323433306564366165396164383263
36656438383130303239383365633030393334383633646265613561306561386562393739656565
64653832336537343331303836356432326662616237666135386533313232666535366337613366
65616337363634636365386166643133373331336333376430353663303563346236316532336532
62376530646231346237
zsk:
algorithm: 8
digest: 3
tag: 11346
public_key: AwEAAd9SkkrJQl4tOsK3zgtfZwmSJBzxU/NjApDZiKo6AVYVhDun6IIl Q/axOe901o+x/iUVwIs7cOMA5Z/h/8G8bq8=
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
37323036613735396364323363323464393731626466616262613033656264343765306238353934
6431333962333966623063336434306538633437656235390a383338383234643461626330373331
30653761343030646137373838363835313133303963303765323137306533653066613637356564
3632393530306466380a383936396466643535323163373736656236396463656633613634646638
35383939303333663763306135383338663261636434343061383761336164303138353439666337
35636636666530333138316564343331633735356266613739626332303331323062393233613236
35616538363364643435643930656534396262633566366334373831616233386230336163366130
32653234376533363065396564306339313965633765393064316562306466326235303739346233
65363164346231383338326531383565336138336230636661366538333131353434393530303536
37346464386332383966386166303637613636643431666666363739356661326562373538313164
36336562363166336434666236363931376330613661346362643334623831613461353930616462
64313930396631613430303832666332616166343232363636313831616235373935326166383262
63396264633933636664613939653739356439386230353431643065333936323430643764343663
39333433663662333565633161383937343538303062353035393431333765613834656631363834
64373431316333343338656532363263313232306662356436336639343365353934376532346537
34366661313663626561653961316238663238383536613539613363646537346535613033313836
64653236393235613031626536616333633336313837363936316536386435663562323937326161
33343337333032326331346663306466613537303038646662333839336130343035313039666230
33383036663466386162376464336333326433663537653039393865653865343139393164346234
39333033373435353534633336663835306438346239643363653033303361613537386533666234
36393662383439303565323032383637306464613137333838393162613137633739353765643031
38636264666131353133633666313766656164313236663831323432393834643663326435653832
31626663636636616361306136663930356661333338356436323431353136363833336365656635
32636132313335353638323330626531383165653338303438376262663661343935626464346664
36626434326433306366363534313334643435643562363766393439353136336638303862323435
64633134313331323465356462333435646564653033663962656536393732656337303234343035
38623438333766393230396238326463373339616532626563633661343531316166323266646136
32343062383736343833316430356164633134646335323230306238653834326565646261373063
35343139316361373339346533656230663933356539626134643037393062346131353037356664
63323139666365623838633665333130633338646435376564636638613933653433316132646331
66626636663632646361633838353666663361393064336262623535303464306166643431643538
36626134633664643332323866316665363235306163636135626563333663663532613131353730
62366336363466386339303939303334326136356639343961323133336536653432386563353665
35323065353365373165373631623365666463386536313361633335353430366139326462353061
38653039306430393564346636323966373265343032623430353765646639366536663566653836
32643931393165643236
bind_zones:
test.local:
allow_transfer:
@ -17,7 +105,6 @@
retry: 86400
expire: 2419200
negative_cache: 86400
dnssec: yes
options:
auto-dnssec: maintain
inline-signing: yes
@ -33,7 +120,6 @@
ns_primary: ns1.hello.local
mail: root@hello.local
serial: 2017092201
dnssec: no
records:
- { name: '@', type: mx, priority: 20, value: mail.test.local. }
- { name: '@', type: ns, value: localhost. }
@ -43,7 +129,6 @@
ns_primary: ns1.disabled.local
mail: root@disabled.local
serial: 2017092201
dnssec: no
state: disabled
records:
- { name: '@', type: mx, priority: 20, value: mail.test.local. }
@ -51,15 +136,10 @@
ns_primary: ns1.absent.local
mail: root@absent.local
serial: 2017092201
dnssec: no
state: absent
records:
- { name: '@', type: mx, priority: 20, value: mail.test.local. }
roles:
- ansible-role-bind


+ 1
- 0
test/integration/vault View File

@ -0,0 +1 @@
test

Loading…
Cancel
Save