From d78380f6bd1cbafdc607e31a475d5420b6131cda Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Mon, 19 Jun 2023 16:11:41 -0400
Subject: [PATCH] Generate tsig keys for dns updates.

---
 ansible/roles/public_dns/files/pdns.conf    |  4 +++
 ansible/roles/public_dns/tasks/freebsd.yaml | 36 +++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/ansible/roles/public_dns/files/pdns.conf b/ansible/roles/public_dns/files/pdns.conf
index 92343a4..a8bb4ef 100644
--- a/ansible/roles/public_dns/files/pdns.conf
+++ b/ansible/roles/public_dns/files/pdns.conf
@@ -2,6 +2,10 @@ launch=gsqlite3,bind
 gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
 gsqlite3-pragma-foreign-keys=yes
 bind-config=/usr/local/etc/pdns/bind.conf
+master=yes
+allow-axfr-ips=
+dnsupdate=yes
+allow-dnsupdate-from=
 
 # Autogenerated configuration file template
 
diff --git a/ansible/roles/public_dns/tasks/freebsd.yaml b/ansible/roles/public_dns/tasks/freebsd.yaml
index 8e8b2db..e0eb54a 100644
--- a/ansible/roles/public_dns/tasks/freebsd.yaml
+++ b/ansible/roles/public_dns/tasks/freebsd.yaml
@@ -1,3 +1,4 @@
+# NOTE: I had to disable bind and manually create the fizz.buzz zone with the sqlite backend or else the metadata updates would have no effect.
 - name: Install packages
   package:
     name:
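Review bot: `allow-dnsupdate-from=` is set to empty here while the companion tasks in freebsd.yaml (its second hunk) only add `TSIG-ALLOW-DNSUPDATE` zone metadata; as I read the PowerDNS docs, an update's source address must match `allow-dnsupdate-from` or the zone's `ALLOW-DNSUPDATE-FROM` metadata before the TSIG key is consulted, so updates from external-dns would be refused outright. If that reading holds, add a task beside the existing `add-meta` ones such as `pdnsutil set-meta fizz.buzz ALLOW-DNSUPDATE-FROM <CLUSTER_EGRESS_CIDR placeholder>`, keeping the range narrow rather than 0.0.0.0/0 so the TSIG key is not the only control on writes to the zone. The empty `allow-axfr-ips=` looks deliberate, since it leaves outbound AXFR to TSIG-signed clients only, but nothing says so; a comment above it such as `# empty on purpose: AXFR only for clients signing with a key listed in TSIG-ALLOW-AXFR` would stop a later reader from restoring the default.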
@@ -53,3 +54,38 @@
   loop:
     - src: master.db
       dest: /var/lib/powerdns/zones/
+
+- name: Check TSIG keys
+  command: pdnsutil list-tsig-keys
+  register: tsigkeys
+  changed_when: false
+  check_mode: no
+
+- name: Generate key for Secure AXFR replication
+  command: pdnsutil generate-tsig-key secureaxfr hmac-sha512
+  when: '"secureaxfr" not in tsigkeys.stdout'
+
+- name: Check allowed TSIG keys for AXFR
+  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-AXFR
+  register: tsigaxfr
+  changed_when: false
+  check_mode: no
+
+- name: Allow AXFR from the secureaxfr tsig key
+  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR secureaxfr
+  when: '"secureaxfr" not in tsigaxfr.stdout'
+
+- name: Generate key for kubernetes external dns
+  command: pdnsutil generate-tsig-key externaldns hmac-sha512
+  when: '"externaldns" not in tsigkeys.stdout'
+
+- name: Check allowed TSIG keys for TSIG-ALLOW-DNSUPDATE
+  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-DNSUPDATE
+  register: tsigallowupdate
+  changed_when: false
+  check_mode: no
+
+- name: Allow AXFR from the secureaxfr tsig key
+  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-DNSUPDATE externaldns
+  when: '"externaldns" not in tsigallowupdate.stdout'
+
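Review bot: As far as I recall, `pdnsutil generate-tsig-key` echoes the newly generated secret on stdout, and neither "Generate key" task sets `no_log: true`, so the key material is captured in the task result and surfaces in verbose runs and any logging callback; add `no_log: true` to both generate tasks. The last task's name, `Allow AXFR from the secureaxfr tsig key`, is a copy of the earlier one even though it sets TSIG-ALLOW-DNSUPDATE for externaldns, so rename it to `Allow DNS updates from the externaldns tsig key`. The `when` guards test substring presence in stdout, so a key or metadata value that merely contains `secureaxfr` or `externaldns` would silently skip the task; harmless with these fixed names, but worth a one-line comment above the first guard. Minor: `check_mode: no` should be `check_mode: false` to avoid the YAML 1.1 truthy form.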