Generate tsig keys for dns updates.

ansible/roles/public_dns/files/pdns.conf

@@ -2,6 +2,10 @@ launch=gsqlite3,bind
 gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
 gsqlite3-pragma-foreign-keys=yes
 bind-config=/usr/local/etc/pdns/bind.conf
+master=yes
+allow-axfr-ips=
+dnsupdate=yes
+allow-dnsupdate-from=
 
 # Autogenerated configuration file template
 

ansible/roles/public_dns/tasks/freebsd.yaml

@@ -1,3 +1,4 @@
+# NOTE: I had to disable bind and manually create the fizz.buzz zone with the sqlite backend or else the metadata updates would have no effect.
 - name: Install packages
   package:
     name:
@@ -53,3 +54,38 @@
   loop:
     - src: master.db
       dest: /var/lib/powerdns/zones/
+
+- name: Check TSIG keys
+  command: pdnsutil list-tsig-keys
+  register: tsigkeys
+  changed_when: false
+  check_mode: no
+
+- name: Generate key for Secure AXFR replication
+  command: pdnsutil generate-tsig-key secureaxfr hmac-sha512
+  when: '"secureaxfr" not in tsigkeys.stdout'
+
+- name: Check allowed TSIG keys for AXFR
+  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-AXFR
+  register: tsigaxfr
+  changed_when: false
+  check_mode: no
+
+- name: Allow AXFR from the secureaxfr tsig key
+  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR secureaxfr
+  when: '"secureaxfr" not in tsigaxfr.stdout'
+
+- name: Generate key for kubernetes external dns
+  command: pdnsutil generate-tsig-key externaldns hmac-sha512
+  when: '"externaldns" not in tsigkeys.stdout'
+
+- name: Check allowed TSIG keys for TSIG-ALLOW-DNSUPDATE
+  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-DNSUPDATE
+  register: tsigallowupdate
+  changed_when: false
+  check_mode: no
+
+- name: Allow AXFR from the secureaxfr tsig key
+  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-DNSUPDATE externaldns
+  when: '"externaldns" not in tsigallowupdate.stdout'
+