From e755cb425189d4c748d37d16df66d8f30cf27340 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Tue, 20 Jun 2023 00:24:47 -0400
Subject: [PATCH] Successfully notifying hurricane electric when DNS updates are pushed.

---
 ansible/roles/public_dns/files/master.db | 12 +++---
 ansible/roles/public_dns/files/pdns.conf | 9 +++--
 ansible/roles/public_dns/tasks/freebsd.yaml | 45 ++++++++++++++++++++-
 3 files changed, 54 insertions(+), 12 deletions(-)

diff --git a/ansible/roles/public_dns/files/master.db b/ansible/roles/public_dns/files/master.db
index 9587a4b..fb3728a 100644
--- a/ansible/roles/public_dns/files/master.db
+++ b/ansible/roles/public_dns/files/master.db
@@ -17,8 +17,8 @@ $ORIGIN fizz.buzz.
 3600 IN NS ns1.he.net.
 ; Allow receiving mail at fizz.buzz
-IN MX 10 in1-smtp.messagingengine.com
-IN MX 20 in2-smtp.messagingengine.com
+ IN MX 10 in1-smtp.messagingengine.com.
+ IN MX 20 in2-smtp.messagingengine.com.
 ; Allows receivers to know you send your mail via Fastmail, and other servers
 IN TXT v=spf1 include:spf.messagingengine.com ?all
@@ -27,12 +27,12 @@ ns1 IN A 74.80.180.138
 ns2 IN A 74.80.180.138
 ; Allow receiving mail on subdomains
-* IN MX 10 in1-smtp.messagingengine.com
-* IN MX 20 in2-smtp.messagingengine.com
+* IN MX 10 in1-smtp.messagingengine.com.
+* IN MX 20 in2-smtp.messagingengine.com.
 ; The A-records for mail.fizz.buzz override the wildcard, so we have to manually re-create the MX records
-mail IN MX 10 in1-smtp.messagingengine.com
-mail IN MX 20 in2-smtp.messagingengine.com
+mail IN MX 10 in1-smtp.messagingengine.com.
+mail IN MX 20 in2-smtp.messagingengine.com.
 ; Access webmail at mail.fizz.buzz
 mail IN A 103.168.172.47
diff --git a/ansible/roles/public_dns/files/pdns.conf b/ansible/roles/public_dns/files/pdns.conf
index 6e18f74..47492a1 100644
--- a/ansible/roles/public_dns/files/pdns.conf
+++ b/ansible/roles/public_dns/files/pdns.conf
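Review bot: The SPF record on the first hunk's last context line, `IN TXT v=spf1 include:spf.messagingengine.com ?all`, is unquoted; zone-file parsers with BIND semantics treat each whitespace-separated token as a separate character-string, and receivers concatenate those without spaces, so the published value may not parse as SPF at all. Confirm how the zone2sql import in tasks/freebsd.yaml handles an unquoted TXT, or quote the whole value: `IN TXT "v=spf1 include:spf.messagingengine.com ?all"`. The `?all` qualifier is also neutral, so mail from any source other than the include gets no fail signal from receivers; once every sending source is confirmed, `~all` (or `-all`) gives them something to act on. The second hunk is only the matching trailing-dot fix and needs nothing further.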
@@ -1,12 +1,13 @@
 launch=gsqlite3
 gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
 gsqlite3-pragma-foreign-keys=yes
-master=yes
+primary=yes
 allow-axfr-ips=
 dnsupdate=yes
-allow-dnsupdate-from=10.215.1.0/24
-# Only notify on ipv4
-only-notify=0.0.0.0/0
+allow-dnsupdate-from=
+# Only notify ns1.he.net
+only-notify=216.218.130.2/32, 10.215.1.0/24
+also-notify=216.218.130.2
 # Autogenerated configuration file template
diff --git a/ansible/roles/public_dns/tasks/freebsd.yaml b/ansible/roles/public_dns/tasks/freebsd.yaml
index 0011993..34a4843 100644
--- a/ansible/roles/public_dns/tasks/freebsd.yaml
+++ b/ansible/roles/public_dns/tasks/freebsd.yaml
@@ -23,6 +23,7 @@
 group: pdns
 loop:
 - /var/lib/powerdns
+ - /var/lib/powerdns/zones
 - name: Copy files
 copy:
@@ -37,6 +38,17 @@
 - src: bind.conf
 dest: /usr/local/etc/pdns/
+- name: Copy files
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
+ owner: pdns
+ group: pdns
+ loop:
+ - src: master.db
+ dest: /var/lib/powerdns/zones/
+
 - name: Initialize DB
 command: "sudo -u pdns sqlite3 -init /usr/local/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3"
 register: initdb
@@ -47,8 +59,6 @@
 when: initdb.changed
 register: initsql
 command: "sudo -u pdns zone2sql zone2sql --gsqlite=yes --named-conf=/usr/local/etc/pdns/bind.conf --transactions=yes"
- args:
- stdin: "{{ lookup('file', 'master.db') }}"
 - name: Initialize DB
 when: initdb.changed
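Review bot: The new comment `# Only notify ns1.he.net` does not describe the value under it, since `only-notify=216.218.130.2/32, 10.215.1.0/24` also admits the whole 10.215.1.0/24 range; either drop the range or reword the comment, e.g. `# Only notify ns1.he.net (216.218.130.2) and the internal 10.215.1.0/24 range`. `allow-dnsupdate-from=` is emptied with no explanation: as far as I recall PowerDNS documents an empty value as "honour only the per-zone ALLOW-DNSUPDATE-FROM metadata", so if that is the intent a comment should say so and the play should set that metadata (it is not visible in this patch); otherwise `dnsupdate=yes` is left with no IP-level allow list at all. With `allow-axfr-ips=` also empty, TSIG is the only gate on both transfers and updates, so the TSIG-related tasks later in the patch are load-bearing for this file and worth a cross-reference in the comment.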
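Review bot: `mode: 0644` on the added Copy files task is an unquoted leading-zero scalar; PyYAML reads it as the integer 420, and Ansible's own documentation recommends quoting octal modes because the leading-zero form works only sometimes and can fail in loops, which this task uses, so write `mode: "0644"`. The task is also named `Copy files`, identical to the task directly above it, which makes `--start-at-task` and play output ambiguous; `- name: Copy zone files` would be distinct. The preceding one-line hunk adding `/var/lib/powerdns/zones` to the directory loop needs nothing further.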
@@ -103,3 +113,34 @@
 - name: Allow AXFR from the externaldns tsig key
 command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR externaldns
 when: '"externaldns" not in tsigaxfr.stdout'
+
+- name: Check AXFR-MASTER-TSIG
+ command: pdnsutil get-meta fizz.buzz AXFR-MASTER-TSIG
+ register: signnotify
+ changed_when: false
+ check_mode: no
+
+- name: Sign the notifications
+ command: pdnsutil set-meta fizz.buzz AXFR-MASTER-TSIG secureaxfr
+ when: '"secureaxfr" not in signnotify.stdout'
+
+- name: Check NOTIFY-DNSUPDATE
+ command: pdnsutil get-meta fizz.buzz NOTIFY-DNSUPDATE
+ register: notifydnsupdate
+ changed_when: false
+ check_mode: no
+
+- name: Send out notifications on dns update
+ command: pdnsutil set-meta fizz.buzz NOTIFY-DNSUPDATE 1
+ when: '"1" not in notifydnsupdate.stdout'
+
+- name: Check zone kind
+ command: pdnsutil show-zone fizz.buzz
+ register: showzone
+ changed_when: false
+ check_mode: no
+
+- name: Set to Master to enable pushing updates
+ command: pdnsutil set-kind fizz.buzz primary
+ when: '"Master" not in showzone.stdout'
+
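Review bot: The `when` guards on the three set-* tasks test loose substrings of `stdout`: `'"1" not in notifydnsupdate.stdout'` skips the task whenever a `1` appears anywhere in the get-meta output, and `'"Master" not in showzone.stdout'` guards a task that sets the kind to `primary`, so if this pdnsutil version reports the kind as "Primary" the task runs and reports changed on every play. Match the specific line instead, e.g. `'"NOTIFY-DNSUPDATE = 1" not in notifydnsupdate.stdout'` and the exact kind string that show-zone prints, verified on the host, since pdnsutil's output format is not visible in this patch. `check_mode: no` on the three Check tasks is a YAML 1.1 truthy value; `check_mode: false` is the form the adjacent `changed_when: false` lines already use. The task name `Set to Master to enable pushing updates` could also name the kind it actually sets, `primary`.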