DNS » History » Version 1
Marc Dequènes, 2018-05-04 15:03
| 1 | 1 | Marc Dequènes | h1. DNS |
|---|---|---|---|
| 2 | |||
| 3 | h2. Zone Management |
||
| 4 | |||
| 5 | On each DNS server, master zone can be created/updated on _/etc/bind/masters/_. The ownership needs to be: |
||
| 6 | * _banya:_ if a user zone which should be updatable via the Banya service |
||
| 7 | * _root:bind_ in all other cases |
||
| 8 | |||
| 9 | The zone is declared in _host_vars/_dnsserver_/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ is in charge of updating all configurations. Only the zone content is not Ansible managed. |
||
| 10 | |||
| 11 | In case the zone is to be DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below. |
||
| 12 | |||
| 13 | h2. Secure Zone Transfers |
||
| 14 | |||
| 15 | To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware the key name *must* be identical on both side. |
||
| 16 | |||
| 17 | DNS server groups (servers allowed to request transfer) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, then you can declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively. |
||
| 18 | |||
| 19 | You can a new key using: |
||
| 20 | <pre> |
||
| 21 | dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste |
||
| 22 | </pre> |
||
| 23 | Take the 'Key' part in 'Ktaiste.*.private' file, to put into the configuration. |
||
| 24 | |||
| 25 | The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration. |
||
| 26 | |||
| 27 | h2. DNSSEC |
||
| 28 | |||
| 29 | TODO |