Marc Dequènes, 2018-05-04 15:03
h2. Zone Management
On each DNS server, master zones can be created or updated in _/etc/bind/masters/_. The ownership needs to be:
* _banya:_ for a user zone that should be updatable via the Banya service
* _root:bind_ in all other cases
The zone is declared in _host_vars/<dnsserver>/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ takes care of updating all configurations. Only the zone content itself is not Ansible-managed.
If the zone is to be DNSSEC-signed, publishing the keys in the parent zone has to be done manually (not automated yet); more details below.
h2. Secure Zone Transfers
To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware that the key name *must* be identical on both sides.
DNS server groups (servers allowed to request transfers) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively.
You can generate a new key using:
<pre>
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste
</pre>
Take the 'Key' value from the generated _Ktaiste.*.private_ file and put it into the configuration.
The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration.
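As an added illustration (not the page's own procedure nor the DuckCorp playbooks' templates), this script takes the 'Key' line of the _.private_ file and prints the statements that have to end up on each side: the key clause, identical on master and secondary, the master's allow-transfer restricted to that key, and the secondary's server clause signing its requests with it. The key name _taiste_ comes from the page; the secret, the zone _example.test_, the master address 192.0.2.10 and the zone-file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the DuckCorp wiki or its playbooks: turn the
# 'Key:' line of the Ktaiste.*.private file into the BIND statements that
# must be present on both sides of a TSIG-secured transfer.
set -eu

# Constructed stand-in for the Ktaiste.+165+NNNNN.private file written by
# dnssec-keygen (a real -b 512 secret is 88 base64 characters; this is not).
SAMPLE_PRIVATE='Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: Q29uc3RydWN0ZWRTZWNyZXRGb3JJbGx1c3RyYXRpb25Pbmx5
Bits: AAA=
Created: 20180504150300
Publish: 20180504150300
Activate: 20180504150300'

# extract_key "<file content>" -> prints only the base64 secret
extract_key() {
    printf '%s\n' "$1" | awk '$1 == "Key:" { print $2; exit }'
}

# key_clause NAME SECRET -> key statement; must be byte-identical on master and secondary
key_clause() {
    printf 'key "%s" {\n\talgorithm hmac-sha512;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# master_side NAME ZONE -> only requests signed with the key may AXFR/IXFR the zone
# (zone file name under /etc/bind/masters/ is an assumption)
master_side() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "/etc/bind/masters/%s";\n\tallow-transfer { key %s; };\n};\n' "$2" "$2" "$1"
}

# secondary_side NAME MASTER_IP -> sign every request sent to the master with the key
secondary_side() {
    printf 'server %s {\n\tkeys { %s; };\n};\n' "$2" "$1"
}

SECRET=$(extract_key "$SAMPLE_PRIVATE")
key_clause taiste "$SECRET"
master_side taiste example.test
secondary_side taiste 192.0.2.10

# Check from the secondary once both sides are deployed (needs dig, not run here):
#   dig @192.0.2.10 -y hmac-sha512:taiste:"$SECRET" example.test AXFR
# should return the zone, while the same query without -y must be REFUSED.
```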