DNS¶

Zone Management¶

On each DNS server, master zone can be created/updated on /etc/bind/masters/. The ownership needs to be:

• banya: if a user zone which should be updatable via the Banya service
• root:bind in all other cases

The zone is declared in host_vars/_dnsserver/dns.yml_ and the playbook playbooks/tenants/duckcorp/dns.yml is in charge of updating all configurations. Only the zone content is not Ansible managed.

Better to check the file validity before updating the zone:

named-checkzone <zone-name> <zone-file>

Then to update the zone, if DNSSEC-signed:

ods-signer sign <zone-name>

else:

rndc reload <zone-name>

In case the zone is DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below.

Secure Zone Transfers¶

To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware the key name must be identical on both side.

DNS server groups (servers allowed to request transfer) and keys can be defined in host_vars/<dnsserver>/dns.yml and host_vars/<dnsserver>/dns.vault.yml respectively. If they are to be used on all servers, then you can declare them in group_vars/dns_servers/dns.yml and group_vars/dns_servers/dns.vault.yml respectively.

You can a new key using:

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste

Take the 'Key' part in 'Ktaiste.*.private' file, to put into the configuration.

The same playbook (playbooks/tenants/duckcorp/dns.yml) is used to update the configuration.

DNSSEC¶

TODO