DuckCorp » DuckCorp Infrastructure

h1. DNS

h2. Zone Management

On each DNS server, master zone can be created/updated on _/etc/bind/masters/_. The ownership needs to be:

* _banya:_ if a user zone which should be updatable via the Banya service

* _root:bind_ in all other cases

The zone is declared in _host_vars/_dnsserver_/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ is in charge of updating all configurations. Only the zone content is not Ansible managed.

Better to check the file validity before updating the zone:

<pre>

named-checkzone <zone-name> <zone-file>

</pre>

Then to update the zone, if DNSSEC-signed:

<pre>

ods-signer sign <zone-name>

</pre>

else:

<pre>

rndc reload <zone-name>

</pre>

In case the zone is DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below.

h2. Secure Zone Transfers

To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware the key name *must* be identical on both side. 

DNS server groups (servers allowed to request transfer) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, then you can declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively.

You can a new key using:

<pre>

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste

</pre>

Take the 'Key' part in 'Ktaiste.*.private' file, to put into the configuration.

The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration.

h2. DNSSEC

TODO