Revision 1 (Marc Dequènes, 2018-05-04 15:03) → Revision 2/28 (Marc Dequènes, 2018-05-04 15:24)
h1. DNS

h2. Zone Management

On each DNS server, master zones can be created or updated in _/etc/bind/masters/_. The ownership of the zone file needs to be:

* _banya:_ (owner _banya_) if it is a user zone which should be updatable via the Banya service
* _root:bind_ in all other cases

The zone is declared in _host_vars/<dnsserver>/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ is in charge of updating all configurations. Only the zone content is not Ansible managed.

Better to check the file validity before updating the zone (a file that fails the check must not be loaded into named):

<pre>
named-checkzone <zone-name> <zone-file>
</pre>

Then, to update the zone, if it is DNSSEC-signed (OpenDNSSEC re-signs it and hands the signed zone to named):

<pre>
ods-signer sign <zone-name>
</pre>

else:

<pre>
rndc reload <zone-name>
</pre>

Remember to increase the SOA serial when editing a zone; a reload without a serial bump is not picked up by the secondaries.

In case the zone is to be DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below.

h2. Secure Zone Transfers

To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware: the key name *must* be identical on both sides (and so must the algorithm and the secret, otherwise the signature check fails and the transfer is refused).

DNS server groups (servers allowed to request transfers) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, then you can declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively. Keep the secret in the vault file only; the non-vault file is not the place for key material.

You can create a new key using:

<pre>
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste
</pre>

Take the 'Key' part of the 'Ktaiste.*.private' file, to put into the configuration. Note that on newer BIND releases _dnssec-keygen_ no longer generates HMAC keys; use _tsig-keygen -a hmac-sha512 taiste_ instead, which prints a ready-made key stanza whose secret is the same kind of base64 string.

The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration.

h2. DNSSEC

TODO
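The Zone Management procedure above (check the file, then _ods-signer sign_ or _rndc reload_), as an added shell example; this is not a DuckCorp script. It assumes, beyond what the page states, that the list of DNSSEC-signed zones is given in a _SIGNED_ZONES_ variable, that the served serial can be fetched from the address in _NS_ADDR_, and that _DRY_RUN=1_ prints the commands instead of running them so the plan can be reviewed without BIND or OpenDNSSEC installed. It adds two checks the page only implies: the file owner matches the expected user, and the new SOA serial is above the one currently served.

```shell
#!/bin/sh
# Zone update helper: added example for this page, not DuckCorp's own tooling.
# Assumptions not stated on the page: SIGNED_ZONES lists the DNSSEC-signed zones
# (space separated), NS_ADDR is the server to query for the served serial, and
# DRY_RUN=1 prints the commands instead of executing them.
set -u

SIGNED_ZONES=${SIGNED_ZONES:-}
DRY_RUN=${DRY_RUN:-0}
NS_ADDR=${NS_ADDR:-127.0.0.1}

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

zone_is_signed() {
  for z in $SIGNED_ZONES; do [ "$z" = "$1" ] && return 0; done
  return 1
}

# Owner of a file (GNU stat, as on the Debian hosts this page is about).
file_owner() {
  stat -c %U "$1"
}

# SOA serial of a zone file: comments are stripped, the multi-line "( ... )"
# form is joined, and the serial is the third token after SOA
# (SOA mname rname serial refresh retry expire minimum).
zone_serial() {
  awk '{ sub(/;.*/, ""); gsub(/[()]/, " "); buf = buf " " $0 }
       END { n = split(buf, f, " ")
             for (i = 1; i <= n; i++) if (f[i] == "SOA") { print f[i+3]; exit } }' "$1"
}

# usage: update_zone <zone-name> <zone-file> <expected-owner>
# expected-owner is banya for Banya-updatable user zones, root otherwise.
update_zone() {
  zone=$1 file=$2 owner=$3
  if [ "$(file_owner "$file")" != "$owner" ]; then
    echo "$zone: $file is owned by $(file_owner "$file"), expected $owner" >&2
    return 1
  fi
  # Syntax/consistency check first; a broken file must never reach named.
  run named-checkzone "$zone" "$file" || { echo "$zone: check failed, not reloading" >&2; return 1; }
  # A reload without a serial bump is invisible to secondaries.
  if [ "$DRY_RUN" != 1 ]; then
    new=$(zone_serial "$file")
    old=$(dig +short SOA "$zone" "@$NS_ADDR" | awk '{ print $3 }')
    if [ -n "$old" ] && [ "$new" -le "$old" ]; then
      echo "$zone: serial $new is not above served serial $old" >&2
      return 1
    fi
  fi
  if zone_is_signed "$zone"; then
    run ods-signer sign "$zone"     # OpenDNSSEC re-signs and publishes the zone
  else
    run rndc reload "$zone"
  fi
}
```

Typical use on a server: `SIGNED_ZONES="duckcorp.org" update_zone duckcorp.org /etc/bind/masters/duckcorp.org root` (run first with `DRY_RUN=1` to see the plan). The owner check is deliberately a hard failure: a user zone owned by root cannot be updated through Banya, and a root zone owned by _banya_ would let that service rewrite it.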
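The Secure Zone Transfers procedure above (generate the key, copy the 'Key' line from the _.private_ file, configure both sides with the same name), as an added shell example; this is not a DuckCorp script and the playbook's templates are not shown on the page. The _K*.private_ file and its secret are constructed here for illustration (the real one comes from _dnssec-keygen_), and the named.conf fragments at the end are what the configuration on each side has to contain, whichever tool renders it.

```shell
#!/bin/sh
# TSIG key handling: added example for this page, not DuckCorp's own tooling.
# The secret and the K*.private file below are CONSTRUCTED for illustration;
# real key material comes from dnssec-keygen (or tsig-keygen on newer BIND).
set -u

# Step 1, on a server with BIND's tools (not run here):
#   dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste
# writes Ktaiste.+165+<id>.key and Ktaiste.+165+<id>.private; the "Key:" line
# of the .private file is the base64 secret that goes into dns.vault.yml.

# A constructed 512-bit secret: 21 x "dGVz" plus "QQ==" decodes to 64 bytes.
SAMPLE_SECRET=""; i=0
while [ $i -lt 21 ]; do SAMPLE_SECRET="${SAMPLE_SECRET}dGVz"; i=$((i+1)); done
SAMPLE_SECRET="${SAMPLE_SECRET}QQ=="

# A constructed .private file with the layout dnssec-keygen uses for HMAC keys.
SAMPLE_PRIVATE=$(mktemp)
trap 'rm -f "$SAMPLE_PRIVATE"' EXIT
cat > "$SAMPLE_PRIVATE" <<EOF
Private-key-format: v1.3
Algorithm: 165 (HMAC_SHA512)
Key: $SAMPLE_SECRET
Bits: AAA=
Created: 20180504150300
Publish: 20180504150300
Activate: 20180504150300
EOF

# Step 2: pull the secret out of the .private file.
tsig_secret_from_private() {
  awk -F': ' '$1 == "Key" { print $2; exit }' "$1"
}

# Sanity check: -b 512 gives a 64-byte secret; anything else means the wrong
# line was copied or the key was generated with a smaller -b.
tsig_secret_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Step 3: the named.conf pieces each side must end up with. The key stanza has
# to be identical on primary and secondary: same name, algorithm and secret.
tsig_key_stanza() {   # usage: tsig_key_stanza <key-name> <secret>
  printf 'key "%s" {\n    algorithm hmac-sha512;\n    secret "%s";\n};\n' "$1" "$2"
}

# On the primary: only requests signed with the key may transfer the zone.
primary_allow_transfer() {   # usage: primary_allow_transfer <key-name>
  printf 'allow-transfer { key "%s"; };\n' "$1"
}

# On the secondary: sign every request sent to the primary with the key.
secondary_server_stanza() {   # usage: secondary_server_stanza <primary-ip> <key-name>
  printf 'server %s {\n    keys { "%s"; };\n};\n' "$1" "$2"
}

# Step 4, once both servers are reconfigured, prove it from the secondary (not run here):
#   dig @<primary-ip> <zone> AXFR -y hmac-sha512:taiste:<secret>
# and check that an unsigned "dig @<primary-ip> <zone> AXFR" is now refused.

secret=$(tsig_secret_from_private "$SAMPLE_PRIVATE")
[ "$(tsig_secret_bytes "$secret")" = 64 ] || { echo "unexpected secret length" >&2; exit 1; }
tsig_key_stanza taiste "$secret"
primary_allow_transfer taiste
secondary_server_stanza 192.0.2.1 taiste
```

The length check is the cheap way to catch the classic mistake of pasting the 'Bits' or a truncated 'Key' line into the vault file; a mismatch is only reported by named at transfer time, as a BADSIG or REFUSED, on the other server.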