DNS » History » Version 3
Marc Dequènes, 2018-05-04 16:40
| 1 | 1 | Marc Dequènes | h1. DNS |
|---|---|---|---|
| 2 | |||
| 3 | h2. Zone Management |
||
| 4 | |||
| 5 | On each DNS server, master zone can be created/updated on _/etc/bind/masters/_. The ownership needs to be: |
||
| 6 | * _banya:_ if a user zone which should be updatable via the Banya service |
||
| 7 | * _root:bind_ in all other cases |
||
| 8 | |||
| 9 | The zone is declared in _host_vars/_dnsserver_/dns.yml_ and the playbook _playbooks/tenants/duckcorp/dns.yml_ is in charge of updating all configurations. Only the zone content is not Ansible managed. |
||
| 10 | |||
| 11 | 2 | Marc Dequènes | Better to check the file validity before updating the zone: |
| 12 | <pre> |
||
| 13 | named-checkzone <zone-name> <zone-file> |
||
| 14 | </pre> |
||
| 15 | |||
| 16 | Then to update the zone, if DNSSEC-signed: |
||
| 17 | <pre> |
||
| 18 | ods-signer sign <zone-name> |
||
| 19 | </pre> |
||
| 20 | else: |
||
| 21 | <pre> |
||
| 22 | rndc reload <zone-name> |
||
| 23 | </pre> |
||
| 24 | |||
| 25 | In case the zone is DNSSEC-signed, the publishing of keys in the parent zone is to be done manually (not automated yet); more details below. |
||
| 26 | 1 | Marc Dequènes | |
| 27 | h2. Secure Zone Transfers |
||
| 28 | |||
| 29 | To secure zone transfers, a TSIG key needs to be created and added on both sides. Beware the key name *must* be identical on both side. |
||
| 30 | |||
| 31 | DNS server groups (servers allowed to request transfer) and keys can be defined in _host_vars/<dnsserver>/dns.yml_ and _host_vars/<dnsserver>/dns.vault.yml_ respectively. If they are to be used on all servers, then you can declare them in _group_vars/dns_servers/dns.yml_ and _group_vars/dns_servers/dns.vault.yml_ respectively. |
||
| 32 | |||
| 33 | You can a new key using: |
||
| 34 | <pre> |
||
| 35 | dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST taiste |
||
| 36 | </pre> |
||
| 37 | Take the 'Key' part in 'Ktaiste.*.private' file, to put into the configuration. |
||
| 38 | |||
| 39 | The same playbook (_playbooks/tenants/duckcorp/dns.yml_) is used to update the configuration. |
||
| 40 | |||
| 41 | h2. DNSSEC |
||
| 42 | |||
| 43 | 3 | Marc Dequènes | h3. Introduction |
| 44 | |||
| 45 | Better read some documentation before fiddling with the controls: |
||
| 46 | * "Supported rollover methods with OpenDNSSEC":https://wiki.opendnssec.org/display/DOCS/Key+Rollovers |
||
| 47 | * "Explanation about the OpenDNSSEC key states":https://wiki.opendnssec.org/display/DOCS/Key+States |
||
| 48 | * "Deeper explanation about the OpenDNSSEC key states":https://wiki.opendnssec.org/display/DOCS20/Key+States+Explained |
||
| 49 | |||
| 50 | List of keys with states and IDs: |
||
| 51 | <pre> |
||
| 52 | ods-enforcer key list -v |
||
| 53 | </pre> |
||
| 54 | |||
| 55 | List of planned rollover dates: |
||
| 56 | <pre> |
||
| 57 | ods-enforcer rollover list |
||
| 58 | </pre> |
||
| 59 | |||
| 60 | h3. Key Rollover |
||
| 61 | |||
| 62 | The ZSK key rollover is handled automatically by OpenDNSSEC, so admins have nothing to do. |
||
| 63 | |||
| 64 | The KSK rollover implies contact with the parent zone and a manual step to get the DS entry in their zone is needed. |
||
| 65 | |||
| 66 | h3. KSK Rollover Workflow |
||
| 67 | |||
| 68 | Here are the states and what needs to be done: |
||
| 69 | * *publish* state: |
||
| 70 | ** when a new key is created, either for a new zone of to replace an old key, this key is added to the zone but not used to sign yet |
||
| 71 | ** action: wait |
||
| 72 | * *ready* state: |
||
| 73 | ** the new zone, containing the key, is considered propagated, but not used to sign yet |
||
| 74 | ** action: add the key to the parent zone (to get the key: *ods-enforcer key export -z <zone-name> --keytype KSK --keystate ready*) |
||
| 75 | ** action: wait for the key to appear in the parent zone (*host -t DS -r <zone-name> $(host -t NS <tld> | grep "name server" | head -n 1 | cut -d" " -f4)*) |
||
| 76 | |||
| 77 | 1 | Marc Dequènes | TODO |