
Comments (5)

bertvv commented on June 4, 2024

Initial implementation, generates the .key and .private files and collects the keys:

# tasks/dnssec-keygen.yml
# Generate DNSSEC key, inspired by Michele Salerno (@mikysal78)
---

- name: DNSSEC keygen | Ensure keys directory is present
  file:
    path: "{{ bind_dnssec_key_dir }}"
    state: directory
    owner: "{{ bind_owner }}"
    group: "{{ bind_group }}"
    mode: '0750'
  tags:
    - bind
    - dnssec_keygen

- name: DNSSEC keygen | Create key file for each zone (This may take a long time)
  shell: >
    dnssec-keygen -a HMAC-MD5 -b 512 -n HOST "{{ item.name }}"
  args:
    chdir: "{{ bind_dnssec_key_dir }}"
    # `creates` takes a single shell-style glob (not a list, not a regex) and is
    # evaluated after `chdir`. dnssec-keygen names the files
    # K<name>.+<alg>+<keyid>.key and .private; matching the .key file is enough
    # to skip the task on re-runs instead of generating a fresh key every time.
    creates: "K{{ item.name }}.+*+*.key"
  with_items: "{{ bind_zone_domains }}"
  tags:
    - bind
    - dnssec_keygen

- name: DNSSEC keygen | Find generated key files on the managed host
  # with_fileglob is evaluated on the control node, so the generated files
  # would never be found there; `find` runs on the managed host instead.
  find:
    paths: "{{ bind_dnssec_key_dir }}"
    patterns:
      - "K*.key"
      - "K*.private"
  register: bind_dnssec_key_files
  tags:
    - bind
    - dnssec_keygen

- name: DNSSEC keygen | Ensure proper permissions on DNSSEC keys
  file:
    path: "{{ item.path }}"
    mode: '0640'
    owner: "{{ bind_owner }}"
    group: "{{ bind_group }}"
  with_items: "{{ bind_dnssec_key_files.files }}"
  tags:
    - bind
    - dnssec_keygen

- name: DNSSEC keygen | Gather keys from key files
  shell: >
    set -o nounset -o pipefail -o errexit &&
    grep 'Key:' "{{ bind_dnssec_key_dir }}/K{{ item.name }}".*.private | cut -d ' ' -f 2
  args:
    executable: /bin/bash
  with_items: "{{ bind_zone_domains }}"
  register: bind_dnssec_keys
  tags:
    - bind
    - dnssec_keygen

- name: DNSSEC keygen | Show keys (debug)
  debug:
    var: bind_dnssec_keys

Generating the configuration remains to be implemented.

from ansible-role-bind.

blofeldthefish commented on June 4, 2024

Remember, this is a work in progress....

However, to address this, in the defaults/main.yml file, if you add something like:

bind_dnssec_key_dir: /etc/bind/keys

you should get a little further....


mikysal78 commented on June 4, 2024

How do I run the task?
Thanks.

I have added in task/main.yml:

- name: Set up dnssec-keygen
  include_tasks: dnssec-keygen.yml

and the error:

TASK [bind : DNSSEC keygen | Create key file for each zone (This may take a long time)] ***********************************
failed: [ns1.dns-nnxx.org] (item={u'also_notify': [u'176.9.204.50', u'176.9.187.218'], u'hosts': [{u'ip': [u'176.9.204.50', u'176.9.187.218'], u'ipv6': [u'2a01:4f8:13a:403:176:9:204:50', u'2a01:4f8:13a:403:176:9:187:218'], u'name': u'@', u'ttl': 900}, {u'ip': u'176.9.204.50', u'ttl': 900, u'name': u'ns1', u'ipv6': u'2a01:4f8:13a:403:176:9:204:50'}, {u'ip': u'176.9.187.218', u'ttl': 900, u'name': u'ns2', u'ipv6': u'2a01:4f8:13a:403:176:9:187:218'}, {u'ip': u'188.40.254.210', u'name': u'mail', u'ttl': 300}, {u'name': u'basilicata.ninux.org.', u'aliases': [u'www']}], u'name': u'dns-nnxx.org', u'name_servers': [u'ns1.dns-nnxx.org.', u'ns2.dns-nnxx.org.'], u'mail_servers': [{u'ttl': 300, u'name': u'mail', u'preference': u'10'}], u'networks': [u'176.9.204', u'176.9.187', u'2a01:4f8:13a:403::'], u'hostmaster_email': u'mikytux'}) => {"ansible_loop_var": "item", "changed": false, "item": {"also_notify": ["176.9.204.50", "176.9.187.218"], "hostmaster_email": "mikytux", "hosts": [{"ip": ["176.9.204.50", "176.9.187.218"], "ipv6": ["2a01:4f8:13a:403:176:9:204:50", "2a01:4f8:13a:403:176:9:187:218"], "name": "@", "ttl": 900}, {"ip": "176.9.204.50", "ipv6": "2a01:4f8:13a:403:176:9:204:50", "name": "ns1", "ttl": 900}, {"ip": "176.9.187.218", "ipv6": "2a01:4f8:13a:403:176:9:187:218", "name": "ns2", "ttl": 900}, {"ip": "188.40.254.210", "name": "mail", "ttl": 300}, {"aliases": ["www"], "name": "basilicata.ninux.org."}], "mail_servers": [{"name": "mail", "preference": "10", "ttl": 300}], "name": "dns-nnxx.org", "name_servers": ["ns1.dns-nnxx.org.", "ns2.dns-nnxx.org."], "networks": ["176.9.204", "176.9.187", "2a01:4f8:13a:403::"]}, "module_stderr": "Shared connection to 176.9.204.50 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1562362917.27-50458547019638/AnsiballZ_command.py\", line 114, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1562362917.27-50458547019638/AnsiballZ_command.py\", line 106, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1562362917.27-50458547019638/AnsiballZ_command.py\", line 49, in invoke_module\r\n    imp.load_module('__main__', mod, module, MOD_DESC)\r\n  File \"/tmp/ansible_command_payload_qaSQpZ/__main__.py\", line 327, in <module>\r\n  File \"/tmp/ansible_command_payload_qaSQpZ/__main__.py\", line 269, in main\r\n  File \"/usr/lib/python2.7/glob.py\", line 27, in glob\r\n    return list(iglob(pathname))\r\n  File \"/usr/lib/python2.7/glob.py\", line 49, in iglob\r\n    for name in glob1(os.curdir, basename):\r\n  File \"/usr/lib/python2.7/glob.py\", line 83, in glob1\r\n    return fnmatch.filter(names, pattern)\r\n  File \"/usr/lib/python2.7/fnmatch.py\", line 56, in filter\r\n    _cache[pat] = re_pat = re.compile(res)\r\n  File \"/usr/lib/python2.7/re.py\", line 194, in compile\r\n    return _compile(pattern, flags)\r\n  File \"/usr/lib/python2.7/re.py\", line 251, in _compile\r\n    raise error, v # invalid expression\r\nsre_constants.error: bad character range\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
failed: [ns2.dns-nnxx.org] (item={u'also_notify': [u'176.9.204.50', u'176.9.187.218'], u'hosts': [{u'ip': [u'176.9.204.50', u'176.9.187.218'], u'ipv6': [u'2a01:4f8:13a:403:176:9:204:50', u'2a01:4f8:13a:403:176:9:187:218'], u'name': u'@', u'ttl': 900}, {u'ip': u'176.9.204.50', u'ttl': 900, u'name': u'ns1', u'ipv6': u'2a01:4f8:13a:403:176:9:204:50'}, {u'ip': u'176.9.187.218', u'ttl': 900, u'name': u'ns2', u'ipv6': u'2a01:4f8:13a:403:176:9:187:218'}, {u'ip': u'188.40.254.210', u'name': u'mail', u'ttl': 300}, {u'name': u'basilicata.ninux.org.', u'aliases': [u'www']}], u'name': u'dns-nnxx.org', u'name_servers': [u'ns1.dns-nnxx.org.', u'ns2.dns-nnxx.org.'], u'mail_servers': [{u'ttl': 300, u'name': u'mail', u'preference': u'10'}], u'networks': [u'176.9.204', u'176.9.187', u'2a01:4f8:13a:403::'], u'hostmaster_email': u'mikytux'}) => {"ansible_loop_var": "item", "changed": false, "item": {"also_notify": ["176.9.204.50", "176.9.187.218"], "hostmaster_email": "mikytux", "hosts": [{"ip": ["176.9.204.50", "176.9.187.218"], "ipv6": ["2a01:4f8:13a:403:176:9:204:50", "2a01:4f8:13a:403:176:9:187:218"], "name": "@", "ttl": 900}, {"ip": "176.9.204.50", "ipv6": "2a01:4f8:13a:403:176:9:204:50", "name": "ns1", "ttl": 900}, {"ip": "176.9.187.218", "ipv6": "2a01:4f8:13a:403:176:9:187:218", "name": "ns2", "ttl": 900}, {"ip": "188.40.254.210", "name": "mail", "ttl": 300}, {"aliases": ["www"], "name": "basilicata.ninux.org."}], "mail_servers": [{"name": "mail", "preference": "10", "ttl": 300}], "name": "dns-nnxx.org", "name_servers": ["ns1.dns-nnxx.org.", "ns2.dns-nnxx.org."], "networks": ["176.9.204", "176.9.187", "2a01:4f8:13a:403::"]}, "module_stderr": "Shared connection to 176.9.187.218 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1562362917.3-172514252019133/AnsiballZ_command.py\", line 114, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1562362917.3-172514252019133/AnsiballZ_command.py\", line 106, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1562362917.3-172514252019133/AnsiballZ_command.py\", line 49, in invoke_module\r\n    imp.load_module('__main__', mod, module, MOD_DESC)\r\n  File \"/tmp/ansible_command_payload_Aehpia/__main__.py\", line 327, in <module>\r\n  File \"/tmp/ansible_command_payload_Aehpia/__main__.py\", line 269, in main\r\n  File \"/usr/lib/python2.7/glob.py\", line 27, in glob\r\n    return list(iglob(pathname))\r\n  File \"/usr/lib/python2.7/glob.py\", line 49, in iglob\r\n    for name in glob1(os.curdir, basename):\r\n  File \"/usr/lib/python2.7/glob.py\", line 83, in glob1\r\n    return fnmatch.filter(names, pattern)\r\n  File \"/usr/lib/python2.7/fnmatch.py\", line 56, in filter\r\n    _cache[pat] = re_pat = re.compile(res)\r\n  File \"/usr/lib/python2.7/re.py\", line 194, in compile\r\n    return _compile(pattern, flags)\r\n  File \"/usr/lib/python2.7/re.py\", line 251, in _compile\r\n    raise error, v # invalid expression\r\nsre_constants.error: bad character range\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}


bertvv commented on June 4, 2024

Okay, this issue is more than a year old, sorry for neglecting this for so long. Having thought more about this, I think implementing this feature is not within the intended scope of this project.

Generating the keys is very time consuming, has a lot of options that can't reasonably be all implemented here, and should probably be done only once. Once the keys are generated, you would probably have to reuse the same key when you would rebuild the server instead of regenerating them.

My opinion is that it may make sense to add support for DNSSEC keys that were generated previously, but the generation itself is not something I feel comfortable implementing within the role.


mike-19 commented on June 4, 2024

The shell module does not work as expected; it looks like the "creates" parameter is not honouring the regex pattern.

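The two points raised in this thread, bertvv's `creates:` pattern in the first comment and mike-19's observation that the pattern is not honoured, come down to one fact: Ansible's `creates:` is a single shell-style glob (fnmatch semantics, the same `glob.glob` that appears in mikysal78's traceback), not a regular expression and not a list. The script below is an added example, not code from ansible-role-bind. It checks the original pattern and a corrected glob against the file names `dnssec-keygen` produces, and it reproduces the `grep 'Key:' | cut -d ' ' -f 2` extraction from a `.private` file with an algorithm and permission check on top. The file names, key id and file contents are constructed samples; the key material is a dummy string. Two caveats worth knowing before relying on these tasks: `-n HOST` with an HMAC algorithm generates a TSIG shared secret (for zone transfers and dynamic updates), not a zone-signing key, and HMAC-MD5 is no longer recommended for TSIG (RFC 8945 makes HMAC-SHA256 mandatory to implement and leaves HMAC-MD5 optional).

```python
"""Checks for the dnssec-keygen tasks discussed in this issue (added example,
not part of ansible-role-bind). All names and contents are constructed."""
import fnmatch
import re

# File names dnssec-keygen would write for `-n HOST dns-nnxx.org`:
# K<name>.+<alg>+<keyid>.{key,private}. 157 is the HMAC-MD5 algorithm number;
# the key id 12345 is made up.
SAMPLE_FILES = [
    "Kdns-nnxx.org.+157+12345.key",
    "Kdns-nnxx.org.+157+12345.private",
]

# The pattern from the first comment, rendered for item.name = dns-nnxx.org.
# It is written as if ".+" meant "one or more", but in a glob both "." and
# "+" are literal, so the "." before the second "+" can never match a real
# file name; the task would regenerate a key on every run.
ORIGINAL_PATTERN = "Kdns-nnxx.org.+[0-9][0-9][0-9].+[0-9][0-9][0-9][0-9][0-9].key"

# A glob that follows the actual naming scheme.
FIXED_PATTERN = "Kdns-nnxx.org.+*+*.key"


def creates_would_skip(pattern, existing_names):
    """True if `creates: pattern` matches an existing file (Ansible skips the task).

    fnmatchcase mirrors how glob.glob filters a directory listing.
    """
    return any(fnmatch.fnmatchcase(name, pattern) for name in existing_names)


# Constructed .private file in BIND's Private-key-format; the Key: value is a
# dummy base64 string, not a real secret.
SAMPLE_PRIVATE = """Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: ZHVtbXktdHNpZy1rZXktbWF0ZXJpYWw=
Bits: AAA=
Created: 20190705221157
Publish: 20190705221157
Activate: 20190705221157
"""

# TSIG algorithm numbers that should be flagged: BIND still accepts HMAC-MD5,
# but RFC 8945 only requires the SHA-2 variants and leaves HMAC-MD5 optional.
WEAK_ALGORITHMS = {157: "HMAC_MD5"}


def extract_key(private_text):
    """Same extraction as the role's task: the 'Key:' line, second space-separated field."""
    for line in private_text.splitlines():
        if line.startswith("Key:"):
            return line.split(" ")[1]
    raise ValueError("no 'Key:' line in .private file")


def audit_private_file(private_text):
    """Return the key, its algorithm number and name, and whether it is weak."""
    m = re.search(r"^Algorithm:\s*(\d+)\s*\((\S+)\)", private_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Algorithm:' line in .private file")
    alg_num = int(m.group(1))
    return {
        "key": extract_key(private_text),
        "algorithm": alg_num,
        "algorithm_name": m.group(2),
        "weak": alg_num in WEAK_ALGORITHMS,
    }


def world_readable(mode):
    """True when the 'other' read bit is set; the role's 0640 keeps it clear."""
    return bool(mode & 0o004)


if __name__ == "__main__":
    for pat in (ORIGINAL_PATTERN, FIXED_PATTERN):
        print(f"{pat}: task skipped on re-run = {creates_would_skip(pat, SAMPLE_FILES)}")
    print(audit_private_file(SAMPLE_PRIVATE))
    print("0640 world readable:", world_readable(0o640))
```

Run it as a plain script: the original pattern reports `False` (the key would be regenerated on every run), the fixed glob reports `True`, and the audit flags the sample `.private` file as using HMAC-MD5.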
