Enhancement: Reverse DNS Zone Support

- Incomplete
- Creates the directory for the Reverse DNS Zones
- Fails to copy the files and apply the db-reverse.js template
- Not sure if DNSSEC is applicable on the reverse zone or not
This commit is contained in:
Benjamen Meyer 2018-07-07 01:11:46 -04:00
parent 66a2e31c92
commit 8681f17bad
6 changed files with 107 additions and 7 deletions

View file

@ -5,6 +5,13 @@
when: item.value.dnssec is defined and item.value.dnssec
register: st
- name: check if key has been generated for reverse zones
stat:
path: '/etc/bind/keys/{{ item.key }}-ksk.key'
with_dict: '{{ bind_reverse_zones }}'
when: item.value.dnssec is defined and item.value.dnssec
register: st
- name: generated keys for dnssec 1/2
shell: 'dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE {{ item.item.key }}'
args:

View file

@ -1,8 +1,3 @@
- set_fact:
bind_zones_play: '{{ bind_zones_play|default([]) + [ item ] }}'
with_dict: '{{ bind_zones }}'
when: (item.value.state is not defined or item.value.state != 'absent') and (bind_zones_subset is not defined or item.key in bind_zones_subset)
- name: create zone folder
file:
path: '/etc/bind/zones/{{ item.key }}'
@ -10,7 +5,8 @@
group: bind
mode: 0755
state: directory
with_items: '{{ bind_zones_play }}'
with_dict: '{{ bind_zones }}'
when: item.value.state is not defined or item.value.state != 'absent'
- name: copy zone files
template:
@ -19,8 +15,31 @@
owner: root
group: root
mode: 0644
with_items: '{{ bind_zones_play }}'
with_dict: '{{ bind_zones }}'
register: zone
when: item.value.state is not defined or item.value.state != 'absent'
notify: reload bind
- name: create reverse zone folder
file:
path: '/etc/bind/zones/{{ item.key }}'
owner: bind
group: bind
mode: 0755
state: directory
with_dict: '{{ bind_reverse_zones }}'
when: item.value.state is not defined or item.value.state != 'absent'
- name: copy reverse zone files
template:
src: db-reverse.j2
dest: '/etc/bind/zones/{{ item.key }}/db'
owner: root
group: root
mode: 0644
with_dict: '{{ bind_reverse_zones }}'
register: zone
when: item.value.state is not defined or item.value.state != 'absent'
notify: reload bind
- name: dnssec sign
@ -44,3 +63,10 @@
state: absent
with_items: '{{ zone_folders.files }}'
when: item.path|basename not in bind_zones or ('state' in bind_zones[item.path|basename] and bind_zones[item.path|basename].state == 'absent')
- name: delete old reverse zone file
file:
path: '{{ item.path }}'
state: absent
with_items: '{{ zone_folders.files }}'
when: item.path|basename not in bind_reverse_zones or ('state' in bind_reverse_zones[item.path|basename] and bind_reverse_zones[item.path|basename].state == 'absent')

17
templates/db-reverse.j2 Normal file
View file

@ -0,0 +1,17 @@
; {{ ansible_managed }}
$ORIGIN {{ item.value.key }}
$TTL {{ item.value.ttl|default(3600) }}
@ IN SOA {{ item.value.ns_primary }}. {{ item.value.mail|replace('@', '.') }}. (
{{ item.value.serial }} ; Serial
{{ item.value.refresh|default(14400) }} ; Refresh
{{ item.value.retry|default(86400) }} ; Retry
{{ item.value.expire|default(2419200) }} ; Expire
{{ item.value.negative_cache|default(86400) }} ; Negative Cache TTL
)
{% for record in item.value.records %}
{{ record.name }} {{ record.ttl|default(' ') }} IN {{ record.type|upper }} {{ record.value }}
{% endfor %}
{% endif %}

View file

@ -9,4 +9,10 @@ dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N IN
{% endif %}
{% endfor %}
{% for zone, value in bind_reverse_zones.iteritems() %}
{% if 'dnssec' in value and value.dnssec %}
dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ zone }} -t /etc/bind/zones/db.{{ zone }}
{% endif %}
{% endfor %}
systemctl reload bind9

View file

@ -1,4 +1,30 @@
# {{ ansible_managed }}
{% for zone, value in bind_reverse_zones.iteritems() %}
{% if 'state' not in value or value.state|lower not in ['disabled', 'absent'] %}
zone "{{ zone }}" IN {
type master;
{% if 'dnssec' in value and value.dnssec %}
file "/etc/bind/zones/{{ zone }}/db.signed";
{% else %}
file "/etc/bind/zones/{{ zone }}/db";
{% endif %}
{% if 'allow_transfer' in value and value.dnssec %}
allow-transfer {
{% for ip in value.allow_transfer %}
{{ ip }};
{% endfor %}
};
{% endif %}
{% if 'options' in value %}
{% for option, opt_value in value.options.iteritems() %}
{{ option }} {% if opt_value == True %}yes{% elif opt_value == False %}no{% else %}{{ opt_value }}{% endif %};
{% endfor %}
{% endif %}
};
{% endif %}
{% endfor %}
{% for zone, value in bind_zones.iteritems() %}
{% if 'state' not in value or value.state|lower not in ['disabled', 'absent'] %}

View file

@ -5,6 +5,24 @@
bind_role: master
bind_options:
server-id: '"1"'
bind_reverse_zones:
3.2.1.in-addr.arpa:
ns_primary: ns1.test.local
mail: root@test.local
serial: 2017092202
ttl: 3600
refresh: 14400
retry: 86400
expire: 2419200
negative_cache: 86400
dnssec: yes
options:
auto-dnssec: maintain
inline-signing: yes
key-directory: '"/etc/bind/keys"'
records:
- { name: '@', type: ns, value: localhost. }
- { name: '4', type: ptr, value: hello.test.local }
bind_zones:
test.local:
allow_transfer: