From 8681f17badec27f2ba25f7680d1c0e0c855f19b3 Mon Sep 17 00:00:00 2001 From: Benjamen Meyer Date: Sat, 7 Jul 2018 01:11:46 -0400 Subject: [PATCH] Enhancement: Reverse DNS Zone Support - Incomplete - Creates the directory for the Reverse DNS Zones - Fails to copy the files and apply the db-reverse.js template - Not sure if DNSSEC is applicable on the reverse zone or not --- tasks/keys.yml | 7 ++++++ tasks/zones.yml | 40 +++++++++++++++++++++++++------ templates/db-reverse.j2 | 17 +++++++++++++ templates/dnssec.j2 | 6 +++++ templates/named.conf.local.j2 | 26 ++++++++++++++++++++ test/integration/bind/default.yml | 18 ++++++++++++++ 6 files changed, 107 insertions(+), 7 deletions(-) create mode 100644 templates/db-reverse.j2 diff --git a/tasks/keys.yml b/tasks/keys.yml index 397c60b..fc8c34e 100644 --- a/tasks/keys.yml +++ b/tasks/keys.yml @@ -5,6 +5,13 @@ when: item.value.dnssec is defined and item.value.dnssec register: st +- name: check if key has been generated for reverse zones + stat: + path: '/etc/bind/keys/{{ item.key }}-ksk.key' + with_dict: '{{ bind_reverse_zones }}' + when: item.value.dnssec is defined and item.value.dnssec + register: st + - name: generated keys for dnssec 1/2 shell: 'dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE {{ item.item.key }}' args: diff --git a/tasks/zones.yml b/tasks/zones.yml index d9471fd..549544a 100644 --- a/tasks/zones.yml +++ b/tasks/zones.yml @@ -1,8 +1,3 @@ -- set_fact: - bind_zones_play: '{{ bind_zones_play|default([]) + [ item ] }}' - with_dict: '{{ bind_zones }}' - when: (item.value.state is not defined or item.value.state != 'absent') and (bind_zones_subset is not defined or item.key in bind_zones_subset) - - name: create zone folder file: path: '/etc/bind/zones/{{ item.key }}' @@ -10,7 +5,8 @@ group: bind mode: 0755 state: directory - with_items: '{{ bind_zones_play }}' + with_dict: '{{ bind_zones }}' + when: item.value.state is not defined or item.value.state != 'absent' - name: copy zone files template: 
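Review bot: The new reverse-zone stat task registers its result as `st`, the same name the forward-zone stat task directly above it registers, so once this task has run `st.results` holds only the reverse-zone entries and the keygen task that follows (it reads `item.item.key`, so presumably loops over `st.results`) will never generate keys for forward zones. Register the reverse result under its own name, `register: st_reverse`, and give the keygen and dnssec tasks a matching loop over `st_reverse.results`; those tasks continue outside the hunk, so the second half of that change lands there.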
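Review bot: Removing the `bind_zones_play` set_fact also drops the `bind_zones_subset` filter it applied, and the `when:` clauses that replace it on `create zone folder` in the next hunk and on `copy zone files` in the hunk after that keep only the `state` check, so a play that limits itself with `bind_zones_subset` now silently manages every zone. If the subset option is meant to stay, carry it into both replacement conditions, e.g. `when: (item.value.state is not defined or item.value.state != 'absent') and (bind_zones_subset is not defined or item.key in bind_zones_subset)`; if it is being retired, the removal deserves a mention in the commit message and role docs.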
@@ -19,8 +15,31 @@ owner: root group: root mode: 0644 - with_items: '{{ bind_zones_play }}' + with_dict: '{{ bind_zones }}' register: zone + when: item.value.state is not defined or item.value.state != 'absent' + notify: reload bind + +- name: create reverse zone folder + file: + path: '/etc/bind/zones/{{ item.key }}' + owner: bind + group: bind + mode: 0755 + state: directory + with_dict: '{{ bind_reverse_zones }}' + when: item.value.state is not defined or item.value.state != 'absent' + +- name: copy reverse zone files + template: + src: db-reverse.j2 + dest: '/etc/bind/zones/{{ item.key }}/db' + owner: root + group: root + mode: 0644 + with_dict: '{{ bind_reverse_zones }}' + register: zone + when: item.value.state is not defined or item.value.state != 'absent' notify: reload bind - name: dnssec sign @@ -44,3 +63,10 @@ state: absent with_items: '{{ zone_folders.files }}' when: item.path|basename not in bind_zones or ('state' in bind_zones[item.path|basename] and bind_zones[item.path|basename].state == 'absent') + +- name: delete old reverse zone file + file: + path: '{{ item.path }}' + state: absent + with_items: '{{ zone_folders.files }}' + when: item.path|basename not in bind_reverse_zones or ('state' in bind_reverse_zones[item.path|basename] and bind_reverse_zones[item.path|basename].state == 'absent') diff --git a/templates/db-reverse.j2 b/templates/db-reverse.j2 new file mode 100644 index 0000000..fd45f0c --- /dev/null +++ b/templates/db-reverse.j2 
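Review bot: `copy reverse zone files` registers its result as `zone`, overwriting the `zone` that `copy zone files` registered a few lines earlier, so whatever consumes `zone` afterwards (the `dnssec sign` task that begins at the end of the hunk and continues outside it) only sees reverse-zone results, and a changed forward zone will no longer trigger it. Register the reverse task as `zone_reverse` and extend the consumer's condition to look at both registered results. The `state != 'absent'` condition is now repeated verbatim on four tasks; a short comment above the first one saying that `absent` entries are skipped here and cleaned up by the delete tasks at the end of the file would help the next reader.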
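Review bot: `delete old reverse zone file` iterates the same `zone_folders.files` as the existing `delete old zone file` task with a condition that removes every folder not listed in `bind_reverse_zones`, so each forward zone directory is deleted by the new task and each reverse zone directory by the existing one — every zone directory under /etc/bind/zones is removed on every run. Fold the two into a single task whose condition only deletes a folder that is absent (or marked `state: absent`) in both dictionaries, e.g. `when: (item.path|basename not in bind_zones or bind_zones[item.path|basename].state|default('present') == 'absent') and (item.path|basename not in bind_reverse_zones or bind_reverse_zones[item.path|basename].state|default('present') == 'absent')`.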
@@ -0,0 +1,17 @@ +; {{ ansible_managed }} + +$ORIGIN {{ item.value.key }} +$TTL {{ item.value.ttl|default(3600) }} +@ IN SOA {{ item.value.ns_primary }}. {{ item.value.mail|replace('@', '.') }}. ( + {{ item.value.serial }} ; Serial + {{ item.value.refresh|default(14400) }} ; Refresh + {{ item.value.retry|default(86400) }} ; Retry + {{ item.value.expire|default(2419200) }} ; Expire + {{ item.value.negative_cache|default(86400) }} ; Negative Cache TTL +) + +{% for record in item.value.records %} +{{ record.name }} {{ record.ttl|default(' ') }} IN {{ record.type|upper }} {{ record.value }} +{% endfor %} + +{% endif %} diff --git a/templates/dnssec.j2 b/templates/dnssec.j2 index bbfd28d..a0bed80 100644 --- a/templates/dnssec.j2 +++ b/templates/dnssec.j2 @@ -9,4 +9,10 @@ dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N IN {% endif %} {% endfor %} +{% for zone, value in bind_reverse_zones.iteritems() %} +{% if 'dnssec' in value and value.dnssec %} +dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ zone }} -t /etc/bind/zones/db.{{ zone }} +{% endif %} +{% endfor %} + systemctl reload bind9 diff --git a/templates/named.conf.local.j2 b/templates/named.conf.local.j2 index 8079c05..0745f42 100644 --- a/templates/named.conf.local.j2 +++ b/templates/named.conf.local.j2 
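Review bot: The template cannot render as written: `$ORIGIN {{ item.value.key }}` references a key that a `with_dict` item does not carry (the zone name is `item.key`), and the trailing `{% endif %}` has no opening `{% if %}`, which is a Jinja syntax error — most likely why the commit message reports the template failing to apply. Change the origin line to `$ORIGIN {{ item.key }}.` (fully qualified with the trailing dot so it is not made relative to the current origin) and drop the stray `{% endif %}`. Note also that `record.value` is emitted verbatim, so PTR and NS targets without a trailing dot become relative to the origin; the zone data must use fully qualified names, and a comment at the top of the template stating that would save the next contributor a debugging round.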
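Review bot: The reverse-zone signing command points `dnssec-signzone` at `/etc/bind/zones/db.{{ zone }}`, but tasks/zones.yml in this same commit writes the reverse zone file to `/etc/bind/zones/{{ zone }}/db` and named.conf.local.j2 expects `/etc/bind/zones/{{ zone }}/db.signed`, so the signer reads a file that does not exist and its output name does not match what named loads. Use `-o {{ zone }} /etc/bind/zones/{{ zone }}/db` (the zone file is a positional argument; `-t` only prints statistics) unless the forward loop above, which lies outside the hunk, depends on a different layout. `bind_reverse_zones.iteritems()` is Python 2 only and will fail on a Python 3 controller; `.items()` works on both, although the existing forward loop uses the same call and would need the same fix.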
@@ -1,4 +1,30 @@ # {{ ansible_managed }} +{% for zone, value in bind_reverse_zones.iteritems() %} +{% if 'state' not in value or value.state|lower not in ['disabled', 'absent'] %} + +zone "{{ zone }}" IN { + type master; +{% if 'dnssec' in value and value.dnssec %} + file "/etc/bind/zones/{{ zone }}/db.signed"; +{% else %} + file "/etc/bind/zones/{{ zone }}/db"; +{% endif %} +{% if 'allow_transfer' in value and value.dnssec %} + allow-transfer { +{% for ip in value.allow_transfer %} + {{ ip }}; +{% endfor %} + }; +{% endif %} +{% if 'options' in value %} +{% for option, opt_value in value.options.iteritems() %} + {{ option }} {% if opt_value == True %}yes{% elif opt_value == False %}no{% else %}{{ opt_value }}{% endif %}; +{% endfor %} +{% endif %} +}; +{% endif %} +{% endfor %} + {% for zone, value in bind_zones.iteritems() %} {% if 'state' not in value or value.state|lower not in ['disabled', 'absent'] %} diff --git a/test/integration/bind/default.yml b/test/integration/bind/default.yml index ba70323..c8940ad 100644 --- a/test/integration/bind/default.yml +++ b/test/integration/bind/default.yml @@ -5,6 +5,24 @@ bind_role: master bind_options: server-id: '"1"' + bind_reverse_zones: + 3.2.1.in-addr.arpa: + ns_primary: ns1.test.local + mail: root@test.local + serial: 2017092202 + ttl: 3600 + refresh: 14400 + retry: 86400 + expire: 2419200 + negative_cache: 86400 + dnssec: yes + options: + auto-dnssec: maintain + inline-signing: yes + key-directory: '"/etc/bind/keys"' + records: + - { name: '@', type: ns, value: localhost. } + - { name: '4', type: ptr, value: hello.test.local } bind_zones: test.local: allow_transfer:
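Review bot: The `allow-transfer` block for reverse zones is gated on `'allow_transfer' in value and value.dnssec` rather than on the transfer list itself, so a reverse zone that names its transfer peers but has `dnssec` false gets no `allow-transfer` clause at all and falls back to the server-wide default, which in many BIND versions permits transfers to any host unless `options` restricts it; with `dnssec` unset, `value.dnssec` is likely an undefined-variable error at render time. Change the condition to `{% if 'allow_transfer' in value and value.allow_transfer %}`. The forward-zone block that starts at the bottom of the hunk continues outside it; if it was the copy source, it should be checked for the same condition.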
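Review bot: The PTR fixture `value: hello.test.local` has no trailing dot, so once rendered into the zone it is relative to `$ORIGIN` and the PTR points at `hello.test.local.3.2.1.in-addr.arpa.` rather than the host; the record should read `value: hello.test.local.` (the NS record on the line above already carries the dot). `dnssec: yes` and `inline-signing: yes` depend on YAML 1.1 truthy parsing; `true` is the portable spelling and the template's `== True` branch still renders it as `yes` for named.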