authorMatthieu Saulnier <fantom@fedoraproject.org>2018-11-25 19:16:49 +0100
committerMatthieu Saulnier <fantom@fedoraproject.org>2018-11-25 19:16:49 +0100
commit0188f70696bd24ea544dc439b7cc58c06d5e6ecb (patch)
treefa7122ffa43d842d496cf22c98251aa7ddec3cd9
parent0c93133462594ed61ad1a911413542c29c736041 (diff)
Update config and add rndc keys in dnsserver role
-rw-r--r--.gitignore2
-rw-r--r--roles/dnsserver/tasks/config.yml8
-rw-r--r--roles/dnsserver/tasks/main.yml3
-rw-r--r--roles/dnsserver/templates/named.conf.j240
-rw-r--r--roles/dnsserver/templates/rndc.key.j24
5 files changed, 39 insertions, 18 deletions
diff --git a/.gitignore b/.gitignore
index 14e112d..265f60f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-roles/dnsserver/templates/keys.j2
+roles/dnsserver/vars/keys.yml
roles/torrelay/templates/keys.j2
roles/mtaserver/files/virtual
roles/mtaserver/files/credentials
diff --git a/roles/dnsserver/tasks/config.yml b/roles/dnsserver/tasks/config.yml
index 73445e1..2b2dc27 100644
--- a/roles/dnsserver/tasks/config.yml
+++ b/roles/dnsserver/tasks/config.yml
@@ -1,10 +1,16 @@
- name: Configuration de Bind
- template: src=keys.j2 dest=/etc/named.conf
+ template: src=named.conf.j2 dest=/etc/named.conf
owner=root
group=named
mode=640
notify: restart named
+- name: Configuration de rndc
+ template: src=rndc.key.j2 dest=/etc/rndc.key
+ owner=root
+ group=named
+ mode=640
+
- name: Installation des fichiers de zone
copy:
src: "{{ item }}.zone"
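Review bot: The new `Configuration de rndc` task has no handler notification, so a changed or rotated key is written to /etc/rndc.key but the running named keeps using the old one until something else restarts it; add `notify: restart named` after its `mode=640` line, as the Bind task above already does. Both template tasks render secret material, and the template module echoes file content in `--diff` and verbose output, so `no_log: true` on each task keeps the secrets out of logs and CI transcripts. The `mode=640` values are only safe because they are in key=value form; if these tasks are ever converted to YAML dict form the mode must be quoted (`mode: '0640'`) or Ansible reads 640 as decimal.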
diff --git a/roles/dnsserver/tasks/main.yml b/roles/dnsserver/tasks/main.yml
index 7fe27b9..1fdbae9 100644
--- a/roles/dnsserver/tasks/main.yml
+++ b/roles/dnsserver/tasks/main.yml
@@ -1,3 +1,6 @@
+- name: Loading hidden variables
+ include_vars: keys.yml
+
- name: Installation des paquets
import_tasks: pkgs.yml
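Review bot: `include_vars: keys.yml` pulls the rndc/TSIG secrets from a plaintext file whose only protection is the .gitignore entry added in this commit, so a forced add, a copied checkout or a backup of the working tree exposes the keys; storing roles/dnsserver/vars/keys.yml encrypted with ansible-vault would keep them protected at rest without changing this task. The loaded variables are also printed in the task result under `-v`, so `no_log: true` on this task is worth adding. main.yml continues past the hunk.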
diff --git a/roles/dnsserver/templates/named.conf.j2 b/roles/dnsserver/templates/named.conf.j2
index 2e4f76b..5d95298 100644
--- a/roles/dnsserver/templates/named.conf.j2
+++ b/roles/dnsserver/templates/named.conf.j2
@@ -27,28 +27,39 @@ options {
{% endif %}
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
allow-query { any; };
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
recursion yes;
allow-recursion { whitelist-recursion; };
allow-transfer { none; };
version "SECRET";
{% if is_dnsmaster is not defined %}
- forwarders { {{ master_ipv6 }}; {{ master_ipv4 }}; };
+ forwarders { {{ master_ipv6 }}; {{ master_ipv4 }}; };
{% endif %}
dnssec-enable yes;
dnssec-validation yes;
- dnssec-lookaside auto;
-
- /* Path to ISC DLV key */
- bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
@@ -105,15 +116,12 @@ logging {
category lame-servers { lame_servers_channel; };
};
-// here are keys imported from ansible template keys.j2
-// like this:
-//
-// key "rndc-key" {
-// algorithm hmac-md5;
-// secret "generated_string_here";
-// };
-//
-{% block keys %}{% endblock %}
+{% for key in keylist %}
+key "{{ key.0 }}" {
+ algorithm {{ key.2 }};
+ secret "{{ key.1 }}";
+};
+{% endfor %}
{% if is_dnsmaster is defined %}
{% for item in slavelist %}
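Review bot: The key loop indexes `key.0`, `key.1` and `key.2`, treating `keylist` as a list of triples, while the new rndc.key.j2 in the last hunk reads `keylist.rndc.algo` and `keylist.rndc.secret`, treating it as a dict of named entries; keys.yml is not in view, but only one of those shapes can match it, and with a dict `key.0` renders the first character of each key name rather than the name. Iterating the dict's items makes both templates agree, as below. If `rndc-key` is both emitted by this loop and included into named.conf from /etc/rndc.key, named would reject the duplicate key definition, so the entry should come from one place only; I cannot see the controls stanza from here. The removed comment documented `hmac-md5`; since the algorithm is now data-driven, keys.yml should carry `hmac-sha256`. The enclosing `{% if is_dnsmaster is defined %}` block continues past the hunk.
```jinja
{% for name, k in keylist.items() %}
key "{{ name }}" {
    algorithm {{ k.algo }};
    secret "{{ k.secret }}";
};
{% endfor %}
```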
diff --git a/roles/dnsserver/templates/rndc.key.j2 b/roles/dnsserver/templates/rndc.key.j2
new file mode 100644
index 0000000..2caad4e
--- /dev/null
+++ b/roles/dnsserver/templates/rndc.key.j2
@@ -0,0 +1,4 @@
+key "rndc-key" {
+ algorithm {{ keylist.rndc.algo }};
+ secret "{{ keylist.rndc.secret }}";
+};