author | Matthieu Saulnier <fantom@fedoraproject.org> | 2018-11-25 19:16:49 +0100 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2018-11-25 19:16:49 +0100 |
commit | 0188f70696bd24ea544dc439b7cc58c06d5e6ecb (patch) | |
tree | fa7122ffa43d842d496cf22c98251aa7ddec3cd9 | |
parent | 0c93133462594ed61ad1a911413542c29c736041 (diff) | |
Update config and add rndc keys in dnsserver role
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | roles/dnsserver/tasks/config.yml | 8 | ||||
-rw-r--r-- | roles/dnsserver/tasks/main.yml | 3 | ||||
-rw-r--r-- | roles/dnsserver/templates/named.conf.j2 | 40 | ||||
-rw-r--r-- | roles/dnsserver/templates/rndc.key.j2 | 4 |
5 files changed, 39 insertions, 18 deletions
@@ -1,4 +1,4 @@ -roles/dnsserver/templates/keys.j2 +roles/dnsserver/vars/keys.yml roles/torrelay/templates/keys.j2 roles/mtaserver/files/virtual roles/mtaserver/files/credentials diff --git a/roles/dnsserver/tasks/config.yml b/roles/dnsserver/tasks/config.yml index 73445e1..2b2dc27 100644 --- a/roles/dnsserver/tasks/config.yml +++ b/roles/dnsserver/tasks/config.yml @@ -1,10 +1,16 @@ - name: Configuration de Bind - template: src=keys.j2 dest=/etc/named.conf + template: src=named.conf.j2 dest=/etc/named.conf owner=root group=named mode=640 notify: restart named +- name: Configuration de rndc + template: src=rndc.key.j2 dest=/etc/rndc.key + owner=root + group=named + mode=640 + - name: Installation des fichiers de zone copy: src: "{{ item }}.zone" diff --git a/roles/dnsserver/tasks/main.yml b/roles/dnsserver/tasks/main.yml index 7fe27b9..1fdbae9 100644 --- a/roles/dnsserver/tasks/main.yml +++ b/roles/dnsserver/tasks/main.yml @@ -1,3 +1,6 @@ +- name: Loading hidden variables + include_vars: keys.yml + - name: Installation des paquets import_tasks: pkgs.yml diff --git a/roles/dnsserver/templates/named.conf.j2 b/roles/dnsserver/templates/named.conf.j2 index 2e4f76b..5d95298 100644 --- a/roles/dnsserver/templates/named.conf.j2 +++ b/roles/dnsserver/templates/named.conf.j2 
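Review bot: The new `Configuration de rndc` task in config.yml writes /etc/rndc.key but, unlike the `Configuration de Bind` task directly above it, has no `notify: restart named`, so a rotated rndc secret lands on disk while the running named keeps using the old one until something else restarts it (named loads rndc.key at startup when it falls back to the default control channel; if a `controls` block references the key by name instead, only the named.conf task triggers the handler). Add `  notify: restart named` under the new task. Both template tasks now render secrets, and `ansible-playbook --diff` or `-vvv` prints rendered template content, so also add `  no_log: true` to the rndc task and consider it for the named.conf task, whose output now contains every secret in `keylist`.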
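Review bot: `include_vars: keys.yml` in main.yml loads the rndc/TSIG secrets from `roles/dnsserver/vars/keys.yml` in cleartext, and the only protection the commit gives that file is the `.gitignore` entry, which stops an accidental `git add` but not `git add -f`, and does nothing for the file at rest on the control node or in its backups. Encrypting it with `ansible-vault encrypt roles/dnsserver/vars/keys.yml` keeps `include_vars` working unchanged, since vault files are decrypted transparently at load time, and makes it safe to commit. Whichever option is taken, document the expected shape of `keylist` in a comment above the task, e.g. `# keys.yml (vault-encrypted): defines keylist, consumed by named.conf.j2 and rndc.key.j2`, because a reader of this role otherwise cannot tell what the hidden file must contain.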
@@ -27,28 +27,39 @@ options { {% endif %} directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; - statistics-file "/var/named/data/named_stats.txt"; - memstatistics-file "/var/named/data/named_mem_stats.txt"; + statistics-file "/var/named/data/named_stats.txt"; + memstatistics-file "/var/named/data/named_mem_stats.txt"; + secroots-file "/var/named/data/named.secroots"; + recursing-file "/var/named/data/named.recursing"; allow-query { any; }; + /* + - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. + - If you are building a RECURSIVE (caching) DNS server, you need to enable + recursion. + - If your recursive DNS server has a public IP address, you MUST enable access + control to limit queries to your legitimate users. Failing to do so will + cause your server to become part of large scale DNS amplification + attacks. Implementing BCP38 within your network would greatly + reduce such attack surface + */ recursion yes; allow-recursion { whitelist-recursion; }; allow-transfer { none; }; version "SECRET"; {% if is_dnsmaster is not defined %} - forwarders { {{ master_ipv6 }}; {{ master_ipv4 }}; }; + forwarders { {{ master_ipv6 }}; {{ master_ipv4 }}; }; {% endif %} dnssec-enable yes; dnssec-validation yes; - dnssec-lookaside auto; - - /* Path to ISC DLV key */ - bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; + + /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ + include "/etc/crypto-policies/back-ends/bind.config"; }; logging { 
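Review bot: With `dnssec-validation yes;` kept while `bindkeys-file` is dropped, validation only happens if a trust anchor is configured explicitly — unlike `auto`, `yes` does not load the built-in root key — so unless this template includes `/etc/named.root.key` (or a `managed-keys`/`trust-anchors` block) somewhere outside this hunk, named resolves without validating and logs nothing about it. Either add `include "/etc/named.root.key";` at file scope or change the line to `dnssec-validation auto;`, and confirm with `dig @<server> <signed-name> +dnssec` that the `ad` flag is set. Separately, the comment block copied from the Fedora default named.conf tells the reader not to enable recursion on an authoritative server, while the next line keeps `recursion yes;` and this role installs zone files; replace it with a comment that states the actual design, e.g. `/* Authoritative for the zones installed from files/; recursion is limited to whitelist-recursion (allow-query-cache inherits that ACL). */`. Removing `dnssec-lookaside auto` and the DLV key file is correct, ISC retired DLV in 2017.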
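Review bot: The new key loop reads `keylist` as a sequence of 3-item entries (`key.0` name, `key.1` secret, `key.2` algorithm), while rndc.key.j2 in the same commit reads the same variable as a mapping (`keylist.rndc.algo`, `keylist.rndc.secret`); with one keys.yml these two accesses cannot both resolve (iterating a mapping yields its key names, and `key.0` on a string is its first character), so one of the two templates renders garbage or fails unless keylist has a shape not visible from the diff. Settle on one shape, preferably a mapping keyed by key name, and write the loop as `{% for name, k in keylist.items() %}` / `key "{{ name }}" { algorithm {{ k.algo }}; secret "{{ k.secret }}"; };`. Positional indices also make the file unreadable without the hidden vars file, so whichever shape wins, add a comment above the loop describing it, e.g. `{# keylist: { <key-name>: { algo: hmac-sha256, secret: <base64> } }, loaded from vars/keys.yml #}`. The `{% if is_dnsmaster is defined %}` block that follows starts in this hunk but ends outside it.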
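Review bot: The key name is hard-coded as `"rndc-key"` in rndc.key.j2 but data-driven (`key.0`) in named.conf.j2, and rndc only authenticates when the name and secret in this file match the key named's control channel expects; that is harmless while named falls back to loading this same file (no `controls` statement), but breaks silently as soon as a `controls { ... keys { "<name>"; }; }` block references a key defined by the loop in named.conf under a different name. Take the name from the vars as well, `key "{{ keylist.rndc.name | default('rndc-key') }}" {`, so both files derive from one entry. The algorithm is now whatever keys.yml says, which is an improvement over the `hmac-md5` the removed named.conf comment documented; make sure the vars file carries `hmac-sha256` (what `rndc-confgen -A hmac-sha256` emits) and state that expectation at the top of this template, e.g. `{# rndc control-channel key; algo is expected to be hmac-sha256, secret generated with rndc-confgen #}`.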
@@ -105,15 +116,12 @@ logging { category lame-servers { lame_servers_channel; }; }; -// here are keys imported from ansible template keys.j2 -// like this: -// -// key "rndc-key" { -// algorithm hmac-md5; -// secret "generated_string_here"; -// }; -// -{% block keys %}{% endblock %} +{% for key in keylist %} +key "{{ key.0 }}" { + algorithm {{ key.2 }}; + secret "{{ key.1 }}"; +}; +{% endfor %} {% if is_dnsmaster is defined %} {% for item in slavelist %} diff --git a/roles/dnsserver/templates/rndc.key.j2 b/roles/dnsserver/templates/rndc.key.j2 new file mode 100644 index 0000000..2caad4e --- /dev/null +++ b/roles/dnsserver/templates/rndc.key.j2 @@ -0,0 +1,4 @@ +key "rndc-key" { + algorithm {{ keylist.rndc.algo }}; + secret "{{ keylist.rndc.secret }}"; +}; |