Ansible role. FreeBSD. Configure DNS.

Requirements

No requirements.

Recommended: YAZVS (Yet Another Zone Validation Script)

Role variables

TBD. Review the defaults and examples in vars.

By default named and DNSSEC are disabled:

    bsd_named_enable: False
    bsd_named_conf_dnssec_enable: 'no'
    bsd_named_conf_dnssec_validation: 'no'
- Keys are needed to enable DNSSEC (see workflow).
- The dnssec-keygen binary is needed to generate the keys.

Workflow

- Change the shell to /bin/sh.

    # ansible host -e 'ansible_shell_type=csh ansible_shell_executable=/bin/csh' -a 'sudo pw usermod admin -s /bin/sh'

- Install the role.

    # ansible-galaxy install vbotka.freebsd_dns

- Fit the variables.

    # editor vbotka.freebsd_dns/vars/main.yml

- Create and run the playbook.

    # cat freebsd-dns.yml
    - hosts: ns1.example.com
      roles:
        - vbotka.freebsd_dns
    # ansible-playbook freebsd-dns.yml
- If DNSSEC is enabled, create the keys as described in Authoritative DNS Server Configuration. Example:

    > cd /usr/local/etc/namedb/keys
    > dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE example.com
    > ln -s Kexample.com.+008+20191.key Kexample.com.KSK.key
    > ln -s Kexample.com.+008+20191.private Kexample.com.KSK.private
    > dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
    > ln -s Kexample.com.+008+35529.key Kexample.com.ZSK.key
    > ln -s Kexample.com.+008+35529.private Kexample.com.ZSK.private
    > chown bind K*
- Configure the zones.

  Example of a master zone:

    bsd_named_conf_zone:
      - zone: "example.com"
        type: "master"
        reverse: "yes"
        zone_ip: "10.1.0.10"
        zone_in: "0.1.10"
        primary: "ns1.example.net"
        primary_ip: "192.168.1.11"
        secondary: "ns2.example.net"
        secondary_ip: "192.168.1.12"
        admin: "admin.example.com"
        serial: "2016102401"
        refresh: "10800"
        retry: "3600"
        expire: "1209600"
        negative: "300"
        server:
          - "ns1.example.net"
          - "ns2.example.net"
        mx:
          - { server: "srv.example.com", priority: "10" }
        host:
          - { host: "srv", ip: "10.1.0.10" }
        alias:
          - "www"
          - "mail"

  Example of a slave zone:

    bsd_named_conf_zone:
      - zone: "example.com"
        type: "slave"
        masters: "192.168.1.11;"
        reverse: "yes"
        zone_in: "0.1.10"
- Run the playbook.

    # ansible-playbook freebsd-dns.yml

- Sign the zones, reload the server and test the server as described in Authoritative DNS Server Configuration. The zones can be signed once the DNSSEC keys are included in the zone files.

  Sign the zone. Change to the keys directory first; otherwise the full path to the keys is needed.

    > cd /usr/local/etc/namedb/keys
    > dnssec-signzone -o example.com -k Kexample.com.KSK /usr/local/etc/namedb/master/example.com Kexample.com.ZSK.key
    > /usr/local/etc/rc.d/named reload

  Test the server.

    > dig @resolver +dnssec se ds
- Update the registrar DS records.
  - Add a DS record
  - The "Method used for encrypting the public key" (the DNSKEY algorithm number) can be found with the command

        dig type48 example.com

  - Domain Name System Security (DNSSEC) Algorithm Numbers
  - DS records at Godaddy with .co tld
  - How To Setup DNSSEC on an Authoritative BIND DNS Server
- Consider testing the server with
  - dnscheck.iis.se
  - DNS Check in Pingdom Tools
    - Pingdom. Failed to deliver email. Can safely ignore this failure.
  - Verisign LABS
  - DNSViz
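Deriving the DS record for the registrar from the KSK, as an added example that is not part of the role: it parses the DNSKEY line that `dig type48 example.com` (or the Kexample.com.KSK.key file) prints, computes the key tag (RFC 4034 Appendix B; the same number that appears in the K*.+008+20191 filename) and the SHA-256 digest (DS digest type 2). The DNSKEY below is a constructed placeholder, not a real key; in production BIND's dnssec-dsfromkey produces the same record.

```python
import base64
import hashlib
import struct

# Constructed sample in the presentation format printed by `dig type48 example.com`
# or stored in Kexample.com.KSK.key: flags 257 (zone key + SEP, i.e. a KSK),
# protocol 3, algorithm 8 (RSASHA256). The key material is a placeholder.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from a DNSKEY line."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record")
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split by spaces
    return fields[0], flags, protocol, algorithm, pubkey


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum of the RDATA, carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_record(line, digest_type=2):
    """Build the DS record (digest type 2 = SHA-256) to enter at the registrar."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    if not flags & 1:
        raise ValueError("SEP flag clear: this is the ZSK, the DS must point at the KSK")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```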
Known issues

- In-line signing works with the slave as expected, but not with the master.
- Keys from the master are copied to the slave manually.

TODO

- Automate creation of the keys.
- Automate signing of the zones.
- Automate testing of the server.