Merge pull request #59 from nerdlich/dnssec_more_secure

use modern dnssec key algorithm and provide option to use NSEC3
This commit is contained in:
Nate Riffe 2015-12-19 09:26:51 -06:00
commit 40f7972dc8
2 changed files with 12 additions and 4 deletions


@ -5,7 +5,14 @@ NAME="$2"
DOMAIN="$3"
KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"
RANDOM_DEVICE="$5"
NSEC3_SALT="$6"
PATH=/bin:/sbin:/usr/bin:/usr/sbin
dnssec-keygen -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
dnssec-keygen -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
dnssec-keygen -a RSASHA256 -b 2048 -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
if [ $NSEC3_SALT != '' ]; then
dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
else
dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
fi
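Review bot: The NSEC3 test `if [ $NSEC3_SALT != '' ]; then` leaves the variable unquoted, so with an empty sixth argument `[` only sees `!= ''` and reports a unary-operator error; the else branch is reached because that error returns a non-zero status, not because the comparison was evaluated, and a salt containing whitespace would break the test outright. Write it as `if [ -n "${NSEC3_SALT}" ]; then` and quote the salt on the signzone line too, `-3 "${NSEC3_SALT}"`. Separately, the 1024-bit ZSK on the first new keygen line is half the size of the KSK and below the 2048 bits that current guidance (NIST SP 800-57 deprecated 1024-bit RSA after 2013) treats as adequate; if the shorter key is deliberate to keep signatures small, a comment stating that would help the next reader. The script also never checks the exit status of either keygen call, so a failed keygen still lets signzone run against a key directory with missing keys.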


@ -10,6 +10,7 @@ define bind::zone (
$update_policies = '',
$allow_transfers = '',
$dnssec = false,
$nsec3_salt = '',
$key_directory = '',
$ns_notify = true,
$also_notify = '',
@ -110,7 +111,7 @@ define bind::zone (
if $dnssec {
exec { "dnssec-keygen-${name}":
command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
'${_domain}' '${key_directory}' '${random_device}'",
'${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'",
cwd => $cachedir,
user => $::bind::params::bind_user,
creates => "${cachedir}/${name}/${_domain}.signed",
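Review bot: The `'${nsec3_salt}'` appended to the command string in the second hunk is spliced into the shell line inside single quotes with no check on its content, so a value containing a single quote or other shell metacharacters would change the `dnssec-init` invocation instead of reaching `dnssec-signzone -3` as a salt. dnssec-signzone expects the salt hex-encoded, so the parameter can be validated against `^[0-9A-Fa-f]*$` before it is interpolated (for example with stdlib's `validate_re`, if the module already depends on stdlib). The new `$nsec3_salt` parameter in the first hunk also has no entry in the define's parameter documentation; a line such as `# nsec3_salt: hex-encoded salt for NSEC3 signing; empty keeps plain NSEC` would cover it. Note too that the exec is guarded by `creates` on the `.signed` file, so changing the salt on an already-signed zone will not re-run signing — presumably intended, but worth stating next to the parameter.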