Add support for DNSSEC signed zones (breaking)

This adds a 'dnssec' parameter to the bind::zone define which causes the module
to generate keys and sign the zone.  Some caveats and breaking changes:

1) Existing non-signed zones will have to be manually moved and signed
2) Signed zones are treated as dynamic
Nate Riffe
2012-10-04 14:20:15 -05:00
parent 64f10b4774
commit f30747d10b
4 changed files with 71 additions and 15 deletions
+9
@@ -0,0 +1,9 @@
#!/bin/bash
CACHEDIR="$1"
NAME="$2"
DOMAIN="$3"
PATH=/bin:/sbin:/usr/bin:/usr/sbin
dnssec-keygen -K "${CACHEDIR}/${NAME}" "${DOMAIN}"
dnssec-keygen -f KSK -K "${CACHEDIR}/${NAME}" "${DOMAIN}"
dnssec-signzone -S -d "${CACHEDIR}" -K "${CACHEDIR}/${NAME}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
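Review bot: the script has no failure handling and no guard against re-keying, so every invocation mints a fresh ZSK and KSK pair and a failed `dnssec-keygen` still falls through to `dnssec-signzone`. Since this is invoked from the `bind::zone` define (and the zone is now treated as dynamic), repeated runs will accumulate keys in `${CACHEDIR}/${NAME}` and the set of keys the zone is signed with changes each time, which also invalidates any DS record a parent already published for the KSK. Suggest adding `set -euo pipefail` after the shebang and only calling the two `dnssec-keygen` lines when no `K${DOMAIN}.+*.key` file exists in `${CACHEDIR}/${NAME}` yet, e.g. `if ! ls "${CACHEDIR}/${NAME}"/K"${DOMAIN}".+*.key >/dev/null 2>&1; then ... fi`, so the signing step reuses the existing keys. Two smaller points on the same lines: neither `dnssec-keygen` call passes `-a`/`-b`, so the algorithm and key size are whatever the installed BIND's defaults are and are not reproducible across hosts or versions, and the script takes three positional arguments with no check that they were all supplied, so an empty `NAME` or `DOMAIN` would write keys straight into `${CACHEDIR}`.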