inkblot/puppet-bind

Support Query via keyfile


I currently have a split horizon DNS server set up using TSIG keys to determine which "view" I am using when adding/removing/changing resource records. I basically have it set up with two views: 'internal' and 'world'. If nsupdate uses the internal-update key, it will apply the changes to zones included in the internal view. Otherwise, it will default to the world view using the external-update key for making changes. Here is an example of this:

```conf
view "internal" {
	match-clients {
		!key external-update;
		key internal-update;
		internal-clients;
		dns-servers;  #note, can not use localhost
	};
	recursion yes;
	allow-recursion {
		any;
	};
	allow-query {
		internal-clients;
		localhost;
		dns-servers;
	};
	allow-query-on {
		any;
	};
	allow-query-cache {
		any;
	};
	allow-query-cache-on {
		any;
	};
	include "/etc/named/zones/zone.com.example.conf";
};

view "world" {
	match-clients {
		!key internal-update;
		key external-update;
		any;
	};
	recursion no;
	include "/etc/named/zones/zone.com.example.external.conf";
};
```

The problem I have is that when the puppet module does a DNS query (via dig) to see if the record already exists, it is not finding anything in the Internal zone files. This is because the query function only supports TSIG keys provided inline (-y), while I am storing them in keyfiles. So DNS queries are only happening using the world view. The end result is that every time puppet runs, it performs a DNS query to see if a record exists. Then it does not find anything and correctively adds a new record.

```text
Notice: /Stage[main]/Profile::Inkblot_bind/Resource_record[testing]/ensure: current_value 'absent', should be 'present' (corrective)
```

When making changes to existing records, this is resulting in duplicate records where one A record resolves to multiple IPs. It looks something like the following:

```text
testing           A 10.0.0.10
                      A 10.0.0.11
```

I believe this is where the problem is:

```ruby
dig_text = dig("@#{server}", '+noall', '+nosearch', '+norecurse', "+#{query_section}", name, type, '-c', rrclass, '-y', tsig_param)
```

I think the fix for this is to support passing the keyfile as an argument (-k) in the query function. It looks like there are already functions set up to check if a keyfile was being declared, so I think we just need to add a condition to use it. I tested this in a fork of this repository and it seems to work well.

dwest-galois@2f08cdb

I can open a pull request to merge this in, but since the last commit was over 3 years ago, I wanted to ask first. Does this look like an acceptable solution? Did you have a better method for resolving this?

For informational purposes, I am using this module with CentOS 8-stream (not supported but works).
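The keyfile branch proposed in this issue, as an added example that is neither the module's code nor the linked fork's commit: it builds the dig argument list so a configured key file is passed with `-k` (and the inline `-y` secret is used only when no file is given), then parses the `+noall +answer` output so the existence check can see records in whichever view the key selects. The server name, key path, zone name and the sample dig answer are constructed; `keyfile` and `tsig_param` stand in for the values the provider already collects.

```ruby
# Added example, not the puppet-bind module's own code. A secret passed with
# -y sits on the command line, visible to every local user in the process
# table; a key file (-k) keeps it on disk under its own file mode, and dig
# reads the key name, algorithm and secret from the file itself.

# Build argv for the existence check. keyfile and tsig_param are hypothetical
# inputs mirroring the dig call quoted in the issue.
def dig_query_args(server:, name:, type:, rrclass: 'IN', query_section: 'answer',
                   keyfile: nil, tsig_param: nil)
  args = ["@#{server}", '+noall', '+nosearch', '+norecurse', "+#{query_section}",
          name, type, '-c', rrclass]
  if keyfile && tsig_param
    raise ArgumentError, 'configure either a keyfile or an inline key, not both'
  elsif keyfile
    args + ['-k', keyfile]      # signed with the key from the file
  elsif tsig_param
    args + ['-y', tsig_param]   # signed with an inline [hmac:]name:secret
  else
    args                        # unsigned: the view is chosen by source address only
  end
end

# Parse "+noall +answer" output into [owner, ttl, class, type, rdata] rows,
# skipping blank lines and ';' comments dig may still print.
def parse_answer(dig_text)
  dig_text.each_line.map(&:strip)
          .reject { |l| l.empty? || l.start_with?(';') }
          .map { |l| l.split(/\s+/, 5) }
end

# True when a record with this owner, type and rdata is already present,
# which is the check that currently misses records in the internal view.
def record_present?(dig_text, name, type, rdata)
  owner = name.end_with?('.') ? name : "#{name}."
  parse_answer(dig_text).any? do |o, _ttl, _cls, t, rd|
    o.casecmp?(owner) && t.casecmp?(type) && rd == rdata
  end
end

# Constructed sample of an internal-view answer after the duplicate described
# in the issue has crept in (two A records for one name).
SAMPLE_ANSWER = <<~DIG
  testing.example.com.\t300\tIN\tA\t10.0.0.10
  testing.example.com.\t300\tIN\tA\t10.0.0.11
DIG
```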