inkblot/puppet-bind

Extend to configure nsupdate?

Closed this issue · 5 comments

nhr commented

Hey there--I love this puppet module and want to incorporate it into a puppet module that I am working on. Here's what I would need:

Right now, you've got bind:key, which accepts an algorithm and a secret and generates a DNSSEC key file. This is awesome. One of the hosts that my puppet module configures will have bind installed on it, and this will automatically configure DNSSEC for that bind server.

The other hosts in my system will not have bind installed, but they will need to be configured with nsupdate settings that allow them to communicate with the bind service. Since you are already capturing the algorithm and the secret, you could theoretically use them to define the nsupdate configuration that those hosts need.

The net result would be a one-stop module that could both configure bind with DNSSEC and configure the hosts that want to push updates to that bind service.

Do you think this is feasible?

I think that should be pretty feasible. I'll play with the idea on some VMs when I get a chance.

I pushed a branch that hopefully makes this possible. It's the standalone-updater branch. Unfortunately, I haven't been able to test this, otherwise I'd put it on master and release a version. Here's how it should work... on your updater system do something like this:

class { 'bind::updater': }
bind::key { 'updater':
  algorithm => 'hmac-sha256',
  secret    => '012345678901234567890123456789=',
}
dns_rr { ..... }

The bind::updater class and bind class are mutually exclusive; use one or the other in a catalog. It accepts a 'keydir' parameter which configures the path where bind::key will put keys.

Let me know how this works out. Make changes if you like. I'll try to get my VM setup working again so I can test this and make a release.

nhr commented

This is totally awesome. I will try to test this out this week. Thank you very much for working on a solution to this problem; this is a huge win for large deployments!

There were some bugs in the new work on the branch, but I got them worked out.

Here's a sample configuration using the bind::updater class:

$ddns_key_name = 'updater'
$ddns_secret   = 'aLE5LA=='

node nameserver {
  class { 'bind': }

  bind::key { $ddns_key_name:
    algorithm => 'hmac-sha1',
    secret    => $ddns_secret,
  }

  bind::zone { 'example.com':
    zone_type     => 'master',
    allow_updates => [ "key ${ddns_key_name}" ],
  }
}

node updater {
  class { 'bind::updater': }

  dns_rr { "IN/A/${::hostname}.example.com":
    rrdata  => $::ipaddress,
    server  => 'ns1.example.com',
    zone    => 'example.com',
    keyname => $ddns_key_name,
    hmac    => 'hmac-sha1',
    secret  => $ddns_secret,
  }
}
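The same TSIG secret ends up in both the nameserver's key file and the updaters' nsupdate configuration, so a malformed or undersized value breaks (or weakens) every host at once. The following helper is an added example, not part of puppet-bind: it checks a secret the way named would before it goes into a catalog, generates a properly sized one, and renders the key clause that both named.conf and nsupdate -k read. The minimum key sizes are an assumption taken from the HMAC output length of each algorithm, not a limit BIND enforces.

```python
import base64
import binascii
import secrets

# Assumed minimum secret sizes in bytes: the output length of each HMAC hash.
# BIND accepts shorter secrets; these are the floor a defender would want.
MIN_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha256": 32, "hmac-sha512": 64}


def generate_secret(algorithm):
    """Return a fresh random secret, base64-encoded, sized for the algorithm."""
    return base64.b64encode(secrets.token_bytes(MIN_KEY_BYTES[algorithm])).decode()


def check_secret(algorithm, secret):
    """Return a list of problems with a TSIG secret; an empty list means it is usable."""
    if algorithm not in MIN_KEY_BYTES:
        return [f"unknown algorithm {algorithm!r}"]
    try:
        # validate=True rejects stray characters; bad padding also raises here.
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error:
        return ["secret is not valid base64; named would reject the key file"]
    problems = []
    if len(raw) < MIN_KEY_BYTES[algorithm]:
        problems.append(
            f"secret is {len(raw)} bytes; {algorithm} wants at least {MIN_KEY_BYTES[algorithm]}"
        )
    return problems


def render_key_file(name, algorithm, secret):
    """Render the key clause shared by named.conf (via include) and nsupdate -k."""
    problems = check_secret(algorithm, secret)
    if problems:
        raise ValueError("; ".join(problems))
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


if __name__ == "__main__":
    # Constructed inputs: the two secrets quoted earlier in this thread.
    print(check_secret("hmac-sha256", "012345678901234567890123456789="))
    print(check_secret("hmac-sha1", "aLE5LA=="))
    print(render_key_file("updater", "hmac-sha256", generate_secret("hmac-sha256")))
```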

nhr commented

This is tremendously helpful. Thanks again!