systemli / ansible-role-bind9

Ansible role to install and maintain the Bind9 nameserver on Debian
GNU General Public License v3.0

Fix DDNS keyfile creation and configuration #58

Closed 0xMattijs closed 1 year ago

0xMattijs commented 1 year ago

Problem

This Ansible role writes zone files to a hard-coded /etc/bind/zones directory, which causes problems on systems with mandatory access control such as AppArmor. The AppArmor profile does not allow the BIND process to create the necessary journal files and update the zone files under /etc/bind/zones.

Solution

Parameterize the zone directory and default to /var/lib/bind/zones, for which write access is allowed by the AppArmor profile.

PR

This PR parameterizes the location for storing the zone files. It also includes code to generate DDNS keys using tsig-keygen if a configured update_keyfile does not exist already. Since tsig-keygen generates a full key configuration section, the named.conf.options.j2 template has been adjusted accordingly.
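The tasks below are an added illustration of the approach the PR describes (a parameterized zone directory plus on-demand TSIG key generation); they are not the role's own tasks and are not taken from this PR. The variable names `bind9_zone_dir`, `bind9_update_keyfile` and `bind9_update_key_name`, and the handler name `reload bind9`, are assumptions chosen for this example.

```yaml
# Added example, not part of the systemli/ansible-role-bind9 role.
# Assumed variables: bind9_zone_dir, bind9_update_keyfile, bind9_update_key_name.

- name: Ensure the zone directory exists under /var/lib/bind (writable under the Debian AppArmor profile for named)
  ansible.builtin.file:
    path: "{{ bind9_zone_dir | default('/var/lib/bind/zones') }}"
    state: directory
    owner: root
    group: bind
    mode: "0775"

- name: Generate a TSIG key with tsig-keygen only when the key file does not exist yet
  # `creates` makes the task idempotent: an existing key is never overwritten,
  # so clients that already hold the secret keep working across replays.
  ansible.builtin.shell:
    cmd: "tsig-keygen -a hmac-sha256 {{ bind9_update_key_name | quote }} > {{ bind9_update_keyfile | quote }}"
    creates: "{{ bind9_update_keyfile }}"
  notify: reload bind9

- name: Restrict permissions on the key file (it holds the shared secret)
  # named runs as user bind on Debian and only needs read access.
  ansible.builtin.file:
    path: "{{ bind9_update_keyfile }}"
    owner: root
    group: bind
    mode: "0640"

- name: Render named.conf.options with the zone directory and the key include
  ansible.builtin.template:
    src: named.conf.options.j2
    dest: /etc/bind/named.conf.options
    owner: root
    group: bind
    mode: "0644"
    validate: "named-checkconf %s"
  notify: reload bind9
```

Because tsig-keygen emits a complete `key "<name>" { algorithm hmac-sha256; secret "..."; };` stanza, the template should pull the file in with a single `include "{{ bind9_update_keyfile }}";` line rather than wrap the secret in its own `key` block, which would otherwise produce a duplicate key definition. Running `named-checkconf` as the template's `validate` step catches that kind of mistake before the new configuration is written into place.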