Fix DDNS keyfile creation, configuration and writeable zone location #59
Conversation
Dear @0xMattijs, thanks for your contribution! After a first look I have two comments:
- …/zones` in order to preserve backwards compatibility
- Make DDNS key generation optional using `bind9_generate_ddns_key` (default: false)
- Make key location configurable using `bind9_local_keydir` (default: files/bind/zones)
Hi @doobry-systemli . Totally makes sense. I have processed your suggestions in the PR:
Thanks a lot for addressing my comments @0xMattijs. Sorry for the delay with my response. The PR looks good to be merged now - just a minor comment.
Problem

This Ansible role writes zone files to a hard-coded `/etc/bind/zones` directory, which causes problems on systems with mandatory access control such as AppArmor. The AppArmor profile does not allow the BIND process to create the necessary journal files and update the zone files under `/etc/bind/zones`.

Solution

Parameterize the zone directory and default to `/var/lib/bind/zones`, for which write access is allowed by the AppArmor profile.

PR

This PR parameterises the location for storing the zone files. It also includes code to generate DDNS keys using `tsig-keygen` if a configured `update_keyfile` does not exist already. Since `tsig-keygen` generates a full `key` configuration section, the `named.conf.options.j2` template has been adjusted accordingly.
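An added sketch (not the role's own code from this PR) of how the idempotent key generation and the writeable zone directory described above can be expressed as Ansible tasks. `bind9_generate_ddns_key` and `bind9_local_keydir` are the variables named in the discussion; `bind9_zonedir`, `bind9_ddns_key_name` and the file paths are assumptions.

```yaml
# Added example, not the role's code. Assumed defaults (defaults/main.yml):
#   bind9_generate_ddns_key: false
#   bind9_local_keydir: files/bind/zones   # on the control host; keep out of VCS
#   bind9_zonedir: /var/lib/bind/zones     # writeable under the AppArmor profile
#   bind9_ddns_key_name: ddns-update       # assumed key name
- name: Generate a TSIG key on the control host only if none exists yet
  ansible.builtin.shell: >
    tsig-keygen -a hmac-sha256 {{ bind9_ddns_key_name }}
    > "{{ bind9_local_keydir }}/{{ bind9_ddns_key_name }}.key"
  args:
    # 'creates' makes the task a no-op once the file exists, so re-running
    # the role never silently replaces a secret already in use by clients.
    creates: "{{ bind9_local_keydir }}/{{ bind9_ddns_key_name }}.key"
  delegate_to: localhost
  run_once: true
  become: false
  when: bind9_generate_ddns_key | bool

- name: Ensure the zone directory exists and is writeable by named
  ansible.builtin.file:
    path: "{{ bind9_zonedir }}"
    state: directory
    owner: bind
    group: bind
    mode: "0750"

- name: Install the key file readable by the bind group only
  ansible.builtin.copy:
    src: "{{ bind9_local_keydir }}/{{ bind9_ddns_key_name }}.key"
    dest: "/etc/bind/{{ bind9_ddns_key_name }}.key"
    owner: root
    group: bind
    mode: "0640"
  when: bind9_generate_ddns_key | bool
```

Because `tsig-keygen` already emits a complete `key "name" { ... };` stanza, the rendered `named.conf.options` can pull the file in with a plain `include` line instead of wrapping a bare secret in its own `key` block.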