Allow pdns4 backend to select tsigkey

Allow a new config item in pools.yaml to set the pdns tsigkey to use for AFXR queries. Change-Id: Ibb4fb604957286c6edfe85f72321f199eb3167a7 Closes-Bug: #1820089 Signed-off-by: Graham Hayes <gr@ham.ie>
2019-03-14 16:36:46 +00:00 · 2019-03-14 16:36:46 +00:00 · 7a1ba8ee9b
commit 7a1ba8ee9b
parent 59d8cab9bb
4 changed files with 42 additions and 0 deletions
--- a/designate/backend/impl_pdns4.py
+++ b/designate/backend/impl_pdns4.py
@ -35,6 +35,7 @@ class PDNS4Backend(base.Backend):

        self.api_endpoint = self.options.get('api_endpoint')
        self.api_token = self.options.get('api_token')
+        self.tsigkey_name = self.options.get('tsigkey_name', None)

    def _build_url(self, zone=''):
        r_url = urllib.parse.urlparse(self.api_endpoint)
@ -53,6 +54,8 @@ class PDNS4Backend(base.Backend):
            "masters": masters,

        }
+        if self.tsigkey_name:
+            data['slave_tsig_key_ids'] = [self.tsigkey_name]
        headers = {
            "X-API-Key": self.api_token
        }
--- a/doc/source/admin/backends/pdns4.rst
+++ b/doc/source/admin/backends/pdns4.rst
@ -55,4 +55,31 @@ See :ref:`designate_manage_pool` for further details on
 the ``designate-manage pool`` command, and :ref:`pools`
 for information about the yaml file syntax

+
+TSIG Key Configuration
+----------------------
+
+.. note:: This is only available in PowerDNS 4.2 or newer
+
+In some cases a deployer may need to use tsig keys to sign AXFR (zone transfer)
+requests. As pdns does not support a per host key setup, this needs to be set
+on a per zone basis, on creation.
+
+To do this, generate a tsigkey on the PowerDNS Server:
+
+.. code-block:: bash
+
+    $ pdnsutil generate-tsig-key <keyname> hmac-sha512
+    Create new TSIG key keyname hmac-sha512 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg==
+
+Then insert it into Designate. Make sure the pool id is correct
+(the ``--resource-id`` below.)
+
+.. code-block:: bash
+
+    openstack tsigkey create --name <keyname> --algorithm hmac-sha512 --secret 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg== --scope POOL --resource-id 794ccc2c-d751-44fe-b57f-8894c9f5c842
+
+Then add it to the ``pools.yaml`` file as shown in the example. The ID used is
+the name of the key in the PowerDNS server.
+
 .. _PowerDNS Docs: https://doc.powerdns.com/md/authoritative/installation/
--- a/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml
+++ b/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml
@ -14,3 +14,5 @@
        port: 53
        api_endpoint: http://127.0.0.1:8081
        api_token: changeme
+        # If a tsigkey is needed, uncomment the line below and insert the name
+        # tsigkey_name: <keyname>
--- a/releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml
+++ b/releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Adds a new option for pools using the ``pdns4`` backend: ``tsigkey_name``.
+    This allows deployers to specify a tsig key that is installed in powerdns
+    to use for AFXR requests. This key name is the name used to create the key
+    in powerdns, not the Designate UUID based ID for the key.
+
+    .. note:: This is only available in the 4.2.x versions (and above) of pdns.
+