From 7a1ba8ee9bfb640b75d38a93d315a1a1b1b15ec8 Mon Sep 17 00:00:00 2001
From: Graham Hayes
Date: Thu, 14 Mar 2019 16:36:46 +0000
Subject: [PATCH] Allow pdns4 backend to select tsigkey

Allow a new config item in pools.yaml to set the pdns tsigkey to use for AFXR queries.

Change-Id: Ibb4fb604957286c6edfe85f72321f199eb3167a7
Closes-Bug: #1820089
Signed-off-by: Graham Hayes
---
 designate/backend/impl_pdns4.py | 3 +++
 doc/source/admin/backends/pdns4.rst | 27 +++++++++++++++++++
 .../backends/sample_yaml_snippets/pdns4.yaml | 2 ++
 .../notes/pdns4-tsig-1fda534c01d90138.yaml | 10 +++++++
 4 files changed, 42 insertions(+)
 create mode 100644 releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml

diff --git a/designate/backend/impl_pdns4.py b/designate/backend/impl_pdns4.py
index aceb9c3f4..bc04af380 100644
--- a/designate/backend/impl_pdns4.py
+++ b/designate/backend/impl_pdns4.py
@@ -35,6 +35,7 @@ class PDNS4Backend(base.Backend):
 self.api_endpoint = self.options.get('api_endpoint')
 self.api_token = self.options.get('api_token')
+ self.tsigkey_name = self.options.get('tsigkey_name', None)
 def _build_url(self, zone=''):
 r_url = urllib.parse.urlparse(self.api_endpoint)
@@ -53,6 +54,8 @@ class PDNS4Backend(base.Backend):
 "masters": masters,
 }
+ if self.tsigkey_name:
+ data['slave_tsig_key_ids'] = [self.tsigkey_name]
 headers = {
 "X-API-Key": self.api_token
 }
diff --git a/doc/source/admin/backends/pdns4.rst b/doc/source/admin/backends/pdns4.rst
index a668d65a0..8120ab490 100644
--- a/doc/source/admin/backends/pdns4.rst
+++ b/doc/source/admin/backends/pdns4.rst
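Review bot: The key name read in the first hunk is forwarded unchecked as `slave_tsig_key_ids` in the second hunk, and nothing in the change confirms that a key of that name exists in PowerDNS or that a POOL-scoped Designate tsigkey with the same name is present, so a mismatch presumably surfaces only later as a failed zone transfer rather than at configuration time; a comment on the added assignment would make the contract visible, e.g. `# Name of the TSIG key as created in PowerDNS (not the Designate UUID); it must match a POOL-scoped tsigkey in Designate for the signed AXFR to succeed.` The method containing the second hunk starts outside the hunk, so I cannot tell whether a non-2xx reply to the create request (an unknown key id, for instance) is logged or raised. The explicit `None` in `self.options.get('tsigkey_name', None)` is redundant and inconsistent with the two `options.get(...)` lines directly above it; `self.tsigkey_name = self.options.get('tsigkey_name')` keeps the three uniform.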
@@ -55,4 +55,31 @@ See :ref:`designate_manage_pool` for further details on the ``designate-manage pool`` command, and :ref:`pools` for information about the yaml file syntax
+
+TSIG Key Configuration
+----------------------
+
+.. note:: This is only available in PowerDNS 4.2 or newer
+
+In some cases a deployer may need to use tsig keys to sign AXFR (zone transfer)
+requests. As pdns does not support a per host key setup, this needs to be set
+on a per zone basis, on creation.
+
+To do this, generate a tsigkey on the PowerDNS Server:
+
+.. code-block:: bash
+
+ $ pdnsutil generate-tsig-key hmac-sha512
+ Create new TSIG key keyname hmac-sha512 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg==
+
+Then insert it into Designate. Make sure the pool id is correct
+(the ``--resource-id`` below.)
+
+.. code-block:: bash
+
+ openstack tsigkey create --name --algorithm hmac-sha512 --secret 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg== --scope POOL --resource-id 794ccc2c-d751-44fe-b57f-8894c9f5c842
+
+Then add it to the ``pools.yaml`` file as shown in the example. The ID used is
+the name of the key in the PowerDNS server.
+
 .. _PowerDNS Docs: https://doc.powerdns.com/md/authoritative/installation/
diff --git a/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml b/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml
index 0bd63fd35..53e2a1cd4 100644
--- a/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml
+++ b/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml
@@ -14,3 +14,5 @@ port: 53
 api_endpoint: http://127.0.0.1:8081
 api_token: changeme
+ # If a tsigkey is needed, uncomment the line below and insert the name
+ # tsigkey_name:
diff --git a/releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml b/releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml
new file mode 100644
index 000000000..1bc19d0f9
--- /dev/null
+++ b/releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Adds a new option for pools using the ``pdns4`` backend: ``tsigkey_name``.
+ This allows deployers to specify a tsig key that is installed in powerdns
+ to use for AFXR requests. This key name is the name used to create the key
+ in powerdns, not the Designate UUID based ID for the key.
+
+ .. note:: This is only available in the 4.2.x versions (and above) of pdns.
+