Merge "Allow pdns4 backend to select tsigkey" into stable/rocky
commit
c95dbaa9af
@ -35,6 +35,7 @@ class PDNS4Backend(base.Backend):
self.api_endpoint = self.options.get('api_endpoint')
self.api_endpoint = self.options.get('api_endpoint')
self.api_token = self.options.get('api_token')
self.api_token = self.options.get('api_token')
self.tsigkey_name = self.options.get('tsigkey_name', None)
def _build_url(self, zone=''):
def _build_url(self, zone=''):
r_url = urllib.parse.urlparse(self.api_endpoint)
r_url = urllib.parse.urlparse(self.api_endpoint)
@ -53,6 +54,8 @@ class PDNS4Backend(base.Backend):
"masters": masters,
"masters": masters,
}
}
if self.tsigkey_name:
data['slave_tsig_key_ids'] = [self.tsigkey_name]
headers = {
headers = {
"X-API-Key": self.api_token
"X-API-Key": self.api_token
}
}
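Review bot: `self.options.get('tsigkey_name', None)` in the first hunk spells out the default that `dict.get` already supplies, while the adjacent `api_endpoint` and `api_token` reads use the bare `.get(key)` form; `self.tsigkey_name = self.options.get('tsigkey_name')` keeps the three option reads uniform. Nothing in the code says that this value must be the key's name as installed on the PowerDNS server rather than Designate's own UUID for the tsigkey, nor that `slave_tsig_key_ids` is only honored by PowerDNS 4.2 and newer — both facts live only in the release note — so a comment above the assignment such as `# Name of the TSIG key as known to PowerDNS (not the Designate UUID); used for slave_tsig_key_ids, PowerDNS >= 4.2 only` would stop the next reader from wiring in the wrong identifier. In the second hunk the configured name is passed through unchecked, so a typo or a key that was never created on the PowerDNS side presumably only surfaces as an error from the zone-creation API call; worth confirming that the backend's existing error handling reports that case clearly, since a zone created without the intended key would accept unsigned transfers. The enclosing method of the first hunk (presumably `__init__`) and the method that builds `data` in the second both start outside the hunks.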
@ -55,4 +55,31 @@ See :ref:`designate_manage_pool` for further details on
the ``designate-manage pool`` command, and :ref:`pools`
the ``designate-manage pool`` command, and :ref:`pools`
for information about the yaml file syntax
for information about the yaml file syntax
TSIG Key Configuration
----------------------
.. note:: This is only available in PowerDNS 4.2 or newer
In some cases a deployer may need to use tsig keys to sign AXFR (zone transfer)
requests. As pdns does not support a per host key setup, this needs to be set
on a per zone basis, on creation.
To do this, generate a tsigkey on the PowerDNS Server:
.. code-block:: bash
$ pdnsutil generate-tsig-key <keyname> hmac-sha512
Create new TSIG key keyname hmac-sha512 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg==
Then insert it into Designate. Make sure the pool id is correct
(the ``--resource-id`` below.)
.. code-block:: bash
openstack tsigkey create --name <keyname> --algorithm hmac-sha512 --secret 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg== --scope POOL --resource-id 794ccc2c-d751-44fe-b57f-8894c9f5c842
Then add it to the ``pools.yaml`` file as shown in the example. The ID used is
the name of the key in the PowerDNS server.
.. _PowerDNS Docs: https://doc.powerdns.com/md/authoritative/installation/
.. _PowerDNS Docs: https://doc.powerdns.com/md/authoritative/installation/
@ -14,3 +14,5 @@
port: 53
port: 53
api_endpoint: http://127.0.0.1:8081
api_endpoint: http://127.0.0.1:8081
api_token: changeme
api_token: changeme
# If a tsigkey is needed, uncomment the line below and insert the name
# tsigkey_name: <keyname>
@ -0,0 +1,10 @@
---
features:
- |
Adds a new option for pools using the ``pdns4`` backend: ``tsigkey_name``.
This allows deployers to specify a tsig key that is installed in powerdns
to use for AFXR requests. This key name is the name used to create the key
in powerdns, not the Designate UUID based ID for the key.
.. note:: This is only available in the 4.2.x versions (and above) of pdns.