✨: DNSSEC signing and auto-signing

roles/nsd/tasks/zones.yml

@@ -4,24 +4,47 @@
   ansible.builtin.template:
     src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
     dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
-    owner: root
-    group: root
+    owner: nsd
+    group: nsd
     mode: "0o644"
   vars:
     # This generates 99 different serial per day
     dns_serial: "{{ ansible_date_time.epoch }}"
 
-- name: Force zone file modification time
+- name: Create zone key dir
   ansible.builtin.file:
-    path: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
-    state: touch
-    mode: "0o644"
+    path: "{{ nsd_default_etc_path }}keys/{{ item.name }}/"
+    owner: nsd
+    group: nsd
+    mode: "0o750"
+    state: directory
+
+- name: Create the associated keys
+  become: true
+  become_user: nsd
+  ansible.builtin.command:
+    cmd: "ldns-keygen -a ECDSAP256SHA256 -k -s {{ item.name }}"
+    chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
+    creates: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
 
 - name: Check zone file
   ansible.builtin.command:
     cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
   changed_when: false
 
+- name: Stat associated keys
+  ansible.builtin.stat:
+    path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
+  register: _stat_keys
+
+- name: Sign zone file
+  become: true
+  become_user: nsd
+  ansible.builtin.command:
+    chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
+    cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
+  changed_when: true
+
 - name: Reload zone
   ansible.builtin.command:
     cmd: "nsd-control reload {{ item.name }}"