Generating TSIG Keys for Bind server

I need to generate TSIG keys for use by nsupdate. dnssec-keygen creates two files after running:

```yaml
- name: generate TSIG keys
  command: "dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST {{ item.name }}"
  args:
    chdir: "{{ bind_base_zones_path }}/tsig/{{ item.name }}/"
  with_items: "{{ bind_config_master_zones }}"
```

I need to copy the generated key in one of the files and insert it into a new file (named.conf.local):

```yaml
- name: populate TSIG key config
  command: "grep Key {{ bind_base_zones_path }}/tsig/{{ item.name }}/K{{ item.name }}.*.private | awk '{print $2}'"
  register: "key-{{ item.name }}"
  with_items: "{{ bind_config_master_zones }}"
```

My problem is that the grep returns “No such file or directory” even though a grep locally on the system returns the key. I suspect an issue with the regex. The other issue is with the dynamic nature of the variables.

How can I extract the key from the files generated and copy them into the config file?

When using a pipe, and I guess also a wildcard, you must use the shell module.

Register doesn't support variables in the name, so here you create the literal variable "key-{{ item.name }}".
You can only register to one variable, and since you are using with_items the variable will contain a list, one entry for each item.

Thanks!

Another question:

If I use with_dict to register the variable, how do I access stdout from the shell command?

```yaml
- name: populate TSIG key config
  command: "grep Key {{ bind_base_zones_path }}/tsig/{{ item.key }}/K{{ item.key }}.*.private | awk '{print $2}'"
  register: "tsig_keys"
  with_items: "{{ bind_config_master_zones }}"
```

Well, this task uses with_items and command module.

But when using with_* your result will be in {{ tsig_keys.results }}; this is a list, with one entry for each item.

tsig_keys.results.0.stdout is the first, tsig_keys.results.1.stdout is the second and so on.

I recommend using

```yaml
- debug: var=tsig_keys
```

This will show all the content of the variable in a human-readable format.

I can extract the stdout from the shell command, but ultimately I'm going to want to associate the stdout of the shell command with a zone. So if I use with_items and iterate over each result, all I've got is a number. How do I re-associate that number with its corresponding zone?

Here’s an example of the zone variables:

```yaml
vars:
  bind_config_master_zones:
    example.org:
      dnssec: yes
      mail: ops.example.org
      serial: 2017092200
      refresh: 3600
      retry: 1800
      expire: 2419200
      negative_cache: 300
    example.com:
      dnssec: yes
      mail: ops.example.com
      serial: 2016102200
      refresh: 3600
      retry: 1800
      expire: 2419200
      negative_cache: 300
```

I’d want to set a fact from tsig_keys.results.0.stdout to example.org.key and tsig_keys.results.1.stdout to example.com.key. How can I do that?

I figured it out:

I don’t need to set facts - I need to set the keys in config files. I can use templates to iterate over the zones and pull the values from the results. I’ll update with my answer once I tested it.
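The following playbook is an added example that is not part of the thread above; it ties together the three points the replies make (the shell module is needed for the pipe and the glob, a loop registers one variable whose `.results` holds one entry per item, and each entry's `.item` is the loop item that produced it, which is what re-associates a secret with its zone). It assumes a hosts group named `dns_masters`, the paths shown, a `bind` group on the target, and a BIND build whose `dnssec-keygen` still accepts HMAC algorithms (recent BIND releases have dropped that and ship `tsig-keygen`, which prints a ready-made `key` stanza instead). It uses HMAC-SHA256 rather than HMAC-MD5, sets `no_log` on the tasks that touch key material so the secrets do not land in the play output, and uses `creates` so re-running the play never overwrites an existing key.

```yaml
# Added example (not from the thread). Assumed: hosts group "dns_masters",
# a "bind" group on the target, the paths below, and a dnssec-keygen that
# still generates HMAC keys (newer BIND: use tsig-keygen instead).
- hosts: dns_masters
  become: true
  vars:
    bind_base_zones_path: /etc/bind/zones      # assumed path
    bind_config_master_zones:                  # constructed sample zones
      example.org:
        mail: ops.example.org
      example.com:
        mail: ops.example.com
  tasks:
    - name: create a private directory per zone for its TSIG key files
      file:
        path: "{{ bind_base_zones_path }}/tsig/{{ item.key }}"
        state: directory
        owner: root
        group: bind
        mode: "0750"
      with_dict: "{{ bind_config_master_zones }}"

    - name: generate one HMAC-SHA256 TSIG key per zone
      # 'creates' accepts a glob; an existing key is never regenerated.
      command: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST {{ item.key }}
      args:
        chdir: "{{ bind_base_zones_path }}/tsig/{{ item.key }}"
        creates: "{{ bind_base_zones_path }}/tsig/{{ item.key }}/K{{ item.key }}.+*.private"
      with_dict: "{{ bind_config_master_zones }}"
      no_log: true

    - name: read the secret out of each zone's .private file
      # The pipe and the glob need a real shell. With the command module,
      # grep receives "K<zone>.+*.private" literally, which is exactly the
      # "No such file or directory" from the question.
      # One register for the whole loop: Ansible appends one entry per
      # item to tsig_keys.results, and entry.item is that loop item.
      shell: >
        set -o pipefail;
        grep '^Key:' {{ bind_base_zones_path }}/tsig/{{ item.key }}/K{{ item.key }}.+*.private
        | awk '{print $2}'
      args:
        executable: /bin/bash
      with_dict: "{{ bind_config_master_zones }}"
      register: tsig_keys
      changed_when: false
      no_log: true     # the secrets would otherwise be printed in the play log

    - name: render named.conf.local with one key stanza per zone
      # r.item.key is the zone name that produced r.stdout, so there is no
      # need to map list indexes back to zones by hand or to set facts.
      copy:
        dest: /etc/bind/named.conf.local
        owner: root
        group: bind
        mode: "0640"
        content: |
          {% for r in tsig_keys.results %}
          key "{{ r.item.key }}" {
              algorithm hmac-sha256;
              secret "{{ r.stdout }}";
          };
          {% endfor %}
      no_log: true
      notify: reload bind

  handlers:
    - name: reload bind
      service:
        name: bind9
        state: reloaded
```

The same `{% for r in tsig_keys.results %}` loop works unchanged in a separate `named.conf.local.j2` rendered with the `template` module, which is what the last post proposes; `copy` with `content` is used here only to keep the example in one file. If a zone's `.private` file is missing, `pipefail` makes the task fail on that item instead of silently writing an empty `secret ""` into the config.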