I am getting this error: fatal: [bobul-2]: FAILED! => {"changed": false, "msg": "TSIG update error (PeerBadKey): The peer didn't know the key we used"}
when I try to create an A record in a BIND 9 zone with the nsupdate module. I am sure the key is defined in named.conf.options and referenced in named.conf.local, because I manage both files with the template module.
# The task that fails. community.general.nsupdate runs on the target host
# (every host in dns_masters here) and sends a TSIG-signed update to `server`;
# the key *name* must already be known to the named process answering there,
# otherwise it replies BADKEY, which the module reports as "PeerBadKey".
- name: Set backup A record
  community.general.nsupdate:
    server: "bobul-2"
    zone: "{{ startup_domain }}"
    record: backup
    value: "{{ backup_ip }}"
    key_name: "nsupdate.key"
    key_algorithm: "hmac-sha256"
    key_secret: "{{ nsupdate_key_secret }}"
  when: inventory_hostname in groups['dns_masters']
I have no idea why this error is thrown, because the configuration files on the managed host look correct.
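# Render both named.conf fragments (options + local) from their templates.
# named.conf.options carries the TSIG secrets (transfer.key, nsupdate.key), so
# the rendered file must not be world-readable: without an explicit mode the
# template module keeps the package default (0644) or the umask. root:bind 0640
# lets named (which runs as user "bind" on Debian/Ubuntu -- adjust if your
# distribution uses another account) read it and nobody else.
# Any change only takes effect once the "Restart bind9" handler runs -- by
# default at the END of the play, not right after this task.
- name: Change bind9 configuration
  ansible.builtin.template:
    src: "named.conf.{{ item }}.j2"
    dest: "/etc/bind/named.conf.{{ item }}"
    owner: root
    group: bind
    mode: "0640"
  loop: [options, local]
  notify: Restart bind9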
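# Seed the forward zone file only when it does not exist yet (force: false).
# This zone accepts dynamic updates (allow-update in named.conf.local), so
# after the first deploy the running named owns the file; re-templating it
# out-of-band would discard the records added by nsupdate -- presumably why
# force is off; BIND also keeps a .jnl journal next to such a file, confirm
# before ever setting force: true. Written as true/false, not yes/no, so the
# value is an unambiguous YAML boolean (yamllint `truthy`).
- name: Configure master zone
  ansible.builtin.template:
    src: zone.j2
    dest: "/var/cache/bind/db.{{ startup_domain }}"
    force: false
  notify: Rndc reload
  when: inventory_hostname in groups['dns_masters']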
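# Seed the reverse (PTR) zone file only if absent, for the same reason as the
# forward zone: it is dynamically updatable, so the file is owned by named once
# it is live and must not be overwritten by Ansible afterwards.
# force is a real YAML boolean (false), not the 1.1-style "no".
- name: Configure ptr zone
  ansible.builtin.template:
    src: zone.rev.j2
    dest: /var/cache/bind/db.rev
    force: false
  notify: Rndc reload
  when: inventory_hostname in groups['dns_masters']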
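# Handlers run at the END of the play by default. On a first run the
# "Restart bind9" handler notified by the template task above has therefore
# NOT fired yet when this task executes: the update goes to a named that is
# still running its previous configuration, which does not contain
# "nsupdate.key", and named answers BADKEY -- reported by the module as
# "TSIG update error (PeerBadKey): The peer didn't know the key we used".
# This is the most likely cause of that error; flushing the handlers here
# makes the restart/reload happen before the update is sent.
# (meta: flush_handlers does not honour `when`; it runs for every host.)
- name: Apply pending bind9 configuration changes before sending updates
  ansible.builtin.meta: flush_handlers

# NOTE(review): `server` is hard-coded while the task runs on every host in
# dns_masters; with more than one primary each would update bobul-2 rather
# than itself (127.0.0.1 would target the local primary) -- confirm the
# intent. If the restart races the update, add an ansible.builtin.wait_for
# on port 53 between the flush and this task.
- name: Set backup A record
  community.general.nsupdate:
    server: "bobul-2"
    zone: "{{ startup_domain }}"
    record: backup
    value: "{{ backup_ip }}"
    key_name: "nsupdate.key"
    key_algorithm: "hmac-sha256"
    key_secret: "{{ nsupdate_key_secret }}"
  when: inventory_hostname in groups['dns_masters']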
I expect the module to create the A record on the managed host (bobul-2).
named.conf.options:
// Clients allowed to query this server (used by allow-query below).
// NOTE(review): 172.17.0.0/16 is typically the Docker default bridge range;
// keep it only if containers on this host must reach named.
acl {{ startup_name }} {
    {{ dns_local_network }};
    {{ dns_localhost }};
    172.17.0.0/16;
};
options {
    directory "/var/cache/bind";

    // Only members of the acl above may query; everyone else is refused.
    allow-query { {{ startup_name }}; };

    // Recursive lookups are forwarded to these public resolvers.
    forwarders { 1.1.1.1; 8.8.8.8; 9.9.9.9; };

    // NOTE(review): with validation off, answers relayed by the forwarders
    // (or injected on-path) are accepted unverified. Prefer
    // `dnssec-validation auto;` unless there is a known reason to disable it
    // -- confirm before changing.
    dnssec-validation no;
};
// Statistics HTTP endpoint: bound to loopback and only reachable from loopback.
statistics-channels {
    inet 127.0.0.1 port 8053
        allow { 127.0.0.1; };
};
key "transfer.key" {
algorithm hmac-sha256;
secret "{{ transfer_key_secret }}";
};
key "nsupdate.key" {
algorithm hmac-sha256;
secret "{{ nsupdate_key_secret }}";
};
named.conf.local:
zone "{{ startup_domain }}" {
{% if inventory_hostname in groups['dns_masters'] %}
type primary;
allow-transfer { key transfer.key; };
allow-update { key nsupdate.key; };
{% else %}
type secondary;
masters {
{% for master in groups['dns_masters'] %}
{{ hostvars[master]['ansible_default_ipv4']['address'] }};
{% endfor %}
};
{% endif %}
file "/var/cache/bind/db.{{ startup_domain }}";
};
zone "168.192.in-addr.arpa." {
{% if inventory_hostname in groups['dns_masters'] %}
type primary;
allow-transfer {127.0.0.1; key transfer.key;};
allow-update { key nsupdate.key; };
{% else %}
type secondary;
masters {
{% for master in groups['dns_masters'] %}
{{ hostvars[master]['ansible_default_ipv4']['address'] }};
{% endfor %}
};
{% endif %}
file "/var/cache/bind/db.rev";
};
{% if inventory_hostname in groups['dns_slaves'] %}
// Secondaries sign their transfer requests to each primary with transfer.key,
// which is what the primaries' allow-transfer { key transfer.key; } requires.
// NOTE(review): this is gated on groups['dns_slaves'], whereas the zones
// above treat every host NOT in dns_masters as a secondary; a host in neither
// group is rendered as a secondary without a server statement and cannot
// transfer -- confirm the inventory groups line up.
{% for master in groups['dns_masters'] %}
server {{ hostvars[master]['ansible_default_ipv4']['address'] }} { keys { transfer.key; }; };
{% endfor %}
{% endif %}