Dear all,
In my old approach, which I no longer use, I had my zones on my server and
used vi to update them when changes were required.
At that time, I just included the required DKIM entries using an $INCLUDE
statement in the zone:
    $INCLUDE fechner.net.dkim.txt
This file is automatically generated on the server by rspamd and was
very convenient.
If the DKIM key changed for whatever reason, I just bumped the serial of
the zone and reloaded it using rndc.
Some years ago I decided to change that well-working procedure for
several reasons:
- usage of DNSSEC
- track changes on zones using git
- manage the zones on another machine and just update the zone on the
real server using nsdiff and nsupdate
- automatic zone updates based on commits in the zones repository
- usage of DNS-01 validation for wildcard SSL certificates
- and many other reasons
So I converted my zones into "dynamic" zones so that I can update them
using the nsdiff and nsupdate approach, which works very nicely.
To prevent dehydrated (which I use to manage my Let's Encrypt
certificates) from damaging my zone, I decided to delegate the ACME
challenge into an extra zone file with an extra key file.
So it looks like this:
    zone "fechner.net" {
        type master;
        file "/usr/local/etc/namedb/master/fechner.net/fechner.net";
        allow-transfer { secondard-servers; key fechner.net; };
        dnssec-policy "one-year-zsk";
        inline-signing no;
        allow-update { key fechner.net; };
    };

    zone "_acme-challenge.fechner.net" {
        type master;
        file "/usr/local/etc/namedb/master/fechner.net/_acme-challenge.fechner.net";
        masterfile-format text;
        allow-update { key acme_fechner.net; };
    };
Now I want to automate the complete management, partly using SaltStack.
What do you suggest: how should I handle the DKIM part?
I would like to have the keys on the server (and not in SaltStack, as
they must not be permanent, they must only be consistent), so there is no
need to have even the public part in my git repository for the zones.
What kind of solution do you suggest?
Should I also delegate the DKIM part into its own zone file where I
maybe can use the $INCLUDE feature?
Any comments are welcome!
Thanks a lot
Matthias
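One way to apply the same pattern the post uses for _acme-challenge to DKIM, as an added example that is not part of the original post: delegate a child zone (assumed here to be `_domainkey.fechner.net`) with its own TSIG key, so the key that rspamd's host holds can only ever rewrite DKIM records, and feed the rspamd-generated DKIM file into nsupdate instead of $INCLUDE. The rspamd output file path and the key file path are placeholders, and the sample DKIM record is constructed, not a real key.

```python
import re
import subprocess

# Constructed sample, shaped like a rspamadm dkim_keygen record; not a real key.
SAMPLE_DKIM_FILE = """\
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
\t"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEACONSTRUCTEDKEYDATA" ) ;
"""

# owner [ttl] [IN] TXT ( "..." "..." )  or  owner TXT "..."
RECORD_RE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(?P<body>\(.*?\)|"[^"]*")',
    re.M | re.S)


def parse_dkim_records(text):
    """Return [(owner, txt)]; the quoted pieces of a multi-string TXT are joined."""
    out = []
    for m in RECORD_RE.finditer(text):
        txt = "".join(re.findall(r'"([^"]*)"', m.group("body")))
        out.append((m.group("owner"), txt))
    return out


def txt_chunks(value, size=255):
    """Split a long value into <=255-octet strings, as TXT wire format requires."""
    return [value[i:i + size] for i in range(0, len(value), size)]


def build_nsupdate_batch(records, domain, zone, server="127.0.0.1", ttl=3600):
    """Render an nsupdate script that replaces each DKIM TXT RRset in `zone`.
    Owners are relative to `domain` (as in the rspamd file); any name that is
    not inside the delegated zone is rejected before anything is sent."""
    lines = [f"server {server}", f"zone {zone}."]
    for owner, txt in records:
        fqdn = owner if owner.endswith(".") else f"{owner}.{domain}."
        if not fqdn.endswith(f".{zone}."):
            raise ValueError(f"{fqdn} is outside the delegated zone {zone}")
        quoted = " ".join(f'"{c}"' for c in txt_chunks(txt))
        lines.append(f"update delete {fqdn} TXT")  # drop the old RRset first
        lines.append(f"update add {fqdn} {ttl} TXT {quoted}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def push(batch, keyfile):
    """Send the batch via nsupdate, signed with the DKIM-only TSIG key."""
    subprocess.run(["nsupdate", "-k", keyfile], input=batch, text=True, check=True)


if __name__ == "__main__":  # placeholder paths; adjust to the real server layout
    recs = parse_dkim_records(open("/PATH/TO/fechner.net.dkim.txt").read())
    push(build_nsupdate_batch(recs, "fechner.net", "_domainkey.fechner.net"),
         "/PATH/TO/dkim_fechner.net.key")
```

The named.conf side mirrors the _acme-challenge zone: a `zone "_domainkey.fechner.net"` with `allow-update { key dkim_fechner.net; };` (key name assumed) and an NS delegation for `_domainkey` in the parent zone, so the parent stays untouched when the key rotates.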