Resource Type: dnssec_key

Defined in:
lib/puppet/type/dnssec_key.rb
Providers:
dnssec_key

Summary

Create, delete and maintain DNSSEC key files on the DNS server

Overview

Notice: Automatic key rollover using this type is not thoroughly tested. Use `bind::dnssec_policy` to define a DNSSEC policy (available with Bind 9.16) and let Bind handle the heavy lifting instead of Puppet.

All intervals are interpreted as seconds if no unit is given. The following interval units can be used: `y` (years), `mo` (months), `w` (weeks), `d` (days), `h` (hours), `mi` (minutes).

Examples for valid intervals: `1y`, `12mo`, `1w`, `7d`, `24h`, `720mi`

The following diagram illustrates the lifecycle of the keys:

```
key-1  ------------ active ------------><--- retired ---><--- deleted --->

key-2                <--- published ---><----------- active -----------><--- retired --->
                     <----------------->
                       prepublication
                          interval
```

Key-2 is published with a prepublication interval while key-1 is still active. The activation time of key-2 matches the deactivation time of key-1. Key-1 changes state to retired when it is deactivated and is deleted eventually. The cycle continues with additional keys.
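The interval syntax and the successor lifecycle above, worked through in Ruby as an added example (this is not code from the bind module or its `dnssec_key` type). The year and month lengths (365 and 30 days), the `key_timeline` and `precreate_sufficient?` helper names, and the 30-minute Puppet run interval are assumptions made for the example.

```ruby
require 'time'

# Same pattern the type uses to validate interval parameters.
INTERVAL_RE = /\A([0-9]+)(y|mo|w|d|h|mi)?\z/
UNIT_SECONDS = {
  nil  => 1,             # bare number: seconds
  'mi' => 60,
  'h'  => 3600,
  'd'  => 86_400,
  'w'  => 7 * 86_400,
  'mo' => 30 * 86_400,   # assumption: a month is 30 days here
  'y'  => 365 * 86_400,  # assumption: a year is 365 days here
}.freeze

# Convert '2w', '720mi' or '30' to seconds; reject anything the type's
# %r{^[0-9]+(y|mo|w|d|h|mi)?$} validation would reject.
def parse_interval(str)
  m = INTERVAL_RE.match(str.to_s) or raise ArgumentError, "invalid interval: #{str.inspect}"
  m[1].to_i * UNIT_SECONDS[m[2]]
end

# Timeline of one key from its activation time (a Time) and its intervals:
#   publish  = activate - prepublish      inactive = activate + active
#   delete   = inactive + retire          create   = publish  - precreate
def key_timeline(activate:, prepublish:, active:, retire:, precreate: '0')
  publish  = activate - parse_interval(prepublish)
  inactive = activate + parse_interval(active)
  {
    create:   publish - parse_interval(precreate),
    publish:  publish,
    activate: activate,
    inactive: inactive,
    delete:   inactive + parse_interval(retire),
  }
end

# successor => true: the new key activates exactly when its predecessor
# becomes inactive (key-2 in the diagram); its publication and deletion
# times follow from the same intervals.
def successor_timeline(predecessor, **intervals)
  key_timeline(activate: predecessor[:inactive], **intervals)
end

# precreate must span at least one Puppet agent run, or the key file may not
# exist yet when its publication time arrives (default runinterval is 30 minutes).
def precreate_sufficient?(precreate, runinterval: '30mi')
  parse_interval(precreate) >= parse_interval(runinterval)
end
```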

Examples:

Create a Key Signing Key using defaults

dnssec_key { 'example.com':
  key_directory => '/etc/bind/keys',
  ksk           => true,
}

Create a Zone Signing Key using a specified algorithm and key size

dnssec_key { 'ZSK/example.com':
  zone          => 'example.com',
  key_directory => '/etc/bind/keys',
  algorithm     => 'RSASHA256',
  bits          => 2048,
}

Create Zone Signing Keys using automatic key rollover

dnssec_key { 'ZSK/example.com':
  zone          => 'example.com',
  key_directory => '/etc/bind/keys',
  publish       => '2w',
  active        => '1y',
  retire        => '4w',
  delete        => '1w',
  successor     => true,
}

Properties

  • ensure (defaults to: present)

    Specifies whether the destination file should exist. Setting this to “absent” tells Puppet to delete the destination file if it exists, and negates the effect of any other parameters.

    Supported values:
    • present
    • absent

Parameters

  • active

    The time interval that the key will be used for signing the zone.

    Supported values:
    • %r{^[0-9]+(y|mo|w|d|h|mi)?$}
  • algorithm (defaults to: RSASHA1)

    The cryptographic algorithm that the key should use.

    Supported values:
    • DSA
    • ECCGOST
    • ECDSAP256SHA256
    • ECDSAP384SHA384
    • ED25519
    • ED448
    • NSEC3DSA
    • NSEC3RSASHA1
    • RSAMD5
    • RSASHA1
    • RSASHA256
    • RSASHA512
  • bits

    The number of bits in the key. The possible range depends on the selected algorithm:

    • RSA: 512 .. 2048
    • DH: 128 .. 4096
    • DSA: 512 .. 1024 and an exact multiple of 64
    • HMAC: 1 .. 512

    Elliptic curve algorithms don’t need this parameter.

    Supported values:
    • %r{^[0-9]+$}
  • key_directory

    The directory where the key should be created. This parameter is mandatory.

  • ksk (defaults to: false)

    Whether the key should be a Key Signing Key.

    Supported values:
    • true
    • false
  • name (namevar)

    The name of the resource.

  • nsec3 (defaults to: false)

    Whether the key should be NSEC3-capable.

    Supported values:
    • true
    • false
  • precreate

    The time interval before prepublication in which the key will be created. The interval must be long enough to ensure Puppet will run during this interval.

    Supported values:
    • %r{^[0-9]+(y|mo|w|d|h|mi)?$}
  • prepublish

    The time interval before activation when the key will be published.

    Supported values:
    • %r{^[0-9]+(y|mo|w|d|h|mi)?$}
  • provider

    The specific backend to use for this `dnssec_key` resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.

  • purge (defaults to: false)

    Whether old keys should be purged after they are retired.

    Supported values:
    • true
    • false
  • retire

    The time interval during which the key remains published after it becomes inactive.

    Supported values:
    • %r{^[0-9]+(y|mo|w|d|h|mi)?$}
  • revoke

    The time interval that the key will have the revoke bit set. This parameter may only be used for zone-signing keys.

    Supported values:
    • %r{^[0-9]+(y|mo|w|d|h|mi)?$}
  • rrtype (defaults to: DNSKEY)

    The resource record type to use for the key.

    Supported values:
    • DNSKEY
    • KEY
  • successor (defaults to: false)

    Whether the key should be created as an explicit successor to an existing key. In this case the name, algorithm, size and type of the key are taken from the existing key. The activation date will match the inactivation date of the existing key.

    Supported values:
    • true
    • false
  • zone

    The zone for which the key should be generated. This must be a valid domain name. Defaults to the resource title if unset.

    Supported values:
    • %r{^[a-zA-Z][a-zA-Z0-9.-]+\.[a-zA-Z]+$}