From 9cb7aae1b95ddfa7cb335451bf18955c113e2fcf Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Mon, 27 Oct 2025 17:01:42 +0100
Subject: [PATCH] key changes
---
debug-pod.yaml | 8 +-------
deployment/deploy-yml.tmpl | 6 ------
deployment/deploy.sh | 12 ------------
named.conf | 14 ++------------
zones.conf | 12 ++++++++++++
5 files changed, 15 insertions(+), 37 deletions(-)
diff --git a/debug-pod.yaml b/debug-pod.yaml
index 85dd773..16d7fbf 100644
--- a/debug-pod.yaml
+++ b/debug-pod.yaml
@@ -21,13 +21,7 @@ spec:
volumeMounts:
- name: bind-zones
mountPath: /mnt/zones
- - name: transfer-key-secret
- mountPath: /mnt/keys
- readOnly: true
volumes:
- name: bind-zones
persistentVolumeClaim:
- claimName: bind-hidden-primary-zones
- - name: transfer-key-secret
- secret:
- secretName: transfer-key
\ No newline at end of file
+ claimName: bind-hidden-primary-zones
\ No newline at end of file
diff --git a/deployment/deploy-yml.tmpl b/deployment/deploy-yml.tmpl
index a8c5a12..f65dce7 100644
--- a/deployment/deploy-yml.tmpl
+++ b/deployment/deploy-yml.tmpl
@@ -25,9 +25,6 @@ spec:
volumeMounts:
- name: bind-zones
mountPath: /etc/named/zones
- - name: transfer-key-secret
- mountPath: /etc/named/keys
- readOnly: true
resources:
requests:
memory: "128Mi"
@@ -49,9 +46,6 @@ spec:
- name: bind-zones
persistentVolumeClaim:
claimName: bind-hidden-primary-zones
- - name: transfer-key-secret
- secret:
- secretName: transfer-key
---
apiVersion: v1
kind: Service
diff --git a/deployment/deploy.sh b/deployment/deploy.sh
index 2fbdb00..20d39ce 100755
--- a/deployment/deploy.sh
+++ b/deployment/deploy.sh
@@ -12,23 +12,11 @@ DEPLOYMENT_DIR=$PWD/deployment
pushd $DEPLOYMENT_DIR > /dev/null
-if [ ! -f transfer-key.conf ]; then
- gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output transfer-key.conf transfer-key.conf.asc
-fi
-
kubectl create namespace $NAMESPACE \
--dry-run=client \
-o yaml | \
kubectl -f - apply
-# Create secret for transfer-key
-kubectl create secret generic transfer-key \
- --from-file=transfer-key.conf=transfer-key.conf \
- --namespace=$NAMESPACE \
- --dry-run=client \
- -o yaml | \
- kubectl apply -f -
-
cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
diff --git a/named.conf b/named.conf
index 356ecf1..05f4d5f 100644
--- a/named.conf
+++ b/named.conf
@@ -28,20 +28,10 @@ options {
193.47.99.3; };
- // Default transfer to secondary servers only
- allow-transfer { secondaries; };
+ // Default transfer disabled (zone-specific configuration)
+ allow-transfer { none; };
};
-// TSIG Key for secure transfers (loaded from separate file)
-include "/etc/named/keys/transfer-key.conf";
-
-// ACL for secondary servers (key-based only)
-acl "secondaries" {
- key transfer-key;
-};
-
-// Standard zone settings are defined per zone in zones.conf
-
// Zone configurations (loaded from separate file)
include "/etc/named/zones/zones.conf";
diff --git a/zones.conf b/zones.conf
index 26b2d4c..132d341 100644
--- a/zones.conf
+++ b/zones.conf
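Review bot: The new comment `// Default transfer disabled (zone-specific configuration)` in the named.conf hunk should state the consequence: with `allow-transfer { none; };` in `options`, any zone added to zones.conf without its own `allow-transfer` clause refuses AXFR/IXFR to every secondary, and that surfaces only as refused transfers in the logs, not as a `named-checkconf` error. Suggest `// Default: no zone transfers. Every zone in zones.conf that has secondaries must set its own allow-transfer (see the key/ACL pattern there).` The `options { ... };` block this change sits in opens before the hunk.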
@@ -1,10 +1,22 @@
// Zone Configurations
// This file contains all zone definitions
+// TSIG Key for whiskeylimahotel.de zone transfers
+key "whiskeylimahotel.de.93.241.86.156" {
+ algorithm hmac-sha256;
+ secret "REPLACE_WITH_YOUR_BASE64_ENCODED_KEY";
+};
+
+// ACL for whiskeylimahotel.de zone transfers
+acl "whiskeylimahotel-secondaries" {
+ key "whiskeylimahotel.de.93.241.86.156";
+};
+
// Primary zones
zone "whiskeylimahotel.de" {
type primary;
file "whiskeylimahotel.de.zone";
+ allow-transfer { "whiskeylimahotel-secondaries"; };
};
// Add additional zones here following the same pattern:
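Review bot: The TSIG secret now lives inline in zones.conf, the versioned file this hunk edits, so the real key has to be hand-edited into the copy on the zones volume; the deploy.sh hunk in this patch removes the gpg-decrypt and `kubectl create secret` path that previously kept it out of the repo and delivered it as a Kubernetes Secret. That invites either committing the live key or deploying the placeholder, and `REPLACE_WITH_YOUR_BASE64_ENCODED_KEY` is not valid base64 (underscores are outside the alphabet), so `named-checkconf` rejects the file as committed. Keep only the ACL and the zone's `allow-transfer` here and move the `key {}` statement into a file that zones.conf includes, e.g. `include "/etc/named/zones/TSIG_KEY_FILE_PLACEHOLDER.conf";`, with that file excluded from version control and provisioned from a secret store the way the removed Secret mount was. The ACL authenticates by key alone, which is acceptable for TSIG; if the `93.241.86.156` in the key name is the secondary's address, the ACL can also pin it with `!{ !93.241.86.156; any; }; key "whiskeylimahotel.de.93.241.86.156";` so that a leaked key alone is not sufficient for a transfer.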