[bind] Use zone for ACME

2020-04-26 19:32:12 +02:00 · 2020-04-26 19:32:12 +02:00 · 7e59fd079d
parent a99fd4616c
commit 7e59fd079d
1 changed files with 20 additions and 14 deletions
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@ -11,27 +11,17 @@
 {%- set is_master = ansible_all_ipv4_addresses | intersect(masters_ipv4) %}

 {% if is_master -%}
-// Let's Encrypt Challenge DNS-01
+// Let's Encrypt Challenge DNS-01 key
 key "certbot_challenge." {
 	algorithm hmac-sha512;
 	secret "{{ certbot_dns_secret }}";
 };
 {% endif %}

-// Crans zones
-{% for zone in bind.zones %}
-zone "{{ zone }}" {
-	{% if is_master -%}
+// Let's Encrypt Challenge DNS-01 zone
+zone "_acme-challenge.crans.org" {
 	type master;
-	file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
-	forwarders {
-		{% for ip in slaves_ipv4 -%}
-		{{ ip }};
-		{% endfor -%}
-		{% for ip in slaves_ipv6 -%}
-		{{ ip }};
-	{% endfor -%}
-	};
+	file "bak._acme-challenge.db";
 	allow-transfer {
 		{% for ip in slaves_ipv4 -%}
 		{{ ip }};
@ -43,6 +33,22 @@ zone "{{ zone }}" {
 	update-policy {
 		grant certbot_challenge. name _acme-challenge.{{ zone }} txt;
 	};
+};
+
+// Crans zones
+{% for zone in bind.zones %}
+zone "{{ zone }}" {
+	{% if is_master -%}
+	type master;
+	file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
+	allow-transfer {
+		{% for ip in slaves_ipv4 -%}
+		{{ ip }};
+		{% endfor -%}
+		{% for ip in slaves_ipv6 -%}
+		{{ ip }};
+	{% endfor -%}
+	};
 	notify yes;
 	{% else -%}
 	type slave;