Skip to content

Allow Route53 DNSSEC Signing #1976

New issue
New issue
Closed
#2421
#2412
Closed
Allow Route53 DNSSEC Signing#1976
#2421
#2412
Labels
featureThis issue/PR relates to a feature requestjira
@rvgate

Description

@rvgate
rvgate
opened on Feb 14, 2024

Summary

Route53 allows enabling DNSSEC keys on registered domain, and also enable DNSSEC signing per hosted zone. It would be amazing if this was configurable through Ansible as well.

It would probably be a combination of using kms module to create the key and then applying it to the zone.

kms_key: seems to be missing the action GetPublicKey to configure this correctly
route53_zone: allow DNSSEC to be enabled, referring to a key

the final step would be to enable the trust chain somehow, which is configured at the "Registered domains" section within AWS. I dont think there is currently an Ansible module for that.

Issue Type

Feature Idea

Component Name

route53_zone, route53, kms_key

Additional Information

The feature would combine multiple modules to fully enable DNSSEC signing for a domain.

Step 1)
Configure an KMS key using the kms_key module, ending up with the required policy (principal/serviceaccount masked):

{
    "Version": "2012-10-17",
    "Id": "dnssec-policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXX:YYY"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow Route 53 DNSSEC Service",
            "Effect": "Allow",
            "Principal": {
                "Service": "dnssec-route53.amazonaws.com"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:GetPublicKey",
                "kms:Sign"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "XXX"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:route53:::hostedzone/*"
                }
            }
        },
        {
            "Sid": "Allow Route 53 DNSSEC to CreateGrant",
            "Effect": "Allow",
            "Principal": {
                "Service": "dnssec-route53.amazonaws.com"
            },
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Step 2)
Configure the hosted zone, enabling DNSSEC signing:

- name: create hosted zone
  amazon.aws.route53_zone:
    access_key: "{{ aws.access_key_id }}"
    aws_secret_access_key: "{{ aws.secret_access_key }}"
    zone: mydomain.com
    dnssec:
      enabled: yes
      ksk_name: "{{ ksk.name }}"
      signing_key: "{{ kms.arn }}"

Step 3)
Establish a chain of trust for the domain (i dont think there is a module currently available that does anything related to TLD requests)

- name: update chain
  amazon.aws.??????:
    access_key: "{{ aws.access_key_id }}"
    aws_secret_access_key: "{{ aws.secret_access_key }}"
    domain: mydomain.com
    dnssec_keys:
        - tag: 12345
          key_type:  "{{ kms.type }}"
          algorithm: "{{ kms.algorithm }}"
          public_key: "{{ kms.public_key }}"

Code of Conduct

  • I agree to follow the Ansible Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    featureThis issue/PR relates to a feature requestjira

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions