Tighten permissions on zone keys

Remove world-readable/traversable bits from permissions on the BIND DNSSEC keys directory and the keys themselves (not actually necessary for the public key files, but added for consistency as they share a directory with the private keys). Note that this matches the permissions and ownership of the existing adns1.openstack.org server. Change-Id: I015777ee346fefcaa92e64ad2ee88a41c7ea9bde
2018-11-14 12:44:09 +00:00 · 2018-11-14 12:44:09 +00:00 · 6c406f825b
commit 6c406f825b
parent 3bb6841b33
1 changed files with 9 additions and 0 deletions
--- a/playbooks/roles/master-nameserver/tasks/main.yaml
+++ b/playbooks/roles/master-nameserver/tasks/main.yaml
@ -46,17 +46,26 @@
  file:
    path: "/etc/bind/keys/{{ item.name }}"
    state: directory
+    owner: root
+    group: bind
+    mode: 0750
 - name: Install dnssec public keys
  loop: "{{ dnssec_keys | dict2items }}"
  copy:
    dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.key"
    content: "{{ item.value.public }}"
+    owner: root
+    group: bind
+    mode: 0440
 - name: Install dnssec private keys
  no_log: true
  loop: "{{ dnssec_keys | dict2items }}"
  copy:
    dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.private"
    content: "{{ item.value.private }}"
+    owner: root
+    group: bind
+    mode: 0440
 - name: Install bind config
  template:
    src: templates/named.conf.j2