-
Notifications
You must be signed in to change notification settings - Fork 319
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow Route53 DNSSEC Signing #1976
Comments
@rvgate Thanks for the feature idea! Is this something you'd be willing to open a pull request for? |
hakbailey
added
the
waiting_on_contributor
Needs help. Feel free to engage to get things unblocked
label
Feb 20, 2024
@hakbailey Personally I never touched these modules so would have no idea what the best way is to implement these features. Not sure if I'm the right person to make a PR on this request. |
@rvgate No problem, thanks for letting us know. We can add this to our backlog. |
hakbailey
added
jira
feature
This issue/PR relates to a feature request
and removed
needs_triage
labels
Feb 27, 2024
GomathiselviS
removed
the
waiting_on_contributor
Needs help. Feel free to engage to get things unblocked
label
May 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
Route53 allows enabling DNSSEC keys on registered domain, and also enable DNSSEC signing per hosted zone. It would be amazing if this was configurable through Ansible as well.
It would probably be a combination of using kms module to create the key and then applying it to the zone.
kms_key: seems to be missing the action GetPublicKey to configure this correctly
route53_zone: allow DNSSEC to be enabled, referring to a key
the final step would be to enable the trust chain somehow, which is configured at the "Registered domains" section within AWS. I dont think there is currently an Ansible module for that.
Issue Type
Feature Idea
Component Name
route53_zone, route53, kms_key
Additional Information
The feature would combine multiple modules to fully enable DNSSEC signing for a domain.
Step 1)
Configure an KMS key using the kms_key module, ending up with the required policy (principal/serviceaccount masked):
Step 2)
Configure the hosted zone, enabling DNSSEC signing:
Step 3)
Establish a chain of trust for the domain (i dont think there is a module currently available that does anything related to TLD requests)
Code of Conduct
The text was updated successfully, but these errors were encountered: