Question
Monday, July 22, 2019 12:55 PM
Hi Everyone,
We have an internal AD-integrated DNS domain.
Our Linux team wants to automate some DNS tasks (like creating and deleting A and CNAME records) using Ansible.
For this we have created an AD-integrated subdomain.
They wanted to use the module linked below (nsupdate):
https://docs.ansible.com/ansible/latest/modules/nsupdate_module.html
For them to continue, it requires a secret key. Can anybody help me get this key?
Thanks
Anka
All replies (4)
Thursday, July 25, 2019 9:29 AM
Hi,
Can anybody help me on this?
Thanks
Anka
Monday, July 29, 2019 5:55 AM
Hello,
Please take a look at this article.
"TSIG. A resource record specified in the IETF Internet-Draft "Secret Key Transaction Signatures for DNS (TSIG)," to send and verify signature-protected messages.
To see the TKEY and TSIG records being passed across the network, you can use Network Monitor. Versions 6.12 and later decode the resource records."
Best Regards,
Leon
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, July 31, 2019 2:32 AM
Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Leon
Sunday, September 8, 2019 10:32 PM | 1 vote
Hi Anka:
Despite the documentation, the nsupdate module does not support GSS-TSIG, apparently needed for interaction with modern versions of Microsoft DNS (https://github.com/ansible/ansible/issues/57294). I have used three different methods to accomplish the same thing, with pros and cons to each:
1. Use the shell module with "nsupdate -g" on the command line, as in:
- name: Add a record
  delegate_to: localhost
  shell: |
    echo "server dc1.foo.bar
    zone foo.bar
    update add baz.foo.bar 3600 IN A 192.168.1.1
    send
    answer
    quit" | nsupdate -g
Pros: easier to troubleshoot. Cons: the record is created with the default aging settings for dynamic updates, so it may not be static. Also, you'll need to run "kinit [email protected]" before running this task to get a Kerberos ticket.
2. Install PowerShell on the Ansible controller and run a script locally. This is messy, but gives a lot of flexibility. I don't have an example on hand.
3. If you have an account that can log into a Windows box, you can use the win_dns_record module. You don't necessarily need to be able to log into the domain controller, just something running PS on Windows where the "Add-DnsServerResourceRecord" cmdlet is available.
- name: Add a record
  delegate_to: some-win-box.foo.bar
  vars:
    ansible_username: "{{ win_user }}@FOO.BAR"
    ansible_password: "{{ win_pass }}"
    ansible_connection: psrp
    # plain HTTP with certificate validation off: Kerberos auth still encrypts the PSRP
    # payload, but HTTPS with a validated certificate is the safer transport
    ansible_psrp_cert_validation: ignore
    ansible_psrp_protocol: http
    ansible_psrp_auth: kerberos
  win_dns_record:
    computer_name: dc1.foo.bar
    name: baz
    zone: foo.bar
    type: A
    value: 192.168.1.1
    state: present
If you can log into the DC directly, you can set that for "delegate_to" and drop the "computer_name" parameter.
As an aside, the nsupdate module relies on dnspython, which itself doesn't support GSS-TSIG. So it may be a while before the upstream issue is worked out.
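Added example, not code from this thread or from Ansible: a small Python helper for method 1 that generates the `nsupdate -g` stanza and pipes it to nsupdate without a shell. It generalises the answer's single `update add` to creating and deleting both A and CNAME records (the question's use case) and validates every field before interpolation, so a templated variable cannot inject an extra update command into a Kerberos-authorised update. Names, zone and address are the thread's placeholders.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 host label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _check_fqdn(name: str) -> str:
    """Lower-case a DNS name and reject anything that is not plain labels joined by dots."""
    name = name.rstrip(".").lower()
    if not name or not all(_LABEL.fullmatch(label) for label in name.split(".")):
        raise ValueError(f"invalid DNS name: {name!r}")
    return name


def build_nsupdate_script(server, zone, name, rtype, value, ttl=3600, state="present"):
    """Return the stanza to feed `nsupdate -g` for one A or CNAME record.

    Every field is validated before it is interpolated, so a templated Ansible variable
    cannot smuggle an extra nsupdate command (e.g. via a newline) into the signed update.
    """
    server, zone, name = _check_fqdn(server), _check_fqdn(zone), _check_fqdn(name)
    if name != zone and not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    if rtype == "A":
        value = str(ipaddress.IPv4Address(value))  # raises on anything but a dotted quad
    elif rtype == "CNAME":
        value = _check_fqdn(value)                 # alias target may live outside the zone
    else:
        raise ValueError(f"unsupported record type: {rtype}")
    if not isinstance(ttl, int) or ttl < 0:
        raise ValueError("ttl must be a non-negative integer")
    # Deleting the RRset before adding makes a changed value replace the old one instead
    # of accumulating; both operations travel in the same atomic UPDATE message.
    ops = [f"update delete {name} {rtype}"]
    if state == "present":
        ops.append(f"update add {name} {ttl} IN {rtype} {value}")
    elif state != "absent":
        raise ValueError(f"state must be 'present' or 'absent', got {state!r}")
    return "\n".join([f"server {server}", f"zone {zone}", *ops, "send", "answer", "quit"]) + "\n"


def run_nsupdate(script: str) -> int:
    """Pipe the stanza into `nsupdate -g` (GSS-TSIG, so a Kerberos ticket from kinit must exist).
    The argv list goes straight to exec: no shell ever sees the stanza. Returns the exit code."""
    return subprocess.run(["nsupdate", "-g"], input=script, text=True).returncode
```

Called from an Ansible task (for example via the script or command module), the helper still depends on a valid ticket from kinit, exactly as the shell version does.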