From 6c406f825b7e56310f95f178bcdd7fd3ced3beb8 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Wed, 14 Nov 2018 12:44:09 +0000
Subject: [PATCH] Tighten permissions on zone keys

Remove world-readable/traversable bits from permissions on the BIND
DNSSEC keys directory and the keys themselves (not actually
necessary for the public key files, but added for consistency as
they share a directory with the private keys). Note that this
matches the permissions and ownership of the existing
adns1.openstack.org server.

Change-Id: I015777ee346fefcaa92e64ad2ee88a41c7ea9bde
---
 playbooks/roles/master-nameserver/tasks/main.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/playbooks/roles/master-nameserver/tasks/main.yaml b/playbooks/roles/master-nameserver/tasks/main.yaml
index a248518bc0..4d6c59b420 100644
--- a/playbooks/roles/master-nameserver/tasks/main.yaml
+++ b/playbooks/roles/master-nameserver/tasks/main.yaml
@@ -46,17 +46,26 @@
   file:
     path: "/etc/bind/keys/{{ item.name }}"
     state: directory
+    owner: root
+    group: bind
+    mode: 0750
 - name: Install dnssec public keys
   loop: "{{ dnssec_keys | dict2items }}"
   copy:
     dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.key"
     content: "{{ item.value.public }}"
+    owner: root
+    group: bind
+    mode: 0440
 - name: Install dnssec private keys
   no_log: true
   loop: "{{ dnssec_keys | dict2items }}"
   copy:
     dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.private"
     content: "{{ item.value.private }}"
+    owner: root
+    group: bind
+    mode: 0440
 - name: Install bind config
   template:
     src: templates/named.conf.j2
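Review bot: The new `mode: 0750` and `mode: 0440` values are unquoted octal literals, which YAML 1.1 loaders (PyYAML, as used by Ansible) parse to the integers 488 and 288 before the file module sees them; Ansible does handle the leading-zero form, but the same task with `mode: 750` would silently become a very different permission set, and ansible-lint's risky-octal rule flags the unquoted form for that reason. Quoting them as strings, `mode: "0750"` and `mode: "0440"`, is the idiomatic Ansible way to make the intent unambiguous and keeps all three tasks consistent. Note also that the hunk only tightens the per-zone subdirectories and key files; the parent `/etc/bind/keys` directory is created outside this hunk, so its mode cannot be confirmed from what is shown here and is worth checking for the same world-traversable bit.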