authorGraham Hayes <gr@ham.ie>2019-03-14 16:36:46 +0000
committerGraham Hayes <gr@ham.ie>2019-03-22 14:37:35 +0000
commit5acaf2a0dba20552d97fbff85393ae614bd9a5c5 (patch)
tree5cadb073aebd0ca42b816b09d5f626784a21354f
parent4478bc3f2fec7ebeb68980606ad058f17bdcb2b2 (diff)
Allow pdns4 backend to select tsigkey
Allow a new config item in pools.yaml to set the pdns tsigkey to use for AXFR queries. Change-Id: Ibb4fb604957286c6edfe85f72321f199eb3167a7 Closes-Bug: #1820089 Signed-off-by: Graham Hayes <gr@ham.ie>
-rw-r--r--designate/backend/impl_pdns4.py3
-rw-r--r--doc/source/admin/backends/pdns4.rst27
-rw-r--r--doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml2
-rw-r--r--releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml10
4 files changed, 42 insertions, 0 deletions
diff --git a/designate/backend/impl_pdns4.py b/designate/backend/impl_pdns4.py
index aceb9c3f..bc04af38 100644
--- a/designate/backend/impl_pdns4.py
+++ b/designate/backend/impl_pdns4.py
@@ -35,6 +35,7 @@ class PDNS4Backend(base.Backend):
self.api_endpoint = self.options.get('api_endpoint')
self.api_token = self.options.get('api_token')
+ self.tsigkey_name = self.options.get('tsigkey_name', None)
def _build_url(self, zone=''):
r_url = urllib.parse.urlparse(self.api_endpoint)
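Review bot: The explicit `None` default in the added line `self.tsigkey_name = self.options.get('tsigkey_name', None)` is redundant, since `.get` on a mapping already yields None for a missing key, and it breaks the pattern of the two `self.options.get(...)` lines directly above it; `self.tsigkey_name = self.options.get('tsigkey_name')` reads the same as its neighbours. This assumes `self.options` is a plain mapping, as the surrounding calls suggest. The `__init__` holding this assignment begins outside the hunk, and `_build_url` runs past its end.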
@@ -53,6 +54,8 @@ class PDNS4Backend(base.Backend):
"masters": masters,
}
+ if self.tsigkey_name:
+ data['slave_tsig_key_ids'] = [self.tsigkey_name]
headers = {
"X-API-Key": self.api_token
}
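Review bot: When `tsigkey_name` is set the key is only passed along in `data['slave_tsig_key_ids']`, and nothing in this hunk records that a signed transfer was requested, so a key name that the PowerDNS server does not know, or that an older server ignores (the docs in this commit say the field needs 4.2 or newer), leaves the zone transferring unsigned with no trace in Designate's own logs. Consider emitting a debug-level log entry inside the `if self.tsigkey_name:` branch that names the key being requested for the zone, so an operator can correlate an unsigned AXFR with pool configuration; how PowerDNS reacts to an unknown key name is not shown on this page and would need confirming. The method that builds `data` starts and ends outside the hunk.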
diff --git a/doc/source/admin/backends/pdns4.rst b/doc/source/admin/backends/pdns4.rst
index a668d65a..8120ab49 100644
--- a/doc/source/admin/backends/pdns4.rst
+++ b/doc/source/admin/backends/pdns4.rst
@@ -55,4 +55,31 @@ See :ref:`designate_manage_pool` for further details on
the ``designate-manage pool`` command, and :ref:`pools`
for information about the yaml file syntax
+
+TSIG Key Configuration
+----------------------
+
+.. note:: This is only available in PowerDNS 4.2 or newer
+
+In some cases a deployer may need to use tsig keys to sign AXFR (zone transfer)
+requests. As pdns does not support a per host key setup, this needs to be set
+on a per zone basis, on creation.
+
+To do this, generate a tsigkey on the PowerDNS Server:
+
+.. code-block:: bash
+
+ $ pdnsutil generate-tsig-key <keyname> hmac-sha512
+ Create new TSIG key keyname hmac-sha512 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg==
+
+Then insert it into Designate. Make sure the pool id is correct
+(the ``--resource-id`` below.)
+
+.. code-block:: bash
+
+ openstack tsigkey create --name <keyname> --algorithm hmac-sha512 --secret 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg== --scope POOL --resource-id 794ccc2c-d751-44fe-b57f-8894c9f5c842
+
+Then add it to the ``pools.yaml`` file as shown in the example. The ID used is
+the name of the key in the PowerDNS server.
+
.. _PowerDNS Docs: https://doc.powerdns.com/md/authoritative/installation/
diff --git a/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml b/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml
index 0bd63fd3..53e2a1cd 100644
--- a/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml
+++ b/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml
@@ -14,3 +14,5 @@
port: 53
api_endpoint: http://127.0.0.1:8081
api_token: changeme
+ # If a tsigkey is needed, uncomment the line below and insert the name
+ # tsigkey_name: <keyname>
diff --git a/releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml b/releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml
new file mode 100644
index 00000000..1bc19d0f
--- /dev/null
+++ b/releasenotes/notes/pdns4-tsig-1fda534c01d90138.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Adds a new option for pools using the ``pdns4`` backend: ``tsigkey_name``.
+ This allows deployers to specify a tsig key that is installed in powerdns
+ to use for AFXR requests. This key name is the name used to create the key
+ in powerdns, not the Designate UUID based ID for the key.
+
+ .. note:: This is only available in the 4.2.x versions (and above) of pdns.
+