Tomi Cvetic пре 7 година
родитељ
комит
b10bc4f9cb
17 измењених фајлова са 313 додато и 44 уклоњено
  1. 2 0
      .gitignore
  2. 11 1
      Dockerfile
  3. 12 0
      db.0
  4. 13 0
      db.127
  5. 12 0
      db.255
  6. 14 0
      db.empty
  7. 14 0
      db.local
  8. 90 0
      db.root
  9. 1 1
      ddns.key
  10. 13 9
      docker-compose.yml
  11. 9 0
      generate_zone_keys.sh
  12. 8 3
      named.conf
  13. 32 0
      named.conf.default-zones
  14. 6 0
      sign_zone.sh
  15. 20 0
      zones.rfc1918
  16. 24 12
      zones/lan.reverse.zone
  17. 32 18
      zones/slurm.ch.zone

+ 2 - 0
.gitignore

@@ -0,0 +1,2 @@
+keys/
+*.jnl

+ 11 - 1
Dockerfile

@@ -5,6 +5,16 @@ RUN apk add --no-cache --update \
 
 EXPOSE 53:53/udp
 
+COPY ddns.key /etc/bind/ddns.key
+COPY db.0 /etc/bind/db.0
+COPY db.127 /etc/bind/db.127
+COPY db.255 /etc/bind/db.255
+COPY db.empty /etc/bind/db.empty
+COPY db.local /etc/bind/db.local
+COPY db.root /etc/bind/db.root
+COPY named.conf.default-zones /etc/bind/named.conf.default-zones
+COPY zones.rfc1918 /etc/bind/zones.rfc1918
+
 VOLUME ["/etc/bind/zones"]
 
-CMD ["/usr/sbin/named", "-g", "-u", "named"]
+CMD /usr/sbin/named -f -g -u named
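Review bot: The new shell-form `CMD /usr/sbin/named -f -g -u named` makes `/bin/sh -c` PID 1, so the SIGTERM from `docker stop` is not delivered to named and the container is killed after the grace period instead of shutting down cleanly; the exec form `CMD ["/usr/sbin/named", "-g", "-u", "named"]` keeps named as PID 1, and `-g` already implies foreground so `-f` adds nothing. `COPY ddns.key /etc/bind/ddns.key` bakes the TSIG secret into an image layer, where it stays recoverable even if a later layer deletes it; mounting it at runtime the way docker-compose.yml already mounts named.conf, from the `keys/` directory that .gitignore now excludes, keeps the secret out of the image.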

+ 12 - 0
db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

+ 13 - 0
db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

+ 12 - 0
db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

+ 14 - 0
db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

+ 14 - 0
db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

+ 90 - 0
db.root

@@ -0,0 +1,90 @@
+;       This file holds the information on root name servers needed to
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:    February 17, 2016
+;       related version of root zone:   2016021701
+;
+; formerly NS.INTERNIC.NET
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file
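Review bot: The hints header says `last update: February 17, 2016`, and root server addresses have changed since (to my knowledge B.ROOT-SERVERS.NET moved to a new IPv4 address in 2017, and E and G have since gained AAAA records that are absent here); named tolerates stale hints by priming from whichever servers still answer, but the file should be refreshed from the current `named.root` when it is added. Note also that this file is copied to `/etc/bind/db.root` by the Dockerfile while named.conf.default-zones loads the hint zone from `named.ca`, so as committed it is never read.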

+ 1 - 1
ddns.key

@@ -1,4 +1,4 @@
 key DDNS_UPDATE {
   algorithm HMAC-MD5.SIG-ALG.REG.INT;
   secret "o9mU3wsAZOuwHBmNEdynjA==";
-}
+};
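Review bot: The `secret "…"` line directly above the fixed `};` is a live TSIG secret committed to the repository, and this commit only corrects the trailing semicolon; the secret should be treated as exposed and regenerated (e.g. `tsig-keygen -a hmac-sha256 DDNS_UPDATE`), with the file kept in the `keys/` directory that .gitignore now excludes. `algorithm HMAC-MD5.SIG-ALG.REG.INT;` selects HMAC-MD5, which is deprecated for TSIG; `algorithm hmac-sha256;` is accepted by both named and nsupdate. Because named.conf grants this key update rights on both dynamic zones, anyone who has cloned the repository can currently rewrite the zone data.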

+ 13 - 9
docker-compose.yml

@@ -1,9 +1,13 @@
-bind:
-  container_name: bind
-  build: .
-  volumes:
-    - ./named.conf:/etc/bind/named.conf
-    - ./zones:/etc/bind/zones
-  ports:
-    - "53:53/tcp"
-    - "53:53/udp"
+version: "3"
+
+services:
+  bind:
+    restart: always
+    container_name: bind
+    build: .
+    volumes:
+      - ./named.conf:/etc/bind/named.conf
+      - ./zones:/etc/bind/zones
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
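Review bot: `"53:53/tcp"` and `"53:53/udp"` with no host address publish the listener on every interface, and depending on how Docker handles the published port (iptables DNAT versus the userland proxy) queries may arrive with the bridge gateway as source address rather than the client's; if that happens the `acl lan` / `allow-query { lan; }` restriction in named.conf matches either everyone or nobody, which is worth verifying with one query from outside the LAN range. Binding to the LAN address, e.g. `"<LAN_IP>:53:53/udp"` (placeholder), or using `network_mode: host` so named sees real client addresses, keeps the ACL meaningful. `ddns.key` is not mounted here although named.conf and the zones are; a read-only mount would avoid baking the secret into the image.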

+ 9 - 0
generate_zone_keys.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# From https://emanuelduss.ch/2014/09/dns-zonen-mit-dnssec-signieren/
+
+# 1. Generate a DNSSEC key signing key
+dnssec-keygen -3 -a RSASHA512 -b 4096 -r /dev/urandom -n ZONE -f KSK slurm.ch
+
+# 2. Generate a DNSSEC zone signing key 
+dnssec-keygen -3 -a NSEC3RSASHA1 -b 2048 -r /dev/urandom -n ZONE slurm.ch
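Review bot: The two keys use different algorithms, `-a RSASHA512` for the KSK and `-a NSEC3RSASHA1` for the ZSK, and RFC 4035 requires every algorithm present in the apex DNSKEY RRset to sign every RRset in the zone; dnssec-signzone signs the data with the ZSK only, so the result is malformed for strict checkers (dnssec-verify) even where lenient validators accept it. NSEC3RSASHA1 is also SHA-1 based and no longer recommended for signing (RFC 8624); using one algorithm for both lines, e.g. `-a RSASHA256` (or ECDSAP256SHA256), fixes both points. The zone name is hard-coded and the keys land in the working tree; `ZONE=${1:-slurm.ch}` and `-K keys` would make the script reusable and write the keys into the directory .gitignore excludes.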

+ 8 - 3
named.conf

@@ -1,3 +1,5 @@
+include "/etc/bind/zones.rfc1918";
+include "/etc/bind/named.conf.default-zones";
 include "/etc/bind/ddns.key";
 
 acl lan {
@@ -20,7 +22,7 @@ options {
 	allow-transfer { none; };
 	allow-update { none; };
 
-	recursion yes;
+	allow-recursion { lan; };
 	allow-query { lan; };
 };
 
@@ -28,27 +30,30 @@ zone "slurm.ch" IN {
 	type master;
 	notify no;
 	file "/etc/bind/zones/slurm.ch.zone";
-	allow-update { key DNS_UPDATE; };
+	allow-update { key DDNS_UPDATE; };
 };
 
 zone "10.in-addr.arpa" {
 	type master;
 	notify no;
 	file "/etc/bind/zones/lan.reverse.zone";
-	allow-update { key DNS_UPDATE; };
+	allow-update { key DDNS_UPDATE; };
 };
 
 zone "86.138.11.185.in-addr.arpa" {
 	type master;
+	notify no;
 	file "/etc/bind/zones/flexo.reverse.zone";
 };
 
 zone "145.168.214.91.in-addr.arpa" {
 	type master;
+	notify no;
 	file "/etc/bind/zones/fender.reverse.zone";
 };
 
 zone "104.92.33.178.in-addr.arpa" {
 	type master;
+	notify no;
 	file "/etc/bind/zones/fnog.reverse.zone";
 };
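Review bot: `allow-update { key DDNS_UPDATE; };` in the slurm.ch and 10.in-addr.arpa zones of the third hunk lets any holder of the TSIG key add, change or delete any record, including the apex SOA/NS and the public A records for flexo, fender and fnog; for DHCP-driven updates `update-policy { grant DDNS_UPDATE zonesub A AAAA PTR TXT; };` (which replaces `allow-update`, the two are mutually exclusive) limits a leaked key to host records. The move from `recursion yes;` to `allow-recursion { lan; };` in the second hunk is the right direction, but `allow-query { lan; };` still applies to the authoritative zones, so if slurm.ch and the public reverse zones are meant to answer from the Internet they need a per-zone `allow-query { any; };`. The `options` block begins outside the hunk, so I cannot see whether `directory` or `listen-on` are set.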

+ 32 - 0
named.conf.default-zones

@@ -0,0 +1,32 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "named.ca";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	notify no;
+	file "pri/localhost.zone";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	notify no;
+	file "pri/127.zone";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
+
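Review bot: `file "named.ca";`, `file "pri/localhost.zone";` and `file "pri/127.zone";` name files the Dockerfile never creates — it copies the root hints to `/etc/bind/db.root` and the loopback zones to `/etc/bind/db.local` and `/etc/bind/db.127` — so unless the `directory` option (outside this view) makes those relative names resolve, the hint zone and both loopback zones fail to load at startup and the server runs without the configured root hints. The paths should follow the copied files: `file "/etc/bind/db.root";`, `file "/etc/bind/db.local";`, `file "/etc/bind/db.127";`. The `0.in-addr.arpa` and `255.in-addr.arpa` zones also lack the `notify no;` carried by the other master zones in this file and in named.conf.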

+ 6 - 0
sign_zone.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# From https://emanuelduss.ch/2014/09/dns-zonen-mit-dnssec-signieren/
+
+# 1. Generate a DNSSEC key signing key
+dnssec-signzone -3 `head -c 512 /dev/urandom | sha1sum | cut -b 1-16` -H 330 -t -o slurm.ch slurm.ch.zone
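Review bot: The comment `# 1. Generate a DNSSEC key signing key` is carried over from generate_zone_keys.sh and does not describe this line, which signs the zone; `# Sign slurm.ch.zone with NSEC3 using the keys in the current directory` would. `-H 330` requests 330 NSEC3 iterations with a random 16-hex-digit salt; RFC 9276 recommends zero iterations and no salt (`-3 - -H 0`), and recent BIND validators treat zones above their iteration limit as insecure, so the extra iterations cost validation without adding protection. The backtick pipeline `head -c 512 /dev/urandom | sha1sum | cut -b 1-16` becomes unnecessary with an empty salt, and would otherwise read better as `$(…)`.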

+ 20 - 0
zones.rfc1918

@@ -0,0 +1,20 @@
+//zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
+ 
+zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+
+//zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
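Review bot: The commented-out `//zone "10.in-addr.arpa"` and `//zone "168.192.in-addr.arpa"` lines carry no explanation; since named.conf defines `10.in-addr.arpa` as a dynamic master zone and a duplicate zone definition is a configuration error, a comment such as `// 10.in-addr.arpa is served as a dynamic zone from named.conf` above the first line records why it is disabled here. `168.192.in-addr.arpa` is not defined anywhere else in this commit, so either a comment on why it is excluded or re-enabling it would keep 192.168/16 reverse lookups from leaking to the root servers, which is what this file exists to prevent.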

+ 24 - 12
zones/lan.reverse.zone

@@ -1,12 +1,24 @@
-$TTL 1D
-@								IN	SOA	ns.slurm.ch.	root.slurm.ch. (
-			2018072001	; Serial
-			8h		; Refresh
-			2h		; Retry
-			4w		; Expire
-			2d )		; TTL Negative Cache
-
-@								IN	NS	ns.slurm.ch.
-
-1.0.0							IN	PTR	hubert.slurm.ch.
-
+$ORIGIN .
+$TTL 86400	; 1 day
+10.in-addr.arpa		IN SOA	ns.slurm.ch. root.slurm.ch. (
+				2018072043 ; serial
+				28800      ; refresh (8 hours)
+				7200       ; retry (2 hours)
+				2419200    ; expire (4 weeks)
+				172800     ; minimum (2 days)
+				)
+			NS	ns.slurm.ch.
+$ORIGIN 0.0.10.in-addr.arpa.
+1			PTR	hubert.slurm.ch.
+$TTL 3600	; 1 hour
+100			PTR	NWA1123-AC-PRO.slurm.ch.
+$TTL 300	; 5 minutes
+101			PTR	raspberrypi.slurm.ch.
+$ORIGIN 100.0.10.in-addr.arpa.
+1			PTR	raspberrypi.slurm.ch.
+$TTL 3600	; 1 hour
+3			PTR	NWA1123-AC-PRO.slurm.ch.
+$TTL 300	; 5 minutes
+6			PTR	TV-Box-ff7c79c601bacdee.slurm.ch.
+$ORIGIN 10.in-addr.arpa.
+4.100.10		PTR	fry.slurm.ch.
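Review bot: The new content is named's own dump of the dynamic zone (`$ORIGIN` blocks, serial 2018072043, per-record `$TTL`), so this file is now written by the running server as well as by git; with `./zones` bind-mounted and `*.jnl` ignored, a later checkout can put a serial on disk below what the journal holds, and named then refuses to load the zone until the journal is removed. Dynamic zones are better kept out of version control, or seeded once and then left to named — the same applies to zones/slurm.ch.zone below. Separately, `NS ns.slurm.ch.` and the SOA MNAME `ns.slurm.ch.` refer to a name that slurm.ch.zone does not define (its apex NS is `hubert.slurm.ch.`), so the reverse zone's only name server does not resolve.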

+ 32 - 18
zones/slurm.ch.zone

@@ -1,18 +1,32 @@
-$TTL 1d
-@ IN SOA ns.slurm.ch. root.slurm.ch. (
-        2018072001      ; serial
-        1d	        ; refresh (8 hours)
-        6h              ; retry (2 hours)
-        4w              ; expire (4 weeks)
-        1d              ; minimum (1 day)
-)
-@               IN      NS              hubert
-@               IN      MX      10      fender
-flexo           IN      A               185.11.138.86
-fender          IN      A               91.214.168.145
-fnog            IN      A               178.33.92.104
-mail            IN      CNAME           fender
-www             IN      CNAME   	flexo
-*		IN	CNAME		flexo
-
-hubert		IN	A		10.0.0.1
+$ORIGIN .
+$TTL 86400	; 1 day
+slurm.ch		IN SOA	ns.slurm.ch. root.slurm.ch. (
+				2018072059 ; serial
+				86400      ; refresh (1 day)
+				21600      ; retry (6 hours)
+				2419200    ; expire (4 weeks)
+				86400      ; minimum (1 day)
+				)
+			NS	hubert.slurm.ch.
+			MX	10 fender.slurm.ch.
+$ORIGIN slurm.ch.
+fender			A	91.214.168.145
+flexo			A	185.11.138.86
+fnog			A	178.33.92.104
+$TTL 300	; 5 minutes
+fry			A	10.10.100.4
+			TXT	"007b66c271b72e45e15c562ac919b16850"
+$TTL 86400	; 1 day
+git			CNAME	flexo
+hubert			A	10.0.0.1
+mail			CNAME	fender
+$TTL 3600	; 1 hour
+NWA1123-AC-PRO		A	10.0.100.3
+			TXT	"3195b54ef847ada6922598e66d06cb76ee"
+$TTL 300	; 5 minutes
+TV-Box-ff7c79c601bacdee	A	10.0.100.6
+			TXT	"31d19f5fa8ed4731235236e8a8bdcd7a50"
+$TTL 86400	; 1 day
+wiki			CNAME	flexo
+www			CNAME	flexo
+*                       CNAME   flexo
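Review bot: The SOA MNAME `ns.slurm.ch.` on the `IN SOA` line has no A record in this zone — the apex `NS hubert.slurm.ch.` resolves to 10.0.0.1 — so the primary named in the SOA is unresolvable, and zones/lan.reverse.zone delegates to the same missing name; either add `ns A 10.0.0.1` next to `hubert` or change the MNAME to `hubert.slurm.ch.`. The three `TXT` records with 34-hex-digit values under fry, NWA1123-AC-PRO and TV-Box-ff7c79c601bacdee look like dhcpd interim-style DDNS client identifiers rather than hand-maintained data, a further sign that this file is a server dump; if that is intended, a leading comment stating that the file is owned by named and must not be edited by hand would stop the next maintainer from writing to it while the server holds a journal.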