From 217a5b7d29f01fba37262196cf031b0bb1d0fa1c Mon Sep 17 00:00:00 2001 From: David Blacka Date: Fri, 24 Feb 2023 20:37:14 -0500 Subject: [PATCH] break up config; add run_rndc.sh --- cfg/named.conf | 86 ++------------- cfg/named.dnssec.conf | 7 ++ cfg/named.keys.conf | 4 + cfg/named.logging.conf | 40 +++++++ cfg/named.options.conf | 13 +++ cfg/named.primary.conf | 229 +++++++++++++++++++++++++++++++++++++++ cfg/named.rndc.conf | 9 ++ cfg/named.secondary.conf | 8 ++ cfg/named.zones.conf | 168 ---------------------------- run_rndc.sh | 4 + 10 files changed, 321 insertions(+), 247 deletions(-) create mode 100644 cfg/named.dnssec.conf create mode 100644 cfg/named.keys.conf create mode 100644 cfg/named.logging.conf create mode 100644 cfg/named.options.conf create mode 100644 cfg/named.primary.conf create mode 100644 cfg/named.rndc.conf create mode 100644 cfg/named.secondary.conf delete mode 100644 cfg/named.zones.conf create mode 100755 run_rndc.sh diff --git a/cfg/named.conf b/cfg/named.conf index 0b5176f..56a5e98 100644 --- a/cfg/named.conf +++ b/cfg/named.conf 
@@ -1,79 +1,7 @@ -options { - directory "/var/cache/bind"; - statistics-file "/var/cache/bind/named.stats.txt"; - session-keyfile "/var/cache/bind/session.key"; - pid-file "/var/cache/bind/named.pid"; - lock-file "/var/cache/bind/named.lock"; - - listen-on { 127.0.0.1; }; - listen-on-v6 { ::1; }; - allow-recursion { 127.0.0.1; ::1; }; - - dnssec-validation yes; -}; - -logging { - channel "dnssec" { - file "/var/log/named/dnssec.log"; - print-category yes; - print-severity yes; - print-time iso8601-utc; - }; - channel "security" { - file "/var/log/named/security.log"; - print-category yes; - print-severity yes; - print-time iso8601-utc; - }; - channel "xfr-in" { - file "/var/log/named/xfr-in.log"; - print-category yes; - print-severity yes; - print-time iso8601-utc; - }; - channel "xfr-out" { - file "/var/log/named/xfr-out.log"; - print-category yes; - print-severity yes; - print-time iso8601-utc; - }; - channel "default" { - file "/var/log/named/named.log"; - print-category yes; - print-severity yes; - print-time iso8601-utc; - }; - category dnssec { dnssec; }; - category security { security; }; - category xfer-in { xfr-in; }; - category xfer-out { xfr-out; }; - category general { default; }; - category config { default; }; - category notify { xfr-out; }; - category zoneload { default; }; -}; - -key "rndc-key" { - algorithm hmac-sha256; - secret "Divr3QQ1G6qBBuRAx1QPiE4hFwnC6of6z3o82PYf7TY="; -}; - -controls { - inet 127.0.0.1 port 953 - allow { 127.0.0.1; } keys { "rndc-key"; }; -}; - -include "/etc/bind/keys/zeke-tornado.keys"; -include "/etc/bind/keys/zeke-ogud.keys"; -include "/etc/bind/keys/named_hxr_us.keys"; -include "/etc/bind/keys/named_knitbot_org.keys"; - -dnssec-policy "custom" { - dnskey-ttl 7200; - keys { - csk lifetime unlimited algorithm ed25519; - }; - nsec3param iterations 0 optout no salt-length 0; -}; - -include "/etc/bind/named.zones.conf"; +include "/etc/bind/named.options.conf"; +include "/etc/bind/named.logging.conf"; +include 
"/etc/bind/named.dnssec.conf"; +include "/etc/bind/named.rndc.conf"; +include "/etc/bind/named.keys.conf"; +include "/etc/bind/named.primary.conf"; +include "/etc/bind/named.secondary.conf"; diff --git a/cfg/named.dnssec.conf b/cfg/named.dnssec.conf new file mode 100644 index 0000000..7e7795e --- /dev/null +++ b/cfg/named.dnssec.conf @@ -0,0 +1,7 @@ +dnssec-policy "simple_alg15" { + dnskey-ttl 7200; + keys { + csk lifetime unlimited algorithm ed25519; + }; + nsec3param iterations 0 optout no salt-length 0; +}; \ No newline at end of file diff --git a/cfg/named.keys.conf b/cfg/named.keys.conf new file mode 100644 index 0000000..994e5ff --- /dev/null +++ b/cfg/named.keys.conf @@ -0,0 +1,4 @@ +include "/etc/bind/keys/zeke-tornado.keys"; +include "/etc/bind/keys/zeke-ogud.keys"; +include "/etc/bind/keys/named_hxr_us.keys"; +include "/etc/bind/keys/named_knitbot_org.keys"; diff --git a/cfg/named.logging.conf b/cfg/named.logging.conf new file mode 100644 index 0000000..c33d4cd --- /dev/null +++ b/cfg/named.logging.conf @@ -0,0 +1,40 @@ +logging { + channel "dnssec" { + file "/var/log/named/dnssec.log"; + print-category yes; + print-severity yes; + print-time iso8601-utc; + }; + channel "security" { + file "/var/log/named/security.log"; + print-category yes; + print-severity yes; + print-time iso8601-utc; + }; + channel "xfr-in" { + file "/var/log/named/xfr-in.log"; + print-category yes; + print-severity yes; + print-time iso8601-utc; + }; + channel "xfr-out" { + file "/var/log/named/xfr-out.log"; + print-category yes; + print-severity yes; + print-time iso8601-utc; + }; + channel "default" { + file "/var/log/named/named.log"; + print-category yes; + print-severity yes; + print-time iso8601-utc; + }; + category dnssec { dnssec; }; + category security { security; }; + category xfer-in { xfr-in; }; + category xfer-out { xfr-out; }; + category general { default; }; + category config { default; }; + category notify { xfr-out; }; + category zoneload { default; }; +}; 
diff --git a/cfg/named.options.conf b/cfg/named.options.conf
new file mode 100644
index 0000000..b469e4c
--- /dev/null
+++ b/cfg/named.options.conf
@@ -0,0 +1,13 @@
+options {
+ directory "/var/cache/bind";
+ statistics-file "/var/cache/bind/named.stats.txt";
+ session-keyfile "/var/cache/bind/session.key";
+ pid-file "/var/cache/bind/named.pid";
+ lock-file "/var/cache/bind/named.lock";
+
+ listen-on { 127.0.0.1; 70.164.19.155; 70.164.19.156; };
+ listen-on-v6 { ::1; };
+ allow-recursion { 127.0.0.1; ::1; };
+
+ dnssec-validation yes;
+};
diff --git a/cfg/named.primary.conf b/cfg/named.primary.conf
new file mode 100644
index 0000000..0d351bf
--- /dev/null
+++ b/cfg/named.primary.conf
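Review bot: `listen-on` now binds two public addresses (70.164.19.155 and 70.164.19.156) where the previous named.conf bound loopback only, so this instance becomes reachable from the Internet; `allow-recursion` is correctly limited to localhost, but nothing throttles the authoritative side against use as an amplification reflector. Consider adding `rate-limit { responses-per-second 10; };` and `minimal-responses yes;` to the options block, and `version none;` so the build is not advertised via version.bind. `listen-on-v6` keeps only `::1` while the zones are served publicly over IPv4, which may be intended but should be stated in a comment so it is not read as an oversight.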
@@ -0,0 +1,229 @@ +zone "blacka.com" { + type primary; + file "/var/lib/bind/blacka.com"; + dnssec-policy "simple_alg15"; + inline-signing yes; + + notify yes; + also-notify { + 66.92.146.115; + 204.109.61.194; + }; + allow-transfer { + 127.0.0.1; + key zeke-tornado.; + key zeke-ogud2.; + key zeke-ogud3; + }; +}; + +zone "ecotroph.net" { + type primary; + file "/var/lib/bind/ecotroph.net"; + notify yes; + allow-transfer { + 127.0.0.1; + key zeke-tornado.; + key zeke-ogud2.; + key zeke-ogud3; + }; +}; + +zone "nortonbertram.com" { + type primary; + file "/var/lib/bind/nortonbertram.com"; + notify yes; + allow-transfer { + 127.0.0.1; + 202.157.185.115; + 202.157.182.142; + 64.151.105.12; + }; +}; + +zone "hxr.us" { + type primary; + file "/var/lib/bind/hxr.us"; + notify yes; + allow-transfer { + 127.0.0.1; + 66.92.146.115; + 204.109.61.194; + 66.92.146.160; + 64.151.105.12; + }; +}; + +zone "fcdissident.us" { + type primary; + file "/var/lib/bind/fcdissident.us"; + notify yes; + allow-transfer { + 127.0.0.1; + 66.92.146.115; + 204.109.61.194; + 66.92.146.160; + 64.151.105.12; + }; +}; + +zone "fallschurchdissident.us" { + type primary; + file "/var/lib/bind/fallschurchdissident.us"; + notify yes; + allow-transfer { + 127.0.0.1; + 66.92.146.115; + 204.109.61.194; + 66.92.146.160; + 64.151.105.12; + }; +}; + +zone "fallschurchdissident.com" { + type primary; + file "/var/lib/bind/fallschurchdissident.com"; + notify yes; + allow-transfer { + 127.0.0.1; + 66.92.146.115; + 204.109.61.194; + 66.92.146.160; + 64.151.105.12; + }; +}; + +zone "t.hxr.us" { + type primary; + file "/var/lib/bind/t.hxr.us"; + allow-transfer { + 127.0.0.1; + 64.151.105.12; + }; +}; + +zone "dyn.hxr.us" { + type primary; + file "/var/lib/bind/dyn/dyn.hxr.us"; + allow-transfer { + 127.0.0.1; + 64.151.105.12; + }; + update-policy { grant * self * A; }; +}; + +zone "kosters.net" { + type primary; + file "/var/lib/bind/kosters.net"; + notify yes; + also-notify { + 65.201.175.12; + 66.92.146.115; + 
204.109.61.194; + }; + allow-transfer { + 127.0.0.1; + 65.201.175.11; + 65.201.175.12; + 64.151.105.12; + 64.22.125.99; + 70.164.18.40; + 70.164.18.41; + 70.164.18.42; + 207.234.133.162; + key zeke-ogud2.; + key zeke-ogud3; + }; +}; + +zone "bjmk.com" { + type primary; + file "/var/lib/bind/bjmk.com"; + notify yes; + also-notify { + 65.201.175.12; + 66.92.146.115; + 204.109.61.194; + }; + allow-transfer { + 127.0.0.1; + 65.201.175.11; + 65.201.175.12; + 64.151.105.12; + 64.22.125.99; + 70.164.18.40; + 70.164.18.41; + 70.164.18.42; + 207.234.133.162; + key zeke-ogud2.; + key zeke-ogud3; + }; +}; + +zone "gracecrc.org" { + type primary; + file "/var/lib/bind/gracecrc.org"; + notify yes; + also-notify { + 65.201.175.12; + 66.92.146.115; + 204.109.61.194; + }; + allow-transfer { + 127.0.0.1; + 65.201.175.11; + 65.201.175.12; + 64.151.105.12; + 64.22.125.99; + 70.164.18.40; + 70.164.18.41; + 70.164.18.42; + 207.234.133.162; + key zeke-ogud2.; + key zeke-ogud3.; + }; +}; + +zone "toscano.org" { + type primary; + file "/var/lib/bind/toscano.org"; + notify yes; + allow-transfer { + 127.0.0.1; + 202.157.185.115; + 202.157.182.142; + }; +}; + +zone "prevelige.org" { + type primary; + file "/var/lib/bind/prevelige.org"; + notify yes; + allow-transfer { + 127.0.0.1; + 202.157.185.115; + 202.157.182.142; + }; +}; + +zone "duffyfamily.me" { + type primary; + file "/var/lib/bind/duffyfamily.me"; + notify yes; + allow-transfer { + 127.0.0.1; + 202.157.185.115; + 202.157.182.142; + }; +}; + +zone "littlebit.us" { + type primary; + file "/var/lib/bind/littlebit.us"; + notify yes; + allow-transfer { + 127.0.0.1; + 202.157.185.115; + 202.157.182.142; + }; +}; diff --git a/cfg/named.rndc.conf b/cfg/named.rndc.conf new file mode 100644 index 0000000..66114f4 --- /dev/null +++ b/cfg/named.rndc.conf 
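Review bot: Most zones here (nortonbertram.com, hxr.us, fcdissident.us, the fallschurchdissident zones, toscano.org, prevelige.org, duffyfamily.me, littlebit.us, t.hxr.us, dyn.hxr.us) gate AXFR on source IP alone, while blacka.com and ecotroph.net require a TSIG key; an IP-only ACL falls to anyone who can source packets as a listed secondary, so where the peer supports it, add `key` entries the way blacka.com does. The same key is spelled `zeke-ogud3` in blacka.com, ecotroph.net, kosters.net and bjmk.com but `zeke-ogud3.` in gracecrc.org; BIND treats key names as DNS names so the trailing dot should be immaterial, but the inconsistency invites a silent mismatch and should be normalized to one spelling. The `update-policy { grant * self * A; }` on dyn.hxr.us deserves a comment naming which key file (presumably named_hxr_us.keys, to be confirmed) supplies the per-host keys it relies on.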
@@ -0,0 +1,9 @@
+key "rndc-key" {
+ algorithm hmac-sha256;
+ secret "Divr3QQ1G6qBBuRAx1QPiE4hFwnC6of6z3o82PYf7TY=";
+};
+
+controls {
+ inet 127.0.0.1 port 953
+ allow { 127.0.0.1; } keys { "rndc-key"; };
+};
diff --git a/cfg/named.secondary.conf b/cfg/named.secondary.conf
new file mode 100644
index 0000000..d3941aa
--- /dev/null
+++ b/cfg/named.secondary.conf
@@ -0,0 +1,8 @@
+zone "ogud.com" {
+ type secondary;
+ file "/var/lib/bind/secondary/ogud.com";
+ masters {
+ 104.225.12.28;
+ #204.109.61.194;
+ };
+};
diff --git a/cfg/named.zones.conf b/cfg/named.zones.conf
deleted file mode 100644
index 9f4bead..0000000
--- a/cfg/named.zones.conf
+++ /dev/null
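Review bot: The `rndc-key` secret is committed in cleartext in the new file; it was already in the old named.conf, so this commit moves rather than introduces it, but the key is now in repository history and should be regenerated. Generate it out of band with `tsig-keygen rndc-key > /etc/bind/rndc.key` (or `rndc-confgen -a`) and pull it in with `include "/etc/bind/rndc.key";`, the same pattern named.keys.conf already uses for the TSIG keys, keeping the secret file itself untracked. The `controls` block bound to 127.0.0.1 with an explicit `allow` list is the right shape; a comment noting that run_rndc.sh reaches this socket via `docker exec` inside the container would help the next reader.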
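Review bot: The secondary zone sets no `allow-transfer`, unlike every primary zone in this change, so with the long-standing BIND default of allowing transfers to any host (version dependent, to be confirmed for the build in use) ogud.com is AXFR-able by anyone; add `allow-transfer { none; };` or the same peer list the primaries use. The transfer from 104.225.12.28 is also unauthenticated because `masters` lists only an address; a spoofed NOTIFY alone cannot inject data since the zone is pulled only from that address, but an on-path attacker or route hijack can, and `primaries { 104.225.12.28 key "<ogud-xfer-key>"; };` with a TSIG key agreed with the primary's operator closes that. Since the file already uses `type secondary` (BIND 9.16+ vocabulary), `primaries` rather than the deprecated `masters` is the matching keyword. The commented-out `#204.109.61.194` should say why it is disabled.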
@@ -1,168 +0,0 @@ -zone "blacka.com" { - type primary; - file "/var/lib/bind/blacka.com"; - dnssec-policy "custom"; - inline-signing yes; - - notify yes; - also-notify { 66.92.146.115; 204.109.61.194; }; - allow-transfer { 127.0.0.1; key zeke-tornado.; key zeke-ogud2.; key zeke-ogud3; }; -}; - -zone "ecotroph.net" { - type primary; - file "/var/lib/bind/ecotroph.net"; - notify yes; - allow-transfer { 127.0.0.1; key zeke-tornado.; key zeke-ogud2.; key zeke-ogud3; }; -}; - -zone "nortonbertram.com" { - type primary; - file "/var/lib/bind/nortonbertram.com"; - notify yes; - allow-transfer { 127.0.0.1; 202.157.185.115; 202.157.182.142; 64.151.105.12; }; -}; - -zone "hxr.us" { - type primary; - file "/var/lib/bind/hxr.us"; - notify yes; - allow-transfer { 127.0.0.1; 66.92.146.115; 204.109.61.194; 66.92.146.160; 64.151.105.12; }; -}; - -zone "fcdissident.us" { - type primary; - file "/var/lib/bind/fcdissident.us"; - notify yes; - allow-transfer { 127.0.0.1; 66.92.146.115; 204.109.61.194; 66.92.146.160; 64.151.105.12; }; -}; - -zone "fallschurchdissident.us" { - type primary; - file "/var/lib/bind/fallschurchdissident.us"; - notify yes; - allow-transfer { 127.0.0.1; 66.92.146.115; 204.109.61.194; 66.92.146.160; 64.151.105.12; }; -}; - -zone "fallschurchdissident.com" { - type primary; - file "/var/lib/bind/fallschurchdissident.com"; - notify yes; - allow-transfer { 127.0.0.1; 66.92.146.115; 204.109.61.194; 66.92.146.160; 64.151.105.12; }; -}; - -zone "t.hxr.us" { - type primary; - file "/var/lib/bind/t.hxr.us"; - allow-transfer { 127.0.0.1; 64.151.105.12; }; -}; - -zone "dyn.hxr.us" { - type primary; - file "/var/lib/bind/dyn/dyn.hxr.us"; - allow-transfer { 127.0.0.1; 64.151.105.12; }; - update-policy { grant * self * A; }; -}; - -zone "kosters.net" { - type primary; - file "/var/lib/bind/kosters.net"; - notify yes; - also-notify { 65.201.175.12; 66.92.146.115; 204.109.61.194; }; - allow-transfer { 127.0.0.1; - 65.201.175.11; - 65.201.175.12; - 64.151.105.12; - 
64.22.125.99; - 70.164.18.40; - 70.164.18.41; - 70.164.18.42; - 207.234.133.162; - key zeke-ogud2.; key zeke-ogud3; - }; -}; - -zone "bjmk.com" { - type primary; - file "/var/lib/bind/bjmk.com"; - notify yes; - also-notify { 65.201.175.12; 66.92.146.115; 204.109.61.194; }; - allow-transfer { 127.0.0.1; - 65.201.175.11; - 65.201.175.12; - 64.151.105.12; - 64.22.125.99; - 70.164.18.40; - 70.164.18.41; - 70.164.18.42; - 207.234.133.162; - key zeke-ogud2.; key zeke-ogud3; - }; -}; - -zone "gracecrc.org" { - type primary; - file "/var/lib/bind/gracecrc.org"; - notify yes; - also-notify { 65.201.175.12; 66.92.146.115; 204.109.61.194; }; - allow-transfer { 127.0.0.1; - 65.201.175.11; - 65.201.175.12; - 64.151.105.12; - 64.22.125.99; - 70.164.18.40; - 70.164.18.41; - 70.164.18.42; - 207.234.133.162; - key zeke-ogud2.; key zeke-ogud3.; - }; -}; - -zone "toscano.org" { - type primary; - file "/var/lib/bind/toscano.org"; - notify yes; - allow-transfer { 127.0.0.1; - 202.157.185.115; - 202.157.182.142; - }; -}; - -zone "prevelige.org" { - type primary; - file "/var/lib/bind/prevelige.org"; - notify yes; - allow-transfer { 127.0.0.1; - 202.157.185.115; - 202.157.182.142; - }; -}; - -zone "duffyfamily.me" { - type primary; - file "/var/lib/bind/duffyfamily.me"; - notify yes; - allow-transfer { 127.0.0.1; - 202.157.185.115; - 202.157.182.142; - }; -}; - -zone "littlebit.us" { - type primary; - file "/var/lib/bind/littlebit.us"; - notify yes; - allow-transfer { 127.0.0.1; - 202.157.185.115; - 202.157.182.142; - }; -}; - -zone "ogud.com" { - type secondary; - file "/var/lib/bind/secondary/ogud.com"; - masters { - 104.225.12.28; - #204.109.61.194; - }; -}; diff --git a/run_rndc.sh b/run_rndc.sh new file mode 100755 index 0000000..8f1de2c --- /dev/null +++ b/run_rndc.sh @@ -0,0 +1,4 @@ +#! /bin/bash +[ -x "$(which docker)" ] && DOCKER=docker +[ -x "$(which podman)" ] && DOCKER=podman +$DOCKER exec bind9 rndc "$@" \ No newline at end of file
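Review bot: When neither docker nor podman is installed, `$DOCKER` expands to nothing and the last line becomes the bash builtin `exec bind9 rndc ...`, which tries to replace the shell with a non-existent `bind9` program and yields a misleading error. Resolve the runtime with `command -v` and fail explicitly: `DOCKER=$(command -v podman || command -v docker) || { echo 'docker or podman required' >&2; exit 1; }`, which keeps the current preference for podman when both exist. `which` is not guaranteed to be present or to return a meaningful exit status on every system, which is why `command -v` is preferred. The file also lacks a trailing newline.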