Initial commit
commit
15758b864d
10 changed files with 165 additions and 0 deletions
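--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+*.sig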
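--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,10 @@
+sign: $(patsubst %,%.sig,$(wildcard *.zone))
+
+%.sig: %
+	gpg -o $@ --detach-sign $<
+
+upload:
+	printf 'put %s\n' *.zone *.sig | sftp dns.parabox.it-syndikat.org:zones/
+
+clean:
+	rm -f *.sig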
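Review bot: `upload` and `clean` are never declared phony, and `upload` has no prerequisite on the signatures, so `make upload` on its own pushes whatever `*.sig` files happen to be in the tree (stale ones included) and a file named `upload` or `clean` would silently mask the target. Adding `.PHONY: sign upload clean` at the top and changing the rule header to `upload: sign` ties the upload to freshly built signatures while the README's `make sign upload` keeps working. The `*.zone *.sig` globs in the upload recipe are expanded by the shell, so with no signature present the literal `*.sig` reaches sftp; with `upload: sign` in place that case no longer occurs for a clean tree, but `$(wildcard *.zone *.sig)` would make the recipe explicit about it.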
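--- a/README
+++ b/README
@@ -0,0 +1,16 @@
+ITS DNS Zone Managment
+======================
+
+This repo contains the primary copies of all our DNS zones.
+
+If you have access to our primary DNS server (dns.parabox.it-syndikat.org),
+deploy them using this command:
+
+$ make sign upload
+
+This will sign the zones using gpg using your default key and upload them
+to the server using sftp. The server has incron running which will detect
+the upload, verify the gpg signature, copy the zones into knot's zone
+directory and reload the modified zones.
+
+Note: Knot handles DNSSEC signing on the server side.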
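--- a/it-syndik.at.zone
+++ b/it-syndik.at.zone
@@ -0,0 +1,35 @@
+; -*- tab-width: 16; indent-tabs-mode: t; -*-
+
+@ SOA ( ns0.it-syndik.at.
+	hostmaster.it-syndikat.org.
+	1618291833 ; serial
+	3h ; refresh
+	1h ; retry
+	4w ; expire
+	5m ; negcache ttl
+	)
+
+$TTL 5m ; TODO: decrease when everything works, also negcache above
+
+@ A 85.10.196.35
+	AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+@ NS ns0.it-syndik.at.
+	NS ns6.gandi.net.
+
+; Remember to update these on gandi under "Glue records"
+ns0 A 85.10.196.15
+ns0 AAAA 2a01:4f8:a0:6171:0:ff:fe00:1f
+
+matrix A 85.10.196.35
+matrix AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+riot A 85.10.196.35
+riot AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+1.riot CNAME riot
+2.riot CNAME riot
+3.riot CNAME riot
+
+synapse A 85.10.196.35
+synapse AAAA 2a01:4f8:a0:6171:0:ff:fe00:1b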
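--- a/it-syndikat.org.zone
+++ b/it-syndikat.org.zone
@@ -0,0 +1,50 @@
+; -*- tab-width: 16; indent-tabs-mode: t; -*-
+
+@ SOA ( ns0.it-syndikat.org.
+	hostmaster.it-syndikat.org.
+	1618293434 ; serial
+	3h ; refresh
+	1h ; retry
+	4w ; expire
+	5m ; negcache ttl
+	)
+
+$TTL 5m
+
+@ A 85.10.196.35
+	AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+	MX 10 mail.it-syndikat.org.
+	TXT "v=spf1 mx -all"
+	NS ns0.it-syndikat.org.
+	NS ns6.gandi.net.
+
+; Remember to update these on gandi under "Glue records"
+ns0 A 85.10.196.15
+ns0 AAAA 2a01:4f8:a0:6171:0:ff:fe00:1f
+
+
+mail A 85.10.196.35
+	AAAA 2a01:4f8:a0:6171:0:ff:fe00:6
+paramail A 85.10.196.35
+	AAAA 2a01:4f8:a0:6171:0:ff:fe00:6
+
+lux A 85.10.196.35
+	AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+mailtrain A 85.10.196.35
+	AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+meta A 85.10.196.35
+	AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+	MX 10 mail.it-syndikat.org.
+	TXT "v=spf1 mx -all"
+
+turn A 85.10.196.35
+www CNAME it-syndikat.org.
+
+parabox A 85.10.196.35
+	AAAA 2a01:4f8:a0:6171::2
+	NS parabox.it-syndikat.org.
+
+mailtrain MX 10 mailtrain.it-syndikat.org.
+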
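--- a/server/README
+++ b/server/README
@@ -0,0 +1,19 @@
+Server side setup
+-----------------
+
+As root:
+
+$ apt-get install incron
+$ echo <the user on the server> > /etc/incron.allow
+$ cp zone-admin.sshd_config /etc/ssh/sshd_config.d/zone-admin.conf
+$ cp zone-admin.sudoers /etc/sudoers.d/zone-admin
+
+As the user:
+
+$ sed 's/$USER/<the user on the server>/g' ./incrontab | incrontab -
+# install knot-gpgv-import into ~/
+$ mkdir zones/
+
+# Paste your gpg public key + Ctrl-D
+$ gpg --no-default-keyring --keyring $HOME/trustedkeys.kbx -a --import
+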
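--- a/server/incrontab
+++ b/server/incrontab
@@ -0,0 +1 @@
+/home/$USER/zones IN_DELETE,IN_CLOSE_WRITE,IN_MOVED_TO /home/$USER/knot-gpgv-import $@/$#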
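--- a/server/knot-gpgv-import
+++ b/server/knot-gpgv-import
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -eu
+
+file="$1"
+
+case "$file" in
+	# We don't control the order of the zone/sig upload so just try on both
+	*.zone) ;;
+	*.zone.sig) ;;
+
+	# Ignore everything else
+	*) exit 0 ;;
+esac
+
+[ -f "$file" ] || exit 1
+[ -f "$file".sig ] || exit 2
+gpgv --keyring $HOME/trustedkeys.kbx "$file".sig "$file" || exit 3
+cp -t /var/lib/knot "$file" || exit 4
+sudo -u knot knotc zone-reload "$(basename "${file%*.zone*}")"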
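Review bot: The `*.zone.sig)` arm leaves `$file` pointing at the signature itself, so the later `[ -f "$file".sig ]` looks for `<zone>.sig.sig` and the script always exits 2 when incron fires for the signature upload; the "try on both" intent in the comment is not met, and a deploy only succeeds when the `.zone` file happens to land after its `.sig`. Stripping the suffix in that arm, `*.zone.sig) file="${file%.sig}" ;;`, makes both triggers verify and copy the same zone file, and the later `basename "${file%*.zone*}"` then yields the zone name in both cases. `$HOME` in the gpgv line is the only unquoted expansion in the script; `"$HOME"` is cheap and consistent with the rest.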
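--- a/server/zone-admin.sshd_config
+++ b/server/zone-admin.sshd_config
@@ -0,0 +1,11 @@
+Match Group zone-admin
+	ChrootDirectory %h
+	ForceCommand internal-sftp
+	AllowTcpForwarding no
+	AllowStreamLocalForwarding no
+	AllowAgentForwarding no
+	AcceptEnv no
+	X11Forwarding no
+	PermitTunnel no
+	PermitUserRC no
+	PasswordAuthentication no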
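Review bot: `AcceptEnv no` is not a boolean setting: `AcceptEnv` takes a list of environment-variable name patterns, so this line permits a client variable literally named `no` rather than disabling the feature; sshd accepts no client variables by default, so the line can simply be dropped. `ChrootDirectory %h` also requires the home directory to be owned by root and not writable by group or others, and server/README does not mention this, which is a common cause of "bad ownership or modes" login failures after following the setup steps; a comment on that line, `# %h must be root-owned and not group/world-writable, or sshd rejects the session`, would save the next admin a debugging round.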
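--- a/server/zone-admin.sudoers
+++ b/server/zone-admin.sudoers
@@ -0,0 +1,2 @@
+Cmnd_Alias ZONE_RELOAD = /usr/sbin/knotc zone-reload *
+%zone-admin ALL = (knot) NOPASSWD: ZONE_RELOAD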
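Review bot: In sudoers a `*` wildcard also matches whitespace, so `knotc zone-reload *` permits any number of additional arguments rather than exactly one zone name. That is acceptable for this commit because knot-gpgv-import passes a single basename-derived argument, but the alias is broader than its only caller, so a comment recording the assumption, `# '*' matches across spaces; knot-gpgv-import passes exactly one zone name`, keeps it from being reused for a looser caller without notice.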