Initial commit

This commit is contained in:
Daniel Gröber 2021-04-13 07:58:31 +02:00
commit 15758b864d
10 changed files with 165 additions and 0 deletions

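--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+*.sig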

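--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,10 @@
+sign: $(patsubst %,%.sig,$(wildcard *.zone))
+%.sig: %
+gpg -o $@ --detach-sign $<
+upload:
+printf 'put %s\n' *.zone *.sig | sftp dns.parabox.it-syndikat.org:zones/
+clean:
+rm -f *.sig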
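Review bot: `sign`, `upload` and `clean` are command targets but none is declared phony, so a stray file named `sign` or `upload` in the checkout would turn them into silent no-ops; add `.PHONY: sign upload clean`. `upload` also does not depend on `sign`, so `make upload` on its own (or a run after editing a zone without re-signing) pushes whatever `.sig` files happen to be on disk and the server-side `gpgv` check then rejects the zone; `upload: sign` closes that gap. `gpg -o $@` prompts before overwriting an existing `.sig`, so re-signing a changed zone stops for interactive input unless `--yes` is added or `$@` is removed first. The rendered page drops recipe indentation, so whether the three recipe lines carry the required leading tab cannot be confirmed here.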

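--- a/README
+++ b/README
@@ -0,0 +1,16 @@
+ITS DNS Zone Managment
+======================
+This repo contains the primary copies of all our DNS zones.
+If you have access to our primary DNS server (dns.parabox.it-syndikat.org),
+deploy them using this command:
+$ make sign upload
+This will sign the zones using gpg using your default key and upload them
+to the server using sftp. The server has incron running which will detect
+the upload, verify the gpg signature, copy the zones into knot's zone
+directory and reload the modified zones.
+Note: Knot handles DNSSEC signing on the server side.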

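--- a/it-syndik.at.zone
+++ b/it-syndik.at.zone
@@ -0,0 +1,35 @@
+; -*- tab-width: 16; indent-tabs-mode: t; -*-
+@ SOA ( ns0.it-syndik.at.
+hostmaster.it-syndikat.org.
+1618291833 ; serial
+3h ; refresh
+1h ; retry
+4w ; expire
+5m ; negcache ttl
+)
+$TTL 5m ; TODO: decrease when everything works, also negcache above
+@ A 85.10.196.35
+AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+@ NS ns0.it-syndik.at.
+NS ns6.gandi.net.
+; Remember to update these on gandi under "Glue records"
+ns0 A 85.10.196.15
+ns0 AAAA 2a01:4f8:a0:6171:0:ff:fe00:1f
+matrix A 85.10.196.35
+matrix AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+riot A 85.10.196.35
+riot AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+1.riot CNAME riot
+2.riot CNAME riot
+3.riot CNAME riot
+synapse A 85.10.196.35
+synapse AAAA 2a01:4f8:a0:6171:0:ff:fe00:1b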

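--- a/it-syndikat.org.zone
+++ b/it-syndikat.org.zone
@@ -0,0 +1,50 @@
+; -*- tab-width: 16; indent-tabs-mode: t; -*-
+@ SOA ( ns0.it-syndikat.org.
+hostmaster.it-syndikat.org.
+1618293434 ; serial
+3h ; refresh
+1h ; retry
+4w ; expire
+5m ; negcache ttl
+)
+$TTL 5m
+@ A 85.10.196.35
+AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+MX 10 mail.it-syndikat.org.
+TXT "v=spf1 mx -all"
+NS ns0.it-syndikat.org.
+NS ns6.gandi.net.
+; Remember to update these on gandi under "Glue records"
+ns0 A 85.10.196.15
+ns0 AAAA 2a01:4f8:a0:6171:0:ff:fe00:1f
+mail A 85.10.196.35
+AAAA 2a01:4f8:a0:6171:0:ff:fe00:6
+paramail A 85.10.196.35
+AAAA 2a01:4f8:a0:6171:0:ff:fe00:6
+lux A 85.10.196.35
+AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+mailtrain A 85.10.196.35
+AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+meta A 85.10.196.35
+AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+MX 10 mail.it-syndikat.org.
+TXT "v=spf1 mx -all"
+turn A 85.10.196.35
+www CNAME it-syndikat.org.
+parabox A 85.10.196.35
+AAAA 2a01:4f8:a0:6171::2
+NS parabox.it-syndikat.org.
+mailtrain MX 10 mailtrain.it-syndikat.org.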

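--- a/server/README
+++ b/server/README
@@ -0,0 +1,19 @@
+Server side setup
+-----------------
+As root:
+$ apt-get install incron
+$ echo <the user on the server> > /etc/incron.allow
+$ cp zone-admin.sshd_config /etc/ssh/sshd_config.d/zone-admin.conf
+$ cp zone-admin.sudoers /etc/sudoers.d/zone-admin
+As the user:
+$ sed 's/$USER/<the user on the server>/g' ./incrontab | incrontab -
+# install knot-gpgv-import into ~/
+$ mkdir zones/
+# Paste your gpg public key + Ctrl-D
+$ gpg --no-default-keyring --keyring $HOME/trustedkeys.kbx -a --import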

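--- a/server/incrontab
+++ b/server/incrontab
@@ -0,0 +1 @@
+/home/$USER/zones IN_DELETE,IN_CLOSE_WRITE,IN_MOVED_TO /home/$USER/knot-gpgv-import $@/$#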

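--- a/server/knot-gpgv-import
+++ b/server/knot-gpgv-import
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -eu
+file="$1"
+case "$file" in
+# We don't control the order of the zone/sig upload so just try on both
+*.zone) ;;
+*.zone.sig) ;;
+# Ignore everything else
+*) exit 0 ;;
+esac
+[ -f "$file" ] || exit 1
+[ -f "$file".sig ] || exit 2
+gpgv --keyring $HOME/trustedkeys.kbx "$file".sig "$file" || exit 3
+cp -t /var/lib/knot "$file" || exit 4
+sudo -u knot knotc zone-reload "$(basename "${file%*.zone*}")"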
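Review bot: The `*.zone.sig` branch of the `case` never deploys anything: when `$file` ends in `.zone.sig`, the later check `[ -f "$file".sig ]` looks for `<name>.zone.sig.sig`, so the script exits 2 whenever the signature arrives after the zone — which is exactly the order `printf 'put %s\n' *.zone *.sig` produces, leaving the "try on both" comment unfulfilled. Changing that branch to `*.zone.sig) file="${file%.sig}" ;;` makes both events verify and copy the same `.zone` path, and the `basename` expression at the end already yields the zone name for it. Separately, `gpgv` only proves that some key in `trustedkeys.kbx` signed the bytes; nothing ties the signature to the file name or to the SOA serial, so an older signed copy of a zone is accepted as readily as the current one — a comment stating that assumption, or a refusal to deploy when the serial does not increase over the copy already in `/var/lib/knot`, would close that gap. `$HOME` on the `gpgv` line should be quoted like the other paths.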


@ -0,0 +1,11 @@
Match Group zone-admin
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
AcceptEnv no
X11Forwarding no
PermitTunnel no
PermitUserRC no
PasswordAuthentication no
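Review bot: `ChrootDirectory %h` is only honoured when the home directory and every path component above it are root-owned and not writable by any other user or group, and sshd refuses the session otherwise; that ownership rule is what stops an sftp client from replacing `knot-gpgv-import` or `.ssh/authorized_keys` in the same home, but it contradicts server/README, which has the user run `mkdir zones/` and install the script into `~/` themselves. A comment above the `Match` block such as `# %h must be root-owned and not user-writable; only zones/ is writable by the account` plus a README step that creates `zones/` under a root-owned home would keep the two in sync. `AcceptEnv no` does not switch environment passing off — the directive takes variable-name patterns, so this line accepts a variable literally named `no`; the default of accepting nothing already applies and the line can be dropped. The file header for this section is missing on the page, so the path is inferred from server/README's `cp zone-admin.sshd_config` step.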


@ -0,0 +1,2 @@
Cmnd_Alias ZONE_RELOAD = /usr/sbin/knotc zone-reload *
%zone-admin ALL = (knot) NOPASSWD: ZONE_RELOAD
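Review bot: In sudoers the trailing `*` of `ZONE_RELOAD` is not a single-word wildcard — it matches any argument string, whitespace included, so the rule permits `knotc zone-reload` followed by an arbitrary argument list rather than the one zone name `knot-gpgv-import` passes. That is acceptable for a reload command, but the intent should be recorded on the alias, e.g. `# '*' matches any argument list; only zone-reload is granted, with no options before it`, so a later edit does not widen it to other knotc subcommands. The file header for this section is missing on the page; the path is inferred from server/README's `cp zone-admin.sudoers` step.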