
Initial commit

Daniel Gröber 8 months ago
commit
15758b864d
  1. 1
      .gitignore
  2. 10
      Makefile
  3. 16
      README
  4. 35
      it-syndik.at.zone
  5. 50
      it-syndikat.org.zone
  6. 19
      server/README
  7. 1
      server/incrontab
  8. 20
      server/knot-gpgv-import
  9. 11
      server/zone-admin.sshd_config
  10. 2
      server/zone-admin.sudoers

1
.gitignore

@ -0,0 +1 @@
*.sig

10
Makefile

@ -0,0 +1,10 @@
sign: $(patsubst %,%.sig,$(wildcard *.zone))
%.sig: %
gpg -o $@ --detach-sign $<
upload:
printf 'put %s\n' *.zone *.sig | sftp dns.parabox.it-syndikat.org:zones/
clean:
rm -f *.sig
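Review bot: `sign`, `upload` and `clean` are never declared `.PHONY`, and `upload` does not depend on `sign`, so `make upload` on its own pushes whatever `*.sig` files happen to be present (or the literal `*.sig` when none match) and a stray file named `upload` or `sign` would silently turn that target into a no-op; add `.PHONY: sign upload clean` and change the header to `upload: sign`. The `put` lines are fed to sftp's interactive reader, where a failed transfer does not fail the recipe; `sftp -b - dns.parabox.it-syndikat.org:zones/` makes sftp abort on the first error and return non-zero. The recipe also uploads `*.zone` before `*.sig`, while the server hook in `server/knot-gpgv-import` exits when the matching `.sig` is not yet present, so listing `*.sig` first is what makes the zone upload the triggering event. Whether the recipe lines carry a leading tab cannot be checked in this rendering.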

16
README

@ -0,0 +1,16 @@
ITS DNS Zone Managment
======================
This repo contains the primary copies of all our DNS zones.
If you have access to our primary DNS server (dns.parabox.it-syndikat.org),
deploy them using this command:
$ make sign upload
This will sign the zones using gpg using your default key and upload them
to the server using sftp. The server has incron running which will detect
the upload, verify the gpg signature, copy the zones into knot's zone
directory and reload the modified zones.
Note: Knot handles DNSSEC signing on the server side.

35
it-syndik.at.zone

@ -0,0 +1,35 @@
; -*- tab-width: 16; indent-tabs-mode: t; -*-
@ SOA ( ns0.it-syndik.at.
hostmaster.it-syndikat.org.
1618291833 ; serial
3h ; refresh
1h ; retry
4w ; expire
5m ; negcache ttl
)
$TTL 5m ; TODO: decrease when everything works, also negcache above
@ A 85.10.196.35
AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
@ NS ns0.it-syndik.at.
NS ns6.gandi.net.
; Remember to update these on gandi under "Glue records"
ns0 A 85.10.196.15
ns0 AAAA 2a01:4f8:a0:6171:0:ff:fe00:1f
matrix A 85.10.196.35
matrix AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
riot A 85.10.196.35
riot AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
1.riot CNAME riot
2.riot CNAME riot
3.riot CNAME riot
synapse A 85.10.196.35
synapse AAAA 2a01:4f8:a0:6171:0:ff:fe00:1b
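Review bot: The zone publishes no MX, SPF or DMARC records, so receivers have no policy on which to reject mail that claims to come from `@it-syndik.at`. If the domain sends no mail, say so explicitly with a null MX and a deny-all SPF, `@ MX 0 .` and `@ TXT "v=spf1 -all"`, plus `_dmarc TXT "v=DMARC1; p=reject"`. The comment on the `$TTL` line says "decrease" although the values are short for bring-up and presumably meant to grow afterwards; "increase" is probably intended. The indentation that ties the bare `AAAA` record after `@ A 85.10.196.35` to the apex owner is not visible in this rendering, so its owner cannot be confirmed here.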

50
it-syndikat.org.zone

@ -0,0 +1,50 @@
; -*- tab-width: 16; indent-tabs-mode: t; -*-
@ SOA ( ns0.it-syndikat.org.
hostmaster.it-syndikat.org.
1618293434 ; serial
3h ; refresh
1h ; retry
4w ; expire
5m ; negcache ttl
)
$TTL 5m
@ A 85.10.196.35
AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
MX 10 mail.it-syndikat.org.
TXT "v=spf1 mx -all"
NS ns0.it-syndikat.org.
NS ns6.gandi.net.
; Remember to update these on gandi under "Glue records"
ns0 A 85.10.196.15
ns0 AAAA 2a01:4f8:a0:6171:0:ff:fe00:1f
mail A 85.10.196.35
AAAA 2a01:4f8:a0:6171:0:ff:fe00:6
paramail A 85.10.196.35
AAAA 2a01:4f8:a0:6171:0:ff:fe00:6
lux A 85.10.196.35
AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
mailtrain A 85.10.196.35
AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
meta A 85.10.196.35
AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
MX 10 mail.it-syndikat.org.
TXT "v=spf1 mx -all"
turn A 85.10.196.35
www CNAME it-syndikat.org.
parabox A 85.10.196.35
AAAA 2a01:4f8:a0:6171::2
NS parabox.it-syndikat.org.
mailtrain MX 10 mailtrain.it-syndikat.org.
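Review bot: SPF is `-all` for the apex and `meta`, but there is no `_dmarc` record, so receivers have no published policy telling them to act on an SPF failure for the From: domain; add `_dmarc TXT "v=DMARC1; p=reject"` (policy and reporting tags adjusted as needed). `mailtrain` gets an MX pointing at itself on the last line but, unlike `meta`, no SPF record of its own; if that host sends mail it needs a `TXT "v=spf1 ..."` record too, since the apex SPF does not cover subdomains. `parabox` is delegated to itself via `NS parabox.it-syndikat.org.` with only the A/AAAA glue, so that host must actually serve the `parabox.it-syndikat.org` zone or every lookup under it fails rather than falling back to the records here. As in the other zone file, the owner of the indented `AAAA`/`MX`/`TXT` continuation lines cannot be verified from this rendering.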

19
server/README

@ -0,0 +1,19 @@
Server side setup
-----------------
As root:
$ apt-get install incron
$ echo <the user on the server> > /etc/incron.allow
$ cp zone-admin.sshd_config /etc/ssh/sshd_config.d/zone-admin.conf
$ cp zone-admin.sudoers /etc/sudoers.d/zone-admin
As the user:
$ sed 's/$USER/<the user on the server>/g' ./incrontab | incrontab -
# install knot-gpgv-import into ~/
$ mkdir zones/
# Paste your gpg public key + Ctrl-D
$ gpg --no-default-keyring --keyring $HOME/trustedkeys.kbx -a --import

1
server/incrontab

@ -0,0 +1 @@
/home/$USER/zones IN_DELETE,IN_CLOSE_WRITE,IN_MOVED_TO /home/$USER/knot-gpgv-import $@/$#
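Review bot: `IN_DELETE` is listed as a trigger, but `knot-gpgv-import` exits 1 as soon as the file is gone, so a deletion only produces a failed run in the incron log while knot keeps serving the old copy under `/var/lib/knot`; either drop `IN_DELETE` from the mask or handle removal explicitly in the hook, and document which, e.g. `# deletions are not propagated to knot`. `IN_CLOSE_WRITE` also fires once for the `.zone` and once for the `.sig`, so the hook runs at least twice per deploy and must tolerate that.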

20
server/knot-gpgv-import

@ -0,0 +1,20 @@
#!/bin/sh
set -eu
file="$1"
case "$file" in
# We don't control the order of the zone/sig upload so just try on both
*.zone) ;;
*.zone.sig) ;;
# Ignore everything else
*) exit 0 ;;
esac
[ -f "$file" ] || exit 1
[ -f "$file".sig ] || exit 2
gpgv --keyring $HOME/trustedkeys.kbx "$file".sig "$file" || exit 3
cp -t /var/lib/knot "$file" || exit 4
sudo -u knot knotc zone-reload "$(basename "${file%*.zone*}")"
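Review bot: The `*.zone.sig)` branch on line 171 leaves `file` pointing at the signature, so the checks that follow look for `<name>.zone.sig.sig` and exit 2; contrary to the comment above the case, the hook can therefore only succeed when the `.zone` is the file that arrives last, and the branch should strip the suffix, `*.zone.sig) file="${file%.sig}" ;;`. Verification and installation also read the same user-writable path twice (`gpgv` on line 177, `cp` on line 178), so the content that is installed is not necessarily the content that was verified; copy zone and signature into a private temporary directory first, verify there, and install with a rename. `$HOME` on line 177 is unquoted. A signature check alone does not prevent an older, still validly signed zone from being installed over a newer one; if that matters, compare SOA serials before reloading.
```shell
# … unchanged: shebang and set -eu …
file="$1"
case "$file" in
	*.zone) ;;
	*.zone.sig) file="${file%.sig}" ;;   # verify the zone this signature belongs to
	*) exit 0 ;;
esac
[ -f "$file" ] || exit 1
[ -f "$file".sig ] || exit 2
# Work on private copies so that what is verified is exactly what gets installed
tmp=$(mktemp -d) || exit 5
trap 'rm -rf "$tmp"' EXIT
zone=$(basename "$file")
cp -- "$file" "$file".sig "$tmp"/ || exit 5
gpgv --keyring "$HOME"/trustedkeys.kbx "$tmp/$zone".sig "$tmp/$zone" || exit 3
cp -- "$tmp/$zone" /var/lib/knot/"$zone".tmp && mv -f /var/lib/knot/"$zone".tmp /var/lib/knot/"$zone" || exit 4
sudo -u knot knotc zone-reload "${zone%.zone}"
```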

11
server/zone-admin.sshd_config

@ -0,0 +1,11 @@
Match Group zone-admin
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
AcceptEnv no
X11Forwarding no
PermitTunnel no
PermitUserRC no
PasswordAuthentication no
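Review bot: `ChrootDirectory %h` requires the user's home directory and every parent to be root-owned and not writable by the user, yet `server/README` has that same user run `mkdir zones/` and import a keyring into `$HOME`; one of the two fails unless the home is created by root and only `zones/` is handed to the user, so document that, e.g. `# %h must be root-owned for ChrootDirectory; only ~/zones is user-writable`. On systems whose main `sshd_config` has `Include /etc/ssh/sshd_config.d/*.conf` near the top, a `Match` block in an included file may capture the global directives that follow the include; check the effective result with `sshd -T -C user=<user>,host=<host>,addr=<addr>` (placeholders) before relying on it. `AcceptEnv no` does not disable the option — it accepts an environment variable literally named `no` — so drop that line.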

2
server/zone-admin.sudoers

@ -0,0 +1,2 @@
Cmnd_Alias ZONE_RELOAD = /usr/sbin/knotc zone-reload *
%zone-admin ALL = (knot) NOPASSWD: ZONE_RELOAD
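Review bot: In sudoers, `*` matches any run of characters including spaces, so `ZONE_RELOAD` permits `knotc zone-reload` followed by any number of extra words, not just one zone name; that is harmless for `zone-reload`, but worth stating so nobody later copies the pattern for a subcommand where extra arguments matter, e.g. `# '*' also matches several space-separated arguments`.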