From 15758b864d7e5b2cecbcd60c4f99c42a8802143d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Gr=C3=B6ber?=
Date: Tue, 13 Apr 2021 07:58:31 +0200
Subject: [PATCH] Initial commit
---
 .gitignore | 1 +
 Makefile | 10 +++++++
 README | 16 +++++++++++
 it-syndik.at.zone | 35 ++++++++++++++++++++++++
 it-syndikat.org.zone | 50 +++++++++++++++++++++++++++++++++++
 server/README | 19 +++++++++++++
 server/incrontab | 1 +
 server/knot-gpgv-import | 20 ++++++++++++++
 server/zone-admin.sshd_config | 11 ++++++++
 server/zone-admin.sudoers | 2 ++
 10 files changed, 165 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Makefile
 create mode 100644 README
 create mode 100644 it-syndik.at.zone
 create mode 100644 it-syndikat.org.zone
 create mode 100644 server/README
 create mode 100644 server/incrontab
 create mode 100644 server/knot-gpgv-import
 create mode 100644 server/zone-admin.sshd_config
 create mode 100644 server/zone-admin.sudoers
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4e54622
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.sig
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..f16532e
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,10 @@
+sign: $(patsubst %,%.sig,$(wildcard *.zone))
+
+%.sig: %
+ gpg -o $@ --detach-sign $<
+
+upload:
+ printf 'put %s\n' *.zone *.sig | sftp dns.parabox.it-syndikat.org:zones/
+
+clean:
+ rm -f *.sig
diff --git a/README b/README
new file mode 100644
index 0000000..68e8a48
--- /dev/null
+++ b/README
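Review bot: `upload` has no dependency on `sign` and none of `sign`, `upload`, `clean` is declared phony, so `make upload` on its own sends whatever `*.sig` files are on disk (stale ones for an edited zone, or the literal string `*.sig` when none exist), and a file named `upload` or `clean` in the checkout would silently turn that target into a no-op. Suggest adding `.PHONY: sign upload clean` and changing the rule header to `upload: sign`, which also makes the README's `make sign upload` redundant rather than required. The signing recipe stalls on re-signing: `gpg -o $@ --detach-sign $<` asks interactively whether to overwrite the existing `.sig`, which is the normal case after a zone edits; `gpg --yes -o $@ --detach-sign $<` writes it unconditionally.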
@@ -0,0 +1,16 @@
+ITS DNS Zone Managment
+======================
+
+This repo contains the primary copies of all our DNS zones.
+
+If you have access to our primary DNS server (dns.parabox.it-syndikat.org),
+deploy them using this command:
+
+ $ make sign upload
+
+This will sign the zones using gpg using your default key and upload them
+to the server using sftp. The server has incron running which will detect
+the upload, verify the gpg signature, copy the zones into knot's zone
+directory and reload the modified zones.
+
+Note: Knot handles DNSSEC signing on the server side.
diff --git a/it-syndik.at.zone b/it-syndik.at.zone
new file mode 100644
index 0000000..3db4bbf
--- /dev/null
+++ b/it-syndik.at.zone
@@ -0,0 +1,35 @@
+; -*- tab-width: 16; indent-tabs-mode: t; -*-
+
+@ SOA ( ns0.it-syndik.at.
+ hostmaster.it-syndikat.org.
+ 1618291833 ; serial
+ 3h ; refresh
+ 1h ; retry
+ 4w ; expire
+ 5m ; negcache ttl
+ )
+
+$TTL 5m ; TODO: decrease when everything works, also negcache above
+
+@ A 85.10.196.35
+ AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+@ NS ns0.it-syndik.at.
+ NS ns6.gandi.net.
+
+; Remember to update these on gandi under "Glue records"
+ns0 A 85.10.196.15
+ns0 AAAA 2a01:4f8:a0:6171:0:ff:fe00:1f
+
+matrix A 85.10.196.35
+matrix AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+riot A 85.10.196.35
+riot AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+1.riot CNAME riot
+2.riot CNAME riot
+3.riot CNAME riot
+
+synapse A 85.10.196.35
+synapse AAAA 2a01:4f8:a0:6171:0:ff:fe00:1b
diff --git a/it-syndikat.org.zone b/it-syndikat.org.zone
new file mode 100644
index 0000000..0581476
--- /dev/null
+++ b/it-syndikat.org.zone
@@ -0,0 +1,50 @@
+; -*- tab-width: 16; indent-tabs-mode: t; -*-
+
+@ SOA ( ns0.it-syndikat.org.
+ hostmaster.it-syndikat.org.
+ 1618293434 ; serial
+ 3h ; refresh
+ 1h ; retry
+ 4w ; expire
+ 5m ; negcache ttl
+ )
+
+$TTL 5m
+
+@ A 85.10.196.35
+ AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+ MX 10 mail.it-syndikat.org.
+ TXT "v=spf1 mx -all"
+ NS ns0.it-syndikat.org.
+ NS ns6.gandi.net.
+
+; Remember to update these on gandi under "Glue records"
+ns0 A 85.10.196.15
+ns0 AAAA 2a01:4f8:a0:6171:0:ff:fe00:1f
+
+
+mail A 85.10.196.35
+ AAAA 2a01:4f8:a0:6171:0:ff:fe00:6
+paramail A 85.10.196.35
+ AAAA 2a01:4f8:a0:6171:0:ff:fe00:6
+
+lux A 85.10.196.35
+ AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+mailtrain A 85.10.196.35
+ AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+
+meta A 85.10.196.35
+ AAAA 2a01:4f8:a0:6171:0:ff:fe00:5
+ MX 10 mail.it-syndikat.org.
+ TXT "v=spf1 mx -all"
+
+turn A 85.10.196.35
+www CNAME it-syndikat.org.
+
+parabox A 85.10.196.35
+ AAAA 2a01:4f8:a0:6171::2
+ NS parabox.it-syndikat.org.
+
+mailtrain MX 10 mailtrain.it-syndikat.org.
+
diff --git a/server/README b/server/README
new file mode 100644
index 0000000..68a6fb7
--- /dev/null
+++ b/server/README
@@ -0,0 +1,19 @@
+Server side setup
+-----------------
+
+As root:
+
+ $ apt-get install incron
+ $ echo > /etc/incron.allow
+ $ cp zone-admin.sshd_config /etc/ssh/sshd_config.d/zone-admin.conf
+ $ cp zone-admin.sudoers /etc/sudoers.d/zone-admin
+
+As the user:
+
+ $ sed 's/$USER//g' ./incrontab | incrontab -
+ # install knot-gpgv-import into ~/
+ $ mkdir zones/
+
+ # Paste your gpg public key + Ctrl-D
+ $ gpg --no-default-keyring --keyring $HOME/trustedkeys.kbx -a --import
+
diff --git a/server/incrontab b/server/incrontab
new file mode 100644
index 0000000..a1591e5
--- /dev/null
+++ b/server/incrontab
@@ -0,0 +1 @@
+/home/$USER/zones IN_DELETE,IN_CLOSE_WRITE,IN_MOVED_TO /home/$USER/knot-gpgv-import $@/$#
diff --git a/server/knot-gpgv-import b/server/knot-gpgv-import
new file mode 100644
index 0000000..b30c168
--- /dev/null
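Review bot: The `$USER` placeholders in the watched path and the command are not expanded by incrond (as far as I know it only substitutes its own `$@`/`$#`-style tokens), so the table must be rewritten before `incrontab -`; the install step documented in server/README, `sed 's/$USER//g' ./incrontab`, deletes the placeholder instead of substituting it, because the single quotes keep the shell from expanding `$USER` and sed's replacement is empty, yielding `/home//zones`. Something like `sed "s|[$]USER|$USER|g" ./incrontab | incrontab -` does what was intended. The same README step `echo > /etc/incron.allow` creates an empty allow list, and an existing incron.allow restricts incrontab to the users it names, so it should contain the zone-admin user rather than nothing. IN_DELETE in the mask also fires the import script for every removed file, which then exits 1 at its `[ -f "$file" ]` check; dropping it from the mask avoids that noise unless the exit codes are being logged on purpose.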
+++ b/server/knot-gpgv-import
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -eu
+
+file="$1"
+
+case "$file" in
+ # We don't control the order of the zone/sig upload so just try on both
+ *.zone) ;;
+ *.zone.sig) ;;
+
+ # Ignore everything else
+ *) exit 0 ;;
+esac
+
+[ -f "$file" ] || exit 1
+[ -f "$file".sig ] || exit 2
+gpgv --keyring $HOME/trustedkeys.kbx "$file".sig "$file" || exit 3
+cp -t /var/lib/knot "$file" || exit 4
+sudo -u knot knotc zone-reload "$(basename "${file%*.zone*}")"
diff --git a/server/zone-admin.sshd_config b/server/zone-admin.sshd_config
new file mode 100644
index 0000000..c82df8b
--- /dev/null
+++ b/server/zone-admin.sshd_config
@@ -0,0 +1,11 @@
+Match Group zone-admin
+ ChrootDirectory %h
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ AllowStreamLocalForwarding no
+ AllowAgentForwarding no
+ AcceptEnv no
+ X11Forwarding no
+ PermitTunnel no
+ PermitUserRC no
+ PasswordAuthentication no
diff --git a/server/zone-admin.sudoers b/server/zone-admin.sudoers
new file mode 100644
index 0000000..1f18c66
--- /dev/null
+++ b/server/zone-admin.sudoers
@@ -0,0 +1,2 @@
+Cmnd_Alias ZONE_RELOAD = /usr/sbin/knotc zone-reload *
+%zone-admin ALL = (knot) NOPASSWD: ZONE_RELOAD
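Review bot: The `*.zone.sig) ;;` branch of the `case` keeps the `.sig` suffix, so when the signature arrives `file` is `foo.zone.sig`, the check two lines below `esac` looks for `foo.zone.sig.sig` and exits 2; with the Makefile's upload order (zones first, then sigs) the zone event also exits 2 because its `.sig` is not there yet, so neither event reaches gpgv unless the files happen to land in the other order. Changing that branch to `*.zone.sig) file="${file%.sig}" ;;` makes both events verify the same pair. Separately, gpgv reads the zone from the upload directory and `cp -t /var/lib/knot "$file"` copies that same path afterwards, so an sftp client that can write `zones/` can swap the contents between the two steps and bypass the signature check; verifying and installing a private copy, as below, removes that window. `$HOME` is also unquoted and depends on incrond exporting it — under `set -u` an unset HOME aborts the script at the gpgv line — so it is worth confirming what environment incrond provides or spelling the keyring path out.
```sh
[ -f "$file".sig ] || exit 2
# Verify and install a private copy so the file cannot be replaced in the
# upload directory between the signature check and the copy into knot.
tmp="$(mktemp)" || exit 5
trap 'rm -f "$tmp"' EXIT
cp "$file" "$tmp" || exit 4
gpgv --keyring "$HOME/trustedkeys.kbx" "$file".sig "$tmp" || exit 3
# mktemp creates the file 0600; install gives knot a readable copy.
install -m 644 "$tmp" "/var/lib/knot/$(basename "$file")" || exit 4
# … unchanged: knotc zone-reload …
```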
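Review bot: `AcceptEnv no` does not do what the neighbouring lines suggest: AcceptEnv takes variable-name patterns, so this line accepts a client environment variable literally named `no`; sshd accepts no client variables by default, so the line can simply be dropped. `ChrootDirectory %h` also means the home directory and every path component above it must be root-owned and not group- or world-writable, which sshd enforces at login; that is the right property here, because `knot-gpgv-import` and `trustedkeys.kbx` live in that home and are executed and consulted outside the chroot, so an sftp client must not be able to replace them. Only `zones/` should be owned by the user, which implies the `mkdir zones/` step in server/README has to be done by root and chowned rather than run as the user. A short comment above the Match block stating that ownership requirement would save the next deployer the login failure.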
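Review bot: A trailing `*` in a sudoers command specification matches the whole remaining argument string, including several words, so `/usr/sbin/knotc zone-reload *` lets any member of zone-admin run knotc as the knot user with arbitrary extra arguments, not just a single zone name. Whether knotc would interpret trailing words as options is worth checking rather than assuming; the cheap fix is to enumerate the zones the import script can actually name, e.g. `Cmnd_Alias ZONE_RELOAD = /usr/sbin/knotc zone-reload it-syndikat.org, /usr/sbin/knotc zone-reload it-syndik.at`, or to point the alias at a small wrapper that validates its one argument. Note that this file grants nothing to the import step itself: the `cp` into /var/lib/knot in `knot-gpgv-import` presumably runs as the uploading user, so that directory must be writable by zone-admin, which is a wider grant than this sudoers entry and deserves a comment here so the two are reviewed together.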