| author | Lexi Winter <lexi@le-fay.org> | 2025-06-07 11:19:02 +0100 |
|---|---|---|
| committer | Lexi Winter <lexi@le-fay.org> | 2025-06-07 11:19:02 +0100 |
| commit | 252adda53c507abbbe5d8e9f125fc174e84a2c02 (patch) | |
| tree | 4ce803266a34239c4fc48d3e0101eae6c4f1dbb3 | |
| parent | 199c42f56eda6416d7094ce987124049ae3d8fde (diff) | |
support generating the Unbound config
| -rw-r--r-- | Makefile | 84 | ||||
| -rwxr-xr-x | bin/process | 53 | ||||
| -rw-r--r-- | build/keep-me | 1 | ||||
| -rw-r--r-- | unbound.conf.erb | 131 | ||||
| -rw-r--r-- | zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone | 2 |
5 files changed, 266 insertions, 5 deletions
@@ -1,7 +1,15 @@
+# Our local master server.
+MASTER= hemlock.eden.le-fay.org
+MASTER_ADDR!= getaddrinfo -f inet6 -p tcp -t stream hemlock.eden.le-fay.org|awk '{ print $$4 }'
+
+# The DN42 master server.
+DN42_MASTER= fd42:4242:2601:ac53::1
+
 NSDIFF= nsdiff
-NSDIFFFLAGS= -Sserial -s hemlock.eden.le-fay.org
+NSDIFFFLAGS= -Sserial -s ${MASTER}
 DIFF?=
+# The zones we serve.
 ZONES= le-fay.org \
 le-fay.org.uk \
 le-fay.dn42 \
@@ -18,13 +26,64 @@ ZONES= le-fay.org \
 0/26.76.23.172.in-addr.arpa \
 18.198.in-addr.arpa
+# These zones are used for DN42.
+DN42_ZONES= \
+ dn42 \
+ d.f.ip6.arpa \
+ 20.172.in-addr.arpa \
+ 21.172.in-addr.arpa \
+ 22.172.in-addr.arpa \
+ 23.172.in-addr.arpa \
+ 24.172.in-addr.arpa \
+ 25.172.in-addr.arpa \
+ 26.172.in-addr.arpa \
+ 27.172.in-addr.arpa \
+ 28.172.in-addr.arpa \
+ 29.172.in-addr.arpa \
+ 30.172.in-addr.arpa \
+ 31.172.in-addr.arpa
+
+# Our local networks.
+# TODO: Generate these from LDAP.
+LFNETWORKS= \
+ 2001:8b0:aab5::/48 \
+ 81.187.47.192/28 \
+ 81.2.96.160/28 \
+ 81.187.73.117/32 \
+ 2a00:1098:6b::/48 \
+ 2001:ba8:4015::/48 \
+ 2001:ba8:404a::/48 \
+ fd5b:a83:b06b::/48 \
+ 172.16.0.0/12 \
+ 10.0.0.0/8 \
+ 198.18.0.0/15
+
+UNBOUND_SERVERS= \
+ witch.le-fay.org \
+ turnera.le-fay.org
+
+UNBOUND_PROCESS_FLAGS= \
+ -Dconfdir=/usr/local/etc/unbound \
+ -Dmaster="${MASTER}" \
+ -Dmaster_addr="${MASTER_ADDR}" \
+ -Dlfnetworks="${LFNETWORKS}" \
+ -Dlocal_zones="${ZONES}" \
+ -Ddn42_zones="${DN42_ZONES}" \
+ -Ddn42_master="${DN42_MASTER}"
+UNBOUND_PROCESS_FLAGS.witch.le-fay.org= -Dtls=yes
+UNBOUND_PROCESS_FLAGS.turnera.le-fay.org= -Dtls=yes
+
 all:
 @echo "Please specify a target:"
 @echo " make diff show diff between zone files and online zone"
 @echo " make update-zones update online zones"
+ @echo " make unbound-update build and install Unbound configs"
+
+clean:
-.PATH: zones
-.PHONY: all update-zones
+.PATH: ${.CURDIR}/zones
+.OBJDIR: ${.CURDIR}/build
+.PHONY: all update-zones clean
 .for zone in ${ZONES}
 update-zones: ${zone}
@@ -46,4 +105,21 @@ ${zone}: ${zone:S,/,_,g}.zone
 .PHONY: diff
 diff:
- @${MAKE} update-zones DIFF=yes
+ @${MAKE} -C ${.CURDIR} update-zones DIFF=yes
+
+unbound-update:
+
+.for server in ${UNBOUND_SERVERS}
+update-unbound: update-unbound-${server}
+update-unbound-${server}: unbound.conf.${server}
+ @echo "updating ${server}"
+unbound.conf.${server}: unbound.conf.erb
+ ${.CURDIR}/bin/process \
+ -Dservername=${server} \
+ ${UNBOUND_PROCESS_FLAGS} \
+ ${UNBOUND_PROCESS_FLAGS.${server}} \
+ $> $@
+clean: clean-unbound-${server}
+clean-unbound-${server}:
+ rm -f ${.OBJDIR}/unbound.conf.${server}
+.endfor
diff --git a/bin/process b/bin/process
new file mode 100755
index 0000000..e95dbb9
--- /dev/null
+++ b/bin/process
@@ -0,0 +1,53 @@
+#! /usr/bin/env ruby
+
+require 'erb'
+require 'optparse'
+
+# Hash to store our -D variables
+template_vars = {}
+
+# Parse command line options
+OptionParser.new do |opts|
+ opts.banner = "Usage: #{$0} [options] <input> <output>"
+
+ opts.on('-DVAR=VALUE', 'Define template variable') do |definition|
+ var, value = definition.split('=', 2)
+ if var && value
+ template_vars[var] = value
+ else
+ puts "Invalid -D format: #{definition}"
+ exit 1
+ end
+ end
+
+ opts.on('-h', '--help', 'Show this help') do
+ puts opts
+ exit
+ end
+end.parse!
+
+# Check we have the right number of remaining args
+if ARGV.length != 2
+ puts "Usage: #{$0} [options] <input> <output>"
+ puts "Use -h for help"
+ exit 1
+end
+
+input_file = ARGV[0]
+output_file = ARGV[1]
+
+# Read the template
+template = File.read(input_file)
+
+# Create a binding with our variables
+binding_context = binding
+template_vars.each do |var, value|
+ binding_context.local_variable_set(var.to_sym, value)
+end
+
+# Process with ERB
+erb = ERB.new(template)
+result = erb.result(binding_context)
+
+# Write output
+File.write(output_file, result)
diff --git a/build/keep-me b/build/keep-me
new file mode 100644
index 0000000..d5e56b9
--- /dev/null
+++ b/build/keep-me
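Review bot: The help text added to `all:` in the earlier hunk advertises `make unbound-update`, but in this hunk `unbound-update:` is declared with no prerequisites or recipe while the per-server work hangs off `update-unbound: update-unbound-${server}` inside the `.for` loop, so the advertised target silently does nothing. Either drop the empty `unbound-update:` and change the help line to `make update-unbound`, or point the advertised name at the real one with `unbound-update: update-unbound`. Neither `update-unbound` nor the `clean-unbound-${server}` targets are listed in `.PHONY`, so a file of that name under `${.OBJDIR}` would stop them running; extend the `.PHONY:` line added in the earlier hunk or add `.PHONY: update-unbound update-unbound-${server} clean-unbound-${server}` inside the loop. The help line also says "build and install", but `update-unbound-${server}` only echoes; if installation is still to come, a TODO comment on that recipe would make that explicit.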
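Review bot: `binding_context = binding` hands the template this script's own top-level scope, so every `-D` name is set with `local_variable_set` alongside `template_vars`, `input_file`, `output_file` and `template`; a definition such as `-Dtemplate=...` appears to overwrite the `template` local read just above, and that is then what `ERB.new(template)` renders. Names that are not valid Ruby locals (`-D=x`, `-Dfoo-bar=1`) pass the `var && value` check and then raise `NameError` from `local_variable_set` instead of producing the usage message. Taking the binding from an otherwise empty method keeps the template's namespace separate from the script's, and a name check turns the crash into the same error path as a malformed `-D`; `defined?(tls)` in the template should still see locals added to that binding, though that is worth confirming once against the rendered output. The error messages are printed with `puts` to stdout; `warn` would keep them off stdout and out of any pipeline.
```ruby
# … unchanged: option parsing, argument check, File.read of the template …

# Give the template its own scope: a binding taken inside an otherwise
# empty method carries none of this script's locals.
def template_binding
  binding
end

binding_context = template_binding
template_vars.each do |var, value|
  unless var.match?(/\A[a-z_][a-zA-Z0-9_]*\z/)
    warn "Invalid template variable name: #{var}"
    exit 1
  end
  binding_context.local_variable_set(var.to_sym, value)
end

# … unchanged: ERB.new(template).result(binding_context) and File.write …
```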
@@ -0,0 +1 @@
+Keep this normally empty directory, make(1) requires it.
diff --git a/unbound.conf.erb b/unbound.conf.erb
new file mode 100644
index 0000000..5c4ae46
--- /dev/null
+++ b/unbound.conf.erb
@@ -0,0 +1,131 @@
+<%# vim:set noet ts=8 sw=8 sts=8:
+
+# Standard unbound.conf for a resolver.
+
+%>
+
+server:
+ module-config: "validator iterator"
+
+ identity: <%= servername %>
+ hide-identity: no
+ hide-version: no
+ hide-http-user-agent: yes
+
+ auto-trust-anchor-file: "<%= confdir %>/secondary/root.key"
+
+ # The local config file configures listen addresses.
+ include: "<%= confdir %>/unbound.conf.local"
+
+ tls-upstream: no
+ pad-responses: yes
+<%# quic-port: 853 %>
+
+ # Networks that shouldn't be found in public zones.
+ private-address: 169.254.0.0/16
+ private-address: fe80::/10
+ private-address: ::ffff:0:0/96
+ private-address: 64:ff9b::/96
+
+ # General tuning.
+ prefer-ip6: yes
+ rrset-cache-size: 128m
+ unwanted-reply-threshold: 10000
+ minimal-responses: yes
+
+ # Make Unbound be more lenient when resolving long CNAME chains.
+ max-query-restarts: 15
+ max-global-quota: 256
+
+ # Prefetch expiring records, and serve expired records if needed.
+ prefetch: yes
+ prefetch-key: yes
+
+ serve-expired: yes
+ serve-expired-ttl: 30
+ serve-expired-ttl-reset: yes
+ serve-expired-reply-ttl: 30
+ serve-expired-client-timeout: 1800
+ ede: yes
+ ede-serve-expired: yes
+
+<% if defined?(tls) %>
+ tls-service-key: "<%= confdir %>/tls/key.pem"
+ tls-service-pem: "<%= confdir %>/tls/cert.pem"
+
+ tls-use-sni: yes
+ tls-port: 853
+ https-port: 443
+<% end %>
+
+<% if defined?(nat64_prefix) %>
+ do-nat64: yes
+ nat64-prefix: <%= nat64_prefix %>
+<% end %>
+
+<% lfnetworks.split.each do |network| %>
+ private-address: <%= network %>
+ access-control: <%= network %> allow
+<% end %>
+
+ private-domain: sikol.co.uk
+
+# Local zones that we want to serve. Mark these as both private and insecure
+# otherwise the validator will still try to validate them and (possibly) fail.
+<% local_zones.split.each do |zone| %>
+ private-domain: <%= zone %>
+ domain-insecure: <%= zone %>
+<% end %>
+
+# DN42 zones. These don't need to be private, but should be insecure for now.
+# Ideally we'd have a way to validate these properly.
+<% dn42_zones.split.each do |zone| %>
+ local-zone: <%= zone %>. nodefault
+ domain-insecure: <%= zone %>.
+<% end %>
+
+remote-control:
+ control-enable: yes
+ control-interface: ::1
+
+ control-port: 8954
+
+ server-key-file: "<%= confdir %>/unbound_server.key"
+ server-cert-file: "<%= confdir %>/unbound_server.pem"
+ control-key-file: "<%= confdir %>/unbound_control.key"
+ control-cert-file: "<%= confdir %>/unbound_control.pem"
+
+# SiKol zones
+auth-zone:
+ name: "lethe.sikol.co.uk"
+ primary: <%= master_addr %> # <%= master %>
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+ zonefile: /usr/local/etc/unbound/secondary/lethe.sikol.co.uk
+
+auth-zone:
+ name: "_msdcs.lethe.sikol.co.uk"
+ primary: <%= master_addr %> # <%= master %>
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+ zonefile: /usr/local/etc/unbound/secondary/_msdcs.lethe.sikol.co.uk
+
+# Forward DNS zones
+<% local_zones.split.each do |zone| %>
+auth-zone:
+ name: <%= zone %>
+ primary: <%= master_addr %> # <%= master %>
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+ zonefile: <%= confdir %>/secondary/<%= zone.gsub('/', '_') %>
+<% end %>
+
+# DN42 zones
+<% dn42_zones.split.each do |zone| %>
+stub-zone:
+ name: <%= zone %>.
+ stub-addr: <%= dn42_master %>
+<% end %>
diff --git a/zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone b/zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone
index 7d9718c..2442ed3 100644
--- a/zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone
+++ b/zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone
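Review bot: The two hand-written `auth-zone:` blocks for `lethe.sikol.co.uk` and `_msdcs.lethe.sikol.co.uk` hard-code `zonefile: /usr/local/etc/unbound/secondary/...`, while every other path in the template, including the generated `auth-zone:` entries for `local_zones`, is built from `<%= confdir %>`; if `-Dconfdir` is ever changed in the Makefile, those two secondaries end up outside the configured directory. Changing them to `zonefile: <%= confdir %>/secondary/lethe.sikol.co.uk` and `zonefile: <%= confdir %>/secondary/_msdcs.lethe.sikol.co.uk` keeps a single source of truth. The generated entries emit `name: <%= zone %>` unquoted while the hand-written ones quote the name; quoting inside the loop too would keep the output uniform. `hide-identity: no` and `hide-version: no` expose the resolver's software version to any client that asks; if that is intended, a one-line comment next to them saying so would stop a later reader from "fixing" it.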
@@ -26,7 +26,7 @@ e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0 PTR willow.eden.le-fay.org.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.3 PTR te1.core-1.inet.eden.le-fay.org.
 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.3 PTR ix0-3004.willow.eden.le-fay.org.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR vlan401.core-1.inet.eden.le-fay.org.
-3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR witch.eden.le-fay.org.
+3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR witch.le-fay.org.
 4.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR turnera.eden.le-fay.org.
 5.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR hemlock.eden.le-fay.org.
 6.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR freebsd15.eden.le-fay.org. |
