-rw-r--r--Makefile84
-rwxr-xr-xbin/process53
-rw-r--r--build/keep-me1
-rw-r--r--unbound.conf.erb131
-rw-r--r--zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone2
5 files changed, 266 insertions, 5 deletions
diff --git a/Makefile b/Makefile
index 3cd43c7..3b77e2d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,15 @@
+# Our local master server.
+MASTER= hemlock.eden.le-fay.org
+MASTER_ADDR!= getaddrinfo -f inet6 -p tcp -t stream hemlock.eden.le-fay.org|awk '{ print $$4 }'
+
+# The DN42 master server.
+DN42_MASTER= fd42:4242:2601:ac53::1
+
NSDIFF= nsdiff
-NSDIFFFLAGS= -Sserial -s hemlock.eden.le-fay.org
+NSDIFFFLAGS= -Sserial -s ${MASTER}
DIFF?=
+# The zones we serve.
ZONES= le-fay.org \
le-fay.org.uk \
le-fay.dn42 \
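Review bot: The `!=` assignment on the third added line hard-codes `hemlock.eden.le-fay.org` instead of reusing the `MASTER` defined on the line above, so changing MASTER later leaves MASTER_ADDR silently pointing at the old host; `MASTER_ADDR!= getaddrinfo -f inet6 -p tcp -t stream ${MASTER} | awk 'NR == 1 { print $$4 }'` keeps the two in step and takes only the first address, where the current `awk` emits one word per line getaddrinfo returns. The lookup runs at parse time on every make invocation and its result is passed through `-Dmaster_addr` into the generated Unbound config as the `primary:` address, so if resolution fails the variable is empty and a config with a blank primary is written without any error. A parse-time guard, `.if empty(MASTER_ADDR)` followed by an `.error` naming `${MASTER}` and `.endif`, would surface that at build time instead. A short comment noting that the secondaries' trust in their primary rests on this one unauthenticated lookup would also help whoever maintains the config.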
@@ -18,13 +26,64 @@ ZONES= le-fay.org \
0/26.76.23.172.in-addr.arpa \
18.198.in-addr.arpa
+# These zones are used for DN42.
+DN42_ZONES= \
+ dn42 \
+ d.f.ip6.arpa \
+ 20.172.in-addr.arpa \
+ 21.172.in-addr.arpa \
+ 22.172.in-addr.arpa \
+ 23.172.in-addr.arpa \
+ 24.172.in-addr.arpa \
+ 25.172.in-addr.arpa \
+ 26.172.in-addr.arpa \
+ 27.172.in-addr.arpa \
+ 28.172.in-addr.arpa \
+ 29.172.in-addr.arpa \
+ 30.172.in-addr.arpa \
+ 31.172.in-addr.arpa
+
+# Our local networks.
+# TODO: Generate these from LDAP.
+LFNETWORKS= \
+ 2001:8b0:aab5::/48 \
+ 81.187.47.192/28 \
+ 81.2.96.160/28 \
+ 81.187.73.117/32 \
+ 2a00:1098:6b::/48 \
+ 2001:ba8:4015::/48 \
+ 2001:ba8:404a::/48 \
+ fd5b:a83:b06b::/48 \
+ 172.16.0.0/12 \
+ 10.0.0.0/8 \
+ 198.18.0.0/15
+
+UNBOUND_SERVERS= \
+ witch.le-fay.org \
+ turnera.le-fay.org
+
+UNBOUND_PROCESS_FLAGS= \
+ -Dconfdir=/usr/local/etc/unbound \
+ -Dmaster="${MASTER}" \
+ -Dmaster_addr="${MASTER_ADDR}" \
+ -Dlfnetworks="${LFNETWORKS}" \
+ -Dlocal_zones="${ZONES}" \
+ -Ddn42_zones="${DN42_ZONES}" \
+ -Ddn42_master="${DN42_MASTER}"
+UNBOUND_PROCESS_FLAGS.witch.le-fay.org= -Dtls=yes
+UNBOUND_PROCESS_FLAGS.turnera.le-fay.org= -Dtls=yes
+
all:
@echo "Please specify a target:"
@echo " make diff show diff between zone files and online zone"
@echo " make update-zones update online zones"
+ @echo " make unbound-update build and install Unbound configs"
+
+clean:
-.PATH: zones
-.PHONY: all update-zones
+.PATH: ${.CURDIR}/zones
+.OBJDIR: ${.CURDIR}/build
+.PHONY: all update-zones clean
.for zone in ${ZONES}
update-zones: ${zone}
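Review bot: `LFNETWORKS` lists `172.16.0.0/12`, `10.0.0.0/8` and `198.18.0.0/15`, and the template turns every entry into both `private-address:` and `access-control: <net> allow`, so recursion is granted to the whole 172.16/12 block, which contains DN42's 172.20.0.0/14. Whether that is reachable depends on the listen addresses in unbound.conf.local, but a resolver that listens on a DN42-facing address would be an open recursive resolver for every DN42 host. If only the locally used 172.16/12 prefixes are meant to be allowed, narrowing that entry, or keeping a separate list for access-control from the one used for private-address, would limit the exposure; at minimum a comment on the entry recording that the DN42 overlap is intentional would help the next reader. The `UNBOUND_PROCESS_FLAGS.witch.le-fay.org= -Dtls=yes` lines rely on `defined?(tls)` in the template, so any value, including `no`, enables TLS; a comment such as `# Presence of -Dtls, not its value, enables TLS in the template.` would prevent a surprise.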
@@ -46,4 +105,21 @@ ${zone}: ${zone:S,/,_,g}.zone
.PHONY: diff
diff:
- @${MAKE} update-zones DIFF=yes
+ @${MAKE} -C ${.CURDIR} update-zones DIFF=yes
+
+unbound-update:
+
+.for server in ${UNBOUND_SERVERS}
+update-unbound: update-unbound-${server}
+update-unbound-${server}: unbound.conf.${server}
+ @echo "updating ${server}"
+unbound.conf.${server}: unbound.conf.erb
+ ${.CURDIR}/bin/process \
+ -Dservername=${server} \
+ ${UNBOUND_PROCESS_FLAGS} \
+ ${UNBOUND_PROCESS_FLAGS.${server}} \
+ $> $@
+clean: clean-unbound-${server}
+clean-unbound-${server}:
+ rm -f ${.OBJDIR}/unbound.conf.${server}
+.endfor
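Review bot: The help text added in the previous hunk advertises `make unbound-update`, and this hunk defines an empty `unbound-update:` target, but the loop below populates `update-unbound` via `update-unbound: update-unbound-${server}`, so `make unbound-update` succeeds while doing nothing. Either the empty target should read `update-unbound:` or the loop should use `unbound-update`, and whichever name is kept belongs in the `.PHONY` list next to `update-zones`. `unbound.conf.${server}` depends only on `unbound.conf.erb`, yet its content is driven by ZONES, LFNETWORKS and the other variables set in this Makefile, so editing those will not regenerate an existing config; adding the makefile itself as a prerequisite of that rule would close the gap. The per-server `update-unbound-${server}` recipe only echoes, so the "install" promised by the help text is not implemented in this hunk; if that is intentional for now, a `# TODO: install to the server` comment would say so.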
diff --git a/bin/process b/bin/process
new file mode 100755
index 0000000..e95dbb9
--- /dev/null
+++ b/bin/process
@@ -0,0 +1,53 @@
+#! /usr/bin/env ruby
+
+require 'erb'
+require 'optparse'
+
+# Hash to store our -D variables
+template_vars = {}
+
+# Parse command line options
+OptionParser.new do |opts|
+ opts.banner = "Usage: #{$0} [options] <input> <output>"
+
+ opts.on('-DVAR=VALUE', 'Define template variable') do |definition|
+ var, value = definition.split('=', 2)
+ if var && value
+ template_vars[var] = value
+ else
+ puts "Invalid -D format: #{definition}"
+ exit 1
+ end
+ end
+
+ opts.on('-h', '--help', 'Show this help') do
+ puts opts
+ exit
+ end
+end.parse!
+
+# Check we have the right number of remaining args
+if ARGV.length != 2
+ puts "Usage: #{$0} [options] <input> <output>"
+ puts "Use -h for help"
+ exit 1
+end
+
+input_file = ARGV[0]
+output_file = ARGV[1]
+
+# Read the template
+template = File.read(input_file)
+
+# Create a binding with our variables
+binding_context = binding
+template_vars.each do |var, value|
+ binding_context.local_variable_set(var.to_sym, value)
+end
+
+# Process with ERB
+erb = ERB.new(template)
+result = erb.result(binding_context)
+
+# Write output
+File.write(output_file, result)
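Review bot: `local_variable_set(var.to_sym, value)` near the end accepts whatever name arrived via `-D`, but Ruby only allows local-variable names of the form `[a-z_][A-Za-z0-9_]*`, so a definition such as `-DMaster=x` passes the `var && value` check in the option handler and then fails with a raw NameError backtrace instead of a usage message; adding `var.match?(/\A[a-z_]\w*\z/)` to that condition would report it cleanly. The usage and error messages are written with `puts`, so they go to stdout rather than stderr; `$stderr.puts` keeps them out of any captured output when the script is driven from make. The usage string is also duplicated between `opts.banner` and the argument-count check, and could be emitted once from the parser object.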
diff --git a/build/keep-me b/build/keep-me
new file mode 100644
index 0000000..d5e56b9
--- /dev/null
+++ b/build/keep-me
@@ -0,0 +1 @@
+Keep this normally empty directory, make(1) requires it.
diff --git a/unbound.conf.erb b/unbound.conf.erb
new file mode 100644
index 0000000..5c4ae46
--- /dev/null
+++ b/unbound.conf.erb
@@ -0,0 +1,131 @@
+<%# vim:set noet ts=8 sw=8 sts=8:
+
+# Standard unbound.conf for a resolver.
+
+%>
+
+server:
+ module-config: "validator iterator"
+
+ identity: <%= servername %>
+ hide-identity: no
+ hide-version: no
+ hide-http-user-agent: yes
+
+ auto-trust-anchor-file: "<%= confdir %>/secondary/root.key"
+
+ # The local config file configures listen addresses.
+ include: "<%= confdir %>/unbound.conf.local"
+
+ tls-upstream: no
+ pad-responses: yes
+<%# quic-port: 853 %>
+
+ # Networks that shouldn't be found in public zones.
+ private-address: 169.254.0.0/16
+ private-address: fe80::/10
+ private-address: ::ffff:0:0/96
+ private-address: 64:ff9b::/96
+
+ # General tuning.
+ prefer-ip6: yes
+ rrset-cache-size: 128m
+ unwanted-reply-threshold: 10000
+ minimal-responses: yes
+
+ # Make Unbound be more lenient when resolving long CNAME chains.
+ max-query-restarts: 15
+ max-global-quota: 256
+
+ # Prefetch expiring records, and serve expired records if needed.
+ prefetch: yes
+ prefetch-key: yes
+
+ serve-expired: yes
+ serve-expired-ttl: 30
+ serve-expired-ttl-reset: yes
+ serve-expired-reply-ttl: 30
+ serve-expired-client-timeout: 1800
+ ede: yes
+ ede-serve-expired: yes
+
+<% if defined?(tls) %>
+ tls-service-key: "<%= confdir %>/tls/key.pem"
+ tls-service-pem: "<%= confdir %>/tls/cert.pem"
+
+ tls-use-sni: yes
+ tls-port: 853
+ https-port: 443
+<% end %>
+
+<% if defined?(nat64_prefix) %>
+ do-nat64: yes
+ nat64-prefix: <%= nat64_prefix %>
+<% end %>
+
+<% lfnetworks.split.each do |network| %>
+ private-address: <%= network %>
+ access-control: <%= network %> allow
+<% end %>
+
+ private-domain: sikol.co.uk
+
+# Local zones that we want to serve. Mark these as both private and insecure
+# otherwise the validator will still try to validate them and (possibly) fail.
+<% local_zones.split.each do |zone| %>
+ private-domain: <%= zone %>
+ domain-insecure: <%= zone %>
+<% end %>
+
+# DN42 zones. These don't need to be private, but should be insecure for now.
+# Ideally we'd have a way to validate these properly.
+<% dn42_zones.split.each do |zone| %>
+ local-zone: <%= zone %>. nodefault
+ domain-insecure: <%= zone %>.
+<% end %>
+
+remote-control:
+ control-enable: yes
+ control-interface: ::1
+
+ control-port: 8954
+
+ server-key-file: "<%= confdir %>/unbound_server.key"
+ server-cert-file: "<%= confdir %>/unbound_server.pem"
+ control-key-file: "<%= confdir %>/unbound_control.key"
+ control-cert-file: "<%= confdir %>/unbound_control.pem"
+
+# SiKol zones
+auth-zone:
+ name: "lethe.sikol.co.uk"
+ primary: <%= master_addr %> # <%= master %>
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+ zonefile: /usr/local/etc/unbound/secondary/lethe.sikol.co.uk
+
+auth-zone:
+ name: "_msdcs.lethe.sikol.co.uk"
+ primary: <%= master_addr %> # <%= master %>
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+ zonefile: /usr/local/etc/unbound/secondary/_msdcs.lethe.sikol.co.uk
+
+# Forward DNS zones
+<% local_zones.split.each do |zone| %>
+auth-zone:
+ name: <%= zone %>
+ primary: <%= master_addr %> # <%= master %>
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+ zonefile: <%= confdir %>/secondary/<%= zone.gsub('/', '_') %>
+<% end %>
+
+# DN42 zones
+<% dn42_zones.split.each do |zone| %>
+stub-zone:
+ name: <%= zone %>.
+ stub-addr: <%= dn42_master %>
+<% end %>
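Review bot: The DN42 zones are emitted with `local-zone: … nodefault` and `domain-insecure:` but no `private-domain:`, while `private-address: 172.16.0.0/12` is active through `lfnetworks`; if I read Unbound's private-address handling correctly, records under `dn42` that point into 172.20.0.0/14 would then be scrubbed from answers, so the comment "These don't need to be private" may not hold and `private-domain: <%= zone %>.` inside the dn42_zones loop would be the fix. The two SiKol `auth-zone` blocks hard-code `zonefile: /usr/local/etc/unbound/secondary/…` while the generated zones use `<%= confdir %>/secondary/…`, so a different `-Dconfdir` would split the two sets. `primary: <%= master_addr %>` is emitted unconditionally, so an empty master_addr yields a broken `primary:` line in every auth-zone; a guard at the top of the template such as `<% raise "master_addr is empty" if master_addr.to_s.empty? %>` fails the build rather than producing a config that cannot load.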
diff --git a/zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone b/zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone
index 7d9718c..2442ed3 100644
--- a/zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone
+++ b/zones/5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa.zone
@@ -26,7 +26,7 @@ e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0 PTR willow.eden.le-fay.org.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.3 PTR te1.core-1.inet.eden.le-fay.org.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.3 PTR ix0-3004.willow.eden.le-fay.org.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR vlan401.core-1.inet.eden.le-fay.org.
-3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR witch.eden.le-fay.org.
+3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR witch.le-fay.org.
4.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR turnera.eden.le-fay.org.
5.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR hemlock.eden.le-fay.org.
6.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.4.c PTR freebsd15.eden.le-fay.org.