| -rw-r--r-- | Makefile | 135 | ||||
| -rw-r--r-- | Makefile.inc.knot | 34 | ||||
| -rw-r--r-- | Makefile.inc.unbound | 34 | ||||
| -rw-r--r-- | Makefile.inc.zones | 53 | ||||
| -rwxr-xr-x | bin/process | 2 | ||||
| -rw-r--r-- | knot.conf.erb | 80 | ||||
| -rw-r--r-- | unbound.conf.erb | 6 |
7 files changed, 267 insertions, 77 deletions
@@ -1,8 +1,14 @@ +# This source code is released into the public domain. +# +# Primary makefile for DNS management. + + ### Our local master server. MASTER= hemlock.eden.le-fay.org MASTER_ADDR!= getaddrinfo -f inet6 -p tcp -t stream ${MASTER} \ | awk '{ print $$4 }' + ### Default SOA values. # Serial is always 1; nsdiff handles this magically. SOA_MNAME= ${MASTER}. @@ -19,14 +25,10 @@ NAMESERVERS= ns1.le-fay.org \ ns2.le-fay.org \ ns3.le-fay.org + ### The DN42 master server. DN42_MASTER= fd42:4242:2601:ac53::1 -NSUPDATE?= nsupdate -NSUPDATE_FLAGS?=-g -NSDIFF?= nsdiff -NSDIFFFLAGS?= -Sserial -s ${MASTER} -DIFF?= # The zones we serve. ZONES= le-fay.org \ @@ -45,6 +47,7 @@ ZONES= le-fay.org \ 0/26.76.23.172.in-addr.arpa \ 18.198.in-addr.arpa + # Template variables for primary zones. ZONE_PROCESS_FLAGS= \ -Dttl=${TTL} \ @@ -92,9 +95,13 @@ LFNETWORKS= \ # All servers which run Unbound. UNBOUND_SERVERS= \ - witch.le-fay.org \ - turnera.le-fay.org \ hemlock.eden.le-fay.org +# witch.le-fay.org \ +# turnera.le-fay.org \ +# hemlock.eden.le-fay.org + +UNBOUND_CONF_DIR=/usr/local/etc/unbound +UNBOUND_CONF_FILE=${UNBOUND_CONF_DIR}/unbound.conf # Forwarder addresses for Unbound forwarders. UNBOUND_FORWARDERS= \ 
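Review bot: The three commented-out entries placed after `UNBOUND_SERVERS` (`# witch.le-fay.org \` through `# hemlock.eden.le-fay.org`) are dead configuration: a comment line ending in a backslash continues onto the next line, so they form one comment that make never reads. Dropping them, or keeping the full host list in a separately named variable, says more clearly which hosts are still managed here. The `UNBOUND_PROCESS_FLAGS.witch…`/`.turnera…` lines kept as context in the next hunk now have no matching server, which suggests the removal is temporary; if so, a one-line comment on why `hemlock.eden.le-fay.org` is the only Unbound host would help the next reader.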
@@ -113,79 +120,63 @@ UNBOUND_PROCESS_FLAGS.hemlock.eden.le-fay.org= -Dforwarder=yes UNBOUND_PROCESS_FLAGS.witch.le-fay.org= -Dtls=yes UNBOUND_PROCESS_FLAGS.turnera.le-fay.org= -Dtls=yes +####################################################################### +# Knot configuration for primary servers. +# + +KNOT_CONF_DIR=/usr/local/etc/knot +KNOT_CONF_FILE=${KNOT_CONF_DIR}/knot.conf + +# Global options. +KNOT_SERVERS?= \ + yarrow.le-fay.org \ + amaranth.le-fay.org \ + fuchsia.eden.le-fay.org + +KNOT_PROCESS_FLAGS= \ + -Dmaster=${MASTER} \ + -Dmaster_addr=${MASTER_ADDR} \ + -Dzones="${ZONES}" + +# Server-specific options. +KNOT_LISTEN.yarrow.le-fay.org= \ + 2a00:1098:6b:100::2@53 \ + 176.126.243.79@53 + +KNOT_LISTEN.amaranth.le-fay.org= \ + 2001:ba8:4015:100::2@53 \ + 185.73.44.74@53 + +KNOT_LISTEN.fuchsia.eden.le-fay.org= \ + 2001:8b0:aab5:4::9@53 \ + 81.187.47.195@53 \ + fd5b:a83:b06b:4::9@53 \ + fd5b:a83:b06b:600::5@53 + +####################################################################### # The default target doesn't do anything. +# + all: @echo "Please specify a target:" @echo " make diff show diff between zone files and online zone" @echo " make update-zones update online zones" - @echo " make unbound-update build and install Unbound configs" + @echo " make unbound build and install Unbound configs" + @echo " make knot build and install Knot configs" +.PHONY: all -# Define the clean target to do nothing; we add dependencies to this below. +# Individual targets add dependencies to clean. clean: +.PHONY: clean + +.include "Makefile.inc.knot" +.include "Makefile.inc.unbound" +.include "Makefile.inc.zones" + # File paths. -ZONEDIR=${.CURDIR}/zones .PATH: ${ZONEDIR} .OBJDIR: ${.CURDIR}/build -.SUFFIXES: .zone.erb .czone -.PHONY: all update-zones clean - -### Define targets for primary zones. - -.for zone in ${ZONES} -# Update this zone when running update-zones. -update-zones: ${zone} - -# The zone itself is not a real file. 
-.PHONY: ${zone} - -# How to build a processed zone from an ERB zonefile. -${zone:S,/,_,g}.czone: Makefile ${zone:S,/,_,g}.zone.erb - ${.CURDIR}/bin/process \ - -Dzone=${zone} \ - ${ZONE_PROCESS_FLAGS} \ - ${ZONEDIR}/${zone:S,/,_,g}.zone.erb $@ - -# Take the built .czone file and send it to nsdiff. -# If DIFF is set, just print the diff instead of sending it to nsupdate. -${zone}: ${zone:S,/,_,g}.czone -.if ${DIFF} != "" - @if ! ${NSDIFF} ${NSDIFFFLAGS} ${zone} ${.ALLSRC} >/dev/null 2>&1; then \ - tmpfile="$$(mktemp dns.XXXXXX)"; \ - ${NSDIFF} ${NSDIFFFLAGS} ${zone} ${.ALLSRC} || true; \ - rm "$$tmpfile"; \ - fi -.else - ${NSDIFF} ${NSDIFFFLAGS} ${zone} $> | ${NSUPDATE} ${NSUPDATE_FLAGS} -.endif - -# Delete the czone for this zone when cleaning. -clean-zone-${zone}: - rm -f ${zone:S,/,_,g}.czone -clean: clean-zone-${zone} -.endfor - -# For easy of use, 'make diff' runs update-zone with DIFF set. -.PHONY: diff - -diff: - @${MAKE} -C ${.CURDIR} DIFF=yes update-zones - -### Unbound configuration files. - -unbound-update: - -.for server in ${UNBOUND_SERVERS} -update-unbound: update-unbound-${server} -update-unbound-${server}: unbound.conf.${server} - @echo "updating ${server}" -unbound.conf.${server}: unbound.conf.erb - ${.CURDIR}/bin/process \ - -Dservername=${server} \ - ${UNBOUND_PROCESS_FLAGS} \ - ${UNBOUND_PROCESS_FLAGS.${server}} \ - $> $@ -clean: clean-unbound-${server} -clean-unbound-${server}: - rm -f ${.OBJDIR}/unbound.conf.${server} -.endfor + +BINDIR= ${.CURDIR}/bin +PROCESS= ${BINDIR}/process diff --git a/Makefile.inc.knot b/Makefile.inc.knot new file mode 100644 index 0000000..c57ffa4 --- /dev/null +++ b/Makefile.inc.knot 
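Review bot: `KNOT_PROCESS_FLAGS` passes `-Dmaster_addr=${MASTER_ADDR}` unquoted and unchecked, while `MASTER_ADDR` comes from the `getaddrinfo … | awk` shell assignment at the top of the file; if that lookup fails or prints nothing, every secondary is rendered a knot.conf whose `remote: master` has an empty `address:`, and the neighbouring `-Dzones="${ZONES}"` shows the quoting the flag should use. A parse-time guard next to the definition, `.if empty(MASTER_ADDR)` / `.error "could not resolve ${MASTER}"` / `.endif`, fails the build instead of shipping a broken config and restarting Knot on three hosts. Quoting it as `-Dmaster_addr="${MASTER_ADDR}"` also keeps a multi-line getaddrinfo result from splitting into separate arguments. The hunk begins part-way through the `UNBOUND_PROCESS_FLAGS.*` definitions; the rest of the Makefile is outside it.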
@@ -0,0 +1,34 @@
+# This source code is released into the public domain.
+#
+# Make targets for Knot.
+
+.PHONY: knot
+
+knot:
+
+.for server in ${KNOT_SERVERS}
+
+knot.conf.${server}: knot.conf.erb
+ ${.CURDIR}/bin/process \
+ ${KNOT_PROCESS_FLAGS} \
+ -Dlisten="${KNOT_LISTEN.${server}}" \
+ ${KNOT_PROCESS_FLAGS.${server}} \
+ $> $@
+
+knot: knot-${server}
+knot-${server}: knot.conf.${server}
+ @echo ""
+ @echo "===> updating ${server}"
+ @echo ""
+ scp -q $> root@${server}:${KNOT_CONF_DIR}
+ ssh root@${server} service knot restart
+
+.PHONY: update-knot-${server}
+
+clean: clean-knot-${server}
+clean-knot-${server}:
+ rm -f ${.OBJDIR}/knot.conf.${server}
+.PHONY: clean-knot-${server}
+
+.endfor
+
diff --git a/Makefile.inc.unbound b/Makefile.inc.unbound
new file mode 100644
index 0000000..7437149
--- /dev/null
+++ b/Makefile.inc.unbound
@@ -0,0 +1,34 @@
+# This source code is released into the public domain.
+
+### Unbound configuration files.
+
+unbound:
+.PHONY: unbound
+
+.for server in ${UNBOUND_SERVERS}
+
+unbound.conf.${server}: unbound.conf.erb
+ ${.CURDIR}/bin/process \
+ -Dservername=${server} \
+ ${UNBOUND_PROCESS_FLAGS} \
+ ${UNBOUND_PROCESS_FLAGS.${server}} \
+ $> $@
+
+unbound: unbound-${server}
+unbound-${server}: unbound.conf.${server}
+ @echo "updating ${server}"
+ @echo ""
+ @echo "===> updating ${server}"
+ @echo ""
+ scp -q $> root@${server}:${UNBOUND_CONF_FILE}
+ ssh root@${server} service unbound restart
+
+.PHONY: unbound-${server}
+
+clean: clean-unbound-${server}
+clean-unbound-${server}:
+ rm -f ${.OBJDIR}/unbound.conf.${server}
+.PHONY: clean-unbound-${server}
+
+.endfor
+
diff --git a/Makefile.inc.zones b/Makefile.inc.zones
new file mode 100644
index 0000000..fdcbfcd
--- /dev/null
+++ b/Makefile.inc.zones
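Review bot: `scp -q $> root@${server}:${KNOT_CONF_DIR}` copies `knot.conf.${server}` into the directory under its build name, so `${KNOT_CONF_FILE}` (defined for exactly this purpose in the Makefile) is never replaced and `service knot restart` restarts Knot on the old configuration; the sibling Unbound rule targets `${UNBOUND_CONF_FILE}` and this one should do the same. Neither rule validates the rendered file before restarting, so a template error takes the server down: copying to `${KNOT_CONF_FILE}.new` and running `ssh root@${server} "knotc -c ${KNOT_CONF_FILE}.new conf-check && mv ${KNOT_CONF_FILE}.new ${KNOT_CONF_FILE} && service knot restart"` keeps a bad render from becoming an outage, and `unbound-checkconf ${UNBOUND_CONF_FILE}.new` plays the same role in the Unbound hunk below. Separately, `.PHONY: update-knot-${server}` names a target that does not exist; the target defined here is `knot-${server}`, so it should read `.PHONY: knot-${server}`.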
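Review bot: The recipe for `unbound-${server}` prints `@echo "updating ${server}"` and then the `===> updating ${server}` banner for the same host; the first line looks like a leftover from the `update-unbound-${server}` rule this replaces and should go. Since `UNBOUND_SERVERS` is reduced to a single host in the Makefile, a short comment on `unbound:` saying that the loop currently yields one target would stop readers expecting the other resolvers to be updated by this file.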
@@ -0,0 +1,53 @@
+# This source code is released into the public domain.
+
+DIFF?=
+ZONEDIR= ${.CURDIR}/zones
+NSUPDATE?= nsupdate
+NSUPDATE_FLAGS?=-g
+NSDIFF?= nsdiff
+NSDIFFFLAGS?= -Sserial -s ${MASTER}
+
+.SUFFIXES: .zone.erb .czone
+
+update-zones:
+.PHONY: update-zones
+
+.for zone in ${ZONES}
+
+# Update this zone when running update-zones.
+update-zones: ${zone}
+
+# How to build a processed zone from an ERB zonefile.
+${zone:S,/,_,g}.czone: Makefile ${zone:S,/,_,g}.zone.erb
+ ${PROCESS} \
+ -Dzone=${zone} \
+ ${ZONE_PROCESS_FLAGS} \
+ ${ZONEDIR}/${zone:S,/,_,g}.zone.erb $@
+
+# Take the built .czone file and send it to nsdiff.
+# If DIFF is set, just print the diff instead of sending it to nsupdate.
+${zone}: ${zone:S,/,_,g}.czone
+.if ${DIFF} != ""
+ @if ! ${NSDIFF} ${NSDIFFFLAGS} ${zone} ${.ALLSRC} >/dev/null 2>&1; then \
+ tmpfile="$$(mktemp dns.XXXXXX)"; \
+ ${NSDIFF} ${NSDIFFFLAGS} ${zone} ${.ALLSRC} || true; \
+ rm "$$tmpfile"; \
+ fi
+.else
+ ${NSDIFF} ${NSDIFFFLAGS} ${zone} $> | ${NSUPDATE} ${NSUPDATE_FLAGS}
+.endif
+
+.PHONY: ${zone}
+
+# Delete the czone for this zone when cleaning.
+clean-zone-${zone}:
+ rm -f ${zone:S,/,_,g}.czone
+.PHONY: Clean-zone-${zone}
+clean: clean-zone-${zone}
+.endfor
+
+# For easy of use, 'make diff' runs update-zone with DIFF set.
+diff:
+ @${MAKE} -C ${.CURDIR} DIFF=yes update-zones
+.PHONY: diff
+
diff --git a/bin/process b/bin/process
index 4effb17..91456b4 100755
--- a/bin/process
+++ b/bin/process
@@ -88,7 +88,7 @@ template_vars.each do |var, value| end # Process with ERB
-erb = ERB.new(template)
+erb = ERB.new(template, trim_mode: '-')
 result = erb.result(binding_context) # Write output
diff --git a/knot.conf.erb b/knot.conf.erb
new file mode 100644
index 0000000..6ff719b
--- /dev/null
+++ b/knot.conf.erb
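Review bot: `.PHONY: Clean-zone-${zone}` has a capital C, so it declares a target that is never defined and leaves the real `clean-zone-${zone}` non-phony; it should read `.PHONY: clean-zone-${zone}`. In the `DIFF` branch, `tmpfile="$$(mktemp dns.XXXXXX)"` creates a file in the working directory that nothing writes to before `rm "$$tmpfile"` deletes it, so the two lines can be dropped (or the diff written into it, if that was the intent). The comment above `diff:` would also read better as `# For ease of use, 'make diff' runs update-zones with DIFF set.`, since the target it invokes is `update-zones`.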
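Review bot: `ERB.new(template, trim_mode: '-')` uses the keyword form of the constructor, which is accepted from Ruby 2.6 on; an older interpreter would most likely treat the hash as the positional safe_level argument and fail before any template is rendered. If the script must keep working on older Rubies the call needs a version branch; otherwise a one-line comment at the call, `# trim_mode: keyword requires Ruby >= 2.6`, records the requirement for whoever next bumps the toolchain. The rest of the script is outside the hunk.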
@@ -0,0 +1,80 @@
+<%# vim:set noet ts=2 sw=2 sts=2:
+ # Standard knot.conf for a resolver.
+ %>
+
+server:
+ rundir: "/var/run/knot"
+ user: knot:knot
+ automatic-acl: off
+ version: ""
+ listen: [<%= listen.split.join(", ") %>]
+
+log:
+- target: syslog
+ any: info
+
+database:
+ storage: "/var/db/knot"
+
+remote:
+- id: master
+ address: <%= master_addr %>
+
+acl:
+- id: allow-master
+ remote: master
+ action: notify
+
+# Response Rate Limiting
+mod-rrl:
+- id: default
+ rate-limit: 50
+ slip: 2
+
+# Synthetic reverse DNS
+mod-synthrecord:
+- id: v6-forward
+ type: forward
+ network: 2001:8b0:aab5:c000::/52
+
+- id: v6-forward-dn42
+ type: forward
+ network: fd5b:a83:b06b:c000::/52
+
+- id: v6-reverse
+ type: reverse
+ origin: dyn.le-fay.org
+ network: 2001:8b0:aab5:c000::/52
+ reverse-short: off
+
+- id: v6-reverse-dn42
+ type: reverse
+ origin: dyn.le-fay.dn42
+ network: fd5b:a83:b06b:c000::/52
+ reverse-short: off
+
+template:
+- id: default
+ storage: "/var/db/knot"
+ file: "%s.zone"
+ master: master
+ global-module: [mod-cookies, mod-rrl/default]
+ acl: [allow-master]
+
+zone:
+<% zones.split.each do |zone| -%>
+- domain: <%= zone %>
+<%# This should really be done in Makefile. -%>
+<% if zone == 'le-fay.org' -%>
+ module: mod-synthrecord/v6-forward
+<% end -%>
+<% if zone == '5.b.a.a.0.b.8.0.1.0.0.2.ip6.arpa' -%>
+ module: mod-synthrecord/v6-reverse
+<% end -%>
+<% if zone == 'le-fay.dn42' -%>
+ module: mod-synthrecord/v6-forward-dn42
+<% end -%>
+<% if zone == 'b.6.0.b.3.8.a.0.b.5.d.f.ip6.arpa' -%>
+ module: mod-synthrecord/v6-reverse-dn42
+<% end -%>
+<% end -%>
diff --git a/unbound.conf.erb b/unbound.conf.erb
index b2f1f6e..1b63458 100644
--- a/unbound.conf.erb
+++ b/unbound.conf.erb
@@ -1,8 +1,6 @@ <%# vim:set noet ts=8 sw=8 sts=8:
-
-# Standard unbound.conf for a resolver.
-
-%>
+ # Standard unbound.conf for a resolver.
+ %>
 server: module-config: "validator iterator" |
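Review bot: The header comment `# Standard knot.conf for a resolver.` is carried over from unbound.conf.erb and is wrong for this file, which configures an authoritative secondary (every zone uses the `default` template with `master: master`, and the only ACL permits `notify` from that master); `# Standard knot.conf for a secondary authoritative server.` would match. The per-zone `module:` selection at the bottom hard-codes four zone names in the template, which its own `<%# This should really be done in Makefile. -%>` comment concedes; passing the module name per zone through `KNOT_PROCESS_FLAGS`, the way `listen` already arrives, would keep zone-specific policy in one place. The template also defines no transfer ACL, so with `automatic-acl: off` these secondaries appear not to serve AXFR/IXFR to anyone; that looks intentional and deserves a line in the header so it survives future edits.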
