commit 071b33aec21beec348b329f14dfed9dd7f776a28
Author: sudoers
Date: Fri Aug 23 11:35:13 2019 +0000
Current bind9
diff --git a/bind.keys b/bind.keys
new file mode 100644
index 0000000..5e5a32b
--- /dev/null
+++ b/bind.keys
@@ -0,0 +1,50 @@
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9. The only trust anchors it contains
+# are for the DNS root zone ("."). Trust anchors for any other zones MUST
+# be configured elsewhere; if they are configured here, they will not be
+# recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in key, use "dnssec-validation auto;" in the
+# named.conf options. Without this option being set, the keys in this
+# file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of October 2017. If any key fails to
+# initialize correctly, it may have expired. In that event you should
+# replace this file with a current version. The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml
+# for current trust anchor information for the root zone.
+
+managed-keys {
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/db.0 b/db.0
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/db.0
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/db.127 b/db.127
new file mode 100644
index 0000000..cd05bef
--- /dev/null
+++ b/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
diff --git a/db.255 b/db.255
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/db.255
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/db.empty b/db.empty
new file mode 100644
index 0000000..8a12858
--- /dev/null
+++ b/db.empty
@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL 86400
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/db.local b/db.local
new file mode 100644
index 0000000..2f272d4
--- /dev/null
+++ b/db.local
@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+@ IN A 127.0.0.1
+@ IN AAAA ::1
diff --git a/db.tilde.best b/db.tilde.best
new file mode 100644
index 0000000..1152004
--- /dev/null
+++ b/db.tilde.best
@@ -0,0 +1,20 @@
+;; SOA Record
+tilde.best. 3600 IN SOA ns1.tilde.best. root.tilde.best. 2031808184 7200 3600 86400 3600
+
+;; A Records
+tilde.best. 120 IN A 51.15.111.54
+*.tilde.best. 120 IN A 51.15.111.54
+ns1 IN A 51.15.111.54
+ns2 IN A 85.119.82.111
+
+;; MX Records
+mail.tilde.best. 120 IN MX 1 51.15.111.54.
+tilde.best. 120 IN MX 1 51.15.111.54.
+
+;; TXT Records
+tilde.best. 120 IN TXT "v=spf1 mx -all"
+_acme-challange. 120 IN TXT "kpfS0Ca2Wv27nL9WjppkOt-39fJhw6GczEfH8Pt863A"
+
+;; NS Records
+@ IN NS ns1
+@ IN NS ns2
diff --git a/keys/Ktilde.best.+008+00286.key b/keys/Ktilde.best.+008+00286.key
new file mode 100644
index 0000000..7ad6887
--- /dev/null
+++ b/keys/Ktilde.best.+008+00286.key
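Review bot: Both MX records in the db.tilde.best hunk target a dotted IP literal (`51.15.111.54.`), which named stores as a domain name rather than an address, so MTAs resolve a host that has no A record and the `v=spf1 mx -all` TXT on the same hunk ends up authorising no sender at all. Point the MX at a hostname, `tilde.best. 120 IN MX 1 mail.tilde.best.`, and add an explicit `mail.tilde.best. 120 IN A 51.15.111.54`, because a name that owns its own MX record is no longer covered by the `*.tilde.best.` wildcard. The `_acme-challange.` TXT is misspelled and absolute (trailing dot), so it names a root-level label outside this zone; named should drop it as out-of-zone data, and DNS-01 validation looks for `_acme-challenge.tilde.best.`. Running `named-checkzone tilde.best db.tilde.best` before committing would surface the out-of-zone record.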
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 286, for tilde.best.
+; Created: 20190823110734 (Fri Aug 23 11:07:34 2019)
+; Publish: 20190823110734 (Fri Aug 23 11:07:34 2019)
+; Activate: 20190823110734 (Fri Aug 23 11:07:34 2019)
+tilde.best. IN DNSKEY 257 3 8 AwEAAbRK7EBLyphHR1sC1g/GQnmHV6eqkgzoFoRB1pS5clJy5WZVe0wL z2iOYepVztRnjRW+IleEbvsEB//cqlNr7aP57V5BRVqSiFIld1ufeOrd 7y0TE88Kog2zJIMubJ/vTEtM+k9YizJHkRllArqk/gdEW58jQwRmAIEU ZT4txOCd3yvNRPUP0q2MI325ark5/TKsY8NSAW8IkDX9/uG9l2beLtwq jCRzoyWudVFfPw5YSR3eLNxgqzhxSij8d4efqdSDcejRqvM/oO1rU4an U0jMoLZAJxTPf1kOHnvkKaOBc/Ngd6YVERJh3oG0ByMc1jGCj++C/qQu 4oGi7ctXgR8=
diff --git a/keys/Ktilde.best.+008+18234.key b/keys/Ktilde.best.+008+18234.key
new file mode 100644
index 0000000..29b2d3e
--- /dev/null
+++ b/keys/Ktilde.best.+008+18234.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 18234, for tilde.best.
+; Created: 20190823110743 (Fri Aug 23 11:07:43 2019)
+; Publish: 20190823110743 (Fri Aug 23 11:07:43 2019)
+; Activate: 20190823110743 (Fri Aug 23 11:07:43 2019)
+tilde.best. IN DNSKEY 256 3 8 AwEAAbu7uVZotssjzg4eYK04D7JeSVcgQ0K0x1uLcO8jmg+oSsgIJIfi mlGbwub+Xqknt+cyj7qsVpCC5ZjnqaiEUShqbW6YW7zcv7iBTLFFZSlD H5uJZG2NkPneRg2T5MeZGUlbjtLlbj0riky0w43ZzXe70zJNbXqiG5jX R02fCZ8R
diff --git a/named.conf b/named.conf
new file mode 100644
index 0000000..880786a
--- /dev/null
+++ b/named.conf
@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
diff --git a/named.conf.default-zones b/named.conf.default-zones
new file mode 100644
index 0000000..1a85ad3
--- /dev/null
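Review bot: The zone-signing key in the `Ktilde.best.+008+18234.key` hunk carries a 176-character base64 public key, i.e. 132 bytes, which for algorithm 8 (RSASHA256) with the usual 3-byte exponent leaves a 1024-bit modulus, while the KSK in the preceding hunk is 2048-bit. A 1024-bit RSA ZSK is below current guidance for DNSSEC signing keys; regenerate it with `dnssec-keygen -a RSASHA256 -b 2048 tilde.best` (or an ECDSAP256SHA256 key) and roll it in through the Publish/Activate timing the file header already records rather than swapping it in place. Only the public `.key` halves are in this commit; confirm the matching `.private` files are kept out of the repository and readable only by the named user.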
+++ b/named.conf.default-zones
@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+ type hint;
+ file "/usr/share/dns/root.hints";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+ type master;
+ file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.255";
+};
+
+
diff --git a/named.conf.local b/named.conf.local
new file mode 100644
index 0000000..8aed775
--- /dev/null
+++ b/named.conf.local
@@ -0,0 +1,16 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+zone "tilde.best" {
+ type master;
+ file "/etc/bind/db.tilde.best";
+ allow-transfer { 85.119.82.111; };
+ key-directory "/etc/bind/keys";
+ auto-dnssec maintain;
+ inline-signing yes;
+};
diff --git a/named.conf.options b/named.conf.options
new file mode 100644
index 0000000..cfb601a
--- /dev/null
+++ b/named.conf.options
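Review bot: `allow-transfer { 85.119.82.111; };` in the named.conf.local hunk authorises the secondary by source address alone; the usual hardening is a TSIG key shared with ns2 and `allow-transfer { key "<tsig-key-name>"; };`, which also lets the secondary authenticate NOTIFY and AXFR from this primary. With `inline-signing yes;` and `file "/etc/bind/db.tilde.best";`, named writes the `.signed` zone and its journal next to the master file under /etc/bind rather than under the `directory` of /var/cache/bind; if that directory is not writable by the named user the signer fails and the zone is served unsigned, so either verify the permissions or move the zone file under /var/cache/bind. `rndc signing -list tilde.best` after a reload is a quick check that signing actually completed.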
@@ -0,0 +1,38 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-enable yes;
+ dnssec-validation yes;
+ dnssec-lookaside auto;
+ key-directory "/etc/bind/keys/";
+ listen-on-v6 { any; };
+
+ // hide version number from clients for security reasons.
+ version "not currently available";
+
+ // disable recursion on authoritative DNS server.
+ recursion no;
+
+ // enable the query log
+ querylog yes;
+
+ // disallow zone transfer
+ allow-transfer { none; };
+};
diff --git a/rndc.key b/rndc.key
new file mode 100644
index 0000000..c4bbbf5
--- /dev/null
+++ b/rndc.key
@@ -0,0 +1,4 @@
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "ZlQhXmewdjnBMBP+3pvfYw==";
+};
diff --git a/zones.rfc1918 b/zones.rfc1918
new file mode 100644
index 0000000..03b5546
--- /dev/null
+++ b/zones.rfc1918
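Review bot: `dnssec-lookaside auto;` in the named.conf.options hunk refers to ISC's DLV registry, which has been decommissioned; the directive is deprecated and newer named releases warn on or refuse it, so it should simply be removed. `dnssec-validation yes;` (rather than `auto`) means the built-in root anchors in bind.keys are ignored, as that file's own header states, and no `trusted-keys`/`managed-keys` block is configured anywhere in this commit; with `recursion no;` validation is moot on this server, so either switch to `dnssec-validation auto;` or drop the line so the config reflects what runs. Since this is an Internet-facing authoritative server (`listen-on-v6 { any; };`, no `listen-on` for v4 so it defaults to all interfaces), consider adding `rate-limit { responses-per-second 10; };` to limit its usefulness as a reflector.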
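Review bot: The `secret` in the rndc.key hunk is a live control-channel credential, and committing it means anyone with read access to this repository can drive rndc (reload, flush, stop) against the server if they can reach its control socket; treat the value as leaked, regenerate it, and keep rndc.key out of the repository (`.gitignore` it, or commit a template with a placeholder). The key should also move off `hmac-md5`; `rndc-confgen -a -A hmac-sha256` writes a fresh key and algorithm in one step. Git does not preserve ownership or mode, so check the deployed file is root:bind 0640 after checkout.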
@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };