From 071b33aec21beec348b329f14dfed9dd7f776a28 Mon Sep 17 00:00:00 2001
From: sudoers
Date: Fri, 23 Aug 2019 11:35:13 +0000
Subject: [PATCH] Current bind9
---
 bind.keys | 50 +++++++++++++++++++++++++++++++++
 db.0 | 12 ++++++++
 db.127 | 13 +++++++++
 db.255 | 12 ++++++++
 db.empty | 14 +++++++++
 db.local | 14 +++++++++
 db.tilde.best | 20 +++++++++++++
 keys/Ktilde.best.+008+00286.key | 5 ++++
 keys/Ktilde.best.+008+18234.key | 5 ++++
 named.conf | 11 ++++++++
 named.conf.default-zones | 30 ++++++++++++++++++++
 named.conf.local | 16 +++++++++++
 named.conf.options | 38 +++++++++++++++++++++++++
 rndc.key | 4 +++
 zones.rfc1918 | 20 +++++++++++++
 15 files changed, 264 insertions(+)
 create mode 100644 bind.keys
 create mode 100644 db.0
 create mode 100644 db.127
 create mode 100644 db.255
 create mode 100644 db.empty
 create mode 100644 db.local
 create mode 100644 db.tilde.best
 create mode 100644 keys/Ktilde.best.+008+00286.key
 create mode 100644 keys/Ktilde.best.+008+18234.key
 create mode 100644 named.conf
 create mode 100644 named.conf.default-zones
 create mode 100644 named.conf.local
 create mode 100644 named.conf.options
 create mode 100644 rndc.key
 create mode 100644 zones.rfc1918
diff --git a/bind.keys b/bind.keys
new file mode 100644
index 0000000..5e5a32b
--- /dev/null
+++ b/bind.keys
@@ -0,0 +1,50 @@
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9. The only trust anchors it contains
+# are for the DNS root zone ("."). Trust anchors for any other zones MUST
+# be configured elsewhere; if they are configured here, they will not be
+# recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in key, use "dnssec-validation auto;" in the
+# named.conf options. Without this option being set, the keys in this
+# file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of October 2017. If any key fails to
+# initialize correctly, it may have expired. In that event you should
+# replace this file with a current version. The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml
+# for current trust anchor information for the root zone.
+
+managed-keys {
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/db.0 b/db.0
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/db.0
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/db.127 b/db.127
new file mode 100644
index 0000000..cd05bef
--- /dev/null
+++ b/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
diff --git a/db.255 b/db.255
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/db.255
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/db.empty b/db.empty
new file mode 100644
index 0000000..8a12858
--- /dev/null
+++ b/db.empty
@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL 86400
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/db.local b/db.local
new file mode 100644
index 0000000..2f272d4
--- /dev/null
+++ b/db.local
@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+@ IN A 127.0.0.1
+@ IN AAAA ::1
diff --git a/db.tilde.best b/db.tilde.best
new file mode 100644
index 0000000..1152004
--- /dev/null
+++ b/db.tilde.best
@@ -0,0 +1,20 @@
+;; SOA Record
+tilde.best. 3600 IN SOA ns1.tilde.best. root.tilde.best. 2031808184 7200 3600 86400 3600
+
+;; A Records
+tilde.best. 120 IN A 51.15.111.54
+*.tilde.best. 120 IN A 51.15.111.54
+ns1 IN A 51.15.111.54
+ns2 IN A 85.119.82.111
+
+;; MX Records
+mail.tilde.best. 120 IN MX 1 51.15.111.54.
+tilde.best. 120 IN MX 1 51.15.111.54.
+
+;; TXT Records
+tilde.best. 120 IN TXT "v=spf1 mx -all"
+_acme-challange. 120 IN TXT "kpfS0Ca2Wv27nL9WjppkOt-39fJhw6GczEfH8Pt863A"
+
+;; NS Records
+@ IN NS ns1
+@ IN NS ns2
diff --git a/keys/Ktilde.best.+008+00286.key b/keys/Ktilde.best.+008+00286.key
new file mode 100644
index 0000000..7ad6887
--- /dev/null
+++ b/keys/Ktilde.best.+008+00286.key
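Review bot: Both records under `;; MX Records` carry an IP literal as the exchange, `MX 1 51.15.111.54.`, but MX RDATA must be a host name (RFC 2181 §10.3), so senders will try to resolve the name `51.15.111.54.` and fail — and because the SPF record is `v=spf1 mx -all`, the `mx` mechanism then matches nothing and `-all` rejects every message claiming to be from tilde.best. Note also that `mail.tilde.best` owns an explicit MX record, so the `*.tilde.best.` wildcard no longer synthesizes an A record for it and the mail host has no address at all; give it one and point the MX at it: `mail 120 IN A 51.15.111.54` and `tilde.best. 120 IN MX 10 mail.tilde.best.`. The `_acme-challange.` owner is misspelled and, with the trailing dot, is an absolute name at the root rather than under tilde.best, so named ignores it as out-of-zone data; if it is still needed it should read `_acme-challenge.tilde.best. 120 IN TXT "<token>"`, and since ACME tokens are single-use the stale entry can otherwise be dropped. Running `named-checkzone tilde.best db.tilde.best` before committing would have reported the out-of-zone record.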
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 286, for tilde.best.
+; Created: 20190823110734 (Fri Aug 23 11:07:34 2019)
+; Publish: 20190823110734 (Fri Aug 23 11:07:34 2019)
+; Activate: 20190823110734 (Fri Aug 23 11:07:34 2019)
+tilde.best. IN DNSKEY 257 3 8 AwEAAbRK7EBLyphHR1sC1g/GQnmHV6eqkgzoFoRB1pS5clJy5WZVe0wL z2iOYepVztRnjRW+IleEbvsEB//cqlNr7aP57V5BRVqSiFIld1ufeOrd 7y0TE88Kog2zJIMubJ/vTEtM+k9YizJHkRllArqk/gdEW58jQwRmAIEU ZT4txOCd3yvNRPUP0q2MI325ark5/TKsY8NSAW8IkDX9/uG9l2beLtwq jCRzoyWudVFfPw5YSR3eLNxgqzhxSij8d4efqdSDcejRqvM/oO1rU4an U0jMoLZAJxTPf1kOHnvkKaOBc/Ngd6YVERJh3oG0ByMc1jGCj++C/qQu 4oGi7ctXgR8=
diff --git a/keys/Ktilde.best.+008+18234.key b/keys/Ktilde.best.+008+18234.key
new file mode 100644
index 0000000..29b2d3e
--- /dev/null
+++ b/keys/Ktilde.best.+008+18234.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 18234, for tilde.best.
+; Created: 20190823110743 (Fri Aug 23 11:07:43 2019)
+; Publish: 20190823110743 (Fri Aug 23 11:07:43 2019)
+; Activate: 20190823110743 (Fri Aug 23 11:07:43 2019)
+tilde.best. IN DNSKEY 256 3 8 AwEAAbu7uVZotssjzg4eYK04D7JeSVcgQ0K0x1uLcO8jmg+oSsgIJIfi mlGbwub+Xqknt+cyj7qsVpCC5ZjnqaiEUShqbW6YW7zcv7iBTLFFZSlD H5uJZG2NkPneRg2T5MeZGUlbjtLlbj0riky0w43ZzXe70zJNbXqiG5jX R02fCZ8R
diff --git a/named.conf b/named.conf
new file mode 100644
index 0000000..880786a
--- /dev/null
+++ b/named.conf
@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
diff --git a/named.conf.default-zones b/named.conf.default-zones
new file mode 100644
index 0000000..1a85ad3
--- /dev/null
+++ b/named.conf.default-zones
@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+ type hint;
+ file "/usr/share/dns/root.hints";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+ type master;
+ file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.255";
+};
+
+
diff --git a/named.conf.local b/named.conf.local
new file mode 100644
index 0000000..8aed775
--- /dev/null
+++ b/named.conf.local
@@ -0,0 +1,16 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+zone "tilde.best" {
+ type master;
+ file "/etc/bind/db.tilde.best";
+ allow-transfer { 85.119.82.111; };
+ key-directory "/etc/bind/keys";
+ auto-dnssec maintain;
+ inline-signing yes;
+};
diff --git a/named.conf.options b/named.conf.options
new file mode 100644
index 0000000..cfb601a
--- /dev/null
+++ b/named.conf.options
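Review bot: `allow-transfer { 85.119.82.111; };` in the `tilde.best` zone authorizes AXFR by source address alone; a TSIG key (generated with `tsig-keygen`, hmac-sha256) referenced from the ACL authenticates the secondary instead of trusting the address, while the global `allow-transfer { none; };` in named.conf.options keeps every other zone closed. The key clause and the changed ACL line are below; ns2 needs the same key in a `server` statement for this primary. `auto-dnssec maintain` with `inline-signing yes` relies on the `.private` halves of the two keys being in `/etc/bind/keys`; only the public `.key` files are in this commit, which is as it should be, so make sure the private halves stay untracked. Nothing in the commit shows the DS record for KSK 286 being published at the `.best` parent, and until that happens the zone is signed but not validatable — worth a one-line comment beside `auto-dnssec maintain;` so the next person knows whether it was done.
```bind
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";  // constructed placeholder, replace
};

zone "tilde.best" {
    // … unchanged: type, file …
    allow-transfer { key "xfer-key"; };
    // … unchanged: key-directory, auto-dnssec, inline-signing …
```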
@@ -0,0 +1,38 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-enable yes;
+ dnssec-validation yes;
+ dnssec-lookaside auto;
+ key-directory "/etc/bind/keys/";
+ listen-on-v6 { any; };
+
+ // hide version number from clients for security reasons.
+ version "not currently available";
+
+ // disable recursion on authoritative DNS server.
+ recursion no;
+
+ // enable the query log
+ querylog yes;
+
+ // disallow zone transfer
+ allow-transfer { none; };
+};
diff --git a/rndc.key b/rndc.key
new file mode 100644
index 0000000..c4bbbf5
--- /dev/null
+++ b/rndc.key
@@ -0,0 +1,4 @@
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "ZlQhXmewdjnBMBP+3pvfYw==";
+};
diff --git a/zones.rfc1918 b/zones.rfc1918
new file mode 100644
index 0000000..03b5546
--- /dev/null
+++ b/zones.rfc1918
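Review bot: `dnssec-lookaside auto;` refers to ISC's DLV registry, which was retired in 2017; the option no longer does anything useful and newer BIND releases warn on it or no longer accept it, so drop the line. `dnssec-validation yes;` validates only against trust anchors configured explicitly in named.conf, and this configuration has none — bind.keys' own header says its root anchors are consulted only with `dnssec-validation auto;` — so change the line to `dnssec-validation auto;` (with `recursion no;` client validation is largely moot, but the setting should at least be coherent for whatever does recurse locally). `dnssec-enable yes;` is the default and can go as well. `querylog yes;` sends every client query to syslog, which is good for detection but grows without bound on a public authoritative server; pair it with a `logging` channel that rotates, or turn it on only when needed with `rndc querylog`.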
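Review bot: The `secret` in rndc.key is committed in clear, and an rndc key grants control-channel access to named (reload, flush, stop) on every host that installs this file, so anyone with repository access now holds it. Treat it as disclosed: regenerate with `rndc-confgen -a -A hmac-sha256`, which also replaces the legacy `hmac-md5` algorithm, and keep the generated file out of version control (a tracked placeholder or a note in named.conf is enough). Whether the control channel listens beyond loopback depends on a `controls` statement that is not part of this commit, so I am assuming the default localhost listener.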
@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };