diff --git a/.gitignore b/.gitignore
index 1259f44..a4f7972 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,14 @@ #alle Dateie ignorieren... -* +/secrets.conf +*.private +*.key +/bind.keys +db* +/slave/ffa.zone +/zones.rfc1918 #ausser... +!named.conf !/master !/master/* !.gitignore
diff --git a/ffhh.conf b/ffhh.conf
new file mode 100644
index 0000000..d76cdab
--- /dev/null
+++ b/ffhh.conf
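Review bot: Replacing the catch-all `*` with a list of specific patterns inverts the policy from ignore-everything-unless-listed to track-everything-unless-listed, so any future file under this directory that carries key material under a name not matched by `/secrets.conf`, `*.private`, `*.key` or `/bind.keys` is committed by default. Keeping `*` and extending the existing `!` allow-list with the files that are meant to be tracked (`!named.conf*`, `!ffhh.conf`, `!forward-zones.conf`, `!mirror-zones.conf`) would preserve the fail-closed behaviour the old file had. With the new patterns the remaining `!/master` and `!.gitignore` lines only matter as an override of `db*` for the master zone files, which is worth a one-line comment so nobody removes them as dead entries.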
@@ -0,0 +1,87 @@
+# Keys we allow for editing
+
+include "/etc/bind/secrets.conf";
+
+#Zones WE have authority over!
+
+#Apperantly for ffhh.
+zone "ffhh" IN {
+ type master;
+ file "/etc/bind/master/db.ffhh";
+ allow-transfer { any; };
+ also-notify {
+ 10.112.14.1; fd51:2bb2:fd0d::e01; #gw01
+ 10.112.18.1; fd51:2bb2:fd0d::d01; #gw05
+ 10.112.16.1; fd51:2bb2:fd0d::a01; #gw07
+ 10.112.22.1; fd51:2bb2:fd0d::b01; #gw08
+ 10.112.24.1; fd51:2bb2:fd0d::901; #gw09
+ 10.112.30.1; fd51:2bb2:fd0d::501; #gw12
+ 10.112.32.1; fd51:2bb2:fd0d::401; #gw13
+ };
+ allow-update { key srv01-zone-key.; key srv01-userdomain-key.; };
+};
+
+zone "hamburg.freifunk.net" IN {
+ type master;
+ allow-transfer {
+ 10.112.14.1; fd51:2bb2:fd0d::e01; #gw01
+ 10.112.18.1; fd51:2bb2:fd0d::d01; #gw05
+ 10.112.16.1; fd51:2bb2:fd0d::a01; #gw07
+ 10.112.22.1; fd51:2bb2:fd0d::b01; #gw08
+ 10.112.24.1; fd51:2bb2:fd0d::901; #gw09
+ 10.112.30.1; fd51:2bb2:fd0d::501; #gw12
+ 10.112.32.1; fd51:2bb2:fd0d::401; #gw13
+ 81.7.15.101; # named.exosphere.de
+ 78.47.49.236; # ns.ohrensessel.net
+ };
+ also-notify {
+ 10.112.14.1; fd51:2bb2:fd0d::e01; #gw01
+ 10.112.18.1; fd51:2bb2:fd0d::d01; #gw05
+ 10.112.16.1; fd51:2bb2:fd0d::a01; #gw07
+ 10.112.22.1; fd51:2bb2:fd0d::b01; #gw08
+ 10.112.24.1; fd51:2bb2:fd0d::901; #gw09
+ 10.112.30.1; fd51:2bb2:fd0d::501; #gw12
+ 10.112.32.1; fd51:2bb2:fd0d::401; #gw13
+ 81.7.15.101; # named.exosphere.de
+ 78.47.49.236; # ns.ohrensessel.net
+ };
+ file "/etc/bind/master/db.net.freifunk.hamburg";
+};
+
+#And the reverse Zone for our IPv4 subnet
+zone "112.10.in-addr.arpa" IN {
+ type master;
+ file "/etc/bind/master/db.arpa.in-addr.10.112";
+ allow-transfer { any; };
+ also-notify {
+ 10.112.14.1; fd51:2bb2:fd0d::e01; #gw01
+ 10.112.18.1; fd51:2bb2:fd0d::d01; #gw05
+ 10.112.16.1; fd51:2bb2:fd0d::a01; #gw07
+ 10.112.22.1; fd51:2bb2:fd0d::b01; #gw08
+ 10.112.24.1; fd51:2bb2:fd0d::901; #gw09
+ 10.112.30.1; fd51:2bb2:fd0d::501; #gw12
+ 10.112.32.1; fd51:2bb2:fd0d::401; #gw13
+ };
+ allow-update { key srv01-zone-key.; };
+};
+
+#And the reverse Zone for our IPv6 prefix
+zone "d.0.d.f.2.b.b.2.1.5.d.f.ip6.arpa" IN {
+ type master;
+ file "/etc/bind/master/db.arpa.ip6.f.d.5.1.2.b.b.2.f.d.0.d";
+ allow-transfer { any; };
+ also-notify {
+ 10.112.14.1; fd51:2bb2:fd0d::e01; #gw01
+ 10.112.18.1; fd51:2bb2:fd0d::d01; #gw05
+ 10.112.16.1; fd51:2bb2:fd0d::a01; #gw07
+ 10.112.22.1; fd51:2bb2:fd0d::b01; #gw08
+ 10.112.24.1; fd51:2bb2:fd0d::901; #gw09
+ 10.112.30.1; fd51:2bb2:fd0d::501; #gw12
+ 10.112.32.1; fd51:2bb2:fd0d::401; #gw13
+ };
+ allow-update { key srv01-zone-key.; };
+};
+
+include "/etc/bind/forward-zones.conf";
+include "/etc/bind/mirror-zones.conf";
+
diff --git a/forward-zones.conf b/forward-zones.conf
new file mode 100644
index 0000000..ba40755
--- /dev/null
+++ b/forward-zones.conf
@@ -0,0 +1,50 @@
+## Freifunk Augsburg
+zone "ffa" in {
+ type forward;
+ forwarders { 10.11.10.15; 10.11.0.8; };
+};
+
+#DN42
+zone "dn42" {
+ type forward;
+ forwarders { 172.22.0.53; };
+};
+zone "22.172.in-addr.arpa" {
+ type forward;
+ forwarders { 172.22.0.53; };
+};
+zone "23.172.in-addr.arpa" {
+ type forward;
+ forwarders { 172.22.0.53; };
+};
+
+zone "hack" IN {
+ type static-stub;
+ server-addresses { 172.31.0.5; };
+};
+zone "31.172.in-addr.arpa" IN {
+ type static-stub;
+ server-addresses { 172.31.0.5; };
+};
+zone "100.10.in-addr.arpa" IN {
+ type static-stub;
+ server-addresses { 172.31.0.5; };
+};
+zone "101.10.in-addr.arpa" IN {
+ type static-stub;
+ server-addresses { 172.31.0.5; };
+};
+zone "102.10.in-addr.arpa" IN {
+ type static-stub;
+ server-addresses { 172.31.0.5; };
+};
+zone "103.10.in-addr.arpa" IN {
+ type static-stub;
+ server-addresses { 172.31.0.5; };
+};
+//Freifunk Chemnitz .ffc
+zone "ffc" in {
+ type forward;
+ forwarders { 10.8.6.6; };
+};
+
diff --git a/mirror-zones.conf b/mirror-zones.conf
new file mode 100644
index 0000000..2043e87
--- /dev/null
+++ b/mirror-zones.conf
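Review bot: The `ffhh` zone and both reverse zones use `allow-transfer { any; };`, while `hamburg.freifunk.net` in the same file restricts transfers to the gateway list plus two external secondaries; unless publishing a full AXFR of the internal namespace is intended, the same restricted list should apply to all four zones, and if it is intended a comment next to the line saying so would stop the next reader from "fixing" it. The gateway address list is repeated six times across the file; defining it once as an `acl` for `allow-transfer`, and once as a named `masters` list for `also-notify` (recent BIND 9 accepts a list name there), means adding a gateway is a single edit. Separately, the three `allow-update` zones keep their zone files under `/etc/bind/master/`, which named must write (zone file plus journal) on every dynamic update; on Debian, which the stock named.conf in this commit suggests, `/etc/bind` is normally read-only to the bind user (ownership and the shipped AppArmor profile), so dynamic zones are conventionally kept under `/var/lib/bind` or the configured `directory` — worth confirming on the host.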
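Review bot: None of the `type forward` zones (`ffa`, `dn42`, `22.172.in-addr.arpa`, `23.172.in-addr.arpa`, `ffc`) set `forward only;`, and BIND's default is `forward first`, so when a forwarder is unreachable the resolver falls back to ordinary recursion — for private names such as `dn42` or `ffa` that sends the query to the public root servers and turns an outage into a cached NXDOMAIN rather than a visible SERVFAIL. Adding `forward only;` to each of these zones keeps the private namespaces from leaking upstream and makes forwarder failures observable. The file also mixes `in`, `IN` and no class, and `#`, `##` and `//` comment markers; settling on one of each would make the zone list easier to scan.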
@@ -0,0 +1,18 @@
+#Freifunk Luebeck
+zone "ffhl" IN {
+ type slave;
+ file "/etc/bind/slave/db.ffhl";
+ masters { fdef:ffc0:3dd7::a01; fdef:ffc0:3dd7::c01; fdef:ffc0:3dd7::e01; 10.130.10.1; 10.130.12.1; 10.130.14.1; };
+ allow-transfer { any; };
+ forwarders { };
+};
+
+#Freifunk Kiel
+zone "ffki" IN {
+ type slave;
+ file "/etc/bind/slave/db.ffki";
+ masters { fda1:384a:74de:4242::1; fda1:384a:74de:4242::2; };
+ allow-transfer { any; };
+ forwarders { };
+};
+
diff --git a/named.conf b/named.conf
new file mode 100644
index 0000000..511c24b
--- /dev/null
+++ b/named.conf
@@ -0,0 +1,12 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/ffhh.conf";
diff --git a/named.conf.default-zones b/named.conf.default-zones
new file mode 100644
index 0000000..355338b
--- /dev/null
+++ b/named.conf.default-zones
@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+ type hint;
+ file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+ type master;
+ file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.255";
+};
+
+
diff --git a/named.conf.local b/named.conf.local
new file mode 100644
index 0000000..d91dddf
--- /dev/null
+++ b/named.conf.local
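Review bot: The slave zone files `/etc/bind/slave/db.ffhl` and `/etc/bind/slave/db.ffki` are written by named after every successful transfer; on Debian (which the stock named.conf in this commit suggests) `/etc/bind` is normally not writable by the bind user and the shipped AppArmor profile only allows writes under `/var/cache/bind` and `/var/lib/bind`, so these transfers would be fetched and then fail to save until the files move under the configured `directory` — worth confirming against the host before relying on the mirror. Both zones are also re-exported with `allow-transfer { any; };`; if the upstream primaries restrict AXFR, mirroring them openly undoes that, so either restrict the list or add a comment stating that open transfer of these mirrors is intended. The `masters` entries are unauthenticated address lists; if the upstream communities offer TSIG, `masters { <addr> key <name>; };` would let this secondary verify where the zone data comes from.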
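Review bot: `include "/etc/bind/ffhh.conf";` is appended to the packaged named.conf, whose own header a few lines above asks for local additions to go in named.conf.local; on Debian named.conf is a package conffile, so editing it means conffile prompts on every bind9 upgrade and a chance of the include being dropped in a merge. Moving the single line into named.conf.local (which this commit also adds and which is otherwise empty apart from comments) keeps named.conf identical to the shipped version and avoids that. Nothing else in this section differs from the Debian default, so the rest can stay as is.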
@@ -0,0 +1,8 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+# Conflicts with DN42
diff --git a/named.conf.options b/named.conf.options
new file mode 100644
index 0000000..14e1973
--- /dev/null
+++ b/named.conf.options
@@ -0,0 +1,29 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation no;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+
+ edns-udp-size 512;
+ max-udp-size 512;
+};
+
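Review bot: `dnssec-validation no;` switches DNSSEC validation off for every answer this resolver hands out, and the only nearby comment is the stock text about expired root keys, which does not explain the choice; if the reason is that the private TLDs configured elsewhere in this commit (`ffhh`, `dn42`, `ffa`, `ffc`, `hack`) cannot validate, say so on the line — `dnssec-validation no; // private TLDs (dn42, ffa, ...) have no chain of trust` — and note that BIND 9.14 and later offer `validate-except { "dn42"; ... };` to exempt just those names while keeping validation for the public tree. The block also leaves `allow-recursion` at BIND's default (`localhost; localnets;` per the ARM), which for a resolver listening on every IPv6 address is either narrower than the mesh needs or, if localnets is large, broader than intended; an explicit `allow-recursion { ... };` makes the policy reviewable. `edns-udp-size 512;` and `max-udp-size 512;` force TCP for any answer above 512 bytes; that is a deliberate workaround for fragmented UDP on some paths, and a one-line comment saying which path it is for would stop it from being reverted as a typo.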