[#4] ddns wip

- ddns zone - ddns user - pdnssec.sqlite - validate.tsig - rcctl - tsig user
vedetta-com · May 21, 2019 · 79d8f87 · 79d8f87
1 parent d0f9769
commit 79d8f87
Show file tree

Hide file tree

Showing 7 changed files with 72 additions and 33 deletions.
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@ EGRESS =	vio0
 
 MASTER =	yes
 DOMAIN_NAME =	example.com
-DDNS =		ddns
+DDNS_NAME =	ddns
 
 MASTER_HOST =	dot
 MASTER_IPv4 =	203.0.113.3
@@ -82,7 +82,6 @@ NSDCONF =	${VARBASE:S|^/||}/nsd/etc/nsd.conf \
 		${VARBASE:S|^/||}/nsd/etc/nsd.conf.master.${DOMAIN_NAME} \
 		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.PowerDNS \
 		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.${DOMAIN_NAME} \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.zone.${DDNS}.${DOMAIN_NAME} \
 		${VARBASE:S|^/||}/nsd/etc/nsd.conf.zone.${DOMAIN_NAME}
 
 FREECONF =	${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.1984.is \
@@ -121,6 +120,10 @@ PKG =		powerdns \
 SYSCONF +=	${BASESYSCONFDIR:S|^/||}/weekly.local
 .endif
 
+.if !empty(DDNS_NAME)
+NSDCONF +=	${VARBASE:S|^/||}/nsd/etc/nsd.conf.zone.${DDNS_NAME}.${DOMAIN_NAME}
+.endif
+
 .if defined(UPGRADE) && ${UPGRADE} == "yes"
 upgrade: config .WAIT ${DITHEMATIC}
 	@echo Upgrade
@@ -135,14 +138,18 @@ config:
 	find ${WRKSRC} -type f -exec sed -i \
 		-e 's|vio0|${EGRESS}|g' \
 		-e 's|example.com|${DOMAIN_NAME}|g' \
-		-e 's|ddns|${DDNS}|g' \
 		-e 's|dot|${MASTER_HOST}|g' \
 		-e 's|203.0.113.3|${MASTER_IPv4}|g' \
 		-e 's|2001:0db8::3|${MASTER_IPv6}|g' \
 		-e 's|dig|${SLAVE_HOST}|g' \
 		-e 's|203.0.113.4|${SLAVE_IPv4}|g' \
 		-e 's|2001:0db8::4|${SLAVE_IPv6}|g' \
 		{} +
+.if !empty(DDNS_NAME)
+	find ${WRKSRC} -type f -exec sed -i \
+		-e 's|ddns|${DDNS_NAME}|g' \
+		{} +
+.endif
 .if ${MASTER} != "yes"
 	sed -i \
 		-e 's|^master=yes|#master=yes|' \
@@ -167,8 +174,13 @@ config:
 	@echo Super-Master
 .endif
 .for _NSDCONF in ${NSDCONF:N*nsd.conf:N*.PowerDNS}
-	cp -p ${_NSDCONF:S|${DOMAIN_NAME}|example.com|:S|${DDNS}|ddns|:S|^|${WRKSRC}/|} \
+. if !empty(DDNS_NAME)
+	cp -p ${_NSDCONF:S|${DOMAIN_NAME}|example.com|:S|${DDNS_NAME}|ddns|:S|^|${WRKSRC}/|} \
+		${_NSDCONF:S|^|${WRKSRC}/|}
+. else
+	cp -p ${_NSDCONF:S|${DOMAIN_NAME}|example.com|:S|^|${WRKSRC}/|} \
 		${_NSDCONF:S|^|${WRKSRC}/|}
+. endif
 .endfor
 	@echo Configured
 
@@ -185,6 +197,7 @@ clean:
 	@rm -r ${WRKSRC}
 
 beforeinstall: upgrade
+	rcctl stop nsd pdns_server || [[ "$$?" -eq 1 ]]
 .for _PKG in ${PKG}
 	env PKG_PATH= pkg_info ${_PKG} > /dev/null || pkg_add ${_PKG}
 .endfor
@@ -217,24 +230,26 @@ afterinstall:
 .endif
 	[[ -r ${VARBASE}/nsd/etc/nsd_control.pem ]] || nsd-control-setup
 	[[ -r ${VARBASE}/pdns/pdns.sqlite ]] \
-	|| sqlite3 ${VARBASE}/pdns/pdns.sqlite \
-		-init ${PREFIX}/share/doc/pdns/schema.sqlite3.sql ".exit"
-	[[ -r ${VARBASE}/pdns/pdnssec.sqlite ]] \
-	|| sqlite3 ${VARBASE}/pdns/pdnssec.sqlite \
-		-init ${PREFIX}/share/doc/pdns/dnssec-3.x_to_3.4.0_schema.sqlite3.sql ".exit"
+		|| sqlite3 ${VARBASE}/pdns/pdns.sqlite \
+			-init ${PREFIX}/share/doc/pdns/schema.sqlite3.sql ".exit"
 	group info -e tsig || user info -e tsig \
-	|| { user add -u 25353 -g =uid -c "TSIG Wizard" -s /bin/ksh -m tsig; \
-		mkdir -m700 /home/tsig/.key; chown tsig:tsig /home/tsig/.key; }
+		|| { user add -u 25353 -g =uid -c "TSIG Wizard" -s /bin/ksh -m tsig; \
+			mkdir -m700 /home/tsig/.key; chown tsig:tsig /home/tsig/.key; }
 	[[ -r ${BASESYSCONFDIR}/changelist-${RELEASE} ]] \
-	|| cp ${BASESYSCONFDIR}/changelist ${BASESYSCONFDIR}/changelist-${RELEASE}
+		|| cp ${BASESYSCONFDIR}/changelist ${BASESYSCONFDIR}/changelist-${RELEASE}
 	sed -i '/changelist.local/,$$d' ${BASESYSCONFDIR}/changelist
 	cat ${BASESYSCONFDIR}/changelist.local >> ${BASESYSCONFDIR}/changelist
 	sed -i '/^console/s/ secure//' ${BASESYSCONFDIR}/ttys
 	mtree -qef ${BASESYSCONFDIR}/mtree/special -p / -U
 	mtree -qef ${BASESYSCONFDIR}/mtree/special.local -p / -U
+	[[ -r ${BASESYSCONFDIR}/ssl/dns/private/tsig.${DOMAIN_NAME} ]] \
+		|| ${PREFIX}/bin/tsig-secret tsig.${DOMAIN_NAME}
+	[[ -r ${VARBASE}/nsd/etc/tsig.${DOMAIN_NAME} ]] \
+		|| ${PREFIX}/bin/tsig-change tsig.${DOMAIN_NAME}
 	pfctl -f /etc/pf.conf
 	rcctl disable check_quotas sndiod
-	rcctl check unbound || { rcctl enable unbound; rcctl restart unbound; }
+	rcctl enable unbound nsd pdns_server
+	rcctl restart unbound nsd pdns_server
 
 .PHONY: upgrade
 .USE: upgrade

diff --git a/README.md b/README.md
@@ -22,37 +22,39 @@ Grab a copy of this repository, and put overrides in "[Makefile](Makefile).local
 make install
 ```
 
+*n.b.* rename and place [zone templates](https://github.com/vedetta-com/dithematic/tree/master/src/usr/local/share/examples/dithematic) in `/var/nsd/zones/master` (or start with a blank slate.)
+
 Install DNS zone(s), e.g. on master: `example.com` and `ddns.example.com`
 ```console
 env ROLE=master DDNS=false zoneadd example.com
 env ROLE=master DDNS=true zoneadd ddns.example.com
 ```
 
-n.b.: place [zone templates](https://github.com/vedetta-com/dithematic/tree/master/src/usr/local/share/examples/dithematic) in `/var/nsd/zones/master` (or start with a blank slate.)
-
-n.b.: place existing TSIG key as `tsig.example.com`, CSK (or ZSK) as `example.com.CSK` in `/etc/ssl/dns/private` (or let `zoneadd` generate new keys.)
+*n.b.* place existing TSIG key as `tsig.example.com`, CSK (or ZSK) as `example.com.CSK` in `/etc/ssl/dns/private` (or let [`zoneadd`](src/usr/local/bin/zoneadd) generate new keys.)
 
-Add a [DDNS](https://tools.ietf.org/html/rfc2136) user, e.g.: `puffy`
-```console
-user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy
-```
-
-Setup the [TSIG](https://tools.ietf.org/html/rfc2845) user on all nameservers, i.e.: `tsig`
+Setup the [TSIG](https://tools.ietf.org/html/rfc2845) user on all dithematic nameservers, i.e. `tsig`
 ```console
 su - tsig
 ssh-keygen -t ed25519 -C tsig@example.com
 exit
-ssh -i /home/tsig/.ssh/id_ed25519 -l tsig $IP \
-	"cat - >> /home/tsig/.ssh/authorized_keys" \
-	< /home/tsig/.ssh/id_ed25519.pub
-rcctl restart sshd
+```
+
+Share TSIG user's public key with all dithematic slave nameservers, and update "known_hosts"
+```console
+sh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"
+sh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"
 ```
 
 Share master TSIG secret with nameservers, e.g.: `dig.example.com`
 ```console
 env NS="dig.example.com" tsig-share tsig.example.com
 ```
 
+[DNS UPDATE](https://tools.ietf.org/html/rfc2136) allowed IPs are managed with authpf(8) i.e. user "puffy" first needs to SSH login on the master name server host to authenticate the IP from which they will next update ddns.example.com zone using e.g. nsupdate (pkg_add ics-bind) or dnspython (pkg_add py-dnspython) on their device (skip if not using dynamic DNS)
+```console
+user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy
+```
+
 Enjoy:
 ```console
 rcctl enable nsd pdns_server

diff --git a/src/etc/mtree/special.local b/src/etc/mtree/special.local
@@ -108,6 +108,26 @@ bin		type=dir mode=0755
 # ./usr/local/bin
 ..
 
+
+# ./usr/local/share
+share		type=dir mode=0755
+
+# ./usr/local/share/doc
+doc		type=dir mode=0755
+
+# ./usr/local/share/doc/dithematic
+dithematic	type=dir mode=0755
+    validate.tsig \
+		mode=0644
+# ./usr/local/share/doc/dithematic
+..
+
+# ./usr/local/share/doc
+..
+
+# ./usr/local/share
+..
+
 # ./usr/local
 ..
 
@@ -142,7 +162,7 @@ db		type=dir gname=_nsd mode=0775
 
 # ./var/nsd/etc
 etc		type=dir gname=_nsd mode=0750
-    nsd.conf.*	gname=_nsd mode=0640
+    nsd.conf*	gname=_nsd mode=0640
 # ./var/nsd/etc
 ..
 

diff --git a/src/etc/pdns/pdns.conf b/src/etc/pdns/pdns.conf
@@ -18,11 +18,8 @@ setuid=_powerdns
 #gpgsql-password=pdns
 
 # SQLite 3
-#launch=gsqlite3
-#gsqlite3-database=<path to your SQLite database>
 launch=gsqlite3
 gsqlite3-database=/var/pdns/pdns.sqlite
-gsqlite3-dnssec=/var/pdns/pdnssec.sqlite
 
 # BIND zone files
 #launch=bind

diff --git a/src/usr/local/bin/pdns-backup b/src/usr/local/bin/pdns-backup
@@ -10,7 +10,7 @@ set -o nounset
 KEY_DIR="${KEY_DIR:-/etc/ssl/dns}"
 ZONE_DIR="${ZONE_DIR:-/var/nsd/zones/master}"
 DB_DIR="${DB_DIR:-/var/pdns}"
-PDNS_DB="pdns.sqlite pdnssec.sqlite"
+PDNS_DB="pdns.sqlite"
 
 mkdir -p ${KEY_DIR}/private
 chmod 755 ${KEY_DIR}

diff --git a/src/usr/local/bin/zoneadd b/src/usr/local/bin/zoneadd
@@ -25,6 +25,9 @@ DNSKEY="${DNSKEY:-${ZONE_NAME}.DNSKEY}"
 
 # NSD
 #
+[ ${ZONE_NAME} = ${DOMAIN} ] &&
+  sed -i '/zone.${DOMAIN}/ s|^#include|include|' ${NSD_DIR}/etc/nsd.conf
+
 if [ ! -r ${NSD_DIR}/etc/nsd.conf.zone.${ZONE_NAME} ]
   then
     cp -p ${NSD_DIR}/etc/nsd.conf.zone.${DOMAIN} \
@@ -34,6 +37,8 @@ if [ ! -r ${NSD_DIR}/etc/nsd.conf.zone.${ZONE_NAME} ]
     grep zone.${ZONE_NAME} ${NSD_DIR}/etc/nsd.conf ||
       echo include: ${NSD_DIR}/etc/nsd.conf.zone.${ZONE_NAME} \
         >> ${NSD_DIR}/etc/nsd.conf
+  else
+    sed -i '/zone.${DOMAIN}/ s|^#include|include|' ${NSD_DIR}/etc/nsd.conf
 fi
 
 # PowerDNS

diff --git a/src/var/nsd/etc/nsd.conf b/src/var/nsd/etc/nsd.conf
@@ -28,6 +28,6 @@ remote-control:
 	control-key-file: /var/nsd/etc/nsd_control.key
 	control-cert-file: /var/nsd/etc/nsd_control.pem
 
-include: /var/nsd/etc/nsd.conf.zone.example.com
-include: /var/nsd/etc/nsd.conf.zone.ddns.example.com
+#include: /var/nsd/etc/nsd.conf.zone.example.com
+#include: /var/nsd/etc/nsd.conf.zone.ddns.example.com