diff --git a/Makefile b/Makefile index 4f131ba..ed22cf1 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ EGRESS = vio0 MASTER = yes DOMAIN_NAME = example.com -DDNS = ddns +DDNS_NAME = ddns MASTER_HOST = dot MASTER_IPv4 = 203.0.113.3 @@ -82,7 +82,6 @@ NSDCONF = ${VARBASE:S|^/||}/nsd/etc/nsd.conf \ ${VARBASE:S|^/||}/nsd/etc/nsd.conf.master.${DOMAIN_NAME} \ ${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.PowerDNS \ ${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.${DOMAIN_NAME} \ - ${VARBASE:S|^/||}/nsd/etc/nsd.conf.zone.${DDNS}.${DOMAIN_NAME} \ ${VARBASE:S|^/||}/nsd/etc/nsd.conf.zone.${DOMAIN_NAME} FREECONF = ${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.1984.is \ @@ -121,6 +120,10 @@ PKG = powerdns \ SYSCONF += ${BASESYSCONFDIR:S|^/||}/weekly.local .endif +.if !empty(DDNS_NAME) +NSDCONF += ${VARBASE:S|^/||}/nsd/etc/nsd.conf.zone.${DDNS_NAME}.${DOMAIN_NAME} +.endif + .if defined(UPGRADE) && ${UPGRADE} == "yes" upgrade: config .WAIT ${DITHEMATIC} @echo Upgrade @@ -135,7 +138,6 @@ config: find ${WRKSRC} -type f -exec sed -i \ -e 's|vio0|${EGRESS}|g' \ -e 's|example.com|${DOMAIN_NAME}|g' \ - -e 's|ddns|${DDNS}|g' \ -e 's|dot|${MASTER_HOST}|g' \ -e 's|203.0.113.3|${MASTER_IPv4}|g' \ -e 's|2001:0db8::3|${MASTER_IPv6}|g' \ @@ -143,6 +145,11 @@ config: -e 's|203.0.113.4|${SLAVE_IPv4}|g' \ -e 's|2001:0db8::4|${SLAVE_IPv6}|g' \ {} + +.if !empty(DDNS_NAME) + find ${WRKSRC} -type f -exec sed -i \ + -e 's|ddns|${DDNS_NAME}|g' \ + {} + +.endif .if ${MASTER} != "yes" sed -i \ -e 's|^master=yes|#master=yes|' \ @@ -167,8 +174,13 @@ config: @echo Super-Master .endif .for _NSDCONF in ${NSDCONF:N*nsd.conf:N*.PowerDNS} - cp -p ${_NSDCONF:S|${DOMAIN_NAME}|example.com|:S|${DDNS}|ddns|:S|^|${WRKSRC}/|} \ +. if !empty(DDNS_NAME) + cp -p ${_NSDCONF:S|${DOMAIN_NAME}|example.com|:S|${DDNS_NAME}|ddns|:S|^|${WRKSRC}/|} \ + ${_NSDCONF:S|^|${WRKSRC}/|} +. else + cp -p ${_NSDCONF:S|${DOMAIN_NAME}|example.com|:S|^|${WRKSRC}/|} \ ${_NSDCONF:S|^|${WRKSRC}/|} +. endif .endfor @echo Configured 
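Review bot: The label substitution added under `.if !empty(DDNS_NAME)` is an unanchored `s|ddns|${DDNS_NAME}|g` run over every file in `${WRKSRC}`, and it now executes as a second pass after `example.com` has already been rewritten to `${DOMAIN_NAME}`, so a domain or host value that happens to contain the substring `ddns` is corrupted by the second pass (the old single `sed -e` chain had the same order, but the split makes it easier to miss). `${DDNS_NAME}` is also spliced into the sed script verbatim, so a value containing `|`, `&` or `\` alters the script rather than the label; since the value comes from Makefile.local this is a robustness problem rather than an injection path, but a parse-time `.error` rejecting anything outside hostname-label characters would surface it at `make` time instead of as a half-rewritten tree. Matching the label as a whole word, e.g. `-e 's|[[:<:]]ddns[[:>:]]|${DDNS_NAME}|g'` (OpenBSD's regex supports these word boundaries), would stop it touching longer names.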
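Review bot: In the new `. if !empty(DDNS_NAME)` branch of the `.for` loop, `:S|${DDNS_NAME}|ddns|` replaces only the first occurrence in a path that begins with `${VARBASE:S|^/||}/nsd/etc/nsd.conf.zone.`, so a DDNS_NAME that is a substring of that prefix (`nsd`, `etc`, `conf`, `zone`) rewrites the prefix instead of the label and `cp -p` then fails on a non-existent template. Replacing the whole zone-file suffix with an end-anchored pattern before the domain rewrite, `${_NSDCONF:S|.${DDNS_NAME}.${DOMAIN_NAME}$|.ddns.example.com|:S|${DOMAIN_NAME}|example.com|:S|^|${WRKSRC}/|}`, avoids the collision and lets both branches of the new conditional share a single `cp` line. The pre-existing `:S|${DOMAIN_NAME}|example.com|` has the same first-match behaviour but is not introduced by this change.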
@@ -185,6 +197,7 @@ clean: @rm -r ${WRKSRC} beforeinstall: upgrade + rcctl stop nsd pdns_server || [[ "$$?" -eq 1 ]] .for _PKG in ${PKG} env PKG_PATH= pkg_info ${_PKG} > /dev/null || pkg_add ${_PKG} .endfor 
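Review bot: `rcctl stop nsd pdns_server` in beforeinstall takes both authoritative daemons down at the start of the install, and nothing restarts them until the final lines of afterinstall (outside this hunk), so a failure anywhere in between — `pkg_add` in the `.for` loop directly below, or a later `mtree -U` pass — leaves the zone servers offline with no recovery path in the Makefile. `|| [[ "$$?" -eq 1 ]]` reasonably tolerates exit status 1 (daemon not running), but any other stop failure aborts the install with the daemons possibly half-stopped. If the stop is needed so a running nsd does not reload partly rewritten configuration, a comment saying so, plus a `rcctl check nsd pdns_server` that records which daemons were running so afterinstall only restarts those, would make the outage window deliberate and bounded.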
@@ -217,24 +230,26 @@ afterinstall: .endif [[ -r ${VARBASE}/nsd/etc/nsd_control.pem ]] || nsd-control-setup [[ -r ${VARBASE}/pdns/pdns.sqlite ]] \ - || sqlite3 ${VARBASE}/pdns/pdns.sqlite \ - -init ${PREFIX}/share/doc/pdns/schema.sqlite3.sql ".exit" - [[ -r ${VARBASE}/pdns/pdnssec.sqlite ]] \ - || sqlite3 ${VARBASE}/pdns/pdnssec.sqlite \ - -init ${PREFIX}/share/doc/pdns/dnssec-3.x_to_3.4.0_schema.sqlite3.sql ".exit" + || sqlite3 ${VARBASE}/pdns/pdns.sqlite \ + -init ${PREFIX}/share/doc/pdns/schema.sqlite3.sql ".exit" group info -e tsig || user info -e tsig \ - || { user add -u 25353 -g =uid -c "TSIG Wizard" -s /bin/ksh -m tsig; \ - mkdir -m700 /home/tsig/.key; chown tsig:tsig /home/tsig/.key; } + || { user add -u 25353 -g =uid -c "TSIG Wizard" -s /bin/ksh -m tsig; \ + mkdir -m700 /home/tsig/.key; chown tsig:tsig /home/tsig/.key; } [[ -r ${BASESYSCONFDIR}/changelist-${RELEASE} ]] \ - || cp ${BASESYSCONFDIR}/changelist ${BASESYSCONFDIR}/changelist-${RELEASE} + || cp ${BASESYSCONFDIR}/changelist ${BASESYSCONFDIR}/changelist-${RELEASE} sed -i '/changelist.local/,$$d' ${BASESYSCONFDIR}/changelist cat ${BASESYSCONFDIR}/changelist.local >> ${BASESYSCONFDIR}/changelist sed -i '/^console/s/ secure//' ${BASESYSCONFDIR}/ttys mtree -qef ${BASESYSCONFDIR}/mtree/special -p / -U mtree -qef ${BASESYSCONFDIR}/mtree/special.local -p / -U + [[ -r ${BASESYSCONFDIR}/ssl/dns/private/tsig.${DOMAIN_NAME} ]] \ + || ${PREFIX}/bin/tsig-secret tsig.${DOMAIN_NAME} + [[ -r ${VARBASE}/nsd/etc/tsig.${DOMAIN_NAME} ]] \ + || ${PREFIX}/bin/tsig-change tsig.${DOMAIN_NAME} pfctl -f /etc/pf.conf rcctl disable check_quotas sndiod - rcctl check unbound || { rcctl enable unbound; rcctl restart unbound; } + rcctl enable unbound nsd pdns_server + rcctl restart unbound nsd pdns_server .PHONY: upgrade .USE: upgrade diff --git a/README.md b/README.md index 606e837..4cb7fcb 100644 --- a/README.md +++ b/README.md 
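Review bot: The two new guards create `tsig.${DOMAIN_NAME}` under `${BASESYSCONFDIR}/ssl/dns/private` and `${VARBASE}/nsd/etc` only after both `mtree -qef … -p / -U` passes have already run, so whatever ownership and mode `tsig-secret` and `tsig-change` give the new key files is not normalised by `special`/`special.local` until the next install run; moving the two guards above the mtree lines closes that gap (or confirm that both helpers create their output with the intended restrictive mode and `_nsd` group themselves — not visible here). The `[[ -r … ]]` tests also mean an existing secret is kept silently, which is correct but worth stating next to them, e.g. `# TSIG secret is generated once; distribute it to slaves with tsig-share, never regenerate here`. Separately, `rcctl restart unbound nsd pdns_server` now restarts unbound unconditionally where the replaced line only started it when `rcctl check` failed; harmless, but a one-word comment would show the resolver blip is intended.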
@@ -22,30 +22,27 @@ Grab a copy of this repository, and put overrides in "[Makefile](Makefile).local make install ``` +*n.b.* rename and place [zone templates](https://github.com/vedetta-com/dithematic/tree/master/src/usr/local/share/examples/dithematic) in `/var/nsd/zones/master` (or start with a blank slate.) + Install DNS zone(s), e.g. on master: `example.com` and `ddns.example.com` ```console env ROLE=master DDNS=false zoneadd example.com env ROLE=master DDNS=true zoneadd ddns.example.com ``` -n.b.: place [zone templates](https://github.com/vedetta-com/dithematic/tree/master/src/usr/local/share/examples/dithematic) in `/var/nsd/zones/master` (or start with a blank slate.) - -n.b.: place existing TSIG key as `tsig.example.com`, CSK (or ZSK) as `example.com.CSK` in `/etc/ssl/dns/private` (or let `zoneadd` generate new keys.) +*n.b.* place existing TSIG key as `tsig.example.com`, CSK (or ZSK) as `example.com.CSK` in `/etc/ssl/dns/private` (or let [`zoneadd`](src/usr/local/bin/zoneadd) generate new keys.) -Add a [DDNS](https://tools.ietf.org/html/rfc2136) user, e.g.: `puffy` -```console -user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy -``` - -Setup the [TSIG](https://tools.ietf.org/html/rfc2845) user on all nameservers, i.e.: `tsig` +Setup the [TSIG](https://tools.ietf.org/html/rfc2845) user on all dithematic nameservers, i.e. `tsig` ```console su - tsig ssh-keygen -t ed25519 -C tsig@example.com exit -ssh -i /home/tsig/.ssh/id_ed25519 -l tsig $IP \ - "cat - >> /home/tsig/.ssh/authorized_keys" \ - < /home/tsig/.ssh/id_ed25519.pub -rcctl restart sshd +``` + +Share TSIG user's public key with all dithematic slave nameservers, and update "known_hosts" +```console +sh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit" +sh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit" ``` Share master TSIG secret with nameservers, e.g.: `dig.example.com` 
@@ -53,6 +50,11 @@ Share master TSIG secret with nameservers, e.g.: `dig.example.com` env NS="dig.example.com" tsig-share tsig.example.com ``` +[DNS UPDATE](https://tools.ietf.org/html/rfc2136) allowed IPs are managed with authpf(8) i.e. user "puffy" first needs to SSH login on the master name server host to authenticate the IP from which they will next update ddns.example.com zone using e.g. nsupdate (pkg_add ics-bind) or dnspython (pkg_add py-dnspython) on their device (skip if not using dynamic DNS) +```console +user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy +``` + Enjoy: ```console rcctl enable nsd pdns_server diff --git a/src/etc/mtree/special.local b/src/etc/mtree/special.local index cb9580b..2fd598d 100644 --- a/src/etc/mtree/special.local +++ b/src/etc/mtree/special.local @@ -108,6 +108,26 @@ bin type=dir mode=0755 # ./usr/local/bin .. + +# ./usr/local/share +share type=dir mode=0755 + +# ./usr/local/share/doc +doc type=dir mode=0755 + +# ./usr/local/share/doc/dithematic +dithematic type=dir mode=0755 + validate.tsig \ + mode=0644 +# ./usr/local/share/doc/dithematic +.. + +# ./usr/local/share/doc +.. + +# ./usr/local/share +.. + # ./usr/local .. @@ -142,7 +162,7 @@ db type=dir gname=_nsd mode=0775 # ./var/nsd/etc etc type=dir gname=_nsd mode=0750 - nsd.conf.* gname=_nsd mode=0640 + nsd.conf* gname=_nsd mode=0640 # ./var/nsd/etc .. diff --git a/src/etc/pdns/pdns.conf b/src/etc/pdns/pdns.conf index f8e7cc9..0296a30 100644 --- a/src/etc/pdns/pdns.conf +++ b/src/etc/pdns/pdns.conf @@ -18,11 +18,8 @@ setuid=_powerdns #gpgsql-password=pdns # SQLite 3 -#launch=gsqlite3 -#gsqlite3-database= launch=gsqlite3 gsqlite3-database=/var/pdns/pdns.sqlite -gsqlite3-dnssec=/var/pdns/pdnssec.sqlite # BIND zone files #launch=bind diff --git a/src/usr/local/bin/pdns-backup b/src/usr/local/bin/pdns-backup index f3014e9..0cd02f9 100644 --- a/src/usr/local/bin/pdns-backup +++ b/src/usr/local/bin/pdns-backup 
@@ -10,7 +10,7 @@ set -o nounset KEY_DIR="${KEY_DIR:-/etc/ssl/dns}" ZONE_DIR="${ZONE_DIR:-/var/nsd/zones/master}" DB_DIR="${DB_DIR:-/var/pdns}" -PDNS_DB="pdns.sqlite pdnssec.sqlite" +PDNS_DB="pdns.sqlite" mkdir -p ${KEY_DIR}/private chmod 755 ${KEY_DIR} diff --git a/src/usr/local/bin/zoneadd b/src/usr/local/bin/zoneadd index b36e45a..d6d0bef 100644 --- a/src/usr/local/bin/zoneadd +++ b/src/usr/local/bin/zoneadd @@ -25,6 +25,9 @@ DNSKEY="${DNSKEY:-${ZONE_NAME}.DNSKEY}" # NSD # +[ ${ZONE_NAME} = ${DOMAIN} ] && + sed -i '/zone.${DOMAIN}/ s|^#include|include|' ${NSD_DIR}/etc/nsd.conf + if [ ! -r ${NSD_DIR}/etc/nsd.conf.zone.${ZONE_NAME} ] then cp -p ${NSD_DIR}/etc/nsd.conf.zone.${DOMAIN} \ @@ -34,6 +37,8 @@ if [ ! -r ${NSD_DIR}/etc/nsd.conf.zone.${ZONE_NAME} ] grep zone.${ZONE_NAME} ${NSD_DIR}/etc/nsd.conf || echo include: ${NSD_DIR}/etc/nsd.conf.zone.${ZONE_NAME} \ >> ${NSD_DIR}/etc/nsd.conf + else + sed -i '/zone.${DOMAIN}/ s|^#include|include|' ${NSD_DIR}/etc/nsd.conf fi # PowerDNS diff --git a/src/var/nsd/etc/nsd.conf b/src/var/nsd/etc/nsd.conf index 877e793..df3d431 100644 --- a/src/var/nsd/etc/nsd.conf +++ b/src/var/nsd/etc/nsd.conf @@ -28,6 +28,6 @@ remote-control: control-key-file: /var/nsd/etc/nsd_control.key control-cert-file: /var/nsd/etc/nsd_control.pem -include: /var/nsd/etc/nsd.conf.zone.example.com -include: /var/nsd/etc/nsd.conf.zone.ddns.example.com +#include: /var/nsd/etc/nsd.conf.zone.example.com +#include: /var/nsd/etc/nsd.conf.zone.ddns.example.com
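Review bot: `PDNS_DB="pdns.sqlite"` removes `pdnssec.sqlite` from the backup set unconditionally, so a host that has not yet migrated its DNSSEC keys into `pdns.sqlite` stops backing up its key database from the first run after this upgrade. A conditional append keeps legacy key material covered until the file is gone: `[[ -r ${DB_DIR}/pdnssec.sqlite ]] && PDNS_DB="${PDNS_DB} pdnssec.sqlite"`. How PDNS_DB is consumed is outside this hunk.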
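Review bot: In the new `[ ${ZONE_NAME} = ${DOMAIN} ] && sed -i '/zone.${DOMAIN}/ s|^#include|include|' …` the sed script is single-quoted, so `${DOMAIN}` is never expanded and the address is the literal text `zone.${DOMAIN}`, which matches nothing in nsd.conf; since this commit also ships both `include:` lines commented out, the base zone is never re-enabled and nsd serves nothing for it. Double quotes fix the expansion: `sed -i "/zone.${DOMAIN}/ s|^#include|include|" ${NSD_DIR}/etc/nsd.conf`. The unquoted test also mis-parses when either variable is empty; `[ "${ZONE_NAME}" = "${DOMAIN}" ]` is the safe form. The `if` that follows continues past the end of this hunk.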
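Review bot: The `else` branch's `sed -i '/zone.${DOMAIN}/ s|^#include|include|'` has the same single-quote problem as the earlier hunk (the `${DOMAIN}` is literal, so nothing is uncommented) and it targets `${DOMAIN}` rather than `${ZONE_NAME}`, so re-running zoneadd for `ddns.example.com` with its config already present never enables the ddns include. In the `then` branch the context line `grep zone.${ZONE_NAME} ${NSD_DIR}/etc/nsd.conf` also matches the now-commented `#include:` template line, so the `|| echo include: …` fallback never fires for the ddns zone either. Running `sed -i "/zone.${ZONE_NAME}/ s|^#include|include|" ${NSD_DIR}/etc/nsd.conf` in both branches, and anchoring the fallback check as `grep -q "^include: .*zone.${ZONE_NAME}\$" ${NSD_DIR}/etc/nsd.conf` so it only appends when no enabled include exists, gives each zone exactly one active include. The `if` this hunk closes begins before it.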