
ad77eb1e98fd7980497c848d020994eba99cff6b — Conrad Hoffmann 1 year, 5 months ago 47c6bda
Implement DNS UPDATE infrastructure
3 files changed, 37 insertions(+), 3 deletions(-)

M IMGBUILD
M files/etc/knot/knot.conf.makeimg.template
A secrets/+tsig_txt
M IMGBUILD => IMGBUILD +3 -1
@@ 1,5 1,5 @@
# The name of this image. Mostly cosmetic, e.g. for output file naming.
imgname=bfy
imgname=bfxy

# Build an Alpine Linux image
target=alpine


@@ 133,6 133,8 @@ services="
"

# Custom stuff
dns_primary="81.171.24.121"
dns_secondary="185.17.144.15"
case "$BF_HOST" in
x)
	hostname="x"
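Review bot: The addresses added at `dns_primary`/`dns_secondary` are IPv4 literals only, yet the knot.conf template built from these variables listens on `${host_ipv6}@53` as well and uses them both as `remote` targets and as `acl` source addresses, so a NOTIFY or AXFR arriving from a peer's IPv6 address would not match the address-based ACLs and would be refused. If the peers are dual-stacked, either add IPv6 literals alongside (e.g. `dns_primary_v6=…`) and list both in the ACLs, or make the peers' outgoing address predictable with `via:` on the `remote` entries. The `case "$BF_HOST"` statement opened on the last lines of the hunk continues outside it.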

M files/etc/knot/knot.conf.makeimg.template => files/etc/knot/knot.conf.makeimg.template +33 -2
@@ 5,6 5,12 @@ server:
    user: knot:knot
    listen: [ ${host_ipv4}@53, ${host_ipv6}@53 ]

remote:
  - id: primary
    address: ${dns_primary}@53
  - id: secondary
    address: ${dns_secondary}@53

log:
  - target: /var/log/knotd.log
    any: info


@@ 19,16 25,41 @@ mod-stats:
    edns-presence: on
    query-type: on

key:
  - id: txtkey
    algorithm: hmac-sha256
    secret: $(makeimg -S +tsig_txt)

acl:
  - id: txt_updates
    action: update
    update-type: [TXT]
    key: txtkey
  - id: notify
    address: ${dns_primary}
    action: notify
  - id: transfer
    address: ${dns_secondary}
    action: transfer

template:
  - id: default
    storage: "/var/lib/knot"
    file: "%s.zone"
    module: mod-stats/default
    dnssec-policy: manual
    acl: [notify, transfer, txt_updates]
    $(if [ "$hostname" = "x" ]; then
      printf "notify: secondary"
    else
      printf "master: primary"
    fi)

zone:
  - domain: bitfehler.net
  - domain: bitfehler.org
  - domain: bitfehler.com
  - domain: anemos.io
    dnssec-signing: on
    dnssec-policy: manual
    $(if [ "$hostname" = "x" ]; then
      printf "dnssec-signing: on\n"
    fi)
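Review bot: The `txt_updates` ACL restricts only the record type, not the owner name or the source address, so any holder of `txtkey` can overwrite any TXT record (SPF, DMARC and DKIM data included) in every zone, because the default template applies `acl: [notify, transfer, txt_updates]` to all four zones. If the key exists for one purpose such as ACME challenges (inferred from `update-type: [TXT]`, not stated on the page), narrow it with `update-owner: name`, `update-owner-match: sub-or-equal` and `update-owner-name: [_acme-challenge]` (or whatever owner the updater actually writes), and add an `address:` entry for the updater's network if it is fixed. Separately, the `notify` and `transfer` ACLs and the `remote` entries in the first hunk are authenticated by source IP alone; a shared TSIG key referenced with `key:` on both the remote and the ACL would make NOTIFY/AXFR spoofing considerably harder. The TSIG secret is expanded in plain text by `$(makeimg -S +tsig_txt)`, so the generated knot.conf in the image should be readable only by the `knot` user. The `$(if ...)` under `anemos.io` looks like it replaces the two unconditional lines above it (the section's 2 deletions), but the rendered page does not mark which lines were removed, so confirm that `dnssec-signing` is intentionally limited to host x.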

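--- /dev/null
+++ b/secrets/+tsig_txt
@@ -0,0 +1,1 @@
+pass show bitfehler/dns/tsig/bfcomtxt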