From ad77eb1e98fd7980497c848d020994eba99cff6b Mon Sep 17 00:00:00 2001
From: Conrad Hoffmann
Date: Tue, 20 Jun 2023 21:01:49 +0200
Subject: [PATCH] Implement DNS UPDATE infrastructure

---
 IMGBUILD | 4 ++-
 files/etc/knot/knot.conf.makeimg.template | 35 +++++++++++++++++++++--
 secrets/+tsig_txt | 1 +
 3 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 secrets/+tsig_txt

diff --git a/IMGBUILD b/IMGBUILD
index e99a7ce..7d4134e 100644
--- a/IMGBUILD
+++ b/IMGBUILD
@@ -1,5 +1,5 @@
 # The name of this image. Mostly cosmetic, e.g. for output file naming.
-imgname=bfy
+imgname=bfxy
 
 # Build an Alpine Linux image
 target=alpine
@@ -133,6 +133,8 @@ services="
 "
 
 # Custom stuff
+dns_primary="81.171.24.121"
+dns_secondary="185.17.144.15"
 case "$BF_HOST" in
 x)
 hostname="x"
diff --git a/files/etc/knot/knot.conf.makeimg.template b/files/etc/knot/knot.conf.makeimg.template
index 52a0b81..b5822bd 100644
--- a/files/etc/knot/knot.conf.makeimg.template
+++ b/files/etc/knot/knot.conf.makeimg.template
@@ -5,6 +5,12 @@ server:
 user: knot:knot
 listen: [ ${host_ipv4}@53, ${host_ipv6}@53 ]
 
+remote:
+ - id: primary
+ address: ${dns_primary}@53
+ - id: secondary
+ address: ${dns_secondary}@53
+
 log:
 - target: /var/log/knotd.log
 any: info
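Review bot: The two entries in the new `remote:` block carry only an `address:`, and the `notify` and `transfer` ACLs that pair with them in the next hunk also match on source address alone, so NOTIFY and zone-transfer traffic between primary and secondary is authorized purely by IPv4 source address while the new `txtkey` protects only the UPDATE path. A second TSIG key for the transfer path would be consistent with what the patch already sets up: add `key: <transfer-key-id>` under both remote entries and under the `notify` and `transfer` ACLs, with a matching `key:` entry for it. The `dns_primary`/`dns_secondary` values added to IMGBUILD are IPv4 literals although the server also listens on `${host_ipv6}`, which is fine as long as inter-server traffic is meant to stay on IPv4; a comment on those two variables would help the next editor, e.g. `# Peer addresses; each also appears in the other host's notify/transfer ACL, so change both together.`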
@@ -19,16 +25,41 @@ mod-stats:
 edns-presence: on
 query-type: on
 
+key:
+ - id: txtkey
+ algorithm: hmac-sha256
+ secret: $(makeimg -S +tsig_txt)
+
+acl:
+ - id: txt_updates
+ action: update
+ update-type: [TXT]
+ key: txtkey
+ - id: notify
+ address: ${dns_primary}
+ action: notify
+ - id: transfer
+ address: ${dns_secondary}
+ action: transfer
+
 template:
 - id: default
 storage: "/var/lib/knot"
 file: "%s.zone"
 module: mod-stats/default
+ dnssec-policy: manual
+ acl: [notify, transfer, txt_updates]
+ $(if [ "$hostname" = "x" ]; then
+ printf "notify: secondary"
+ else
+ printf "master: primary"
+ fi)
 
 zone:
 - domain: bitfehler.net
 - domain: bitfehler.org
 - domain: bitfehler.com
 - domain: anemos.io
- dnssec-signing: on
- dnssec-policy: manual
+ $(if [ "$hostname" = "x" ]; then
+ printf "dnssec-signing: on\n"
+ fi)
diff --git a/secrets/+tsig_txt b/secrets/+tsig_txt
new file mode 100644
index 0000000..adbd79d
--- /dev/null
+++ b/secrets/+tsig_txt
@@ -0,0 +1 @@
+pass show bitfehler/dns/tsig/bfcomtxt
-- 
2.45.2
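Review bot: The `txt_updates` ACL is authorized by `key: txtkey` alone — unlike `notify` and `transfer` it has no `address:` — and carries no owner restriction, and because `acl: [notify, transfer, txt_updates]` sits in the `default` template it grants that key TXT updates on every zone listed below (bitfehler.net/.org/.com and anemos.io) unless a zone names another template, while the secret's pass path `bfcomtxt` in the last hunk suggests a single-zone purpose. Consider limiting the names the key may touch with `update-owner: name`, `update-owner-match: sub-or-equal` and `update-owner-name: [ <label the updater needs> ]`, adding an `address:` if the update client has a fixed source, or attaching the ACL per zone (`- domain: bitfehler.com` followed by `acl: [notify, transfer, txt_updates]`) instead of in the template. `secret: $(makeimg -S +tsig_txt)` expands the TSIG secret into the rendered knot.conf, so the generated file's mode must keep it readable only by the knot user; how makeimg sets that mode is not visible in this patch. The `$(if ...)` substitutions depend on `$hostname` from IMGBUILD's `case "$BF_HOST"` block, which only partly appears in the previous hunk, so any host other than `x` silently becomes a secondary pointing at `primary`; a one-line comment above the first `$(if` stating that intent would make the template self-explaining.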