authorBen Harris <ben@tilde.team>2019-12-30 11:47:59 -0500
committerBen Harris <ben@tilde.team>2019-12-30 11:47:59 -0500
commit2dbd6d7840f3cbbd634ab0def9b80763f4502213 (patch)
tree53484fb5ae53c429a75843a77bea6d97a6a47555
parent321794ca3255135189eb12eb1db64a0b5a691657 (diff)
use acl and master lists
-rw-r--r--named.conf.local90
-rw-r--r--named.conf.mydomains43
-rw-r--r--named.conf.slave10
-rw-r--r--named.conf.tilde45
4 files changed, 107 insertions, 81 deletions
diff --git a/named.conf.local b/named.conf.local
index 07b6cb3..2fd1700 100644
--- a/named.conf.local
+++ b/named.conf.local
@@ -19,12 +19,22 @@ include "/etc/bind/bsd.tilde.team.key";
 server 89.163.145.170 { keys { tilde_msT; }; }; // ns1.envs.net
 server 78.31.64.115 { keys { tilde_msT; }; };   // ns2.envs.net
 
+masters "notifylist" {
+	167.114.154.31;
+	89.163.145.170;
+	78.31.64.115;
+};
+
+acl "transferto" {
+	167.114.154.31;
+	key tilde_msT;
+};
 
 zone "tildeverse.net" {
 	type master;
 	file "/etc/bind/zones/db.tildeverse.net";
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
-	allow-transfer { 167.114.154.31; key tilde_msT;};
+	also-notify { "notifylist"; };
+	allow-transfer { "transferto";};
 	update-policy {
 		grant certbot name _acme-challenge.tildeverse.net. txt;
 	};
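Review bot: The `allow-transfer { "transferto";};` line in the tildeverse.net zone drops the space before `};` that every other zone in this commit keeps (`allow-transfer { "transferto"; };`); since the same pair of lines is repeated in the nineteen hunks that follow, the first occurrence is the one worth aligning. The new `acl "transferto"` would also benefit from a comment explaining why the two envs.net addresses present in `notifylist` are absent from it: they are admitted through `key tilde_msT`, which the `server` statements above bind to those hosts, so notifications and transfers still reach the same set of secondaries. A one-liner such as `// envs.net secondaries transfer via key tilde_msT (see server statements above), not by address` would prevent a reader from concluding that two notified hosts cannot transfer. Keeping `notifylist` and `transferto` adjacent, as done here, is good practice so that a secondary added to one list is not forgotten in the other.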
@@ -33,8 +43,8 @@ zone "tildeverse.net" {
 zone "tildeverse.org" {
 	type master;
 	file "/etc/bind/zones/db.tildeverse.org";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tildeverse.org. txt;
 	};
@@ -43,8 +53,8 @@ zone "tildeverse.org" {
 zone "fuckup.club" {
 	type master;
 	file "/etc/bind/zones/db.fuckup.club";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.fuckup.club. txt;
 	};
@@ -53,8 +63,8 @@ zone "fuckup.club" {
 zone "nand.sh" {
 	type master;
 	file "/etc/bind/zones/db.nand.sh";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.nand.sh. txt;
 	};
@@ -63,8 +73,8 @@ zone "nand.sh" {
 zone "tild3.org" {
 	type master;
 	file "/etc/bind/zones/db.tild3.org";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tild3.org. txt;
 	};
@@ -73,8 +83,8 @@ zone "tild3.org" {
 zone "tilde.chat" {
 	type master;
 	file "/etc/bind/zones/db.tilde.chat";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.chat. txt;
 	};
@@ -83,8 +93,8 @@ zone "tilde.chat" {
 zone "tildegit.org" {
 	type master;
 	file "/etc/bind/zones/db.tildegit.org";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tildegit.org. txt;
 	};
@@ -93,8 +103,8 @@ zone "tildegit.org" {
 zone "tilde.life" {
 	type master;
 	file "/etc/bind/zones/db.tilde.life";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.life. txt;
 	};
@@ -103,8 +113,8 @@ zone "tilde.life" {
 zone "tildenet.org" {
 	type master;
 	file "/etc/bind/zones/db.tildenet.org";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tildenet.org. txt;
 	};
@@ -113,8 +123,8 @@ zone "tildenet.org" {
 zone "tilde.news" {
 	type master;
 	file "/etc/bind/zones/db.tilde.news";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.news. txt;
 	};
@@ -123,8 +133,8 @@ zone "tilde.news" {
 zone "tilde.ninja" {
 	type master;
 	file "/etc/bind/zones/db.tilde.ninja";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.ninja. txt;
 	};
@@ -133,8 +143,8 @@ zone "tilde.ninja" {
 zone "tilde.pizza" {
 	type master;
 	file "/etc/bind/zones/db.tilde.pizza";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.pizza. txt;
 	};
@@ -143,8 +153,8 @@ zone "tilde.pizza" {
 zone "tilderadio.org" {
 	type master;
 	file "/etc/bind/zones/db.tilderadio.org";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilderadio.org. txt;
 	};
@@ -153,8 +163,8 @@ zone "tilderadio.org" {
 zone "tilde.site" {
 	type master;
 	file "/etc/bind/zones/db.tilde.site";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.site. txt;
 	};
@@ -163,8 +173,8 @@ zone "tilde.site" {
 zone "tilde.team" {
 	type master;
 	file "/etc/bind/zones/db.tilde.team";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.team. txt;
 		grant bsd.tilde.team name _acme-challenge.bsd.tilde.team. txt;
@@ -174,8 +184,8 @@ zone "tilde.team" {
 zone "tildeteam.org" {
 	type master;
 	file "/etc/bind/zones/db.tildeteam.org";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tildeteam.org. txt;
 	};
@@ -184,8 +194,8 @@ zone "tildeteam.org" {
 zone "tildeteam.net" {
 	type master;
 	file "/etc/bind/zones/db.tildeteam.net";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tildeteam.net. txt;
 	};
@@ -194,8 +204,8 @@ zone "tildeteam.net" {
 zone "tilde.wiki" {
 	type master;
 	file "/etc/bind/zones/db.tilde.wiki";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.wiki. txt;
 	};
@@ -204,8 +214,8 @@ zone "tilde.wiki" {
 zone "tilde.zone" {
 	type master;
 	file "/etc/bind/zones/db.tilde.zone";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.tilde.zone. txt;
 	};
@@ -214,8 +224,8 @@ zone "tilde.zone" {
 zone "ttm.sh" {
 	type master;
 	file "/etc/bind/zones/db.ttm.sh";
-	allow-transfer { 167.114.154.31; key tilde_msT; };
-	also-notify { 167.114.154.31; 89.163.145.170; 78.31.64.115; };
+	allow-transfer { "transferto"; };
+	also-notify { "notifylist"; };
 	update-policy {
 		grant certbot name _acme-challenge.ttm.sh. txt;
 	};
diff --git a/named.conf.mydomains b/named.conf.mydomains
index 499bb4e..f87382e 100644
--- a/named.conf.mydomains
+++ b/named.conf.mydomains
@@ -1,11 +1,14 @@
 // my domains
 include "/etc/bind/pi.key";
 
+acl ns2 { 167.114.154.31; };
+masters ns2 { 167.114.154.31; };
+
 zone "benharri.com" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.benharri.com";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.benharri.com. txt;
 	};
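Review bot: `allow-transfer { ns2; };` still authorizes zone transfers by source address alone, whereas the sibling named.conf.local in this same commit pairs the address with `key tilde_msT` inside its `transferto` ACL; if ns2 shares a TSIG key with this server (not visible in this diff), adding `key <ns2-key>;` to `acl ns2` would make the transfer policy consistent across the two files. Reusing the bare name `ns2` for both the `acl` and the `masters` list is legal because BIND keeps the two in separate namespaces, but a comment such as `// ns2: same host; acl is used by allow-transfer, masters list by also-notify` would spare the next reader from wondering which definition each directive resolves to. The same `ns2` substitution is repeated in the nine hunks that follow.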
@@ -14,8 +17,8 @@ zone "benharri.com" {
 zone "benharr.is" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.benharr.is";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.benharr.is. txt;
 	};
@@ -24,8 +27,8 @@ zone "benharr.is" {
 zone "ben.o" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.ben.o";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.ben.o. txt;
 	};
@@ -34,8 +37,8 @@ zone "ben.o" {
 zone "benharri.dev" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.benharri.dev";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.benharri.dev. txt;
 	};
@@ -44,8 +47,8 @@ zone "benharri.dev" {
 zone "benhh.com" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.benhh.com";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.benhh.com. txt;
 	};
@@ -54,8 +57,8 @@ zone "benhh.com" {
 zone "bhh.sh" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.bhh.sh";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.bhh.sh. txt;
 		grant pi name pi.bhh.sh. A;
@@ -65,8 +68,8 @@ zone "bhh.sh" {
 zone "esthersedibles.net" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.esthersedibles.net";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.esthersedibles.net. txt;
 	};
@@ -75,8 +78,8 @@ zone "esthersedibles.net" {
 zone "harris.team" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.harris.team";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.harris.team. txt;
 	};
@@ -85,8 +88,8 @@ zone "harris.team" {
 zone "itsreallynot.com" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.itsreallynot.com";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.itsreallynot.com. txt;
 	};
@@ -95,8 +98,8 @@ zone "itsreallynot.com" {
 zone "hmm.st" {
 	type master;
 	file "/etc/bind/zones/mydomains/db.hmm.st";
-	allow-transfer { 167.114.154.31; };
-	also-notify { 167.114.154.31; };
+	allow-transfer { ns2; };
+	also-notify { ns2; };
 	update-policy {
 		grant certbot name _acme-challenge.hmm.st. txt;
 	};
diff --git a/named.conf.slave b/named.conf.slave
index 332c895..6b27414 100644
--- a/named.conf.slave
+++ b/named.conf.slave
@@ -1,24 +1,26 @@
+masters envs { 89.163.145.170; };
+
 zone "envs.net" {
 	type slave;
 	file "/var/cache/bind/fwd.envs.net";
-	masters { 89.163.145.170; };
+	masters { envs; };
 };
 
 zone "envs.sh" {
 	type slave;
 	file "/var/cache/bind/fwd.envs.sh";
-	masters { 89.163.145.170; };
+	masters { envs; };
 };
 
 zone "envs.o" {
 	type slave;
 	file "/var/cache/bind/fwd.envs.o";
-	masters { 89.163.145.170; };
+	masters { envs; };
 };
 
 zone "envs.tilde" {
 	type slave;
 	file "/var/cache/bind/fwd.envs.tilde";
-	masters { 89.163.145.170; };
+	masters { envs; };
 };
 
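Review bot: None of the four secondary zones that now reference `masters { envs; }` sets `allow-transfer`, so unless named.conf.options (not part of this diff) restricts it globally, the cached envs.* zones remain transferable by any client under BIND's historical default of `allow-transfer { any; }`; a per-zone `allow-transfer { none; };` next to each `masters { envs; };` line, or a single global setting in options, would close that. The `server 89.163.145.170 { keys { tilde_msT; }; }` statement in named.conf.local already signs outgoing traffic to this primary, so no key is needed on the `masters envs` entry itself — a short `// envs.net primary; transfers are signed via the server statement in named.conf.local` above the new list would record that dependency. These remarks concern the pre-existing zone bodies, which this commit leaves unchanged apart from the masters reference.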
diff --git a/named.conf.tilde b/named.conf.tilde
index 3c79b99..fa9b376 100644
--- a/named.conf.tilde
+++ b/named.conf.tilde
@@ -1,62 +1,73 @@
+acl "tildenameservers" {
+	213.239.234.117;
+	149.56.184.112;
+	192.95.3.29;
+};
+masters "tildenameservers" {
+	213.239.234.117;
+	149.56.184.112;
+	192.95.3.29;
+};
+
 zone "tilde" IN {
 	type forward;
 	forward only;
-	forwarders { 213.239.234.117; 149.56.184.112; };
+	forwarders { 213.239.234.117; 149.56.184.112; 192.95.3.29; };
 };
 
 zone "team.tilde" {
         type master;
         file "/etc/bind/zones/tilde/db.team.tilde";
-	allow-transfer { 213.239.234.117; 149.56.184.112; };
-	also-notify { 213.239.234.117; 149.56.184.112; };
+	allow-transfer { "tildenameservers"; };
+	also-notify { "tildenameservers"; };
 };
 
 zone "git.tilde" {
         type master;
         file "/etc/bind/zones/tilde/db.git.tilde";
-	allow-transfer { 213.239.234.117; 149.56.184.112; };
-	also-notify { 213.239.234.117; 149.56.184.112; };
+	allow-transfer { "tildenameservers"; };
+	also-notify { "tildenameservers"; };
 };
 
 zone "mastodon.tilde" {
         type master;
         file "/etc/bind/zones/tilde/db.mastodon.tilde";
-	allow-transfer { 213.239.234.117; 149.56.184.112; };
-	also-notify { 213.239.234.117; 149.56.184.112; };
+	allow-transfer { "tildenameservers"; };
+	also-notify { "tildenameservers"; };
 };
 
 zone "lists.tilde" {
         type master;
         file "/etc/bind/zones/tilde/db.lists.tilde";
-	allow-transfer { 213.239.234.117; 149.56.184.112; };
-	also-notify { 213.239.234.117; 149.56.184.112; };
+	allow-transfer { "tildenameservers"; };
+	also-notify { "tildenameservers"; };
 };
 
 zone "chat.tilde" {
         type master;
         file "/etc/bind/zones/tilde/db.chat.tilde";
-	allow-transfer { 213.239.234.117; 149.56.184.112; };
-	also-notify { 213.239.234.117; 149.56.184.112; };
+	allow-transfer { "tildenameservers"; };
+	also-notify { "tildenameservers"; };
 };
 
 zone "ci.tilde" {
         type master;
         file "/etc/bind/zones/tilde/db.ci.tilde";
-	allow-transfer { 213.239.234.117; 149.56.184.112; };
-	also-notify { 213.239.234.117; 149.56.184.112; };
+	allow-transfer { "tildenameservers"; };
+	also-notify { "tildenameservers"; };
 };
 
 zone "pleroma.tilde" {
         type master;
         file "/etc/bind/zones/tilde/db.pleroma.tilde";
-	allow-transfer { 213.239.234.117; 149.56.184.112; };
-	also-notify { 213.239.234.117; 149.56.184.112; };
+	allow-transfer { "tildenameservers"; };
+	also-notify { "tildenameservers"; };
 };
 
 zone "news.tilde" {
         type master;
         file "/etc/bind/zones/tilde/db.news.tilde";
-	allow-transfer { 213.239.234.117; 149.56.184.112; };
-	also-notify { 213.239.234.117; 149.56.184.112; };
+	allow-transfer { "tildenameservers"; };
+	also-notify { "tildenameservers"; };
 };