
dithematic (alpha)

OpenBSD DNS name server


About

authoritative nameserver for domain names

Dithematic configuration and guide for self-hosting DNS

Features

PowerDNS features on OpenBSD's NSD shoulders

Getting started

Minimum requirements

  • 512MB RAM, 10GB SSD
  • reverse DNS (a PTR record) configured at the hosting provider for each nameserver IP, pointing at the primary DOMAIN_NAME

Grab a copy of this repository and put your overrides in "Makefile.local", e.g.:

# Makefile.local

EGRESS =	vio0

DOMAIN_NAME =	example.com

MASTER =	yes
MASTER_HOST =	dot

IPv4 =		203.0.113.3
IPv6 =		2001:0db8::3

UPGRADE =	yes

n.b. UPGRADE uses sdiff(1) to show a side-by-side diff (with the new version on the right side)

Test

make beforeinstall

Install

make install

Edit zoneadd to match your setup (or override the values through the environment)

# Dithematic IP
MASTER_IP="${MASTER_IP:-\
 203.0.113.3 \
 2001:0db8::3 \
 }"
SLAVE_IP="${SLAVE_IP:-\
 203.0.113.4 \
 2001:0db8::4 \
 }" # empty to disable

# Vendor
FREE_SLAVE="${FREE_SLAVE:-\
 1984.is \
 FreeDNS.afraid.org \
 GratisDNS.com \
 HE.net \
 Puck.nether.net \
 }" # empty to disable

n.b. rename and place zone templates in /var/nsd/zones/master (or start with a blank slate).

Install DNS zone(s), e.g. on master: example.com and ddns.example.com

zoneadd example.com
env DDNS=true zoneadd ddns.example.com

Edit a zone

env EDITOR="${EDITOR:-vi}" pdnsutil edit-zone example.com

n.b. place an existing TSIG key as tsig.example.com, and the CSK (or ZSK) as example.com.CSK, in /etc/ssl/dns/private (or let zoneadd generate new keys).

Set up the TSIG user, tsig, on all dithematic nameservers

su - tsig
ssh-keygen -t ed25519 -C [email protected]
exit

Share the TSIG user's public key with all dithematic slave nameservers, and update "known_hosts" by connecting once over IPv4 and once over IPv6

ssh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"
ssh -6 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"

Edit tsig-share on master to add slave nameserver names

NS="${NS:-dig.example.com}" # (space-separated) domain name(s), or IP(s)

Share master TSIG secret with slave nameservers, e.g.: dig.example.com

env NS="dig.example.com" tsig-share tsig.example.com
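The TSIG key that tsig-share distributes ends up as a key: stanza that nsd.conf includes. The following is an added example, not dithematic's own code: it generates a fresh hmac-sha512 secret, renders the stanza, and checks a stanza for the conditions nsd-checkconf rejects (no name, unsupported algorithm, missing or non-base64 secret). The accepted-algorithm set is an assumption for this example.

```python
"""Generate and sanity-check an NSD TSIG key: stanza (added example, not dithematic code)."""
import base64
import binascii
import os
import re

# TSIG algorithms this checker accepts; an assumption, not NSD's full list
TSIG_ALGORITHMS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}


def generate_tsig_secret(nbytes: int = 64) -> str:
    """Fresh random secret, base64-encoded the way nsd.conf expects it."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def nsd_key_stanza(name: str, secret: str, algorithm: str = "hmac-sha512") -> str:
    """Render the key: block that nsd.conf pulls in via include (e.g. tsig.example.com)."""
    return (
        "key:\n"
        f'\tname: "{name}"\n'
        f"\talgorithm: {algorithm}\n"
        f'\tsecret: "{secret}"\n'
    )


def check_key_stanza(text: str) -> list:
    """List the problems nsd-checkconf would report for this stanza; [] means it is fine."""
    problems = []
    if not re.search(r"^\s*key:\s*$", text, re.M):
        problems.append("no key: block")
    fields = {}
    for m in re.finditer(r'^\s*(name|algorithm|secret):\s*"?([^"\n]*)"?\s*$', text, re.M):
        fields[m.group(1)] = m.group(2).strip()
    if not fields.get("name"):
        problems.append("key has no name")
    if fields.get("algorithm") not in TSIG_ALGORITHMS:
        problems.append(f"unsupported algorithm: {fields.get('algorithm')!r}")
    secret = fields.get("secret", "")
    if not secret:
        # the same condition nsd-checkconf reports as "last key has no secret blob"
        problems.append("last key has no secret blob")
    else:
        try:
            base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            problems.append("secret is not valid base64")
    return problems
```

Run check_key_stanza over the include file before restarting nsd; a stanza that passes here still needs the file to be readable by the nsd user.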

DNS UPDATE allowed IPs are managed with authpf(8): a user such as "puffy" first logs in over SSH to the master name server host to authenticate the IP from which they will then update the ddns.example.com zone, using e.g. nsupdate (pkg_add isc-bind) or dnspython (pkg_add py-dnspython) on their device. (Skip this step if not using dynamic DNS.)

user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy

Edit "smtpd.conf" and "secrets"

Edit pf table "msa" to add Message Submission Agent IP(s)

Enjoy

dig example.com any

Support

Issues

Contribute

Contributions welcome; fork the repository.

dithematic's People

Contributors

horia, jpmens



Forkers

bsd-ac

dithematic's Issues

Question ddns

Hey Horia,
Is the ddns zone and user required to operate properly (all my servers are static)? Also, do both nameservers get treated the same as far as the directions for installation (other than switching Master and Slave in the Makefile)? Thanks!

Makefile.local

I have 2 VPS from Vultr, NS1 (Master) and NS2 (Slave). How do I fill in the overrides for NS2 in the Makefile.local? Do I leave MASTER and MASTER_HOST blank to designate that NS2 is the slave? Is the slave set up with the same exact procedure as the master, other than different overrides in Makefile.local? Thanks.

Update SRV records as per RFC 8314

Namaste,

As per RFC 8314 [1], the use of STARTTLS is to be deprecated in favour of Implicit TLS. Further, there is a new "_submissions" SRV record for the 465 port.

We may want to change src/usr/local/share/examples/dithematic/example.com.zone from

_submission._tcp.example.com.	86400	IN	SRV	0 1 465 mercury.example.com.
_submission._tcp.example.com.	86400	IN	SRV	5 1 587 mercury.example.com.

to

_submissions._tcp.example.com.	86400	IN	SRV	0 1 465 mercury.example.com.
_submission._tcp.example.com.	86400	IN	SRV	0 0 0   .

Dhanyavaad.

[1] - https://tools.ietf.org/html/rfc8314
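The change proposed in this issue can be checked mechanically. The following is an added example, not code from the issue or from dithematic: it parses SRV records out of zone-file text and reports whether a zone still matches the old layout (no _submissions record for port 465, _submission still advertised) or the proposed one (_submissions on 465, _submission withdrawn with the null target). The BEFORE and AFTER inputs are the two variants quoted above.

```python
"""Lint SRV records for the RFC 8314 layout proposed above (added example, not dithematic code)."""
import re
from typing import List, NamedTuple

class SRV(NamedTuple):
    owner: str
    priority: int
    weight: int
    port: int
    target: str

# The two variants from the issue above, embedded here as the test input
BEFORE = """\
_submission._tcp.example.com.\t86400\tIN\tSRV\t0 1 465 mercury.example.com.
_submission._tcp.example.com.\t86400\tIN\tSRV\t5 1 587 mercury.example.com.
"""
AFTER = """\
_submissions._tcp.example.com.\t86400\tIN\tSRV\t0 1 465 mercury.example.com.
_submission._tcp.example.com.\t86400\tIN\tSRV\t0 0 0   .
"""

# owner [TTL] [IN] SRV priority weight port target
SRV_LINE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
                      r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")

def parse_srv_records(zone_text: str) -> List[SRV]:
    """Extract SRV RRs from zone-file text; other record types are ignored."""
    records = []
    for raw in zone_text.splitlines():
        m = SRV_LINE.match(raw.split(";", 1)[0].strip())  # strip trailing comments
        if m:
            records.append(SRV(m["owner"].lower(), int(m["prio"]),
                               int(m["weight"]), int(m["port"]), m["target"]))
    return records

def rfc8314_findings(zone_text: str, domain: str) -> List[str]:
    """Findings against the proposed layout; an empty list means the zone matches it."""
    recs = parse_srv_records(zone_text)
    subs = [r for r in recs if r.owner == f"_submissions._tcp.{domain}."]
    sub = [r for r in recs if r.owner == f"_submission._tcp.{domain}."]
    findings = []
    if not any(r.port == 465 and r.target != "." for r in subs):
        findings.append("no _submissions._tcp SRV advertising implicit TLS on port 465")
    still = sorted(r.port for r in sub if r.target != ".")  # STARTTLS still offered
    if still:
        findings.append(f"_submission._tcp still advertised on ports {still}; withdraw with '0 0 0 .'")
    return findings
```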

fresh install failures...

So I'm really trying to just get this rolled out on one of my hosts, however I'm getting nowhere.

tsig-secret tsig.example.com && tsig-change tsig.example.com && tsig-share tsig.example.com
tsig-secret tsig.ddns.example.com && tsig-change tsig.ddns.example.com

as per the readme... however this does nothing, because:

ns1# which tsig-secret
/usr/local/bin/tsig-secret
ns1# cat /usr/local/bin/tsig-secret
#!/bin/sh

and again, fresh install:

missing: ./etc/ssl/dns/.DNSKEY
missing: ./etc/ssl/dns/private/
.SK
missing: ./etc/ssl/dns/private/tsig.

missing: ./var/unbound/db/root.key
missing: ./var/unbound/etc/root.hints

ns1# rcctl enable nsd unbound pdns_server
ns1# rcctl restart nsd unbound pdns_server
nsd(failed)
unbound(ok)
unbound(ok)
pdns_server(failed)

nsd-checkconf /var/nsd/etc/nsd.conf
/var/nsd/etc/nsd.conf:20: error: cannot open include file '/var/nsd/etc/tsig.example.com': No such file or directory
/var/nsd/etc/nsd.conf:22: at 'remote-control:': error: syntax error
/var/nsd/etc/nsd.conf:22: error: last key has no secret blob
read /var/nsd/etc/nsd.conf failed: 3 errors in configuration file

and /etc/pdns/pdnsd.conf has no sqlite configuration

Syntax error

zoneadd example.com

Imported TSIG key tsig.example.com hmac-sha512
reconfig start, read /etc/nsd.conf
/etc/nsd.conf:2: at 'control-enable:': error: syntax error
read /etc/nsd.conf failed: 1 errors in configuration file

ssh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"

Warning: Permanently added '111.222.333.444' (ECDSA) to the list of known hosts.
PTY allocation request failed on channel 0
/usr/local/share/doc/dithematic/validate.tsig:6: error: syntax error
/usr/local/share/doc/dithematic/validate.tsig:6: error: last key has no secret blob
read /usr/local/share/doc/dithematic/validate.tsig failed: 2 errors in configuration file
Connection to 111.222.333.444 closed

env NS="dig.example.com" tsig-share tsig.example.com

Warning: Permanently added '104.156.237.135' (ECDSA) to the list of known hosts.
Imported TSIG key tsig.example.com hmac-sha512
reconfig start, read /etc/nsd.conf
/etc/nsd.conf:20: error: cannot open include file '/etc/tsig.example.com': Permission denied
/etc/nsd.conf:22: at 'remote-control:': error: syntax error
/etc/nsd.conf:22: error: last key has no secret blob
read /etc/nsd.conf failed: 3 errors in configuration file

I do not see what these syntax errors are; I was hoping you might know what they are.
Thanks!
