OpenBSD DNS name server

autoritative nameserver for domain names

Dithematic configuration and guide for self-hosting DNS

PowerDNS features on OpenBSD's NSD shoulders

Minimum requirements

• 512MB RAM, 10GB SSD
• reverse DNS (record type PTR) for each nameserver IP configured on hosting provider, with the primary DOMAIN_NAME

Grab a copy of this repository, and put overrides in "Makefile.local" e.g.

# Makefile.local

EGRESS =	vio0

DOMAIN_NAME =	example.com

MASTER =	yes
MASTER_HOST =	dot

IPv4 =		203.0.113.3
IPv6 =		2001:0db8::3

UPGRADE =	yes

n.b. UPGRADE uses sdiff side-by-side diff (with new on the right side)

Test

make beforeinstall

Install

make install

Edit zoneadd to match (or use env)

# Dithematic IP
MASTER_IP="${MASTER_IP:-\
 203.0.113.3 \
 2001:0db8::3 \
 }"
SLAVE_IP="${SLAVE_IP:-\
 203.0.113.4 \
 2001:0db8::4 \
 }" # empty to disable

# Vendor
FREE_SLAVE="${FREE_SLAVE:-\
 1984.is \
 FreeDNS.afraid.org \
 GratisDNS.com \
 HE.net \
 Puck.nether.net \
 }" # empty to disable

n.b. rename and place zone templates in /var/nsd/zones/master (or start with a blank slate.)

Install DNS zone(s), e.g. on master: example.com and ddns.example.com

zoneadd example.com
env DDNS=true zoneadd ddns.example.com

Edit a zone

env EDITOR="${EDITOR:-vi}" pdnsutil edit-zone example.com

n.b. place existing TSIG key as tsig.example.com, CSK (or ZSK) as example.com.CSK in /etc/ssl/dns/private (or let zoneadd generate new keys.)

Setup the TSIG user on all dithematic nameservers, i.e. tsig

su - tsig
ssh-keygen -t ed25519 -C [email protected]
exit

Share TSIG user's public key with all dithematic slave nameservers, and update "known_hosts"

ssh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"
ssh -6 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"

Edit tsig-share on master to add slave nameserver names

NS="${NS:-dig.example.com}" # (space-separated) domain name(s), or IP(s)

Share master TSIG secret with slave nameservers, e.g.: dig.example.com

env NS="dig.example.com" tsig-share tsig.example.com

DNS UPDATE allowed IPs are managed with authpf(8) i.e. user "puffy" first needs to SSH login on the master name server host to authenticate the IP from which they will next update ddns.example.com zone using e.g. nsupdate (pkg_add isc-bind) or dnspython (pkg_add py-dnspython) on their device (skip if not using dynamic DNS)

user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy

Edit "smtpd.conf" and "secrets"

Edit pf table "msa" to add Message Submission Agent IP(s)

Enjoy

dig example.com any

Issues

Contributions welcome, fork