Notify secondaries for dehnerts.com
[sysconfig/bind.git] / named.conf.local
index e09279468ac8842dcfc9b15a2cdb141bed1c8a9c..1cf559faedaf47be0cb93cdb2e6c471ac8f2b512 100644 (file)
 #        notify no;
 #};
 
+// Unfortunately, AFAICT we need to list the Linode IPs as an ACL (so they
+// can make the requests) *and* as masters (so they get the notify).
+acl "linode" {
+    // Linode
+    // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service
+    104.237.137.10;
+    45.79.109.10;
+    74.207.225.10;
+    207.192.70.10;
+    109.74.194.10;
+    2600:3c00::a;
+    2600:3c01::a;
+    2600:3c02::a;
+    2600:3c03::a;
+    2a01:7e00::a;
+    // Import
+    // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#import-a-dns-zone
+    96.126.114.97;
+    96.126.114.98;
+    2600:3c00::5e;
+    2600:3c00::5f;
+};
+
+masters "linode" {
+    // Linode
+    // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service
+    104.237.137.10;
+    45.79.109.10;
+    74.207.225.10;
+    207.192.70.10;
+    109.74.194.10;
+    2600:3c00::a;
+    2600:3c01::a;
+    2600:3c02::a;
+    2600:3c03::a;
+    2a01:7e00::a;
+    // Import
+    // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#import-a-dns-zone
+    96.126.114.97;
+    96.126.114.98;
+    2600:3c00::5e;
+    2600:3c00::5f;
+};
+
+// The actual ACL building blocks
+acl "transfer-allowed" {
+    localhost;
+    207.29.250.54;  // ???
+    18.4.60.36;     // charon
+    18.49.3.1;      // charon4
+    18.25.131.1;    // charon4
+    74.207.246.137; // arctic
+    66.92.29.156;   // copan
+    18.18.208.12;   // olinda
+    18.25.129.162;  // adehnert3.xvm
+    130.44.166.3;   // DD
+    18.18.208.22;   // chankillo
+    "linode";
+};
+
+masters "primary-ns" {
+    18.18.208.22;   // chankillo
+};
+
+masters "secondary-ns" {
+    18.25.129.162;  // adehnert3.xvm
+    18.18.208.12;   // olinda
+    linode;
+};
+
+include "/etc/bind/named.conf.per-host";
+
+zone "dynamic.dehnert.arctic.org" IN {
+       // DNAME to the real, dynamic.dehnerts.com, zone
+       type master;
+       file "/etc/bind/pri/arctic-dynamic.zone";
+       allow-update { none; };
+       allow-transfer { "transfer-allowed"; };
+       allow-query { any; };
+       //notify no;
+};
+
 zone "dehnert.arctic.org" IN {
        type master;
        file "/etc/bind/pri/combined-dehnerts.zone";
-       allow-update { none; };
-       allow-transfer { localhost;  207.29.250.54; 18.181.0.36; 74.207.246.137; 66.92.29.156; 18.102.208.15; };
+        allow-update { none; };
+       allow-transfer { "transfer-allowed"; };
        allow-query { any; };
-       notify no;
+       //notify no;
 };
 zone "dehnerts.com" IN {
        type master;
        file "/etc/bind/pri/combined-dehnerts.zone";
-       allow-update { none; };
-       allow-transfer { localhost;  207.29.250.54; 18.181.0.36; 74.207.246.137; 66.92.29.156; 18.102.208.15; };
+       #update-policy { grant * selfsub * A TXT;};
+        allow-update { none; };
+       allow-transfer { "transfer-allowed"; };
        allow-query { any; };
-       notify no;
+       also-notify { "secondary-ns"; };
 };
 
 logging {
     channel query.log {
-        file "/var/log/bind/query.log" versions 10 size 100M;
+        file "/var/log/named/query.log" versions 10 size 100M;
         // Set the severity to dynamic to see all the debug messages.
         severity debug 3;
         print-category yes;
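Review bot: In `acl "transfer-allowed"` the entry `207.29.250.54;  // ???` grants AXFR on every zone that references the ACL to an address the comment admits nobody can identify; it was already present in the old inline `allow-transfer` lists, but consolidating them into one ACL is the moment to either name the host in the comment or drop the entry, since an unattributed transfer peer cannot be reviewed or revoked with any confidence. The Linode address list is typed out twice, as `acl "linode"` and `masters "linode"`, and the leading comment explains why, but nothing ties the two copies together, so a future address change is likely to land in only one of them; a marker on each copy such as `// KEEP IN SYNC with masters "linode" below` (and the mirror on the masters list) would make the coupling visible at the point of edit. Minor style points: the masters reference in `masters "secondary-ns"` is written unquoted as `linode;` while the ACL reference in `"transfer-allowed"` is quoted as `"linode";`, and the new `allow-update { none; };` lines in both `dehnert.arctic.org` and `dehnerts.com` are indented with spaces where the neighbouring lines use tabs.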