X-Git-Url: https://dehnerts.com/gitweb/?a=blobdiff_plain;f=named.conf.local;h=1cf559faedaf47be0cb93cdb2e6c471ac8f2b512;hb=c2da31ba0a190023dfb754bf29e7a714bc896b5c;hp=d0e1f7598d77c524dacc0e30c33b730070f7e31b;hpb=3ae79e96c30a28b80510e3c8aa4220fb21a21455;p=sysconfig%2Fbind.git
diff --git a/named.conf.local b/named.conf.local
index d0e1f75..1cf559f 100644
--- a/named.conf.local
+++ b/named.conf.local
@@ -12,26 +12,109 @@
 # notify no;
 #};
+// Unfortunately, AFAICT we need to list the Linode IPs as an ACL (so they
+// can make the requests) *and* as masters (so they get the notify).
+acl "linode" {
+ // Linode
+ // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service
+ 104.237.137.10;
+ 45.79.109.10;
+ 74.207.225.10;
+ 207.192.70.10;
+ 109.74.194.10;
+ 2600:3c00::a;
+ 2600:3c01::a;
+ 2600:3c02::a;
+ 2600:3c03::a;
+ 2a01:7e00::a;
+ // Import
+ // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#import-a-dns-zone
+ 96.126.114.97;
+ 96.126.114.98;
+ 2600:3c00::5e;
+ 2600:3c00::5f;
+};
+
+masters "linode" {
+ // Linode
+ // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service
+ 104.237.137.10;
+ 45.79.109.10;
+ 74.207.225.10;
+ 207.192.70.10;
+ 109.74.194.10;
+ 2600:3c00::a;
+ 2600:3c01::a;
+ 2600:3c02::a;
+ 2600:3c03::a;
+ 2a01:7e00::a;
+ // Import
+ // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#import-a-dns-zone
+ 96.126.114.97;
+ 96.126.114.98;
+ 2600:3c00::5e;
+ 2600:3c00::5f;
+};
+
+// The actual ACL building blocks
+acl "transfer-allowed" {
+ localhost;
+ 207.29.250.54; // ???
+ 18.4.60.36; // charon
+ 18.49.3.1; // charon4
+ 18.25.131.1; // charon4
+ 74.207.246.137; // arctic
+ 66.92.29.156; // copan
+ 18.18.208.12; // olinda
+ 18.25.129.162; // adehnert3.xvm
+ 130.44.166.3; // DD
+ 18.18.208.22; // chankillo
+ "linode";
+};
+
+masters "primary-ns" {
+ 18.18.208.22; // chankillo
+};
+
+masters "secondary-ns" {
+ 18.25.129.162; // adehnert3.xvm
+ 18.18.208.12; // olinda
+ linode;
+};
+
+include "/etc/bind/named.conf.per-host";
+
+zone "dynamic.dehnert.arctic.org" IN {
+ // DNAME to the real, dynamic.dehnerts.com, zone
+ type master;
+ file "/etc/bind/pri/arctic-dynamic.zone";
+ allow-update { none; };
+ allow-transfer { "transfer-allowed"; };
+ allow-query { any; };
+ //notify no;
+};
+
 zone "dehnert.arctic.org" IN {
 type master;
 file "/etc/bind/pri/combined-dehnerts.zone";
- allow-update { none; };
- allow-transfer { localhost; 207.29.250.54; 18.181.0.36; 74.207.246.137; 66.92.29.156; 18.102.208.15; };
+ allow-update { none; };
+ allow-transfer { "transfer-allowed"; };
 allow-query { any; };
- notify no;
+ //notify no;
 };
 zone "dehnerts.com" IN {
 type master;
 file "/etc/bind/pri/combined-dehnerts.zone";
- allow-update { none; };
- allow-transfer { localhost; 207.29.250.54; 18.181.0.36; 74.207.246.137; 66.92.29.156; 18.102.208.15; };
+ #update-policy { grant * selfsub * A TXT;};
+ allow-update { none; };
+ allow-transfer { "transfer-allowed"; };
 allow-query { any; };
- notify no;
+ also-notify { "secondary-ns"; };
 };
 logging {
 channel query.log {
- file "/var/log/query.log" versions 10 size 100M;
+ file "/var/log/named/query.log" versions 10 size 100M;
 // Set the severity to dynamic to see all the debug messages.
 severity debug 3;
 print-category yes;
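Review bot: The new `transfer-allowed` ACL carries forward `207.29.250.54; // ???` — an address nobody could identify keeps AXFR rights on every zone now that all three zones share this ACL, and an unidentified entry in a transfer ACL should be dropped (or named in the comment) rather than consolidated; I would remove that line or replace the comment with `// TODO: unknown host — identify or remove before next deploy`. Since the ACL now gates transfers for all zones, consider authenticating the non-Linode secondaries (charon, olinda, adehnert3.xvm, copan, …) with TSIG keys, e.g. `key "olinda-xfer";` entries in the ACL, rather than bare source addresses, keeping address-only entries for the Linode hosts, which from the linked docs appear to support only IP-based transfers. If the commented `#update-policy { grant * selfsub * A TXT;};` in `dehnerts.com` is ever re-enabled, the `allow-update { none; };` on the next line must go, because BIND refuses a zone that sets both; and as I read that rule, `grant *` lets any configured TSIG key update A/TXT records at or below its own key name, so it is only as safe as the key set on this host.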