From 34248f2a336ed0aa3aae0b8a725a34986719b2b9 Mon Sep 17 00:00:00 2001
From: Alex Dehnert
Date: Thu, 27 Jul 2023 18:27:06 +0000
Subject: [PATCH] Refactor list of IPs for masters and ACLs
---
 named.conf.local | 98 ++++++++++++++++++++++++++++++------------------
 1 file changed, 61 insertions(+), 37 deletions(-)
diff --git a/named.conf.local b/named.conf.local
index fd8724f..4883755 100644
--- a/named.conf.local
+++ b/named.conf.local
@@ -12,50 +12,74 @@
 # notify no;
 #};
+// Unfortunately, AFAICT we need to list the Linode IPs as an ACL (so they
+// can make the requests) *and* as masters (so they get the notify).
+acl "linode" {
+ // Linode
+ // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service
+ 104.237.137.10;
+ 45.79.109.10;
+ 74.207.225.10;
+ 207.192.70.10;
+ 109.74.194.10;
+ 2600:3c00::a;
+ 2600:3c01::a;
+ 2600:3c02::a;
+ 2600:3c03::a;
+ 2a01:7e00::a;
+ // Import
+ // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#import-a-dns-zone
+ 96.126.114.97;
+ 96.126.114.98;
+ 2600:3c00::5e;
+ 2600:3c00::5f;
+};
+
+masters "linode" {
+ // Linode
+ // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service
+ 104.237.137.10;
+ 45.79.109.10;
+ 74.207.225.10;
+ 207.192.70.10;
+ 109.74.194.10;
+ 2600:3c00::a;
+ 2600:3c01::a;
+ 2600:3c02::a;
+ 2600:3c03::a;
+ 2a01:7e00::a;
+ // Import
+ // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#import-a-dns-zone
+ 96.126.114.97;
+ 96.126.114.98;
+ 2600:3c00::5e;
+ 2600:3c00::5f;
+};
+
+// The actual ACL building blocks
 acl "transfer-allowed" {
- localhost;
- 207.29.250.54; // ???
- 18.4.60.36; // charon
- 18.49.3.1; // charon4
- 18.25.131.1; // charon4
- 74.207.246.137; // arctic
- 66.92.29.156; // copan
- 18.18.208.12; // olinda
- 18.25.129.162; // adehnert3.xvm
- 130.44.166.3; // DD
- 18.18.208.22; // chankillo
- // Linode
- 104.237.137.10;
- 45.79.109.10;
- 74.207.225.10;
- 207.192.70.10;
- 109.74.194.10;
- 2600:3c00::a;
- 2600:3c01::a;
- 2600:3c02::a;
- 2600:3c03::a;
- 2a01:7e00::a;
+ localhost;
+ 207.29.250.54; // ???
+ 18.4.60.36; // charon
+ 18.49.3.1; // charon4
+ 18.25.131.1; // charon4
+ 74.207.246.137; // arctic
+ 66.92.29.156; // copan
+ 18.18.208.12; // olinda
+ 18.25.129.162; // adehnert3.xvm
+ 130.44.166.3; // DD
+ 18.18.208.22; // chankillo
+ "linode";
 };
 masters "primary-ns" {
- 18.18.208.22; // chankillo
+ 18.18.208.22; // chankillo
 };
 masters "secondary-ns" {
- 18.25.129.162; // adehnert3.xvm
- 18.18.208.22; // chankillo
- // Linode
- // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service
- 104.237.137.10;
- 45.79.109.10;
- 74.207.225.10;
- 207.192.70.10;
- 109.74.194.10;
- 2600:3c00::a;
- 2600:3c01::a;
- 2600:3c02::a;
- 2600:3c03::a;
- 2a01:7e00::a;
+ 18.25.129.162; // adehnert3.xvm
+ 18.18.208.12; // olinda
+ linode;
 };
 include "/etc/bind/named.conf.per-host";
-- 2.34.1
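Review bot: The `secondary-ns` masters list quietly changes membership in a commit titled as a refactor: the removed `- 18.18.208.22; // chankillo` is replaced by `+ 18.18.208.12; // olinda`, so the set of hosts that, per the new comment, receive the NOTIFY (presumably via the included `named.conf.per-host`, which is not visible here) is different after this patch. If that swap is intended it belongs in the commit message; if `.12`/`.22` is a transposition, chankillo silently drops out of the notify set. The two references to the new list are also written inconsistently — `"linode";` inside `transfer-allowed` but bare `linode;` inside `secondary-ns` — and should use one form, e.g. `"linode";` in both. Finally, `207.29.250.54; // ???` is carried over unchanged into an ACL that grants zone transfers; an address nobody can identify should be named or removed rather than re-indented, e.g. `// ??? — unidentified; remove unless an owner is found`.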