From 7fd24f337919fc881b555bb8a452b76a6550daca Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Mon, 29 May 2023 00:55:27 -0400 Subject: [PATCH 01/16] Allow Linode to act as a secondary DNS server --- named.conf.local | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/named.conf.local b/named.conf.local index 99714d1..cffad2e 100644 --- a/named.conf.local +++ b/named.conf.local @@ -22,6 +22,18 @@ acl "transfer-allowed" { 66.92.29.156; // copan 18.18.208.12; // olinda 18.25.129.162; // adehnert3.xvm + 130.44.166.3; // DD + // Linode + 104.237.137.10; + 45.79.109.10; + 74.207.225.10; + 207.192.70.10; + 109.74.194.10; + 2600:3c00::a; + 2600:3c01::a; + 2600:3c02::a; + 2600:3c03::a; + 2a01:7e00::a; }; masters "primary-ns" { @@ -30,6 +42,18 @@ masters "primary-ns" { masters "secondary-ns" { 18.25.129.162; // adehnert3.xvm + // Linode + // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service + 104.237.137.10; + 45.79.109.10; + 74.207.225.10; + 207.192.70.10; + 109.74.194.10; + 2600:3c00::a; + 2600:3c01::a; + 2600:3c02::a; + 2600:3c03::a; + 2a01:7e00::a; }; include "/etc/bind/named.conf.per-host"; -- 2.34.1 From 03c4635c97c1274df603bba7e027b4fde6122858 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Mon, 29 May 2023 00:56:56 -0400 Subject: [PATCH 02/16] Add linode, update augsburg IP --- pri/combined-dehnerts.zone | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index 7503690..226d61e 100644 --- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone @@ -1,6 +1,6 @@ $TTL 300 @ IN SOA ns root ( - 2023052301 ; Serial + 2023052901 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time 
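Review bot: The ten Linode addresses added to `acl "transfer-allowed"` carry only `// Linode` as documentation, while the identical list added to `masters "secondary-ns"` in the next hunk cites the Linode page they come from; an AXFR allow-list should be auditable on its own, so put the same `// https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service` comment above the ACL entries as well. Neither hunk attaches a `key` to these entries, so source address is the only control on who may pull the full zone, which is worth stating next to the list. The same ten lines are now maintained by hand in two places and can drift; a named `acl` referenced from both would prevent that.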
@@ -44,7 +44,8 @@ novgorod IN CNAME novgorod.mit.edu. olinda IN A 18.18.208.12 wieliczka IN CNAME wieliczka.mit.edu. virunga IN CNAME virunga.mit.edu. -augsburg IN A 192.168.3.21 +augsburg IN CNAME augsburg.mit.edu. +linode IN A 23.92.18.48 ; external IP for Soviet Russia soviet-russia IN A 73.219.64.71 -- 2.34.1 From 2fdbc678ff20c1e701877a29c65f933cdeeee5fc Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Sun, 11 Jun 2023 15:00:38 -0400 Subject: [PATCH 03/16] Add new machines --- pri/combined-dehnerts.zone | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index 226d61e..91de6e5 100644 --- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone @@ -1,6 +1,6 @@ $TTL 300 @ IN SOA ns root ( - 2023052901 ; Serial + 2023061101 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time @@ -45,6 +45,8 @@ olinda IN A 18.18.208.12 wieliczka IN CNAME wieliczka.mit.edu. virunga IN CNAME virunga.mit.edu. augsburg IN CNAME augsburg.mit.edu. +augsburg-monitor IN CNAME augsburg-monitor.dynamic +chankillo IN A 18.18.208.22 linode IN A 23.92.18.48 ; external IP for Soviet Russia -- 2.34.1 From 99d4a43d552a36a5575bdb74ba617dbdfbf37c2a Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Sun, 11 Jun 2023 15:05:54 -0400 Subject: [PATCH 04/16] Remove a bunch of hostnames that haven't been used in years --- pri/combined-dehnerts.zone | 46 +++++++------------------------------- 1 file changed, 8 insertions(+), 38 deletions(-) diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index 91de6e5..207a893 100644 --- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone @@ -1,6 +1,6 @@ $TTL 300 @ IN SOA ns root ( - 2023061101 ; Serial + 2023061102 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time 
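Review bot: `linode IN A 23.92.18.48` is added without a comment, whereas the neighbouring external address says what it is (`; external IP for Soviet Russia`); a one-line `; <which system this is — confirm>` note lets the address be attributed when the zone is next pruned. The rest of the hunk (the `augsburg` CNAME swap) needs nothing further.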
@@ -28,15 +28,6 @@ _dmarc IN TXT "v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarcreports ; Servers -angkor IN A 192.168.1.18 -*.angkor IN CNAME angkor -copan IN A 66.92.29.156 -*.copan IN CNAME copan -borobudur IN A 192.168.1.15 -borobudur IN MX 10 mail -*.borobudur IN CNAME borobudur -gwynedd IN A 192.168.1.16 -*.gwynedd IN CNAME gwynedd lushan IN CNAME lushan2.mit.edu. lushan-monitor IN CNAME lushan-monitor.dynamic masada IN A 18.18.208.15 @@ -49,15 +40,14 @@ augsburg-monitor IN CNAME augsburg-monitor.dynamic chankillo IN A 18.18.208.22 linode IN A 23.92.18.48 -; external IP for Soviet Russia -soviet-russia IN A 73.219.64.71 ; external IP for Duck Dacha(?) duck-dacha IN A 130.44.166.3 -adehnert-pi4 IN A 192.168.3.10 + +; In-house systems xidi IN A 192.168.3.10 -homeassistant IN CNAME adehnert-pi4 -pihole IN CNAME adehnert-pi4 -unifi IN CNAME adehnert-pi4 +homeassistant IN CNAME xidi +pihole IN CNAME xidi +unifi IN CNAME xidi _acme-challenge.adehnert-pi4 IN CNAME _acme-challenge.adehnert-pi4.dynamic _acme-challenge.xidi IN CNAME _acme-challenge.xidi.dynamic _acme-challenge.duck-dacha IN CNAME _acme-challenge.duck-dacha.dynamic @@ -66,6 +56,7 @@ _acme-challenge.pihole IN CNAME _acme-challenge.pihole.dynamic _acme-challenge.unifi IN CNAME _acme-challenge.unifi.dynamic dd-printer IN A 192.168.2.11 +; In CA tikal IN A 192.168.1.27 ; Most services @@ -92,20 +83,11 @@ roost-api IN CNAME adehnert-roost-api.mit.edu. adehnert-roost-api IN CNAME adehnert-roost-api.mit.edu. _acme-challenge.roost-api IN CNAME _acme-challenge.roost-api.dynamic salt IN CNAME wieliczka +vault IN CNAME virunga alex IN CNAME olinda -linux IN CNAME olinda -paly IN CNAME olinda -voice IN CNAME olinda -scouts IN CNAME olinda -troop57 IN CNAME olinda -mathcamp IN CNAME olinda -mc IN CNAME olinda webapps IN CNAME olinda -extern IN A 66.92.29.156 -vault IN CNAME virunga - *.olinda-proxy IN CNAME olinda squaresdb IN CNAME squaresdb.olinda-proxy 
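Review bot: `copan IN A 66.92.29.156` and `*.copan IN CNAME copan` are removed here, but `ldap IN CNAME copan` is not touched by this commit and is still present as context later in the series (L8), so `ldap.dehnerts.com` appears to become a CNAME to a name that no longer exists; either drop `ldap` in the same commit or keep `copan`. The address also stays in named.conf.local's `transfer-allowed` ACL (`66.92.29.156; // copan`, visible on L1); once a host is retired from the zone its AXFR permission should go with it. The same applies to the removed `angkor`, `borobudur` and `gwynedd` records if anything still aliases them — confirm with a grep of the served zone.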
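Review bot: `adehnert-pi4 IN A 192.168.3.10` is removed in the `@@ -49,15 +40,14 @@` hunk, but `_acme-challenge.adehnert-pi4 IN CNAME _acme-challenge.adehnert-pi4.dynamic` is left in place a few lines below, so DNS-01 validation for a name that no longer exists stays delegated into the dynamic zone; remove that line too. The named.conf.olinda update-policy appears to still carry `grant adehnert-pi4.dynamic.dehnerts.com …` lines (they show up as removed text in patch 11, L12), so retiring that TSIG key alongside the host would stop a key for a decommissioned machine from writing TXT records.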
@@ -136,18 +118,6 @@ dynamic IN NS ns3.dehnerts.com. dynamic IN NS olinda.mit.edu. about.dynamic IN TXT "static zone updates for dehnerts.com" -; Admin services -monitoring IN CNAME borobudur - -; Local development services -blog.dubrovnik IN CNAME dubrovnik-l.intern -dubrovnik IN CNAME philacad.andover.edu -dubrovnik-l IN CNAME philacad.andover.edu -dubrovnik-l.intern IN A 192.168.1.17 - -; Bridge -borobudur.intern-extern-bridge IN A 192.168.2.2 - ; Miscellaneous extra services dns2tcp IN NS novgorod.mit.edu. -- 2.34.1 From 599c7234e6e4296393137bcbd293fdffeed079ce Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Thu, 25 May 2023 07:01:32 +0000 Subject: [PATCH 05/16] New server config for test server --- named.conf.adehnert-test-d | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 named.conf.adehnert-test-d diff --git a/named.conf.adehnert-test-d b/named.conf.adehnert-test-d new file mode 100644 index 0000000..eb9e510 --- /dev/null +++ b/named.conf.adehnert-test-d @@ -0,0 +1,8 @@ +zone "dynamic.dehnerts.com" IN { + // secondary is equivalent, starting in bind-9.15.8 + // https://github.com/isc-projects/bind9/commit/79c2400d91b818e66a45494784cea17f46e807f2 + type secondary; + file "/var/lib/bind/dynamic.dehnerts.zone"; + masters { "primary-ns"; }; + allow-query { any; }; +}; -- 2.34.1 From 405d98df5f76c7deea6c9d8ecf8b76148893705b Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Thu, 25 May 2023 07:01:41 +0000 Subject: [PATCH 06/16] Ignore dpkg files --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 37c6566..493cfdc 100644 --- a/.gitignore +++ b/.gitignore @@ -3,5 +3,7 @@ pri/dynamic.keys dyn/*.zone dyn/*.zone.jnl +*.dpkg-dist + # This should be a symlink to named.conf.$host named.conf.per-host -- 2.34.1 From a53bc010d3493400be76ed59671ba5b5b076e657 Mon Sep 17 00:00:00 2001 
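Review bot: The new `named.conf.adehnert-test-d` zone block sets `allow-query { any; }` but no `allow-transfer`, so outbound AXFR of the dynamic zone from this host falls back to the server-wide default (in `options`, outside this series), and BIND's long-standing default is to allow transfers to any host; the primary's block in named.conf.olinda (context on L6) uses `allow-transfer { "transfer-allowed"; };` and that line belongs here too, since the ACL is defined in named.conf.local before the per-host include. The identical file is added again as `named.conf.chankillo` in patch 07 (L5) and, with `type slave;`, as `config/dyndehnerts-secondary.conf` in patch 11 (L11); that last copy keeps the comment saying `secondary` is equivalent while using the old keyword, so either write `type secondary;` there or drop the comment.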
From: Alex Dehnert Date: Tue, 18 Jul 2023 14:20:16 +0000 Subject: [PATCH 07/16] Add chankillo server config --- named.conf.chankillo | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 named.conf.chankillo diff --git a/named.conf.chankillo b/named.conf.chankillo new file mode 100644 index 0000000..eb9e510 --- /dev/null +++ b/named.conf.chankillo @@ -0,0 +1,8 @@ +zone "dynamic.dehnerts.com" IN { + // secondary is equivalent, starting in bind-9.15.8 + // https://github.com/isc-projects/bind9/commit/79c2400d91b818e66a45494784cea17f46e807f2 + type secondary; + file "/var/lib/bind/dynamic.dehnerts.zone"; + masters { "primary-ns"; }; + allow-query { any; }; +}; -- 2.34.1 From d69b016cc6b54c814653af3446c28ed37b9e3130 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Tue, 18 Jul 2023 10:19:38 -0400 Subject: [PATCH 08/16] Progress towards setting up chankillo --- named.conf.local | 2 ++ named.conf.olinda | 1 + pri/combined-dehnerts.zone | 8 ++++++-- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/named.conf.local b/named.conf.local index cffad2e..c42339d 100644 --- a/named.conf.local +++ b/named.conf.local @@ -23,6 +23,7 @@ acl "transfer-allowed" { 18.18.208.12; // olinda 18.25.129.162; // adehnert3.xvm 130.44.166.3; // DD + 18.18.208.22; // chankillo // Linode 104.237.137.10; 45.79.109.10; @@ -42,6 +43,7 @@ masters "primary-ns" { masters "secondary-ns" { 18.25.129.162; // adehnert3.xvm + 18.18.208.22; // chankillo // Linode // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service 104.237.137.10; diff --git a/named.conf.olinda b/named.conf.olinda index ab3fa11..cdf1537 100644 --- a/named.conf.olinda +++ b/named.conf.olinda 
@@ -13,6 +13,7 @@ zone "dynamic.dehnerts.com" IN { grant xidi.dynamic.dehnerts.com name _acme-challenge.homeassistant.dynamic.dehnerts.com TXT; grant xidi.dynamic.dehnerts.com name _acme-challenge.pihole.dynamic.dehnerts.com TXT; grant xidi.dynamic.dehnerts.com name _acme-challenge.unifi.dynamic.dehnerts.com TXT; + grant adehnert-test-d.dynamic.dehnerts.com name _acme-challenge.squaresdb.dynamic.dehnerts.com TXT; }; allow-transfer { "transfer-allowed"; }; allow-query { any; }; diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index 207a893..1e6e40f 100644 --- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone @@ -1,6 +1,6 @@ $TTL 300 @ IN SOA ns root ( - 2023061102 ; Serial + 2023071801 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time @@ -12,7 +12,7 @@ $TTL 300 IN NS olinda.mit.edu. IN A 18.18.208.12 IN MX 10 mail - IN MX 20 adehnert3.xvm.mit.edu. +; IN MX 20 adehnert3.xvm.mit.edu. ; SPF IN TXT "v=spf1 mx a ~all" ; dehnerts.com 
@@ -24,6 +24,9 @@ $TTL 300 olinda-202207._domainkey IN TXT ( "v=DKIM1; t=y; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmY9SdH535aHo7xO2TdTTzvJJiGe5YRonZpoAJNJjNRmGuzYEr3CPeJ1wkVbAWIbYg4ZQXlWMaUpbS63UI1widngx+r5sUIBc1Ib/Vyg/XgSND5ZQ/QksNEFobnGafWh+0cd6GKcgBfFi2KZaYdGjsToD0Kosl7fZI4dOocG9yKdLP7PbwFN87cyKHC9y7/XvytphjomHxUDtRp" "saKFHa5N5F1oASmW4gnnyNWHcmVpanknlTmiTHLrNPcTDhC0ODYAB5RFmeO49+fHBaK1q4ZE9jnSHraPm8lz0wba9XCaUs9CJ1MEh+SJNjE/td5p2m9LR0HxX6N6mC0zzN+VDPdwIDAQAB" ) ; ----- DKIM key olinda-202207 for localhost +adehnert-test-d-202307._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2BG4abdXLgH3S2PuVWWXdukSQiGbHwsk0MnDGcAQOGivH3vAtwJ42nS8rgzV8QJfnGLvAeo4E0Mg5OPeMMrFcqaBE6gNg2u88HREcv7ExhXWGDirlqPI2zc1fNzHOjlTXkJ+B1cJApeqJQl/mpfybWj9cUIJjeO+jj0XhAEYI95kpdWqhPRdVglWQ8OLVmhL4nCQuISiLBHyZk" + "d97nqJz+ni7t5dv2lSIrsvyJ92zV0Lfeqe3rlwX2UW79x+hF6VCGaBGSNwkl+jfLKzqiG4VVIlARjQJTMJpiohxX+7Evdw2s+Y3vDVpHwbUcBbZtTW+EdxFgsXN3m10vdvy9cjpQIDAQAB" ) ; ----- DKIM key adehnert-test-d-202307 for localhost _dmarc IN TXT "v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarcreports@dehnerts.com;" @@ -38,6 +41,7 @@ virunga IN CNAME virunga.mit.edu. augsburg IN CNAME augsburg.mit.edu. augsburg-monitor IN CNAME augsburg-monitor.dynamic chankillo IN A 18.18.208.22 +_acme-challenge.chankillo IN CNAME _acme-challenge.chankillo.dynamic linode IN A 23.92.18.48 ; external IP for Duck Dacha(?) -- 2.34.1 From d546284681ca267bd1a7a4e0816b54cc35a97d38 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Wed, 26 Jul 2023 23:00:41 -0400 Subject: [PATCH 09/16] chankillo migration continues New nameservers, remove hostnames corresponding to olinda-only services, switch some over to chankillo, etc. --- pri/combined-dehnerts.zone | 43 ++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index 1e6e40f..e1b986e 100644 
--- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone @@ -1,16 +1,21 @@ $TTL 300 @ IN SOA ns root ( - 2023071801 ; Serial + 2023072502 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time 300 ; maximum caching time in case of failed lookups (5 minutes) ) + IN NS ns1.dehnerts.com. IN NS ns3.dehnerts.com. - IN NS adehnert3.xvm.mit.edu. IN NS ns1.sipb.org. - IN NS olinda.mit.edu. - IN A 18.18.208.12 + IN NS chankillo.mit.edu. + IN NS ns1.linode.com. + IN NS ns2.linode.com. + IN NS ns3.linode.com. + IN NS ns4.linode.com. + IN NS ns5.linode.com. + IN A 18.18.208.22 IN MX 10 mail ; IN MX 20 adehnert3.xvm.mit.edu. ; SPF @@ -72,29 +77,31 @@ imap IN CNAME olinda pop IN CNAME olinda *.pop IN CNAME olinda smtp IN A 18.18.208.12 -ns IN A 18.18.208.12 +ns IN A 18.18.208.22 +ns1 IN A 18.18.208.22 ns3 IN A 18.18.208.12 -www IN CNAME olinda -rcs IN CNAME olinda -svn IN CNAME olinda -git IN CNAME olinda +www IN CNAME chankillo +;rcs IN CNAME olinda +;svn IN CNAME olinda +git IN CNAME chankillo ldap IN CNAME copan -jabber IN CNAME olinda -xmpp IN CNAME olinda +;jabber IN CNAME olinda +;xmpp IN CNAME olinda kdc IN CNAME masada -roost IN CNAME olinda +;roost IN CNAME olinda roost-api IN CNAME adehnert-roost-api.mit.edu. adehnert-roost-api IN CNAME adehnert-roost-api.mit.edu. _acme-challenge.roost-api IN CNAME _acme-challenge.roost-api.dynamic salt IN CNAME wieliczka vault IN CNAME virunga -alex IN CNAME olinda -webapps IN CNAME olinda +alex IN CNAME chankillo +webapps IN CNAME chankillo *.olinda-proxy IN CNAME olinda +*.chankillo-proxy IN CNAME chankillo -squaresdb IN CNAME squaresdb.olinda-proxy +squaresdb IN CNAME squaresdb.chankillo-proxy _acme-challenge.squaresdb IN CNAME _acme-challenge.squaresdb.dynamic squaresdb-google IN CNAME tech-squares-photos.mit.edu. 
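Review bot: `*.chankillo-proxy IN CNAME chankillo` adds a second wildcard beside `*.olinda-proxy`, so every undefined label under `chankillo-proxy` resolves to the host and reaches whatever default virtual host the proxy serves; that is a normal reverse-proxy convention, but a comment such as `; wildcard: <svc>.chankillo-proxy resolves to chankillo; the proxy should answer only for known Host names` records the assumption. Several records are kept as `;`-commented lines (`;rcs`, `;svn`, `;jabber`, `;xmpp`, `;roost`) rather than deleted; git keeps the history, and deleting them avoids stale lines being uncommented later. `ldap IN CNAME copan` in this hunk's context targets a name whose `A` record was removed in patch 04 (L3), so it looks dangling — confirm against the served zone.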
@@ -126,9 +133,9 @@ about.dynamic IN TXT "static zone updates for dehnerts.com" dns2tcp IN NS novgorod.mit.edu. ; SRV records -_xmpp-client._tcp.jabber 3600 IN SRV 10 0 5222 jabber.dehnerts.com. -_xmpp-client._tcp 3600 IN SRV 10 0 5222 jabber.dehnerts.com. -_xmpp-server._tcp 3600 IN SRV 10 0 5269 jabber.dehnerts.com. +;_xmpp-client._tcp.jabber 3600 IN SRV 10 0 5222 jabber.dehnerts.com. +;_xmpp-client._tcp 3600 IN SRV 10 0 5222 jabber.dehnerts.com. +;_xmpp-server._tcp 3600 IN SRV 10 0 5269 jabber.dehnerts.com. _kerberos TXT "DEHNERTS.COM" _kerberos._tcp SRV 0 0 88 kdc.dehnerts.com. _kerberos-adm._tcp SRV 0 0 749 kdc.dehnerts.com. -- 2.34.1 From 8a1892eba22fd101043f999e27d90a2d4917aae4 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Thu, 27 Jul 2023 16:56:48 +0000 Subject: [PATCH 10/16] chankillo dyndns setup --- named.conf.chankillo | 20 ++++++++++++++++---- pri/combined-dehnerts.zone | 10 ++++++---- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/named.conf.chankillo b/named.conf.chankillo index eb9e510..0786a25 100644 --- a/named.conf.chankillo +++ b/named.conf.chankillo 
@@ -1,8 +1,20 @@ +include "/etc/bind/pri/dynamic.keys"; + zone "dynamic.dehnerts.com" IN { - // secondary is equivalent, starting in bind-9.15.8 - // https://github.com/isc-projects/bind9/commit/79c2400d91b818e66a45494784cea17f46e807f2 - type secondary; + type master; file "/var/lib/bind/dynamic.dehnerts.zone"; - masters { "primary-ns"; }; + update-policy { + grant * selfsub * A TXT; + grant xidi.dynamic.dehnerts.com name _acme-challenge.duck-dacha.dynamic.dehnerts.com TXT; + grant xidi.dynamic.dehnerts.com name _acme-challenge.homeassistant.dynamic.dehnerts.com TXT; + grant xidi.dynamic.dehnerts.com name _acme-challenge.pihole.dynamic.dehnerts.com TXT; + grant xidi.dynamic.dehnerts.com name _acme-challenge.unifi.dynamic.dehnerts.com TXT; + grant chankillo.dynamic.dehnerts.com name _acme-challenge.mail.dynamic.dehnerts.com TXT; + grant chankillo.dynamic.dehnerts.com name _acme-challenge.smtp.dynamic.dehnerts.com TXT; + grant chankillo.dynamic.dehnerts.com name _acme-challenge.imap.dynamic.dehnerts.com TXT; + grant chankillo.dynamic.dehnerts.com name _acme-challenge.pop.dynamic.dehnerts.com TXT; + }; + allow-transfer { "transfer-allowed"; }; allow-query { any; }; + also-notify { "secondary-ns"; }; }; diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index e1b986e..d97530e 100644 --- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone @@ -1,6 +1,6 @@ $TTL 300 @ IN SOA ns root ( - 2023072502 ; Serial + 2023072702 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time @@ -9,7 +9,6 @@ $TTL 300 IN NS ns1.dehnerts.com. IN NS ns3.dehnerts.com. IN NS ns1.sipb.org. - IN NS chankillo.mit.edu. IN NS ns1.linode.com. IN NS ns2.linode.com. IN NS ns3.linode.com. 
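Review bot: `also-notify { "secondary-ns"; };` is added to the new primary, but `secondary-ns` was last changed in patch 08 (L5) to contain `18.18.208.22; // chankillo` — this host — and does not contain olinda, so as committed the primary notifies itself and the old primary is not told about updates; rework `secondary-ns` in the same commit. `grant * selfsub * A TXT;` means every key in `/etc/bind/pri/dynamic.keys` may write A/TXT at its own name and below, so adding a key to that file is itself an authorization — a comment above the `include` saying so, e.g. `// every key in dynamic.keys can update its own name and subnames (selfsub)`, helps whoever next edits it. The per-name `grant … TXT;` lines are correctly limited to TXT for the `_acme-challenge` names.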
@@ -70,13 +69,17 @@ tikal IN A 192.168.1.27 ; Most services mail IN A 18.18.208.12 +_acme-challenge.mail IN CNAME _acme-challenge.mail.dynamic mail2 IN CNAME adehnert3.xvm.mit.edu. mail-pi IN CNAME duck-dacha imap IN CNAME olinda *.imap IN CNAME olinda +_acme-challenge.imap IN CNAME _acme-challenge.imap.dynamic pop IN CNAME olinda *.pop IN CNAME olinda +_acme-challenge.pop IN CNAME _acme-challenge.pop.dynamic smtp IN A 18.18.208.12 +_acme-challenge.smtp IN CNAME _acme-challenge.smtp.dynamic ns IN A 18.18.208.22 ns1 IN A 18.18.208.22 ns3 IN A 18.18.208.12 @@ -125,8 +128,7 @@ _gitlab-pages-verification-code.gametex TXT gitlab-pages-verification-code=400a2 wind.squares CNAME tech-squares.gitlab.io. _gitlab-pages-verification-code.wind.squares TXT gitlab-pages-verification-code=be2402e968b6d7125f60994be82f2653 -dynamic IN NS ns3.dehnerts.com. -dynamic IN NS olinda.mit.edu. +dynamic IN NS ns1.dehnerts.com. about.dynamic IN TXT "static zone updates for dehnerts.com" ; Miscellaneous extra services -- 2.34.1 From 040e719506a23e33278ee498fcba327728a9e703 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Thu, 27 Jul 2023 13:18:13 -0400 Subject: [PATCH 11/16] Continue swapping DNS primary over to chankillo --- config/dyndehnerts-secondary.conf | 8 ++++++++ named.conf.local | 2 +- named.conf.olinda | 22 +--------------------- 3 files changed, 10 insertions(+), 22 deletions(-) create mode 100644 config/dyndehnerts-secondary.conf diff --git a/config/dyndehnerts-secondary.conf b/config/dyndehnerts-secondary.conf new file mode 100644 index 0000000..dad5d9f --- /dev/null +++ b/config/dyndehnerts-secondary.conf @@ -0,0 +1,8 @@ +zone "dynamic.dehnerts.com" IN { + // secondary is equivalent, starting in bind-9.15.8 + // https://github.com/isc-projects/bind9/commit/79c2400d91b818e66a45494784cea17f46e807f2 + type slave; + file "/var/lib/bind/dynamic.dehnerts.zone"; + masters { "primary-ns"; }; + allow-query { any; }; +}; 
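Review bot: `dynamic` is delegated to a single nameserver after the `@@ -125,8 +128,7 @@` hunk (`ns1.dehnerts.com.`, with the `ns3.dehnerts.com.` and `olinda.mit.edu.` NS lines removed), so every `_acme-challenge.*` CNAME into `.dynamic` and the `*-monitor` names depend on chankillo alone being reachable, and DNS-01 renewals stall whenever it is down. Any host that actually serves the zone as a secondary (olinda after patch 11, or Linode if it pulls this zone) should be listed again, e.g. `dynamic IN NS ns3.dehnerts.com.`, once it is confirmed to answer for it.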
diff --git a/named.conf.local b/named.conf.local index c42339d..fd8724f 100644 --- a/named.conf.local +++ b/named.conf.local @@ -38,7 +38,7 @@ acl "transfer-allowed" { }; masters "primary-ns" { - 18.18.208.12; // olinda + 18.18.208.22; // chankillo }; masters "secondary-ns" { diff --git a/named.conf.olinda b/named.conf.olinda index cdf1537..4f8db2b 100644 --- a/named.conf.olinda +++ b/named.conf.olinda @@ -1,21 +1 @@ -include "/etc/bind/pri/dynamic.keys"; - -zone "dynamic.dehnerts.com" IN { - type master; - file "/etc/bind/dyn/dynamic.zone"; - update-policy { - grant * selfsub * A TXT; - grant adehnert-pi4.dynamic.dehnerts.com name _acme-challenge.duck-dacha.dynamic.dehnerts.com TXT; - grant adehnert-pi4.dynamic.dehnerts.com name _acme-challenge.homeassistant.dynamic.dehnerts.com TXT; - grant adehnert-pi4.dynamic.dehnerts.com name _acme-challenge.pihole.dynamic.dehnerts.com TXT; - grant adehnert-pi4.dynamic.dehnerts.com name _acme-challenge.unifi.dynamic.dehnerts.com TXT; - grant xidi.dynamic.dehnerts.com name _acme-challenge.duck-dacha.dynamic.dehnerts.com TXT; - grant xidi.dynamic.dehnerts.com name _acme-challenge.homeassistant.dynamic.dehnerts.com TXT; - grant xidi.dynamic.dehnerts.com name _acme-challenge.pihole.dynamic.dehnerts.com TXT; - grant xidi.dynamic.dehnerts.com name _acme-challenge.unifi.dynamic.dehnerts.com TXT; - grant adehnert-test-d.dynamic.dehnerts.com name _acme-challenge.squaresdb.dynamic.dehnerts.com TXT; - }; - allow-transfer { "transfer-allowed"; }; - allow-query { any; }; - also-notify { "secondary-ns"; }; -}; +include "/etc/bind/config/dyndehnerts-secondary.conf"; -- 2.34.1 From 34248f2a336ed0aa3aae0b8a725a34986719b2b9 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Thu, 27 Jul 2023 18:27:06 +0000 Subject: [PATCH 12/16] Refactor list of IPs for masters and ACLs --- named.conf.local | 98 ++++++++++++++++++++++++++++++------------------ 1 file changed, 61 insertions(+), 37 deletions(-) 
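Review bot: `primary-ns` is repointed at chankillo, but `secondary-ns` — the list the new primary's `also-notify` uses (patch 10, L10) — is left as patch 08 set it, still containing chankillo and not olinda, so until patch 12 the primary notifies itself rather than the host this commit turns into its secondary. Updating both lists here would make the role swap atomic; a comment over the two blocks, `// primary-ns: where secondaries pull from; secondary-ns: who the primary notifies`, would also make the pairing obvious.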
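Review bot: The block removed from named.conf.olinda applied `allow-transfer { "transfer-allowed"; };` to the dynamic zone, but the `config/dyndehnerts-secondary.conf` now included (patch 11, L11) has no `allow-transfer`, so outbound AXFR of that zone from olinda silently falls back to the server-wide default; add the line to the shared secondary config. olinda also stops including `/etc/bind/pri/dynamic.keys`, yet the keys presumably remain on that host's disk unreferenced; a secondary needs no update keys, so delete the file there or rotate the keys, so that a compromise of the retired primary does not yield credentials chankillo still accepts.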
diff --git a/named.conf.local b/named.conf.local
index fd8724f..4883755 100644
--- a/named.conf.local
+++ b/named.conf.local
@@ -12,50 +12,74 @@ # notify no; #}; +// Unfortunately, AFAICT we need to list the Linode IPs as an ACL (so they +// can make the requests) *and* as masters (so they get the notify). +acl "linode" { + // Linode + // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service + 104.237.137.10; + 45.79.109.10; + 74.207.225.10; + 207.192.70.10; + 109.74.194.10; + 2600:3c00::a; + 2600:3c01::a; + 2600:3c02::a; + 2600:3c03::a; + 2a01:7e00::a; + // Import + // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#import-a-dns-zone + 96.126.114.97; + 96.126.114.98; + 2600:3c00::5e; + 2600:3c00::5f; +}; + +masters "linode" { + // Linode + // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service + 104.237.137.10; + 45.79.109.10; + 74.207.225.10; + 207.192.70.10; + 109.74.194.10; + 2600:3c00::a; + 2600:3c01::a; + 2600:3c02::a; + 2600:3c03::a; + 2a01:7e00::a; + // Import + // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#import-a-dns-zone + 96.126.114.97; + 96.126.114.98; + 2600:3c00::5e; + 2600:3c00::5f; +}; + +// The actual ACL building blocks acl "transfer-allowed" { - localhost; - 207.29.250.54; // ??? - 18.4.60.36; // charon - 18.49.3.1; // charon4 - 18.25.131.1; // charon4 - 74.207.246.137; // arctic - 66.92.29.156; // copan - 18.18.208.12; // olinda - 18.25.129.162; // adehnert3.xvm - 130.44.166.3; // DD - 18.18.208.22; // chankillo - // Linode - 104.237.137.10; - 45.79.109.10; - 74.207.225.10; - 207.192.70.10; - 109.74.194.10; - 2600:3c00::a; - 2600:3c01::a; - 2600:3c02::a; - 2600:3c03::a; - 2a01:7e00::a; + localhost; + 207.29.250.54; // ??? 
+ 18.4.60.36; // charon + 18.49.3.1; // charon4 + 18.25.131.1; // charon4 + 74.207.246.137; // arctic + 66.92.29.156; // copan + 18.18.208.12; // olinda + 18.25.129.162; // adehnert3.xvm + 130.44.166.3; // DD + 18.18.208.22; // chankillo + "linode"; }; masters "primary-ns" { - 18.18.208.22; // chankillo + 18.18.208.22; // chankillo }; masters "secondary-ns" { - 18.25.129.162; // adehnert3.xvm - 18.18.208.22; // chankillo - // Linode - // https://www.linode.com/docs/products/networking/dns-manager/guides/incoming-dns-zone-transfers/#operate-as-a-secondary-read-only-dns-service - 104.237.137.10; - 45.79.109.10; - 74.207.225.10; - 207.192.70.10; - 109.74.194.10; - 2600:3c00::a; - 2600:3c01::a; - 2600:3c02::a; - 2600:3c03::a; - 2a01:7e00::a; + 18.25.129.162; // adehnert3.xvm + 18.18.208.12; // olinda + linode; }; include "/etc/bind/named.conf.per-host"; -- 2.34.1 From c2da31ba0a190023dfb754bf29e7a714bc896b5c Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Thu, 27 Jul 2023 18:27:25 +0000 Subject: [PATCH 13/16] Notify secondaries for dehnerts.com This probably speeds up change propagation --- named.conf.local | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/named.conf.local b/named.conf.local index 4883755..1cf559f 100644 --- a/named.conf.local +++ b/named.conf.local @@ -109,7 +109,7 @@ zone "dehnerts.com" IN { allow-update { none; }; allow-transfer { "transfer-allowed"; }; allow-query { any; }; - //notify no; + also-notify { "secondary-ns"; }; }; logging { -- 2.34.1 From 65152949186366d2a7196de03a9cd3e6432eb005 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Thu, 27 Jul 2023 18:27:52 +0000 Subject: [PATCH 14/16] Swap over email to chankillo --- pri/combined-dehnerts.zone | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index d97530e..109a01d 100644 --- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone 
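Review bot: The refactored `acl "transfer-allowed"` carries forward `207.29.250.54; // ???`, an address nobody can attribute, plus `66.92.29.156; // copan` and `74.207.246.137; // arctic`, whose hosts no longer appear in the zone after patch 04; a rewrite of the AXFR allow-list is the moment to drop entries with no known owner, since each may pull the full zone. The four `// Import` addresses are added permanently to both `acl "linode"` and `masters "linode"` although the comment ties them to the one-time zone-import guide; if they are only needed for the import, remove them afterwards from both lists, which also stops NOTIFY going to them via `secondary-ns`. `masters "secondary-ns"` references the list as bare `linode;` while the ACL uses `"linode";` — both parse, but one spelling is easier to grep.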
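Review bot: `also-notify { "secondary-ns"; };` replaces a commented-out `//notify no;`, so NOTIFY to the zone's NS RRset was already on by BIND's default; what this line adds is NOTIFY to `secondary-ns` members that are not in the NS set — olinda's 18.18.208.12 and the Linode addresses, including the import-only ones. A comment such as `// NS-set servers are notified by default; this adds the non-NS secondaries` would turn the commit message's "probably" into a stated reason.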
@@ -1,6 +1,6 @@ $TTL 300 @ IN SOA ns root ( - 2023072702 ; Serial + 2023072706 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time @@ -15,7 +15,7 @@ $TTL 300 IN NS ns4.linode.com. IN NS ns5.linode.com. IN A 18.18.208.22 - IN MX 10 mail + IN MX 10 smtp ; IN MX 20 adehnert3.xvm.mit.edu. ; SPF IN TXT "v=spf1 mx a ~all" 
@@ -26,11 +26,11 @@ $TTL 300 ; Spam filtering olinda-202207._domainkey IN TXT ( "v=DKIM1; t=y; h=sha256; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmY9SdH535aHo7xO2TdTTzvJJiGe5YRonZpoAJNJjNRmGuzYEr3CPeJ1wkVbAWIbYg4ZQXlWMaUpbS63UI1widngx+r5sUIBc1Ib/Vyg/XgSND5ZQ/QksNEFobnGafWh+0cd6GKcgBfFi2KZaYdGjsToD0Kosl7fZI4dOocG9yKdLP7PbwFN87cyKHC9y7/XvytphjomHxUDtRp" - "saKFHa5N5F1oASmW4gnnyNWHcmVpanknlTmiTHLrNPcTDhC0ODYAB5RFmeO49+fHBaK1q4ZE9jnSHraPm8lz0wba9XCaUs9CJ1MEh+SJNjE/td5p2m9LR0HxX6N6mC0zzN+VDPdwIDAQAB" ) ; ----- DKIM key olinda-202207 for localhost -adehnert-test-d-202307._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2BG4abdXLgH3S2PuVWWXdukSQiGbHwsk0MnDGcAQOGivH3vAtwJ42nS8rgzV8QJfnGLvAeo4E0Mg5OPeMMrFcqaBE6gNg2u88HREcv7ExhXWGDirlqPI2zc1fNzHOjlTXkJ+B1cJApeqJQl/mpfybWj9cUIJjeO+jj0XhAEYI95kpdWqhPRdVglWQ8OLVmhL4nCQuISiLBHyZk" - "d97nqJz+ni7t5dv2lSIrsvyJ92zV0Lfeqe3rlwX2UW79x+hF6VCGaBGSNwkl+jfLKzqiG4VVIlARjQJTMJpiohxX+7Evdw2s+Y3vDVpHwbUcBbZtTW+EdxFgsXN3m10vdvy9cjpQIDAQAB" ) ; ----- DKIM key adehnert-test-d-202307 for localhost + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmY9SdH535aHo7xO2TdTTzvJJiGe5YRonZpoAJNJjNRmGuzYEr3CPeJ1wkVbAWIbYg4ZQXlWMaUpbS63UI1widngx+r5sUIBc1Ib/Vyg/XgSND5ZQ/QksNEFobnGafWh+0cd6GKcgBfFi2KZaYdGjsToD0Kosl7fZI4dOocG9yKdLP7PbwFN87cyKHC9y7/XvytphjomHxUDtRp" + "saKFHa5N5F1oASmW4gnnyNWHcmVpanknlTmiTHLrNPcTDhC0ODYAB5RFmeO49+fHBaK1q4ZE9jnSHraPm8lz0wba9XCaUs9CJ1MEh+SJNjE/td5p2m9LR0HxX6N6mC0zzN+VDPdwIDAQAB" ) ; ----- DKIM key olinda-202207 for localhost +chankillo-202307._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiJbpbveUiOmnI5h5Lc7w0OGZ5cVD8ODsp23MKtHDK5WmNel4+9K1zROEGBx60UaG09oIJqyy97QDZYXhmvOCtJlrXnqe5dOLmvHUJps6whw8iGygAvhBkkit9w0T9EcCAZS32g333B8MDJlKboNZiwBQxIBd6mXvoLvns+NFY083422XsWNq7BgTiNfzS0SZG5QJWpAbdYUZPh" + 
"aqokmQllHogRfPgrfmz68otJvnVGX6WzW+LDBI+a58BJleTd5NYKmbKkbvFvhT7n+Ynenjo6ksisFvQ4dHIcoyBlVFxFYPWHUvYSKCt7ysMrmTNOyvX2SEFqY6TlktNlo6ojJTcwIDAQAB" ) ; ----- DKIM key chankillo-202307 for localhost _dmarc IN TXT "v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarcreports@dehnerts.com;" @@ -68,17 +68,17 @@ dd-printer IN A 192.168.2.11 tikal IN A 192.168.1.27 ; Most services -mail IN A 18.18.208.12 +mail IN A 18.18.208.22 _acme-challenge.mail IN CNAME _acme-challenge.mail.dynamic mail2 IN CNAME adehnert3.xvm.mit.edu. mail-pi IN CNAME duck-dacha -imap IN CNAME olinda -*.imap IN CNAME olinda +imap IN CNAME chankillo _acme-challenge.imap IN CNAME _acme-challenge.imap.dynamic -pop IN CNAME olinda -*.pop IN CNAME olinda +*.imap IN CNAME chankillo +pop IN CNAME chankillo _acme-challenge.pop IN CNAME _acme-challenge.pop.dynamic -smtp IN A 18.18.208.12 +*.pop IN CNAME chankillo +smtp IN A 18.18.208.22 _acme-challenge.smtp IN CNAME _acme-challenge.smtp.dynamic ns IN A 18.18.208.22 ns1 IN A 18.18.208.22 -- 2.34.1 From 99a5b167910c19e0de1fa408923298b4c37f7728 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Mon, 31 Jul 2023 21:54:27 +0000 Subject: [PATCH 15/16] Migrate zulip to chankillo and fix DNS issues - Update `zulip` DNS to point at chankillo and support the DNS-01 challenge for wildcard certs - MxToolbox identifies some issues, and they mostly seem fairly harmless, but also fairly harmless to fix, and making MxToolbox alerting more useful is good: - Use ns1, not ns, as the primary nameserver in the zone - Remove Linode nameserver that shares a subnet with another one - Remove ns3 (olinda), which isn't running right now and is on the same subnet as ns1 (chankillo) --- named.conf.chankillo | 1 + pri/combined-dehnerts.zone | 13 +++++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/named.conf.chankillo b/named.conf.chankillo index 0786a25..26de59e 100644 --- a/named.conf.chankillo +++ b/named.conf.chankillo 
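Review bot: The `adehnert-test-d-202307._domainkey` selector is deleted in the same hunk that adds `chankillo-202307`, so any message already signed with the old selector fails DKIM verification once this zone is served; keep a retired selector published until no mail signed with it can still be in transit. The `olinda-202207` record appears as both `-` and `+` with no visible difference, which suggests a whitespace-only change — keeping that churn out of a key-rotation commit makes the selector change easier to audit. `_dmarc` is `p=none`, so the verification failures are only reported to `dmarcreports@dehnerts.com`, not enforced.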
@@ -13,6 +13,7 @@ zone "dynamic.dehnerts.com" IN { grant chankillo.dynamic.dehnerts.com name _acme-challenge.smtp.dynamic.dehnerts.com TXT; grant chankillo.dynamic.dehnerts.com name _acme-challenge.imap.dynamic.dehnerts.com TXT; grant chankillo.dynamic.dehnerts.com name _acme-challenge.pop.dynamic.dehnerts.com TXT; + grant chankillo.dynamic.dehnerts.com name _acme-challenge.zulip.dynamic.dehnerts.com TXT; }; allow-transfer { "transfer-allowed"; }; allow-query { any; }; diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index 109a01d..e89c191 100644 --- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone @@ -1,19 +1,19 @@ $TTL 300 -@ IN SOA ns root ( - 2023072706 ; Serial +@ IN SOA ns1 root ( + 2023073101 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time 300 ; maximum caching time in case of failed lookups (5 minutes) ) IN NS ns1.dehnerts.com. - IN NS ns3.dehnerts.com. IN NS ns1.sipb.org. IN NS ns1.linode.com. IN NS ns2.linode.com. IN NS ns3.linode.com. IN NS ns4.linode.com. - IN NS ns5.linode.com. + ; Same subnet as ns2, which mxtoolbox.com thinks is bad + ;IN NS ns5.linode.com. IN A 18.18.208.22 IN MX 10 smtp ; IN MX 20 adehnert3.xvm.mit.edu. @@ -116,8 +116,9 @@ adehnert-test-d IN CNAME adehnert-test-d.mit.edu. _acme-challenge.adehnert-test-d IN CNAME _acme-challenge.adehnert-test-d.dynamic ; Zulip -zulip IN CNAME olinda -*.zulip IN CNAME olinda +zulip IN CNAME chankillo +_acme-challenge.zulip IN CNAME _acme-challenge.zulip.dynamic +*.zulip IN CNAME chankillo em3230.zulip IN CNAME u22946278.wl029.sendgrid.net. s1._domainkey.zulip IN CNAME s1.domainkey.u22946278.wl029.sendgrid.net. s2._domainkey.zulip IN CNAME s2.domainkey.u22946278.wl029.sendgrid.net. -- 2.34.1 From d4a2f6d5eee31a1dfa2efd0985ca900ebd2c67a5 Mon Sep 17 00:00:00 2001 
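Review bot: After the `@@ -1,19 +1,19 @@` hunk the apex NS set is `ns1.dehnerts.com.`, `ns1.sipb.org.` and four Linode servers, but nothing in the series ties `ns1.sipb.org.` to an entry in `transfer-allowed` (the `charon`/`charon4` comments in named.conf.local, L14–L15, are the only candidates); since that server must AXFR the zone to stay authoritative, a comment beside its NS record or ACL entry naming the address it transfers from keeps the allow-list auditable. `ns5.linode.com.` is kept as a commented `;IN NS` line with its reason, whereas `ns3.dehnerts.com.` is removed without a note even though `ns3 IN A 18.18.208.12` appears to remain in the zone (L11 context); a `; ns3 (olinda) still serves the zone but is not delegated` comment would keep the two consistent.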
From: Alex Dehnert Date: Fri, 29 Dec 2023 22:34:57 +0000 Subject: [PATCH 16/16] Printer has a wired and wireless name&IP now --- pri/combined-dehnerts.zone | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone index e89c191..620f814 100644 --- a/pri/combined-dehnerts.zone +++ b/pri/combined-dehnerts.zone @@ -1,6 +1,6 @@ $TTL 300 @ IN SOA ns1 root ( - 2023073101 ; Serial + 2023120501 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time @@ -62,7 +62,9 @@ _acme-challenge.duck-dacha IN CNAME _acme-challenge.duck-dacha.dynamic _acme-challenge.homeassistant IN CNAME _acme-challenge.homeassistant.dynamic _acme-challenge.pihole IN CNAME _acme-challenge.pihole.dynamic _acme-challenge.unifi IN CNAME _acme-challenge.unifi.dynamic -dd-printer IN A 192.168.2.11 +dd-printer IN CNAME dd-printer-wired +dd-printer-wifi IN A 192.168.2.11 +dd-printer-wired IN A 192.168.2.15 ; In CA tikal IN A 192.168.1.27 -- 2.34.1