From bf8ffb190482a995cd0eb86edacd8d9faad7f2d5 Mon Sep 17 00:00:00 2001 From: Jacob Hrbek Date: Fri, 30 Oct 2020 23:08:53 +0100 Subject: [PATCH] Kreyrenized: Hopefully configured as requested Configures the name daemon bind to run authoritative server with option for recursive server configuratble in named.conf as `recursive`. Helper functions submitted in bin/binder files Signed-off-by: Jacob Hrbek --- .gitignore | 2 + bin/binder | 96 +++++++++++++++++++++ bind.keys | 0 master/dotya.ml | 0 named.conf | 133 +++++++++++++++++++++++++++++ zonefiles/ml/dotya/master.zonefile | 28 ++++++ 6 files changed, 259 insertions(+) create mode 100644 .gitignore create mode 100644 bin/binder delete mode 100644 bind.keys delete mode 100644 master/dotya.ml create mode 100644 zonefiles/ml/dotya/master.zonefile diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..eb86242 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +# SECURITY(Krey): NEVER INCLUDE secret.rndc-key as leak would allow anyone to take control over the domain(s) +secret.rndc-key \ No newline at end of file diff --git a/bin/binder b/bin/binder new file mode 100644 index 0000000..7a0918e --- /dev/null +++ b/bin/binder @@ -0,0 +1,96 @@ +#!/bin/sh +# shellcheck shell=sh # Written to comply with POSIX IEEE Std 1003.1-2017 + +# NOTE(Krey): Define die() +command -v die 1>/dev/null || die() { ${PRINTF:-printf} "${DIE_FORMAT_STRING:-"%s\\n"}" "$2"; ${EXIT:-exit} "$1";} + +# NOTE(Krey): Functions are a rewrite of https://git.dotya.ml/RXT0112/Exheredrey/src/branch/master/packages/net-dns/bind/bind.exher#L247 designed for Mokleus GNU/Linux + +###! Binder function that signs the zonefiles for provided domain assuming FSH3_0 standard followed +###! SYNOPSIS: binder_signzone [DOMAIN(dotya.ml)] +###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail based on the keyserver as GPLv3 license in 30/10/2020-EU +binder_signzone() { + # Define input + domainInput="$1" # Expects domains alike 'dotya.ml' + + for domain in $domainInput; do + # NOTE(Krey): Make sure that all zonefiles are valid + for zonefile in /etc/bind/zonefiles/"${domain##*.}"/"${domain%%.*}"/*.zonefile; do + ${NAMED_CHECKZONE:-named-checkzone} domain "$zonefile" || die 1 "Check for zonefile '$zonefile' of domain '$domain' failed" + + # NOTE(Krey): Sign the zone + ${DNSSEC_SIGNZONE:-dnssec-signzone} \ + -g \ + -K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" \ + -T 300 \ + -n "$(nproc 2>/dev/null || printf 1)" \ + "/etc/bind/zonefiles/${domain##*.}/${domain%%.*}/$zonefile" || { + case "$LANG" in + # NOTE-TRANSLATE(Krey): Translated via youtube(https://www.youtube.com/watch?v=ZIdrH9p8wek), might need spellcheck + sk-*) die 1 "ČOBOLO! AHO! AHO!" ;; + en-*|*) die 1 "Signing zone dotya.ml failed" + esac + } + done + done +} + +###! Generate the rndc.conf and secret.rndc-key +###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail based on the keyserver as GPLv3 license in 30/10/2020-EU +binder_generate_rndc_key() { + # NOTE(Krey): rndc.key is harder to manage for public review + [ ! -f /etc/bind/rndc.key ] || ${MV:mv} /etc/bind/rndc.key /etc/bind/rndc.key.bk + + # Generate the rndc.conf + [ -s /etc/bind/rndc.conf ] || { ${RNDC_CONFGEN:-rndc-confgen} \ + -A hmac-sha512 \ + -b 512 \ + -u bind \ + -p 953 \ + > /etc/bind/rndc.conf ;} || { + case "$LANG" in + en-*|*) die 1 "Command '${RNDC_CONFGEN:-rndc-confgen}' was unable to generate the '/etc/bind/rndc.conf' file" + esac + } + [ -s "/etc/bind/secret.rndc-key" ] || { + { ${GREP:-grep} "^#" "/etc/bind/rndc.conf" | ${GREP:-grep} "^# key" -A 3 | ${SED:-sed} "s/# //" > "/etc/bind/secret.rndc-key" + } || die 1 "Unable to generate 'secret.rndc-key'" ;} + + # FIXME-QA(Krey): Sanitize + # SECURITY(Krey): Set the apropriate perms on secret.rndc-key + ${CHMOD:-chmod} 0640 "/etc/bind/secret.rndc-key" || die 1 "Unable to set the expected permission on file '/etc/bind/secret.rndc-key'" + + # FIXME-QA(Krey): Sanitize + # SECURITY(Krey): Set the apropriate perms on secret.rndc-key + ${CHOWN:-chown} bind:bind "/etc/bind/secret.rndc-key" || die 1 "Unable to set the expected ownership on file '/etc/bind/secret.rndc-key'" + + # SECURITY(Krey): By default rndc.conf has CONFIDENTIAL INFORMATIONS, this will strip them + ${GREP:-grep} "^# " "/etc/bind/rndc.conf" >/dev/null || { { ${PRINTF:-printf} 'g/# .*/d\nw\nq\n' | ${ED:-ed} -s "/etc/bind/rndc.conf" ;} || die 28 "SECURITY WARNING UNABLE TO REMOVE CONFIDENTIAL INFORMATIONS FROM FILE '/etc/bind/rndc.conf'" ;} +} + +###! Function used to generate the KSK and ZSK +###! SYNOPSIS: binder_generate_keys [DOMAIN(dotya.ml)] +###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail based on the keyserver as GPLv3 license in 30/10/2020-EU +binder_generate_keys() { + # Define input + domainInput="$1" # Expects domains alike 'dotya.ml' + + for domain in $domainInput; do + # FIXME-QA(Krey): Sanitize + # Generate Key-Signing Key (KSK) + ${DNSSEC_KEYGEN:-dnssec-keygen} \ + -a "ECDSAP384SHA384" \ + -f KSK \ + -c IN \ + -L 300 \ + -K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" "$domain" || die 1 "Unable to generate Key-Signing Key (KSK) for domain '$domain'" + + # Generate Zone-Signing Key (ZSK) + ${DNSSEC_KEYGEN:-dnssec-keygen} \ + -a ECDSAP384SHA384\ + -n ZONE \ + -c IN \ + -L 300 \ + -K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" "$domain" || die 1 "Unable to generate Zone-Signing Key (ZSK) for domain '$domain'" + done +} \ No newline at end of file diff --git a/bind.keys b/bind.keys deleted file mode 100644 index e69de29..0000000 diff --git a/master/dotya.ml b/master/dotya.ml deleted file mode 100644 index e69de29..0000000 diff --git a/named.conf b/named.conf index e69de29..761aaca 100644 --- a/named.conf +++ b/named.conf @@ -0,0 +1,133 @@ +# Comment +// Comment +/* Comment */ + +# Relevant Administrator Reference Manual (ARM): https://downloads.isc.org/isc/bind9/9.16.8/doc/arm/Bv9ARM.pdf +# FIXME-DOCS(Krey): Provide best practices reference + +# NOTE(Krey): The key has to be included in named.conf +include "/etc/bind/secret.rndc-key" + +options { + // Set directory CWD (Current Working Directory) + directory "/var/named/bind"; + + // Path configuration + dump-file "/bind_dump.db"; // _PATH_DUMPFILE + pid-file "/run/named/bind.pid"; // _PATH_PIDFILE + statistics-file "bind.stats"; // _PATH_STATS + memstatistics-file "bind.memstats"; // _PATH_MEMSTATS + + // Sets Random Device + random-device "/dev/random"; + + // uncomment the following lines to turn on DNS forwarding, + // and change the forwarding ip address(es) : + //forward first; + //forwarders { + // 123.123.123.123; + // 123.123.123.123; + //}; + + # NOTE(Krey): Open port 53 reserved for name deamon + listen-on port 53 { any; }; + + # NOTE(Krey): Close IPv6 ports as current dotya.ml doesn't have IPv6 + listen-on-v6 { none; }; + + # NOTE(Krey): Set this to allow only specific hosts to use the recursive server + //allow-query { + // 127.0.0.1; + //}; + + // Cache configuration + min-cache-ttl "60"; + max-cache-ttl "600"; + + # NOTE(Krey): Disable recursion server as it's not needed + recursion no; + + // if you have problems and are behind a firewall: + //query-source address * port 53; + + // NOTE(Krey): Set the PID file location + pid-file "/run/named/bind.pid"; + + // DNSSEC validation + dnssec-validation "auto"; + + // Automatically sign zones + auto-dnssec "maintain"; +}; + +controls { + inet 127.0.0.1 port 953 + allow { 127.0.0.1; } keys { "rndc-key"; }; +}; + +logging { + channel named_log{ + file "/var/log/named/bind.log" versions 3 size 2m; + severity info; + print-severity yes; + print-time yes; + print-category yes; + }; + category default { + named_log; + }; + category lame-servers { + null; + }; +}; + + +// Briefly, a zone which has been declared delegation-only will be effectively +// limited to containing NS RRs for subdomains, but no actual data beyond its +// own apex (for example, its SOA RR and apex NS RRset). This can be used to +// filter out "wildcard" or "synthesized" data from NAT boxes or from +// authoritative name servers whose undelegated (in-zone) data is of no +// interest. +// See http://www.isc.org/products/BIND/delegation-only.html for more info + +zone "dotya.ml" { + type master; + file "/etc/bind/zonefiles/ml/dotya/master.zonefile.signed"; + key-directory "/var/cache/named/bind/keys/ml/dotya/"; + update-policy { + grant ddns-key zonesub ANY; + }; + allow-transfer { + // Current Server IP + 144.91.70.62; + }; + allow-update { 144.91.70.62; }; + inline-signing yes; + dnssec-dnskey-kskonly yes; + # expiration time 21d, refresh period 16d + sig-validity-interval 21 16; + auto-dnssec maintain; + serial-update-method unixtime; +}; + +zone "COM" { type delegation-only; }; +zone "NET" { type delegation-only; }; + +zone "." IN { + type hint; + file "named.cache"; +}; + +zone "localhost" IN { + type master; + file "pri/localhost.zone"; + allow-update { none; }; + notify no; +}; + +zone "127.in-addr.arpa" IN { + type master; + file "pri/127.zone"; + allow-update { none; }; + notify no; +}; \ No newline at end of file diff --git a/zonefiles/ml/dotya/master.zonefile b/zonefiles/ml/dotya/master.zonefile new file mode 100644 index 0000000..bb77f10 --- /dev/null +++ b/zonefiles/ml/dotya/master.zonefile @@ -0,0 +1,28 @@ +;; Tested using: named-checkzone dotya.ml /etc/bind/zonefiles/ml/dotya/*.zonefile +;; Signed using: dnssec-signzone -g -K "/var/cache/named/bind/keys/ml/dotya" -T 300 -n "$(nproc || printf 1)" /etc/zonefiles/ml/dotya/main.zonefile +$TTL 300 +$ORIGIN dotya.ml. +;; NameServer (NS) +@ IN NS ns.nebula.dotya.ml. +;; Start Of Authority (SOA) +@ IN SOA ( + ns.nebula.dotya.ml. ; MNAME + hostmaster.nebula.dotya.ml. ; RNAME + 2020103022 ; SERIAL (YYYYMMDDHH) + 8H ; REFRESH + 2H ; RETRY + 1W ; EXPIRY + 2H ; MINIMUM Negative Cache TTL +) +;; DEFAULT +nebula.dotya.ml. IN A 144.91.70.62 +ns.nebula.dotya.ml. IN A 144.91.70.62 + +;; Include other files here +;; $INCLUDE "PATH" DOMAIN + +;; Zone-Signing key (ZSK) +$INCLUDE "/var/cache/named/bind/keys/" dotya.ml + +;; Key-Signing key (KSK) +$INCLUDE "/var/cache/named/bind/keys/" dotya.ml \ No newline at end of file