.gitignore

@@ -0,0 +1,2 @@
+# SECURITY(Krey): NEVER INCLUDE secret.rndc-key as leak would allow anyone to take control over the domain(s)
+secret.rndc-key

bin/binder

@@ -0,0 +1,94 @@
+#!/bin/sh
+# shellcheck shell=sh # Written to comply with POSIX IEEE Std 1003.1-2017
+
+# NOTE(Krey): Define die()
+command -v die 1>/dev/null || die() { ${PRINTF:-printf} "${DIE_FORMAT_STRING:-"%s\\n"}" "$2"; ${EXIT:-exit} "$1";}
+
+# NOTE(Krey): Functions are a rewrite of https://git.dotya.ml/RXT0112/Exheredrey/src/branch/master/packages/net-dns/bind/bind.exher#L247 designed for Mokleus GNU/Linux
+
+###! Binder function that signs the zonefiles for provided domain assuming FSH3_0 standard followed
+###! SYNOPSIS: binder_signzone [DOMAIN(dotya.ml)]
+###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
+binder_signzone() {
+	# Define input
+	domainInput="$1" # Expects domains alike 'dotya.ml'
+
+	for domain in $domainInput; do
+		# NOTE(Krey): Make sure that all zonefiles are valid
+		for zonefile in /etc/bind/zonefiles/"${domain##*.}"/"${domain%%.*}"/*.zonefile; do
+			${NAMED_CHECKZONE:-named-checkzone} domain "$zonefile" || die 1 "Check for zonefile '$zonefile' of domain '$domain' failed"
+
+			# NOTE(Krey): Sign the zone
+			${DNSSEC_SIGNZONE:-dnssec-signzone} \
+				-g \
+				-K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" \
+				-T 300 \
+				-n "$(nproc 2>/dev/null || printf 1)" \
+				"/etc/bind/zonefiles/${domain##*.}/${domain%%.*}/$zonefile" || {
+					case "$LANG" in
+						en-*|*) die 1 "Signing zone dotya.ml failed"
+					esac
+			}
+		done
+	done
+}
+
+###! Generate the rndc.conf and secret.rndc-key
+###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
+binder_generate_rndc_key() {
+	# NOTE(Krey): rndc.key is harder to manage for public review
+	[ ! -f /etc/bind/rndc.key ] || ${MV:mv} /etc/bind/rndc.key /etc/bind/rndc.key.bk
+
+	# Generate the rndc.conf
+	[ -s /etc/bind/rndc.conf ] || { ${RNDC_CONFGEN:-rndc-confgen} \
+		-A hmac-sha512 \
+		-b 512 \
+		-u bind \
+		-p 953 \
+			> /etc/bind/rndc.conf ;} || {
+				case "$LANG" in
+					en-*|*) die 1 "Command '${RNDC_CONFGEN:-rndc-confgen}' was unable to generate the '/etc/bind/rndc.conf' file"
+				esac
+			}
+	[ -s "/etc/bind/secret.rndc-key" ] || {
+		{ ${GREP:-grep} "^#" "/etc/bind/rndc.conf" | ${GREP:-grep} "^# key" -A 3 | ${SED:-sed} "s/# //" > "/etc/bind/secret.rndc-key"
+	} || die 1 "Unable to generate 'secret.rndc-key'" ;}
+
+	# FIXME-QA(Krey): Sanitize
+	# SECURITY(Krey): Set the apropriate perms on secret.rndc-key
+	${CHMOD:-chmod} 0640 "/etc/bind/secret.rndc-key" || die 1 "Unable to set the expected permission on file '/etc/bind/secret.rndc-key'"
+
+	# FIXME-QA(Krey): Sanitize
+	# SECURITY(Krey): Set the apropriate perms on secret.rndc-key
+	${CHOWN:-chown} bind:bind "/etc/bind/secret.rndc-key" || die 1 "Unable to set the expected ownership on file '/etc/bind/secret.rndc-key'"
+
+	# SECURITY(Krey): By default rndc.conf has CONFIDENTIAL INFORMATIONS, this will strip them
+	${GREP:-grep} "^# " "/etc/bind/rndc.conf" >/dev/null || { { ${PRINTF:-printf} 'g/# .*/d\nw\nq\n' | ${ED:-ed} -s "/etc/bind/rndc.conf" ;} || die 28 "SECURITY WARNING UNABLE TO REMOVE CONFIDENTIAL INFORMATIONS FROM FILE '/etc/bind/rndc.conf'" ;}
+}
+
+###! Function used to generate the KSK and ZSK
+###! SYNOPSIS: binder_generate_keys [DOMAIN(dotya.ml)]
+###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
+binder_generate_keys() {
+	# Define input
+	domainInput="$1" # Expects domains alike 'dotya.ml'
+
+	for domain in $domainInput; do
+		# FIXME-QA(Krey): Sanitize
+		# Generate Key-Signing Key (KSK)
+		${DNSSEC_KEYGEN:-dnssec-keygen} \
+			-a "ECDSAP384SHA384" \
+			-f KSK \
+			-c IN \
+			-L 300 \
+			-K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" "$domain" || die 1 "Unable to generate Key-Signing Key (KSK) for domain '$domain'" 
+					
+		# Generate Zone-Signing Key (ZSK)
+		${DNSSEC_KEYGEN:-dnssec-keygen} \
+			-a ECDSAP384SHA384\
+			-n ZONE \
+			-c IN \
+			-L 300 \
+			-K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" "$domain" || die 1 "Unable to generate Zone-Signing Key (ZSK) for domain '$domain'" 
+	done
+}

named.conf

@@ -0,0 +1,133 @@
+# Comment
+// Comment
+/* Comment */
+
+# Relevant Administrator Reference Manual (ARM): https://downloads.isc.org/isc/bind9/9.16.8/doc/arm/Bv9ARM.pdf
+# FIXME-DOCS(Krey): Provide best practices reference
+
+# NOTE(Krey): The key has to be included in named.conf 
+include "/etc/bind/secret.rndc-key"
+
+options {
+	// Set directory CWD (Current Working Directory)
+	directory "/var/named/bind";
+
+	// Path configuration
+	dump-file "/bind_dump.db";              // _PATH_DUMPFILE
+	pid-file "/run/named/bind.pid";                  // _PATH_PIDFILE
+	statistics-file "bind.stats";          // _PATH_STATS
+	memstatistics-file "bind.memstats";    // _PATH_MEMSTATS
+
+	// Sets Random Device
+	random-device "/dev/random";
+
+	// uncomment the following lines to turn on DNS forwarding,
+	// and change the forwarding ip address(es) :
+	//forward first;
+	//forwarders {
+	//	123.123.123.123;
+	//	123.123.123.123;
+	//};
+
+	# NOTE(Krey): Open port 53 reserved for name deamon
+	listen-on port 53 { any; };
+
+	# NOTE(Krey): Close IPv6 ports as current dotya.ml doesn't have IPv6
+	listen-on-v6 { none; };
+
+	# NOTE(Krey): Set this to allow only specific hosts to use the recursive server
+	//allow-query {
+	//	127.0.0.1;
+	//};
+
+	// Cache configuration
+	min-cache-ttl "60";
+	max-cache-ttl "600";
+
+	# NOTE(Krey): Disable recursion server as it's not needed
+	recursion no;
+
+	// if you have problems and are behind a firewall:
+	//query-source address * port 53;
+
+	// NOTE(Krey): Set the PID file location
+	pid-file "/run/named/bind.pid";
+
+	// DNSSEC validation
+	dnssec-validation "auto";
+
+	// Automatically sign zones
+	auto-dnssec "maintain";
+};
+
+controls {
+   inet 127.0.0.1 port 953
+       allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+
+logging {
+   channel named_log{
+      file "/var/log/named/bind.log" versions 3 size 2m;
+      severity info;
+      print-severity yes;
+      print-time yes;
+      print-category yes;
+   };
+   category default {
+      named_log;
+   };
+   category lame-servers {
+      null;
+   };
+};
+
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+zone "dotya.ml" {
+	type master;
+	file "/etc/bind/zonefiles/ml/dotya/master.zonefile.signed";
+	key-directory "/var/cache/named/bind/keys/ml/dotya/";
+	update-policy {
+		grant ddns-key zonesub ANY;
+	};
+	allow-transfer {
+		// Current Server IP
+		144.91.70.62;
+	};
+	allow-update { 144.91.70.62; };
+	inline-signing yes;
+	dnssec-dnskey-kskonly yes;
+	# expiration time 21d, refresh period 16d
+	sig-validity-interval 21 16;
+	auto-dnssec maintain;
+	serial-update-method unixtime;
+};
+
+zone "COM" { type delegation-only; };
+zone "NET" { type delegation-only; };
+
+zone "." IN {
+	type hint;
+	file "named.cache";
+};
+
+zone "localhost" IN {
+	type master;
+	file "pri/localhost.zone";
+	allow-update { none; };
+	notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+	type master;
+	file "pri/127.zone";
+	allow-update { none; };
+	notify no;
+};

zonefiles/ml/dotya/master.zonefile

@@ -0,0 +1,28 @@
+;; Tested using: named-checkzone dotya.ml /etc/bind/zonefiles/ml/dotya/*.zonefile
+;; Signed using: dnssec-signzone -g -K "/var/cache/named/bind/keys/ml/dotya" -T 300 -n "$(nproc || printf 1)" /etc/zonefiles/ml/dotya/main.zonefile
+$TTL	300
+$ORIGIN dotya.ml.
+;; NameServer (NS)
+@	IN	NS	ns.nebula.dotya.ml.
+;; Start Of Authority (SOA)
+@	IN	SOA	(
+	ns.nebula.dotya.ml.         ; MNAME
+	hostmaster.nebula.dotya.ml. ; RNAME
+	2020103022                  ; SERIAL (YYYYMMDDHH)
+	8H                          ; REFRESH
+	2H                          ; RETRY
+	1W                          ; EXPIRY
+	2H                          ; MINIMUM Negative Cache TTL
+)
+;; DEFAULT
+nebula.dotya.ml.    IN  A  144.91.70.62
+ns.nebula.dotya.ml. IN  A  144.91.70.62
+
+;; Include other files here
+;; $INCLUDE "PATH" DOMAIN
+
+;; Zone-Signing key (ZSK)
+$INCLUDE "/var/cache/named/bind/keys/<YOUR_KEY_HERE>" dotya.ml
+
+;; Key-Signing key (KSK)
+$INCLUDE "/var/cache/named/bind/keys/<YOUR_KEY_HERE>" dotya.ml