bind-configs/named.conf
kreyren 35ab911ad2
Add bind configurations and helper scripts (#1)
Remove angry slovak translate

Signed-off-by: Jacob Hrbek <kreyren@rixotstudio.cz>

Kreyrenized: Hopefully configured as requested

Configures the name daemon bind to run authoritative server with option for recursive server configuratble in named.conf as `recursive`.

Helper functions submitted in bin/binder files

Signed-off-by: Jacob Hrbek <kreyren@rixotstudio.cz>

Co-authored-by: Jacob Hrbek <kreyren@rixotstudio.cz>
Reviewed-on: #1
Co-Authored-By: kreyren <kreyren@noreply.git.dotya.ml>
Co-Committed-By: kreyren <kreyren@noreply.git.dotya.ml>
2020-11-01 09:52:45 +01:00

133 lines
3.2 KiB
Plaintext

# Comment
// Comment
/* Comment */
# Relevant Administrator Reference Manual (ARM): https://downloads.isc.org/isc/bind9/9.16.8/doc/arm/Bv9ARM.pdf
# FIXME-DOCS(Krey): Provide best practices reference
# NOTE(Krey): The key has to be included in named.conf
include "/etc/bind/secret.rndc-key"
options {
// Set directory CWD (Current Working Directory)
directory "/var/named/bind";
// Path configuration
dump-file "/bind_dump.db"; // _PATH_DUMPFILE
pid-file "/run/named/bind.pid"; // _PATH_PIDFILE
statistics-file "bind.stats"; // _PATH_STATS
memstatistics-file "bind.memstats"; // _PATH_MEMSTATS
// Sets Random Device
random-device "/dev/random";
// uncomment the following lines to turn on DNS forwarding,
// and change the forwarding ip address(es) :
//forward first;
//forwarders {
// 123.123.123.123;
// 123.123.123.123;
//};
# NOTE(Krey): Open port 53 reserved for name deamon
listen-on port 53 { any; };
# NOTE(Krey): Close IPv6 ports as current dotya.ml doesn't have IPv6
listen-on-v6 { none; };
# NOTE(Krey): Set this to allow only specific hosts to use the recursive server
//allow-query {
// 127.0.0.1;
//};
// Cache configuration
min-cache-ttl "60";
max-cache-ttl "600";
# NOTE(Krey): Disable recursion server as it's not needed
recursion no;
// if you have problems and are behind a firewall:
//query-source address * port 53;
// NOTE(Krey): Set the PID file location
pid-file "/run/named/bind.pid";
// DNSSEC validation
dnssec-validation "auto";
// Automatically sign zones
auto-dnssec "maintain";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
logging {
channel named_log{
file "/var/log/named/bind.log" versions 3 size 2m;
severity info;
print-severity yes;
print-time yes;
print-category yes;
};
category default {
named_log;
};
category lame-servers {
null;
};
};
// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info
zone "dotya.ml" {
type master;
file "/etc/bind/zonefiles/ml/dotya/master.zonefile.signed";
key-directory "/var/cache/named/bind/keys/ml/dotya/";
update-policy {
grant ddns-key zonesub ANY;
};
allow-transfer {
// Current Server IP
144.91.70.62;
};
allow-update { 144.91.70.62; };
inline-signing yes;
dnssec-dnskey-kskonly yes;
# expiration time 21d, refresh period 16d
sig-validity-interval 21 16;
auto-dnssec maintain;
serial-update-method unixtime;
};
zone "COM" { type delegation-only; };
zone "NET" { type delegation-only; };
zone "." IN {
type hint;
file "named.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};