Configures the name daemon bind to run as an authoritative server, with an option for a recursive server configurable in named.conf as `recursive`. Helper functions are submitted in the bin/binder files. Signed-off-by: Jacob Hrbek <kreyren@rixotstudio.cz>
# Comment
// Comment
/* Comment */
# Relevant Administrator Reference Manual (ARM): https://downloads.isc.org/isc/bind9/9.16.8/doc/arm/Bv9ARM.pdf
# FIXME-DOCS(Krey): Provide best practices reference
# NOTE(Krey): The key has to be included in named.conf
# NOTE(review): presumably defines the "rndc-key" that the controls block refers to.
# It holds a shared secret, so it should be readable by the named user only — confirm the file mode.
include "/etc/bind/secret.rndc-key";
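options {
	// Working directory: the relative paths in this file (statistics files,
	// "named.cache", pri/*) resolve against it
	directory "/var/named/bind";

	// Path configuration
	// NOTE(review): dump-file is the only path given absolute at the filesystem
	// root while the sibling statistics paths are relative to `directory`;
	// confirm named can write there, or make it relative like the others.
	dump-file "/bind_dump.db"; // _PATH_DUMPFILE
	// Declared once: a second pid-file in the same block is a redefinition
	// that named-checkconf rejects
	pid-file "/run/named/bind.pid"; // _PATH_PIDFILE
	statistics-file "bind.stats"; // _PATH_STATS
	memstatistics-file "bind.memstats"; // _PATH_MEMSTATS

	// Entropy source
	// NOTE(review): reportedly ignored by current BIND 9 releases — check the
	// referenced ARM before relying on it
	random-device "/dev/random";

	// uncomment the following lines to turn on DNS forwarding,
	// and change the forwarding ip address(es) :
	//forward first;
	//forwarders {
	//	123.123.123.123;
	//	123.123.123.123;
	//};

	# NOTE(Krey): Open port 53 reserved for name daemon
	listen-on port 53 { any; };

	# NOTE(Krey): Close IPv6 ports as current dotya.ml doesn't have IPv6
	listen-on-v6 { none; };

	# NOTE(review): no global allow-transfer is set, so zones without their own
	# (localhost, 127.in-addr.arpa below) use BIND's default — verify in the
	# referenced ARM what that default is and consider `allow-transfer { none; };`
	# here as the baseline, with per-zone overrides where transfers are wanted.

	# NOTE(Krey): Set this to allow only specific hosts to query the server.
	# With `recursion no` below this limits authoritative answers as well; for a
	# recursive setup, limit recursion with allow-recursion instead.
	//allow-query {
	//	127.0.0.1;
	//};

	// Cache configuration — numbers are unquoted, as in the zone-level
	// sig-validity-interval further down; quoted "60" is not a number to the parser
	min-cache-ttl 60;
	max-cache-ttl 600;

	# NOTE(Krey): Disable recursion server as it's not needed
	recursion no;

	// if you have problems and are behind a firewall:
	//query-source address * port 53;

	// DNSSEC validation — keyword, unquoted (same form as the zone-level
	// `auto-dnssec maintain;` below; the quoted form is rejected by the parser)
	dnssec-validation auto;

	// Automatically sign zones
	auto-dnssec maintain;
};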
// rndc control channel: loopback only, authenticated with the included rndc-key
controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
logging {
	// One rotating file channel (3 generations of 2 MB) at info level
	channel named_log {
		file "/var/log/named/bind.log" versions 3 size 2m;
		severity info;
		print-time yes;
		print-category yes;
		print-severity yes;
	};

	// Everything goes to that channel, except the noisy lame-servers category
	category default { named_log; };
	category lame-servers { null; };
};
// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info
zone "dotya.ml" {
|
|
type master;
|
|
file "/etc/bind/zonefiles/ml/dotya/master.zonefile.signed";
|
|
key-directory "/var/cache/named/bind/keys/ml/dotya/";
|
|
update-policy {
|
|
grant ddns-key zonesub ANY;
|
|
};
|
|
allow-transfer {
|
|
// Current Server IP
|
|
144.91.70.62;
|
|
};
|
|
allow-update { 144.91.70.62; };
|
|
inline-signing yes;
|
|
dnssec-dnskey-kskonly yes;
|
|
# expiration time 21d, refresh period 16d
|
|
sig-validity-interval 21 16;
|
|
auto-dnssec maintain;
|
|
serial-update-method unixtime;
|
|
};
zone "COM" { type delegation-only; };
|
|
zone "NET" { type delegation-only; };
zone "." IN {
|
|
type hint;
|
|
file "named.cache";
|
|
};
zone "localhost" IN {
|
|
type master;
|
|
file "pri/localhost.zone";
|
|
allow-update { none; };
|
|
notify no;
|
|
};
zone "127.in-addr.arpa" IN {
|
|
type master;
|
|
file "pri/127.zone";
|
|
allow-update { none; };
|
|
notify no;
|
|
}; |