init

.gitignore

@@ -0,0 +1,5 @@
+keys
+slaves
+*.key
+*.keys
+*.private

README.md

@@ -0,0 +1,21 @@
+# envs.net | DNS - bind9 config files
+
+This is the envs.net DNS-Server.
+
+## NS list
+| Name | Address | Location | Type |
+| --- | --- | --- | --- |
+| envs.net			 | 89.163.145.170			| Düsseldorf	| master |
+| | | | |
+| ns1.tildeverse.net | 51.79.32.63				| Montréal		| slave	|
+| ns1.tildeverse.net | 2607:5300:60:823f::63	| Montréal		| slave	|
+| ns2.tildeverse.net | 167.114.154.31			| Montréal		| slave	|
+
+## master-zones:
+- envs.net
+- envs.sh
+- envs.tilde
+
+## slave server for:
+- tildeverse.org
+- tilde.team

db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

make_perms.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+PREFIX='/etc'
+BINDIR="$PREFIX/bind"
+
+chown root:bind "$BINDIR"/named.conf
+chown root:bind "$BINDIR"/named.conf.default-zones
+chown root:bind "$BINDIR"/named.conf.local
+chown root:bind "$BINDIR"/named.conf.forward
+chown root:bind "$BINDIR"/named.conf.slaves
+chown root:bind "$BINDIR"/named.conf.options
+
+chown bind:bind rndc.key
+chown bind:bind envs_msT.key tilde_msT.key letsencrypt_U.key
+chmod 400 envs_msT.key tilde_msT.key letsencrypt_U.key
+chmod 600 Kenvs_mst.* Ktilde_mst.* Kletsencrypt_u.*
+
+chown root:bind "$BINDIR"/slave_tilde
+
+test ! -d "$BINDIR"/keys && mkdir -p "$BINDIR"/keys
+test ! -d "$BINDIR"/zones && mkdir -p "$BINDIR"/zones
+test ! -d "$BINDIR"/slaves && mkdir -p "$BINDIR"/slaves
+chown -R bind:bind "$BINDIR"/zones "$BINDIR"/slaves
+chmod 755 "$BINDIR"/zones
+chmod 755 "$BINDIR"/slaves
+
+chown -R root:bind "$BINDIR"/keys
+chmod 755 "$BINDIR"/keys
+chmod 644 "$BINDIR"/keys/*.key
+chmod 640 "$BINDIR"/keys/*.private
+
+test ! -d /var/log/named && mkdir -p /var/log/named
+chown -R bind:root /var/log/named
+
+#
+exit 0

named.conf

@@ -0,0 +1,13 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.slaves";
+include "/etc/bind/named.conf.forward";
+include "/etc/bind/named.conf.default-zones";

named.conf.default-zones

@@ -0,0 +1,28 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/usr/share/dns/root.hints";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};

named.conf.forward

@@ -0,0 +1,9 @@
+//
+// Forward Zones
+
+
+zone "tilde." IN {
+	type forward;
+	forward only;
+	forwarders { 139.59.215.24; 149.56.184.112; };
+};

named.conf.local

@@ -0,0 +1,65 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+// ACL
+
+acl internals {
+	127.0.0.1;
+	192.168.1.0/24;
+};
+
+
+// KEY
+include "/etc/bind/envs_msT.key";
+include "/etc/bind/tilde_msT.key";
+
+include "/etc/bind/letsencrypt_U.key";
+
+
+// SERVER
+server 51.79.32.63 { keys { tilde_msT; }; };      // ns1.tildeverse.net
+//server 167.114.154.31 use "ownercheck"-record   // ns2.tildeverse.net
+
+server 139.59.215.24 { keys { envs_msT; }; };     // ns1.tildenic.org
+server 149.56.184.112 { keys { envs_msT; }; };    // ns2.tildenic.org
+
+
+// ZONES
+
+zone "envs.net" {
+	type master;
+	file "/etc/bind/zones/db.envs.net";
+	//auto-dnssec maintain;
+	//inline-signing yes;
+	notify explicit;
+	also-notify { 51.79.32.63; 167.114.154.31; };
+	allow-transfer { 127.0.0.1; 167.114.154.31; key tilde_msT; };
+	update-policy { grant letsencrypt_U name _acme-challenge.envs.net. txt; };
+};
+
+zone "envs.sh" {
+	type master;
+	file "/etc/bind/zones/db.envs.sh";
+	//auto-dnssec maintain;
+	//inline-signing yes;
+	notify explicit;
+	also-notify { 51.79.32.63; 167.114.154.31; };
+	allow-transfer { 127.0.0.1; 167.114.154.31; key tilde_msT; };
+	update-policy { grant letsencrypt_U name _acme-challenge.envs.sh. txt; };
+};
+
+zone "envs.tilde" {
+	type master;
+	file "/etc/bind/zones/db.envs.tilde";
+	//auto-dnssec maintain;
+	//inline-signing yes;
+	notify explicit;
+	also-notify { 51.79.32.63; 167.114.154.31; 139.59.215.24; 149.56.184.112; };
+	allow-transfer { 127.0.0.1; key envs_msT; key tilde_msT; };
+	update-policy { grant letsencrypt_U name _acme-challenge.envs.tilde. txt; };
+};

named.conf.options

@@ -0,0 +1,64 @@
+options {
+	directory "/var/cache/bind";
+
+	managed-keys-directory "/var/cache/bind";
+	dump-file 	"/var/cache/bind/cache_dump.db";
+	statistics-file "/var/cache/bind/bind_stats.txt";
+	memstatistics-file "/var/cache/bind/bind_mem_stats.txt";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable
+	// nameservers, you probably want to use them as forwarders.
+	// Uncomment the following block, and insert the addresses replacing
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	dnssec-enable yes;
+	dnssec-validation auto;
+
+	key-directory "/etc/bind/keys/";
+
+	// Do not make public version of BIND
+	version none;
+
+	auth-nxdomain no; # conform to RFC1035
+
+	recursive-clients 4096;
+
+//	edns-udp-size 4096;
+//	max-udp-size 512;
+
+	listen-on-v6 { none; };
+	listen-on { any; };
+
+
+	allow-transfer { none; };
+	allow-update { none; };
+
+	allow-query { any; };
+	allow-query-cache { internals; };
+	allow-recursion { internals; };
+};
+
+logging{
+	channel simple_log {
+		file "/var/log/named/bind.log" versions 3 size 5m;
+		severity warning;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+	category default{
+		simple_log;
+	};
+};

named.conf.slaves

@@ -0,0 +1,6 @@
+//
+// Slave Zones
+
+
+// Tilde Zones - ( [email protected] )
+include "/etc/bind/slave_tilde";