--- /dev/null
+cf
+Makefile
+named.conf
+bin/shell-env
+dss
+hash
+keys
+khash
+ver
+zone
+Version 5.0 [2019-01-30]
+
+ Added support for DNSSEC. See section 8 of README.
+
+ It turned out that configurability of directory names (e.g., HASHDIR)
+ was incomplete and it made all scripts unnecessarily complicated.
+ We replaced the configuration variables by hard-coded names equal
+ to the previous default settings which hopefully nobody ever needed
+ to change.
+
+ Also, ROOTHINT() became obsolete as BIND packages now regularly come
+ with a well updated root hint file. Please set up the root hints in
+ the master bind configuration file before you include named.conf
+ generated by NSC.
+
Version 4.0 [2011-10-22]
This version brings several incompatible changes with a common
Blackhole zones in example cf/domains updated to use this macro.
o When contents of a zone do not change, the version number is
not incremented. Unfortunately, BIND tends to produce a warning
- in such cases, and it be turned off.
+ in such cases, and it cannot be turned off.
Version 3.1 [2008-05-21]
- Domain Name Server Configuration Utilities -- NSC 4.0
+ Domain Name Server Configuration Utilities -- NSC 5.0
- (c) 1997--2011 Martin Mares <mj@ucw.cz>
+ (c) 1997--2019 Martin Mares <mj@ucw.cz>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------------
-WARNING: There were several incompatible changes between versions 3.1 and 4.0.
+-----------------------------------------------------------------------
+WARNING: There were several incompatible changes between major versions
See NEWS for the summary of changes.
-------------------------------------------------------------------------------------
+-----------------------------------------------------------------------
NSC is a set of shell and M4 scripts for easy maintenance of DNS zone files
for all your hosts, handling of classless reverse delegations and support for IPv6
(AAAA and PTR in ip6.arpa, not A6 and DNAME which seem to be dying out).
- NSC requires GNU m4, a POSIX-compatible shell and the `md5sum' utility (which
-is present for examile in GNU coreutils). Some of the extra utilities require
-Perl 5. I've tested everything on Linux (Debian Squeeze), but the whole package
-should run on other unices as well.
+ NSC requires GNU m4, GNU Bash, the `md5sum' and `sha1sum' utilities (which
+are present for example in GNU coreutils), and utilities distributed with BIND.
+Some of the extra utilities require Perl 5. I've tested everything on Linux
+(Debian Stretch), but the whole package should run on other unices as well.
The whole package can be used and distributed according to the terms of the
-GNU General Public License. See file COPYING in any of the GNU utility archives
-(you should have one as you are expected to have at least GNU M4 ;-)).
+GNU General Public License, version 2 or higher. See file COPYING in any of the
+GNU utility archives (you should have one as you are expected to have at least
+GNU M4 ;-)).
0. Quick Howto for the Impatient
added or removed domains or changed options which affect named.conf,
re-run bin/nsconfig before make.
- An interesting companion to this package is the DNS Sleuth -- a DNS zone
+An interesting companion to this package is the DNS Sleuth -- a DNS zone
consistency checker. It's a simple utility written in Perl with help of the
DNS module and it should be able to detect all common errors in DNS setup
(I have written it after much disappointment with the other checkers).
The Sleuth is available online on http://atrey.karlin.mff.cuni.cz/~mj/sleuth/,
-follow the links to download the source.
+follow the links to download the source. However, I haven't updated Sleuth
+for a long time, so it does not know about DNSSEC yet.
1. Directory structure
m4/ - M4 scripts (used by the commands)
zone/ - primary zone files
bak/ - backups of zones we serve as a secondary NS for
- hash/ - hashes of zone files used for detection of changes
ver/ - version files where NSC remembers version
numbers of the primary zones
+ tmp/ - temporary files
+ hash/ - hashes of zone files used for detection of changes
+ dss/<domain> - DNSSEC DS records
+ keys/<domain>/ - DNSSEC keys
+ khash/ - hashes of DNSSEC keys used for detection of changes
How are different files created:
- You create everything in cf/.
- Then you run bin/nsconfig.
+ - If you want to use DNSSEC, create keys (see section 8)
- Makefile and named.conf gets created according to cf/domains.
- You run make.
- The Makefile creates primary zone files in zone/ and version files
You can also use the REV macro explicitly, which can be handy
for example in SECONDARY declarations.
-ROOTHINT()
- Insert a definition of hints for reaching root servers into named.conf.
- This is necessary if you want your DNS server to resolve foreign
- domains; otherwise, it will only give out authoritative answers
- for locally defined zones and forward queries. The location of the
- file with the hints can be set by the ROOTCACHE directive (see below).
-
FORWARDED(zone, ip...)
Define a forwarding zone. All queries are forwarded to the
specified name servers.
MAKEFILE(...)
Insert user data to Makefile.
+DNSSEC(`declarations...')
+ Request DNSSEC signing for all zones declared within the block.
+
+DSFOR(zone)
+ Declare dependency of the previous PRIMARY/REVERSE domain on DS
+ records for the given zone configured in dss/*.
+
3. The Domain Files
~~~~~~~~~~~~~~~~~~~
ADDR(addr...)
Specify addresses for the current host. In the normal mode, it
- creates A records, in the reverse mode, PTR records.
+ creates A/AAAA records, in the reverse mode, PTR records.
H(host, addr...)
A shortcut for H(host) ADDR(addr...) -- in many cases everything
Specify a list of name server names for the current domain
(started by either a SOA or D declaration). Generates NS records.
+DS()
+DS(dsset)
+ Include DS records for the current sub-domain. With no arguments,
+ they are loaded from dss/<sub-domain>. If the name of the sub-domain
+ does not match the name of the DSset (as it frequently happens with
+ reverse zones), you can specify the DSset name explicitly.
+
MX(mx...)
Specify a list of mail exchangers for the current host or domain.
Each mail exchanger should be preceded by a priority. Generates
The following variables are available:
NAMED_RESTART_CMD Shell command for restarting the name server daemon
- (default: ndc restart)
+ (default: rndc reload)
-ROOT Root directory of the whole package (default: /etc/named)
CFDIR Directory with config files (default: cf)
-ZONEDIR Directory with zone files (default: zone)
-BAKDIR Directory with backup files (default: bak)
-HASHDIR Directory with zone hashes (default: hash)
-VERSDIR Directory with version files (default: var)
-ROOTCACHE File with the cache of root name servers
REFRESH SOA record parameters
RETRY
NSNAME Origin server (default: hostname of your machine)
MAINTNAME Domain maintainer name (default: root@NSNAME)
+KEYGEN_OPTIONS Extra options given to dnssec-keygen
+ (by default, it selects key type and key size).
+SIGNZONE_OPTIONS Extra options given to dnssec-signzone
+ (by default, it specifies signature validity of 365 days).
+DSFROMKEY_OPTIONS Extra options given to dnssec-dsfromkey
+ (by default, there are none).
+
For the timing parameters, the following shortcuts are available:
HOURS(n) Convert hours to seconds
is not supported. All other syntaxes and quirks hopefully are.
-8. Interaction with M4
+8. DNSSEC support
+~~~~~~~~~~~~~~~~~
+NSC knows the basics of DNSSEC. It does not handle key management (you need to
+schedule generation and retirement of your keys by other means), but once the
+keys are in place, it uses them for signing zones.
+
+=== Key management ===
+
+Keys live in keys/<zone>/*.(key|private) and they are stored in the usual BIND
+format. To generate a zone-signing key, you can use the following command after
+writing at least rudimentary cf/<zone>:
+
+ bin/key-gen <zone>
+
+If you want a key-signing key, use:
+
+ bin/key-gen <zone> -f KSK
+
+(Generally, you can add arbitrary arguments for BIND's dnssec-keygen. Default
+keygen options can be set in cf/config, see section 4.)
+
+To detect key changes, NSC keeps a hash of all keys for each domain.
+If you edit the keys manually (e.g., to delete a key), you need to recalculate
+the hash by:
+
+ bin/key-update <zone>
+
+(or without a zone to update all hashes).
+
+=== Domain signing ===
+
+All domains whose declarations in cf/domains are wrapped by DNSSEC(`...')
+are automatically signed using all set up keys. If you specify key validity
+period when generating the key, it is respected, but the domains are not
+re-signed automatically when a key becomes valid / ceases to be. If you
+want to modify dnssec-signzone arguments, you can do so in cf/config.
+
+Beware that all signatures have a limited lifetime (even if the keys do not
+expire). The default lifetime is 365 days, so you need to re-sign your zones
+at least once in a year. The recommended solution is to set up a cron job,
+which touches keys/resign-stamp. A change of timestamp of this file forces
+a re-sign on the next run of make.
+
+=== Subdomains ===
+
+If you want to delegate a signed sub-domain, you need to include DS records
+in the parent zone. Add a DS() macro after declaration of the sub-domain
+in the parent. It loads DS records from dss/<child>.
+
+If the sub-domain is also maintained by NSC, you can generate the DS record
+set automatically by:
+
+ bin/key-delegate <zone>
+
+=== Reverse zones ===
+
+Unlike primary/secondary zones, reverse zones have file names which differ
+from the full domain name. In such cases, keys are named after the file name
+and NSC constructs the full name whenever necessary.
+
+There is one exception where automatic construction is not available:
+delegation of sub-domain keys. In such cases, you need to pass the file
+name of the sub-zone to the DS macro.
+
+
+9. Interaction with M4
~~~~~~~~~~~~~~~~~~~~~~
All config files are fully-fledged M4 scripts, so you can use any M4 features
you need, the most helpful one being definition of your own macros by
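Review bot: In the "Domain signing" part of the new section 8, the cron recommendation only says to touch keys/resign-stamp, while the following sentence says the re-sign happens on the next run of make. A cron job written from that text alone never refreshes the signatures, and the zone stops validating once the 365-day default lifetime runs out. Please state that the job has to touch the stamp and then run make, and recommend an interval comfortably shorter than the signature validity set in SIGNZONE_OPTIONS.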
freebsd: don't use `-f' in hostname
+
+- Update or delete nsc.lsm
+- do we still need root.cache?
--- /dev/null
+#!/bin/bash
+# NSC -- Zone file generator
+# (c) 1997--2019 Martin Mares <mj@ucw.cz>
+
+set -e
+. bin/shell-env
+
+if [ $# -lt 2 ] ; then
+ echo >&2 "Usage: $0 <domain> <source files>"
+ exit 1
+fi
+Z=$1
+shift
+
+CURRENT_HASH=$($M4 -DHASHING m4/nsc.m4 "$@" | md5sum | cut -d " " -f1)
+if [ -f khash/$Z ] ; then
+ CURRENT_HASH=$CURRENT_HASH:$(cat khash/$Z)
+ if [ -f keys/resign-stamp ] ; then
+ CURRENT_HASH=$CURRENT_HASH:$(stat -c '%Y' keys/resign-stamp)
+ fi
+fi
+
+PREV_HASH=$(if [ -s hash/$Z ] ; then cat hash/$Z ; fi)
+if [ "X$CURRENT_HASH" = "X$PREV_HASH" ] ; then
+ echo "-- $Z: No changes"
+ touch zone/$Z hash/$Z
+else
+ $M4 -DVERS=ver/$Z m4/nsc.m4 "$@" >zone/$Z.new
+ NEWVER="$(sed -e "s/^;;; VERSION: //; t; d" zone/$Z.new)"
+ if [ -f khash/$Z ] ; then
+ ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2)
+ if [ -z "$ORIGIN" ] ; then
+ echo >&2 "FATAL: Cannot establish zone origin for $Z"
+ exit 1
+ fi
+ if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $ORIGIN -S -3 - zone/$Z.new &>zone/$Z.tmp ; then
+ cat zone/$Z.tmp
+ echo >&2 "FATAL: Cannot sign $Z"
+ exit 1
+ fi
+ rm -f zone/$Z.tmp
+ rm -f tmp/dsset-*
+ mv zone/$Z.signed zone/$Z
+ SIGNED=" (signed)"
+ else
+ mv zone/$Z.new zone/$Z
+ SIGNED=
+ fi
+ echo "** $Z: New version $NEWVER$SIGNED"
+ echo $CURRENT_HASH >hash/$Z
+fi
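Review bot: The ORIGIN lookup in the signing branch (grep '\$ORIGIN' ... | cut -d' ' -f2) returns every line that contains the string, so a zone with a second $ORIGIN directive, or the text inside a comment or TXT record, yields a multi-line value that is then word-split into extra arguments at the unquoted "-o $ORIGIN". Anchor the match at the start of the line, take only the first hit, and quote the variable. Two smaller points in the same branch: zone/$Z.new is never removed after a successful sign, so an unsigned copy of the zone stays in zone/, and on failure the dnssec-signzone output is printed with "cat zone/$Z.tmp" to stdout while the FATAL line goes to stderr.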
--- /dev/null
+#!/bin/bash
+# NSC -- DNSSEC key delegation
+# (c) 2019 Martin Mares <mj@ucw.cz>
+
+set -e
+shopt -s nullglob
+. bin/shell-env
+
+if [ $# -ne 1 ] ; then
+ echo >&2 "Usage: $0 <zone>"
+ exit 1
+fi
+Z=$1
+
+>dss/$Z.new
+for K in keys/$Z/*.key ; do
+ B=$(basename $K .key)
+ if grep -q '; This is a key-signing key,' $K ; then
+ echo "** $B: Adding"
+ dnssec-dsfromkey $DSFROMKEY_OPTIONS $K >>dss/$Z.new
+ else
+ echo "-- $B: Not a KSK"
+ fi
+done
+mv dss/$Z.new dss/$Z
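Review bot: The final "mv dss/$Z.new dss/$Z" runs even when the loop matched no KSK (nullglob makes a missing or empty keys/$Z a silent no-op), so a mistyped zone name or a key directory holding only ZSKs replaces an existing DS set with an empty file, and the parent zone drops the delegation's DS records on the next make. Check that dss/$Z.new is non-empty before the move and exit with an error otherwise. Detecting a KSK by the comment text "; This is a key-signing key," also ties the script to the wording dnssec-keygen writes into the file; testing the flags field of the DNSKEY record would be less fragile.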
--- /dev/null
+#!/bin/sh
+# NSC -- DNSSEC key generator
+# (c) 2019 Martin Mares <mj@ucw.cz>
+
+set -e
+. bin/shell-env
+
+if [ -z "$1" ] ; then
+ echo >&2 "Usage: $0 <config> [<extra-keygen-params>]"
+ exit 1
+fi
+C="$1"
+shift
+
+if [ ! -f $CFDIR/$C ] ; then
+ echo >&2 "$CFDIR/$C: No such configuration file"
+ exit 1
+fi
+
+Z=$($M4 m4/mkname.m4 $CFDIR/$C)
+echo "Zone name: $Z"
+
+mkdir -p keys/$C
+dnssec-keygen $KEYGEN_OPTIONS -K keys/$C "$@" $Z
+bin/key-update $C
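Review bot: The result of "$M4 m4/mkname.m4 $CFDIR/$C" is used without a check, so a config file that has no SOA yet leaves Z empty, "mkdir -p keys/$C" still creates the directory, and dnssec-keygen is then started without a zone name. Test that Z is non-empty before the mkdir and fail with a clear message. The usage string also says <config> where the README says <zone>; for reverse zones these differ, so it is worth using one term and explaining it.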
--- /dev/null
+#!/bin/bash
+# NSC -- DNSSEC key hash updater
+# (c) 2019 Martin Mares <mj@ucw.cz>
+
+set -e
+shopt -s nullglob
+. bin/shell-env
+
+if [ $# -gt 1 ] ; then
+ echo >&2 "Usage: $0 [<zone>]"
+ exit 1
+fi
+
+update ()
+{
+ local D=$1
+ local K=keys/$D
+ local H=khash/$D
+ cat /dev/null $K/*.key | sha1sum | cut -f1 -d' ' >$H.new
+ if [ ! -f $H ] || ! cmp -s $H $H.new ; then
+ echo "** $D: New key hash"
+ mv $H.new $H
+ else
+ echo "-- $D: No change"
+ rm $H.new
+ fi
+}
+
+if [ -z "$1" ] ; then
+ for DD in keys/* ; do
+ if [ -d "$DD" ] ; then
+ update $(basename $DD)
+ fi
+ done
+ for H in khash/* ; do
+ B=$(basename $H)
+ if [ ! -d keys/$B ] ; then
+ echo "## $B: Deleted obsolete hash"
+ rm $H
+ fi
+ done
+else
+ update $1
+fi
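Review bot: update() does not check that keys/$D exists, so "bin/key-update <zone>" with a mistyped or key-less zone writes the hash of empty input to khash/$D. Since bin/genzone decides whether to sign by testing for khash/$Z, that zone is then sent to dnssec-signzone with no keys. Return an error from update() when keys/$D is not a directory or contains no *.key file. The hash also covers only the *.key files, so a change limited to a *.private file is not detected; a line in the README would help if that is intended.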
#!/bin/sh
# NSC -- Makefile & Config file build script
-# (c) 1997--2008 Martin Mares <mj@ucw.cz>
+# (c) 1997--2019 Martin Mares <mj@ucw.cz>
set -e
exit 1
fi
-mkdir -p zone bak hash ver
+mkdir -p zone bak hash ver keys khash dss tmp
$M4 m4/mkconf.m4 $DOMAINS >named.conf
$M4 m4/mkmf.m4 $DOMAINS >Makefile
-$M4 -DM4=$M4 m4/mkgenzone.m4 >bin/genzone
-chmod +x bin/genzone
+$M4 -DM4=$M4 m4/mkshell-env.m4 >bin/shell-env
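Review bot: The extended "mkdir -p zone bak hash ver keys khash dss tmp" creates keys/ with whatever umask the caller has, although the README places the private key files in keys/<zone>/*.private. Create keys separately with a restrictive mode (for example mkdir -m 700) so the key tree is not left world-readable by default. Also note that bin/genzone is no longer generated or chmod-ed here, so the checked-in bin/genzone, bin/key-gen, bin/key-update and bin/key-delegate must carry the executable bit in the repository.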
H(jabberwock, jabb)
H(this-one-is-classless-reverse-delegated, 10.3.0.65)
-
-undefine(`dnl')
-H(dnl, jabb)
; An example domain table for the NSC
-; Hints how to find root servers
-ROOTHINT()
+; If you do not want to use DNSSEC, please remove the lines
+; commented with "; DNSSEC".
; Various mandatory things required by RFC 1912, section 4.1
PRIMARY(localhost)
; A pretty normal example domain (we act as a primary nameserver for it)
+DNSSEC(` ; DNSSEC
PRIMARY(example.com)
+DSFOR(a.example.com) ; DNSSEC
+') ; DNSSEC
; It also has a couple of sub-domains and one of them resides on another server
; Here are reverse delegations for two networks. NSC automatically creates
; the PTR records from A records in all mentioned zones. See cf/{0,1}.0.10.
+DNSSEC(` ; DNSSEC
REVERSE(10.0.0, example.com, a.example.com)
REVERSE(10.1.0, example.com, a.example.com, ip6.example.com)
+') ; DNSSEC
; You can even have reverse zones for larger networks
TXT(Once upon a midnight dreary)
TXT(When I pondered weak and weary)
-; A subdomain called a.example.com
+; A subdomain called a.example.com with DNSSEC keys
D(a)
NS(ns1.example.com, ns2.example.com)
+DS()
; Another subdomain (b.example.com), but this time one of the nameservers
; is inside, so we need to specify a glue record
dnl ###
dnl ### NSC -- Library Functions For DNS Processing
-dnl ### (c) 1997--2011 Martin Mares <mj@ucw.cz>
+dnl ### (c) 1997--2019 Martin Mares <mj@ucw.cz>
dnl ###
divert(-1)
# NSC version
-define(`NSCVER', `NSC 3.1')
+define(`NSCVER', `NSC 5.0')
# Current date and time
define(REV, `nsc_if_v6($1,`nsc_revblock6($1).ip6.arpa',`nsc_revaddr($1).in-addr.arpa')')
+# DNSSEC wrapper
+
+define(`USE_DNSSEC')
+define(`DNSSEC', `define(`USE_DNSSEC',1)$1define(`USE_DNSSEC')')
+
# A for loop macro from m4 doc
define(`nsc_forloop',
# Default values of parameters
-define(`NAMED_RESTART_CMD', `ndc reload')
+define(`NAMED_RESTART_CMD', `rndc reload')
-define(`ROOT', `/etc/named')
define(`CFDIR', `cf')
-define(`ZONEDIR', `zone')
-define(`BAKDIR', `bak')
define(`VERSDIR', `ver')
-define(`HASHDIR', `hash')
-define(`ROOTCACHE', `root.cache')
define(`REFRESH', HOURS(8))
define(`RETRY', HOURS(2))
',`'))
define(`MAINTNAME', `root'.`nsc_corr_dot(NSNAME)')
+define(`KEYGEN_OPTIONS', `-a RSASHA256 -b 1024')
+define(`SIGNZONE_OPTIONS', `-e +'DAYS(365))
+define(`DSFROMKEY_OPTIONS', `')
+
# And finally we change comments to semicolons to be compatible with the zone files
changecom(;)
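Review bot: The KEYGEN_OPTIONS default of "-a RSASHA256 -b 1024" gives 1024-bit RSA for every key, and bin/key-gen passes the same defaults when called with "-f KSK", so key-signing keys also come out at 1024 bits unless the caller overrides -b. That is below what is normally accepted for long-lived DNSSEC keys. Please raise the default to at least 2048 bits or switch to an elliptic-curve algorithm such as ECDSAP256SHA256, and mention in the README that the default applies to KSKs as well.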
define(`DO_PRIMARY', `divert(0)zone "$1" in {
type master;
- file "ZONEDIR/nsc_file_name($2)";
+ file "zone/nsc_file_name($2)";
ZZ_OPTIONS()dnl
};
define(`SECONDARY', `divert(0)zone "$1" in {
type slave;
- file "BAKDIR/nsc_file_name($1)";
+ file "bak/nsc_file_name($1)";
masters { $2; };
ZZ_OPTIONS()dnl
};
divert(-1)')
-# Root hint zone
-
-define(`ROOTHINT', `divert(0)zone "." in {
- type hint;
- file "ROOTCACHE";
-};
-
-divert(-1)')
-
# Manual insertion of config file material
define(`CONFIG', `divert(0)$1
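Review bot: With the ROOTHINT definition deleted outright, an existing cf/domains that still calls ROOTHINT() gets no diagnostic from these lines, and the resulting named.conf simply has no hint zone unless the admin has read NEWS. Keep a stub ROOTHINT that prints a message to stderr saying the macro is obsolete and the hints belong in the main BIND configuration. The hard-coded "zone/" and "bak/" paths are relative, so the README should also say that the including configuration must set the directory option to the NSC root now that ROOT is gone.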
+++ /dev/null
-dnl ###
-dnl ### NSC -- Zone Generating Script Builder
-dnl ### (c) 2011 Martin Mares <mj@ucw.cz>
-dnl ###
-include(m4/dnslib.m4)
-changecom(REM)
-divert(0)dnl
-#!/bin/sh
-# Please do not modify this script, it is automatically generated by m4/mkgenzone.m4
-
-set -e
-Z=`$'1
-shift
-mkdir -p HASHDIR
-CURRENT_HASH=$(M4 -DHASHING m4/nsc.m4 "$@" | md5sum | cut -d " " -f1)
-PREV_HASH=$(if [ -s HASHDIR/$Z ] ; then cat HASHDIR/$Z ; fi)
-if [ "X$CURRENT_HASH" = "X$PREV_HASH" ] ; then
- echo "-- $Z: No changes"
- touch ZONEDIR/$Z HASHDIR/$Z
-else
- M4 -DVERS=VERSDIR/$Z m4/nsc.m4 "$@" >ZONEDIR/$Z.new
- mv ZONEDIR/$Z.new ZONEDIR/$Z
- echo "** $Z: New version $(sed -e "s/^;;; VERSION: //; t; d" ZONEDIR/$Z)"
- echo $CURRENT_HASH >HASHDIR/$Z
-fi
dnl ###
dnl ### NSC -- Makefile Builder
-dnl ### (c) 1997--2011 Martin Mares <mj@ucw.cz>
+dnl ### (c) 1997--2019 Martin Mares <mj@ucw.cz>
dnl ###
include(m4/dnslib.m4)
define(`nsc_prepend_cf_one', ` 'CFDIR/`nsc_file_name($1)')
define(`nsc_prepend_cf_multi', `nsc_iterate(`nsc_prepend_cf_one', $@)')
-define(`PRIMARY', `divert(0)ZONEDIR/nsc_file_name($1):nsc_prepend_cf_multi($@) $(DDEPS)
+define(`nsc_key_dep', `ifelse(USE_DNSSEC,,,` 'khash/$1 keys/resign-stamp)')
+define(`PRIMARY', `define(`CURRENT_TARGET',zone/nsc_file_name($1))
+divert(0)CURRENT_TARGET:nsc_prepend_cf_multi($@)nsc_key_dep($1) $(DDEPS)
@bin/genzone nsc_file_name($1)`'nsc_prepend_cf_multi($@)
divert(-1)
-define(`PRIMARIES', PRIMARIES ZONEDIR/nsc_file_name($1))
+define(`PRIMARIES', PRIMARIES zone/nsc_file_name($1))
')
define(`REVERSE', `PRIMARY(nsc_if_v6($1,`nsc_revblock6($1)',`nsc_revaddr($1)'), shift($@))')
define(`BLACKHOLE', `define(`NEED_BLACKHOLE', 1)')
+define(`DSFOR', `divert(0)CURRENT_TARGET: dss/$1
+
+divert(-1)')
+
# Insertion of raw makefile material
define(`MAKEFILE', `divert(0)$1
ifdef(`NEED_BLACKHOLE', `PRIMARY(blackhole)')
divert(0)dnl
-VERSDIR/.version: CFDIR/domains ROOTCACHE`'PRIMARIES`'ifdef(`NEED_BLACKHOLE',` ZONEDIR/blackhole')
+ver/.version: CFDIR/domains`'PRIMARIES`'ifdef(`NEED_BLACKHOLE',` zone/blackhole')
NAMED_RESTART_CMD
- touch VERSDIR/.version
+ touch ver/.version
+
+keys/resign-stamp:
+ touch `$'@
clean:
- find BAKDIR ZONEDIR HASHDIR -maxdepth 1 -type f | xargs rm -f
+ find bak zone hash tmp -maxdepth 1 -type f | xargs rm -f
clobber: clean
- rm -f Makefile named.conf bin/genzone
+ rm -f Makefile named.conf bin/shell-env
distclean: clobber
- find VERSDIR -maxdepth 1 -type f | xargs rm -f
+ find ver -maxdepth 1 -type f | xargs rm -f
')
divert(0)dnl
DDEPS=m4/nsc.m4 m4/dnslib.m4 cf/config
-all: VERSDIR/.version
+all: ver/.version
m4wrap(`nsc_cleanup')
divert(-1)
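Review bot: In PRIMARY the target is built from nsc_file_name($1) but the new prerequisite is written as nsc_key_dep($1), which expands to khash/$1 with the raw name. bin/genzone and bin/key-update both work with the file name (khash/$Z), so the two paths disagree whenever nsc_file_name changes the name; pass nsc_file_name($1) to nsc_key_dep. There is also no rule for khash/* or for the dss/$1 prerequisite added by DSFOR, so a zone wrapped in DNSSEC() before bin/key-gen or bin/key-delegate has been run stops make with a bare "No rule to make target" error; a pattern rule that prints which command to run would make that failure understandable.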
--- /dev/null
+dnl ###
+dnl ### NSC -- Zone Name Generator
+dnl ### (c) 2019 Martin Mares <mj@ucw.cz>
+dnl ###
+dnl ### Usage: m4 mkname.m4 domain-source-files >zone-name
+dnl ###
+include(m4/dnslib.m4)
+
+define(`SOA', `ifdef(`CURRENT_DOMAIN',,`define(`CURRENT_DOMAIN',$1)divert(0)$1
+divert(-1)')')
--- /dev/null
+dnl ###
+dnl ### NSC -- Shell Environment Builder
+dnl ### (c) 2019 Martin Mares <mj@ucw.cz>
+dnl ###
+include(m4/dnslib.m4)
+divert(0)dnl
+`CFDIR'=CFDIR
+`M4'=M4
+`KEYGEN_OPTIONS'="KEYGEN_OPTIONS"
+`SIGNZONE_OPTIONS'="SIGNZONE_OPTIONS"
+`DSFROMKEY_OPTIONS'="DSFROMKEY_OPTIONS"
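Review bot: The three option values are pasted between double quotes and CFDIR and M4 are pasted with no quotes at all, and every script sources the result with ". bin/shell-env". Any double quote, dollar sign or backquote in an option set in cf/config is therefore interpreted by the shell, and a CFDIR or M4 path containing a space breaks the assignment. Either escape the values when generating the file or document that these settings must not contain shell metacharacters. A generated-file comment at the top, like the one the old bin/genzone carried, would also help.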
define(nsc_set_name, `define(`CURRENT_NAME', nsc_corr_dot($1))define(`PRINT_NAME', CURRENT_NAME)')
define(nsc_emit_name, `ifdef(`PRINT_NAME', `PRINT_NAME`'undefine(`PRINT_NAME')', `')')
define(nsc_abs_name, `ifelse(CURRENT_NAME, translit(CURRENT_NAME,.,:), CURRENT_NAME.CURRENT_DOMAIN, CURRENT_NAME)')
+define(nsc_abs_name_nodot, `define(`nsc_tmp', nsc_abs_name)substr(nsc_tmp,0,decr(len(nsc_tmp)))')
# SOA record
define(PTR, `$1 `PTR' nsc_corr_dot($2)')
+# DS records (DNSSEC keys for subdomains)
+
+define(DS, `ifdef(`REVERSE_MODE',,`nsc_DS')')
+define(nsc_DS, `undivert(dss/nsc_abs_name_nodot)')
+
# Shortcut for classless reverse delegation of a block
define(REVBLOCK, `nsc_forloop(`i', $2, $3, `i' `CNAME' `i'.$1
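Review bot: DS is defined with a body that never refers to $1 and expands to a bare nsc_DS, and nsc_DS always reads dss/nsc_abs_name_nodot, so the DS(dsset) form that the README documents for reverse zones is accepted but its argument is ignored as far as these lines show. Pass the argument through and use it when it is non-empty, falling back to nsc_abs_name_nodot otherwise. It is also worth deciding what should happen when the dss file does not exist, since undivert of a missing file would otherwise leave the delegation without DS records.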
+++ /dev/null
-; This file holds the information on root name servers needed to
-; initialize cache of Internet domain name servers
-; (e.g. reference this file in the "cache . <file>"
-; configuration file of BIND domain name servers).
-;
-; This file is made available by InterNIC
-; under anonymous FTP as
-; file /domain/named.cache
-; on server FTP.INTERNIC.NET
-; -OR- RS.INTERNIC.NET
-;
-; last update: Jun 17, 2010
-; related version of root zone: 2010061700
-;
-; formerly NS.INTERNIC.NET
-;
-. 3600000 IN NS A.ROOT-SERVERS.NET.
-A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
-A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
-;
-; FORMERLY NS1.ISI.EDU
-;
-. 3600000 NS B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
-;
-; FORMERLY C.PSI.NET
-;
-. 3600000 NS C.ROOT-SERVERS.NET.
-C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
-;
-; FORMERLY TERP.UMD.EDU
-;
-. 3600000 NS D.ROOT-SERVERS.NET.
-D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
-;
-; FORMERLY NS.NASA.GOV
-;
-. 3600000 NS E.ROOT-SERVERS.NET.
-E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
-;
-; FORMERLY NS.ISC.ORG
-;
-. 3600000 NS F.ROOT-SERVERS.NET.
-F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
-F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
-;
-; FORMERLY NS.NIC.DDN.MIL
-;
-. 3600000 NS G.ROOT-SERVERS.NET.
-G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
-;
-; FORMERLY AOS.ARL.ARMY.MIL
-;
-. 3600000 NS H.ROOT-SERVERS.NET.
-H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
-H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
-;
-; FORMERLY NIC.NORDU.NET
-;
-. 3600000 NS I.ROOT-SERVERS.NET.
-I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
-I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
-;
-; OPERATED BY VERISIGN, INC.
-;
-. 3600000 NS J.ROOT-SERVERS.NET.
-J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
-J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
-;
-; OPERATED BY RIPE NCC
-;
-. 3600000 NS K.ROOT-SERVERS.NET.
-K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
-K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
-;
-; OPERATED BY ICANN
-;
-. 3600000 NS L.ROOT-SERVERS.NET.
-L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
-L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
-;
-; OPERATED BY WIDE
-;
-. 3600000 NS M.ROOT-SERVERS.NET.
-M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
-M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
-; End of File