From: root Date: Wed, 30 Jan 2019 13:48:37 +0000 (+0100) Subject: Merge branch 'master' of git+ssh://git.ucw.cz/home/mj/GIT/nsc X-Git-Tag: v5.1~14 X-Git-Url: http://mj.ucw.cz/gitweb/?a=commitdiff_plain;h=baa16cd63bef05542b4d583923cb7f500de2bec5;hp=afc8cda53925eb9ae3c54908a66f8566e6940909;p=nsc-5.git Merge branch 'master' of git+ssh://git.ucw.cz/home/mj/GIT/nsc --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e086dd1 --- /dev/null +++ b/.gitignore @@ -0,0 +1,10 @@ +cf +Makefile +named.conf +bin/shell-env +dss +hash +keys +khash +ver +zone diff --git a/NEWS b/NEWS index c5bebcc..c375d1d 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,18 @@ +Version 5.0 [2019-01-30] + + Added support for DNSSEC. See section 8 of README. + + It turned out that configurability of directory names (e.g., HASHDIR) + was incomplete and it made all scripts unnecessarily complicated. + We replaced the configuration variables by hard-coded names equal + to the previous default settings which hopefully nobody ever needed + to change. + + Also, ROOTHINT() became obsolete as BIND packages now regularly come + with a well updated root hint file. Please set up the root hints in + the master bind configuration file before you include named.conf + generated by NSC. + Version 4.0 [2011-10-22] This version brings several incompatible changes with a common @@ -17,7 +32,7 @@ Version 4.0 [2011-10-22] Blackhole zones in example cf/domains updated to use this macro. o When contents of a zone do not change, the version number is not incremented. Unfortunately, BIND tends to produce a warning - in such cases, and it be turned off. + in such cases, and it cannot be turned off. Version 3.1 [2008-05-21] diff --git a/README b/README index e7f7a00..57379a1 100644 --- a/README +++ b/README 
@@ -1,15 +1,15 @@ - Domain Name Server Configuration Utilities -- NSC 4.0 + Domain Name Server Configuration Utilities -- NSC 5.0 - (c) 1997--2011 Martin Mares + (c) 1997--2019 Martin Mares ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------------------------------------------------------------- -WARNING: There were several incompatible changes between versions 3.1 and 4.0. +----------------------------------------------------------------------- +WARNING: There were several incompatible changes between major versions See NEWS for the summary of changes. ------------------------------------------------------------------------------------- +----------------------------------------------------------------------- NSC is a set of shell and M4 scripts for easy maintenance of DNS zone files 
@@ -20,14 +20,15 @@ an English pudding :-) ), which includes automatic generation of reverse records for all your hosts, handling of classless reverse delegations and support for IPv6 (AAAA and PTR in ip6.arpa, not A6 and DNAME which seem to be dying out). - NSC requires GNU m4, a POSIX-compatible shell and the `md5sum' utility (which -is present for examile in GNU coreutils). Some of the extra utilities require -Perl 5. I've tested everything on Linux (Debian Squeeze), but the whole package -should run on other unices as well. + NSC requires GNU m4, GNU Bash, the `md5sum' and `sha1sum' utilities (which +are present for example in GNU coreutils), and utilities distributed with BIND. +Some of the extra utilities require Perl 5. I've tested everything on Linux +(Debian Stretch), but the whole package should run on other unices as well. The whole package can be used and distributed according to the terms of the -GNU General Public License. See file COPYING in any of the GNU utility archives -(you should have one as you are expected to have at least GNU M4 ;-)). +GNU General Public License, version 2 or higher. See file COPYING in any of the +GNU utility archives (you should have one as you are expected to have at least +GNU M4 ;-)). 0. Quick Howto for the Impatient 
@@ -62,12 +63,13 @@ GNU General Public License. See file COPYING in any of the GNU utility archives added or removed domains or changed options which affect named.conf, re-run bin/nsconfig before make. - An interesting companion to this package is the DNS Sleuth -- a DNS zone +An interesting companion to this package is the DNS Sleuth -- a DNS zone consistency checker. It's a simple utility written in Perl with help of the DNS module and it should be able to detect all common errors in DNS setup (I have written it after much disappointment with the other checkers). The Sleuth is available online on http://atrey.karlin.mff.cuni.cz/~mj/sleuth/, -follow the links to download the source. +follow the links to download the source. However, I haven't updated Sleuth +for a long time, so it does not know about DNSSEC yet. 1. Directory structure @@ -83,14 +85,19 @@ files and subdirectories: m4/ - M4 scripts (used by the commands) zone/ - primary zone files bak/ - backups of zones we serve as a secondary NS for - hash/ - hashes of zone files used for detection of changes ver/ - version files where NSC remembers version numbers of the primary zones + tmp/ - temporary files + hash/ - hashes of zone files used for detection of changes + dss/ - DNSSEC DS records + keys// - DNSSEC keys + khash/ - hashes of DNSSEC keys used for detection of changes How are different files created: - You create everything in cf/. - Then you run bin/nsconfig. + - If you want to use DNSSEC, create keys (see section 8) - Makefile and named.conf gets created according to cf/domains. - You run make. - The Makefile creates primary zone files in zone/ and version files 
@@ -145,13 +152,6 @@ REVERSE(network, primary-files...) You can also use the REV macro explicitly, which can be handy for example in SECONDARY declarations. -ROOTHINT() - Insert a definition of hints for reaching root servers into named.conf. - This is necessary if you want your DNS server to resolve foreign - domains; otherwise, it will only give out authoritative answers - for locally defined zones and forward queries. The location of the - file with the hints can be set by the ROOTCACHE directive (see below). - FORWARDED(zone, ip...) Define a forwarding zone. All queries are forwarded to the specified name servers. @@ -176,6 +176,13 @@ CONFIG(...) MAKEFILE(...) Insert user data to Makefile. +DNSSEC(`declarations...') + Request DNSSEC signing for all zones declared within the block. + +DSFOR(zone) + Declare dependency of the previous PRIMARY/REVERSE domain on DS + records for the given zone configured in dss/*. + 3. The Domain Files ~~~~~~~~~~~~~~~~~~~ @@ -216,7 +223,7 @@ H(host) ADDR(addr...) Specify addresses for the current host. In the normal mode, it - creates A records, in the reverse mode, PTR records. + creates A/AAAA records, in the reverse mode, PTR records. H(host, addr...) A shortcut for H(host) ADDR(addr...) -- in many cases everything @@ -242,6 +249,13 @@ NS(ns...) Specify a list of name server names for the current domain (started by either a SOA or D declaration). Generates NS records. +DS() +DS(dsset) + Include DS records for the current sub-domain. With no arguments, + they are loaded from dss/. If the name of the sub-domain + does not match the name of the DSset (as it frequently happens with + reverse zones), you can specify the DSset name explicitly. + MX(mx...) Specify a list of mail exchangers for the current host or domain. Each mail exchanger should be preceded by a priority. Generates 
@@ -328,15 +342,9 @@ semicolons, text outside macros is ignored. The following variables are available: NAMED_RESTART_CMD Shell command for restarting the name server daemon - (default: ndc restart) + (default: rndc reload) -ROOT Root directory of the whole package (default: /etc/named) CFDIR Directory with config files (default: cf) -ZONEDIR Directory with zone files (default: zone) -BAKDIR Directory with backup files (default: bak) -HASHDIR Directory with zone hashes (default: hash) -VERSDIR Directory with version files (default: var) -ROOTCACHE File with the cache of root name servers REFRESH SOA record parameters RETRY @@ -345,6 +353,13 @@ MINTTL NSNAME Origin server (default: hostname of your machine) MAINTNAME Domain maintainer name (default: root@NSNAME) +KEYGEN_OPTIONS Extra options given to dnssec-keygen + (by default, it selects key type and key size). +SIGNZONE_OPTIONS Extra options given to dnssec-signzone + (by default, it specifies signature validity of 365 days). +DSFROMKEY_OPTIONS Extra options given to dnssec-dsfromkey + (by default, there are none). + For the timing parameters, the following shortcuts are available: HOURS(n) Convert hours to seconds 
@@ -443,7 +458,72 @@ CAVEAT: The backward-compatible IPv6 address syntax with ":v.w.x.y" at the end is not supported. All other syntaxes and quirks hopefully are. -8. Interaction with M4 +8. DNSSEC support +~~~~~~~~~~~~~~~~~ +NSC knows the basics of DNSSEC. It does not handle key management (you need to +schedule generation and retirement of your keys by other means), but once the +keys are in place, it uses them for signing zones. + +=== Key management === + +Keys live in keys//*.(key|private) and they are stored in the usual BIND +format. To generate a zone-signing key, you can use the following command after +writing at least rudimentary cf/: + + bin/key-gen + +If you want a key-signing key, use: + + bin/key-gen -f KSK + +(Generally, you can add arbitrary arguments for BIND's dnssec-keygen. Default +keygen options can be set in cf/config, see section 4.) + +To detect key changes, NSC keeps a hash of all keys for each domain. +If you edit the keys manually (e.g., to delete a key), you need to recalculate +the hash by: + + bin/key-update + +(or without a zone to update all hashes). + +=== Domain signing === + +All domains whose declarations in cf/domains are wrapped by DNSSEC(`...') +are automatically signed using all set up keys. If you specify key validity +period when generating the key, it is respected, but the domains are not +re-signed automatically when a key becomes valid / ceases to be. If you +want to modify dnssec-signzone arguments, you can do so in cf/config. + +Beware that all signatures have a limited lifetime (even if the keys do not +expire). The default lifetime is 365 days, so you need to re-sign your zones +at least once in a year. The recommended solution is to set up a cron job, +which touches keys/resign-stamp. A change of timestamp of this file forces +a re-sign on the next run of make. + +=== Subdomains === + +If you want to delegate a signed sub-domain, you need to include DS records +in the parent zone. 
Add a DS() macro after declaration of the sub-domain +in the parent. It loads DS records from dss/. + +If the sub-domain is also maintained by NSC, you can generate the DS record +set automatically by: + + bin/key-delegate + +=== Reverse zones === + +Unlike primary/secondary zones, reverse zones have file names which differ +from the full domain name. In such cases, keys are named after the file name +and NSC constructs the full name whenever necessary. + +There is one exception where automatic construction is not available: +delegation of sub-domain keys. In such cases, you need to pass the file +name of the sub-zone to the DS macro. + + +9. Interaction with M4 ~~~~~~~~~~~~~~~~~~~~~~ All config files are fully-fledged M4 scripts, so you can use any M4 features you need, the most helpful one being definition of your own macros by diff --git a/TODO b/TODO index 8cddb5f..0845c7c 100644 --- a/TODO +++ b/TODO @@ -1 +1,4 @@ freebsd: don't use `-f' in hostname + +- Update or delete nsc.lsm +- do we still need root.cache? diff --git a/bin/genzone b/bin/genzone new file mode 100755 index 0000000..4af0867 --- /dev/null +++ b/bin/genzone 
@@ -0,0 +1,51 @@ +#!/bin/bash +# NSC -- Zone file generator +# (c) 1997--2019 Martin Mares + +set -e +. bin/shell-env + +if [ $# -lt 2 ] ; then + echo >&2 "Usage: $0 " + exit 1 +fi +Z=$1 +shift + +CURRENT_HASH=$($M4 -DHASHING m4/nsc.m4 "$@" | md5sum | cut -d " " -f1) +if [ -f khash/$Z ] ; then + CURRENT_HASH=$CURRENT_HASH:$(cat khash/$Z) + if [ -f keys/resign-stamp ] ; then + CURRENT_HASH=$CURRENT_HASH:$(stat -c '%Y' keys/resign-stamp) + fi +fi + +PREV_HASH=$(if [ -s hash/$Z ] ; then cat hash/$Z ; fi) +if [ "X$CURRENT_HASH" = "X$PREV_HASH" ] ; then + echo "-- $Z: No changes" + touch zone/$Z hash/$Z +else + $M4 -DVERS=ver/$Z m4/nsc.m4 "$@" >zone/$Z.new + NEWVER="$(sed -e "s/^;;; VERSION: //; t; d" zone/$Z.new)" + if [ -f khash/$Z ] ; then + ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2) + if [ -z "$ORIGIN" ] ; then + echo >&2 "FATAL: Cannot establish zone origin for $Z" + exit 1 + fi + if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $ORIGIN -S -3 - zone/$Z.new &>zone/$Z.tmp ; then + cat zone/$Z.tmp + echo >&2 "FATAL: Cannot sign $Z" + exit 1 + fi + rm -f zone/$Z.tmp + rm -f tmp/dsset-* + mv zone/$Z.signed zone/$Z + SIGNED=" (signed)" + else + mv zone/$Z.new zone/$Z + SIGNED= + fi + echo "** $Z: New version $NEWVER$SIGNED" + echo $CURRENT_HASH >hash/$Z +fi diff --git a/bin/key-delegate b/bin/key-delegate new file mode 100755 index 0000000..bb4c5cd --- /dev/null +++ b/bin/key-delegate @@ -0,0 +1,25 @@ +#!/bin/bash +# NSC -- DNSSEC key delegation +# (c) 2019 Martin Mares + +set -e +shopt -s nullglob +. bin/shell-env + +if [ $# -ne 1 ] ; then + echo >&2 "Usage: $0 " + exit 1 +fi +Z=$1 + +>dss/$Z.new +for K in keys/$Z/*.key ; do + B=$(basename $K .key) + if grep -q '; This is a key-signing key,' $K ; then + echo "** $B: Adding" + dnssec-dsfromkey $DSFROMKEY_OPTIONS $K >>dss/$Z.new + else + echo "-- $B: Not a KSK" + fi +done +mv dss/$Z.new dss/$Z diff --git a/bin/key-gen b/bin/key-gen new file mode 100755 index 0000000..bf2a819 
--- /dev/null +++ b/bin/key-gen @@ -0,0 +1,25 @@ +#!/bin/sh +# NSC -- DNSSEC key generator +# (c) 2019 Martin Mares + +set -e +. bin/shell-env + +if [ -z "$1" ] ; then + echo >&2 "Usage: $0 []" + exit 1 +fi +C="$1" +shift + +if [ ! -f $CFDIR/$C ] ; then + echo >&2 "$CFDIR/$C: No such configuration file" + exit 1 +fi + +Z=$($M4 m4/mkname.m4 $CFDIR/$C) +echo "Zone name: $Z" + +mkdir -p keys/$C +dnssec-keygen $KEYGEN_OPTIONS -K keys/$C "$@" $Z +bin/key-update $C diff --git a/bin/key-update b/bin/key-update new file mode 100755 index 0000000..e7efe36 --- /dev/null +++ b/bin/key-update @@ -0,0 +1,44 @@ +#!/bin/bash +# NSC -- DNSSEC key hash updater +# (c) 2019 Martin Mares + +set -e +shopt -s nullglob +. bin/shell-env + +if [ $# -gt 1 ] ; then + echo >&2 "Usage: $0 []" + exit 1 +fi + +update () +{ + local D=$1 + local K=keys/$D + local H=khash/$D + cat /dev/null $K/*.key | sha1sum | cut -f1 -d' ' >$H.new + if [ ! -f $H ] || ! cmp -s $H $H.new ; then + echo "** $D: New key hash" + mv $H.new $H + else + echo "-- $D: No change" + rm $H.new + fi +} + +if [ -z "$1" ] ; then + for DD in keys/* ; do + if [ -d "$DD" ] ; then + update $(basename $DD) + fi + done + for H in khash/* ; do + B=$(basename $H) + if [ ! -d keys/$B ] ; then + echo "## $B: Deleted obsolete hash" + rm $H + fi + done +else + update $1 +fi diff --git a/bin/nsconfig b/bin/nsconfig index b891206..229dc36 100755 --- a/bin/nsconfig +++ b/bin/nsconfig @@ -1,6 +1,6 @@ #!/bin/sh # NSC -- Makefile & Config file build script -# (c) 1997--2008 Martin Mares +# (c) 1997--2019 Martin Mares set -e @@ -12,8 +12,7 @@ if [ ! -f $DOMAINS ] ; then exit 1 fi -mkdir -p zone bak hash ver +mkdir -p zone bak hash ver keys khash dss tmp $M4 m4/mkconf.m4 $DOMAINS >named.conf $M4 m4/mkmf.m4 $DOMAINS >Makefile -$M4 -DM4=$M4 m4/mkgenzone.m4 >bin/genzone -chmod +x bin/genzone +$M4 -DM4=$M4 m4/mkshell-env.m4 >bin/shell-env diff --git a/cf.dist/a.example.com b/cf.dist/a.example.com index 2a0026b..7911c20 100644 --- a/cf.dist/a.example.com 
+++ b/cf.dist/a.example.com @@ -24,6 +24,3 @@ DADDR(jabb) H(jabberwock, jabb) H(this-one-is-classless-reverse-delegated, 10.3.0.65) - -undefine(`dnl') -H(dnl, jabb) diff --git a/cf.dist/domains b/cf.dist/domains index b897470..4ec0d21 100644 --- a/cf.dist/domains +++ b/cf.dist/domains @@ -1,7 +1,7 @@ ; An example domain table for the NSC -; Hints how to find root servers -ROOTHINT() +; If you do not want to use DNSSEC, please remove the lines +; commented with "; DNSSEC". ; Various mandatory things required by RFC 1912, section 4.1 PRIMARY(localhost) @@ -31,7 +31,10 @@ BLACKHOLE(REV(192.168)) ; A pretty normal example domain (we act as a primary nameserver for it) +DNSSEC(` ; DNSSEC PRIMARY(example.com) +DSFOR(a.example.com) ; DNSSEC +') ; DNSSEC ; It also has a couple of sub-domains and one of them resides on another server @@ -52,8 +55,10 @@ ZONE_OPTIONS() ; Here are reverse delegations for two networks. NSC automatically creates ; the PTR records from A records in all mentioned zones. See cf/{0,1}.0.10. +DNSSEC(` ; DNSSEC REVERSE(10.0.0, example.com, a.example.com) REVERSE(10.1.0, example.com, a.example.com, ip6.example.com) +') ; DNSSEC ; You can even have reverse zones for larger networks diff --git a/cf.dist/example.com b/cf.dist/example.com index 65f57c7..b5e900c 100644 --- a/cf.dist/example.com +++ b/cf.dist/example.com @@ -39,10 +39,11 @@ H(text) TXT(Once upon a midnight dreary) TXT(When I pondered weak and weary) -; A subdomain called a.example.com +; A subdomain called a.example.com with DNSSEC keys D(a) NS(ns1.example.com, ns2.example.com) +DS() ; Another subdomain (b.example.com), but this time one of the nameservers ; is inside, so we need to specify a glue record diff --git a/m4/dnslib.m4 b/m4/dnslib.m4 index 6cdb921..414aa65 100644 --- a/m4/dnslib.m4 +++ b/m4/dnslib.m4 
@@ -1,12 +1,12 @@ dnl ### dnl ### NSC -- Library Functions For DNS Processing -dnl ### (c) 1997--2011 Martin Mares +dnl ### (c) 1997--2019 Martin Mares dnl ### divert(-1) # NSC version -define(`NSCVER', `NSC 3.1') +define(`NSCVER', `NSC 5.0') # Current date and time @@ -70,6 +70,11 @@ define(nsc_iterate, `define(`nsc_iter', defn(`$1'))nsc_itera(shift($@))') define(REV, `nsc_if_v6($1,`nsc_revblock6($1).ip6.arpa',`nsc_revaddr($1).in-addr.arpa')') +# DNSSEC wrapper + +define(`USE_DNSSEC') +define(`DNSSEC', `define(`USE_DNSSEC',1)$1define(`USE_DNSSEC')') + # A for loop macro from m4 doc define(`nsc_forloop', @@ -85,15 +90,10 @@ define(`nsc_fatal_error', `errprint(`NSC error: $1 # Default values of parameters -define(`NAMED_RESTART_CMD', `ndc reload') +define(`NAMED_RESTART_CMD', `rndc reload') -define(`ROOT', `/etc/named') define(`CFDIR', `cf') -define(`ZONEDIR', `zone') -define(`BAKDIR', `bak') define(`VERSDIR', `ver') -define(`HASHDIR', `hash') -define(`ROOTCACHE', `root.cache') define(`REFRESH', HOURS(8)) define(`RETRY', HOURS(2)) @@ -103,6 +103,10 @@ define(`NSNAME', translit(esyscmd(`hostname -f'),` ',`')) define(`MAINTNAME', `root'.`nsc_corr_dot(NSNAME)') +define(`KEYGEN_OPTIONS', `-a RSASHA256 -b 1024') +define(`SIGNZONE_OPTIONS', `-e +'DAYS(365)) +define(`DSFROMKEY_OPTIONS', `') + # And finally we change comments to semicolons to be compatible with the zone files changecom(;) diff --git a/m4/mkconf.m4 b/m4/mkconf.m4 index 927ea9e..befb306 100644 --- a/m4/mkconf.m4 +++ b/m4/mkconf.m4 @@ -8,7 +8,7 @@ include(m4/dnslib.m4) define(`DO_PRIMARY', `divert(0)zone "$1" in { type master; - file "ZONEDIR/nsc_file_name($2)"; + file "zone/nsc_file_name($2)"; ZZ_OPTIONS()dnl }; @@ -21,7 +21,7 @@ define(`REVERSE', `DO_PRIMARY(REV($1),nsc_if_v6($1,`nsc_revblock6($1)',`nsc_reva define(`SECONDARY', `divert(0)zone "$1" in { type slave; - file "BAKDIR/nsc_file_name($1)"; + file "bak/nsc_file_name($1)"; masters { $2; }; ZZ_OPTIONS()dnl }; 
@@ -48,15 +48,6 @@ define(`BLACKHOLE', `divert(0)zone "$1" in { divert(-1)') -# Root hint zone - -define(`ROOTHINT', `divert(0)zone "." in { - type hint; - file "ROOTCACHE"; -}; - -divert(-1)') - # Manual insertion of config file material define(`CONFIG', `divert(0)$1 diff --git a/m4/mkgenzone.m4 b/m4/mkgenzone.m4 deleted file mode 100644 index 0d898f4..0000000 --- a/m4/mkgenzone.m4 +++ /dev/null @@ -1,25 +0,0 @@ -dnl ### -dnl ### NSC -- Zone Generating Script Builder -dnl ### (c) 2011 Martin Mares -dnl ### -include(m4/dnslib.m4) -changecom(REM) -divert(0)dnl -#!/bin/sh -# Please do not modify this script, it is automatically generated by m4/mkgenzone.m4 - -set -e -Z=`$'1 -shift -mkdir -p HASHDIR -CURRENT_HASH=$(M4 -DHASHING m4/nsc.m4 "$@" | md5sum | cut -d " " -f1) -PREV_HASH=$(if [ -s HASHDIR/$Z ] ; then cat HASHDIR/$Z ; fi) -if [ "X$CURRENT_HASH" = "X$PREV_HASH" ] ; then - echo "-- $Z: No changes" - touch ZONEDIR/$Z HASHDIR/$Z -else - M4 -DVERS=VERSDIR/$Z m4/nsc.m4 "$@" >ZONEDIR/$Z.new - mv ZONEDIR/$Z.new ZONEDIR/$Z - echo "** $Z: New version $(sed -e "s/^;;; VERSION: //; t; d" ZONEDIR/$Z)" - echo $CURRENT_HASH >HASHDIR/$Z -fi diff --git a/m4/mkmf.m4 b/m4/mkmf.m4 index d224efa..0734061 100644 --- a/m4/mkmf.m4 +++ b/m4/mkmf.m4 @@ -1,6 +1,6 @@ dnl ### dnl ### NSC -- Makefile Builder -dnl ### (c) 1997--2011 Martin Mares +dnl ### (c) 1997--2019 Martin Mares dnl ### include(m4/dnslib.m4) 
@@ -10,17 +10,23 @@ define(`PRIMARIES', `') define(`nsc_prepend_cf_one', ` 'CFDIR/`nsc_file_name($1)') define(`nsc_prepend_cf_multi', `nsc_iterate(`nsc_prepend_cf_one', $@)') -define(`PRIMARY', `divert(0)ZONEDIR/nsc_file_name($1):nsc_prepend_cf_multi($@) $(DDEPS) +define(`nsc_key_dep', `ifelse(USE_DNSSEC,,,` 'khash/$1 keys/resign-stamp)') +define(`PRIMARY', `define(`CURRENT_TARGET',zone/nsc_file_name($1)) +divert(0)CURRENT_TARGET:nsc_prepend_cf_multi($@)nsc_key_dep($1) $(DDEPS) @bin/genzone nsc_file_name($1)`'nsc_prepend_cf_multi($@) divert(-1) -define(`PRIMARIES', PRIMARIES ZONEDIR/nsc_file_name($1)) +define(`PRIMARIES', PRIMARIES zone/nsc_file_name($1)) ') define(`REVERSE', `PRIMARY(nsc_if_v6($1,`nsc_revblock6($1)',`nsc_revaddr($1)'), shift($@))') define(`BLACKHOLE', `define(`NEED_BLACKHOLE', 1)') +define(`DSFOR', `divert(0)CURRENT_TARGET: dss/$1 + +divert(-1)') + # Insertion of raw makefile material define(`MAKEFILE', `divert(0)$1 @@ -32,18 +38,21 @@ define(`nsc_cleanup', ` ifdef(`NEED_BLACKHOLE', `PRIMARY(blackhole)') divert(0)dnl -VERSDIR/.version: CFDIR/domains ROOTCACHE`'PRIMARIES`'ifdef(`NEED_BLACKHOLE',` ZONEDIR/blackhole') +ver/.version: CFDIR/domains`'PRIMARIES`'ifdef(`NEED_BLACKHOLE',` zone/blackhole') NAMED_RESTART_CMD - touch VERSDIR/.version + touch ver/.version + +keys/resign-stamp: + touch `$'@ clean: - find BAKDIR ZONEDIR HASHDIR -maxdepth 1 -type f | xargs rm -f + find bak zone hash tmp -maxdepth 1 -type f | xargs rm -f clobber: clean - rm -f Makefile named.conf bin/genzone + rm -f Makefile named.conf bin/shell-env distclean: clobber - find VERSDIR -maxdepth 1 -type f | xargs rm -f + find ver -maxdepth 1 -type f | xargs rm -f ') divert(0)dnl @@ -55,6 +64,6 @@ divert(0)dnl DDEPS=m4/nsc.m4 m4/dnslib.m4 cf/config -all: VERSDIR/.version +all: ver/.version m4wrap(`nsc_cleanup') divert(-1) diff --git a/m4/mkname.m4 b/m4/mkname.m4 new file mode 100644 index 0000000..90c7191 --- /dev/null +++ b/m4/mkname.m4 
@@ -0,0 +1,10 @@ +dnl ### +dnl ### NSC -- Zone Name Generator +dnl ### (c) 2019 Martin Mares +dnl ### +dnl ### Usage: m4 mkname.m4 domain-source-files >zone-name +dnl ### +include(m4/dnslib.m4) + +define(`SOA', `ifdef(`CURRENT_DOMAIN',,`define(`CURRENT_DOMAIN',$1)divert(0)$1 +divert(-1)')') diff --git a/m4/mkshell-env.m4 b/m4/mkshell-env.m4 new file mode 100644 index 0000000..262fd8c --- /dev/null +++ b/m4/mkshell-env.m4 @@ -0,0 +1,11 @@ +dnl ### +dnl ### NSC -- Shell Environment Builder +dnl ### (c) 2019 Martin Mares +dnl ### +include(m4/dnslib.m4) +divert(0)dnl +`CFDIR'=CFDIR +`M4'=M4 +`KEYGEN_OPTIONS'="KEYGEN_OPTIONS" +`SIGNZONE_OPTIONS'="SIGNZONE_OPTIONS" +`DSFROMKEY_OPTIONS'="DSFROMKEY_OPTIONS" diff --git a/m4/nsc.m4 b/m4/nsc.m4 index ad9ed24..cf7a81d 100644 --- a/m4/nsc.m4 +++ b/m4/nsc.m4 @@ -31,6 +31,7 @@ define(`VERSION',TODAY_CODE`'format(`%02d', SUBVER_NUM)) define(nsc_set_name, `define(`CURRENT_NAME', nsc_corr_dot($1))define(`PRINT_NAME', CURRENT_NAME)') define(nsc_emit_name, `ifdef(`PRINT_NAME', `PRINT_NAME`'undefine(`PRINT_NAME')', `')') define(nsc_abs_name, `ifelse(CURRENT_NAME, translit(CURRENT_NAME,.,:), CURRENT_NAME.CURRENT_DOMAIN, CURRENT_NAME)') +define(nsc_abs_name_nodot, `define(`nsc_tmp', nsc_abs_name)substr(nsc_tmp,0,decr(len(nsc_tmp)))') # SOA record @@ -144,6 +145,11 @@ define(CNAME, `$1 `CNAME' nsc_corr_dot($2)') define(PTR, `$1 `PTR' nsc_corr_dot($2)') +# DS records (DNSSEC keys for subdomains) + +define(DS, `ifdef(`REVERSE_MODE',,`nsc_DS')') +define(nsc_DS, `undivert(dss/nsc_abs_name_nodot)') + # Shortcut for classless reverse delegation of a block define(REVBLOCK, `nsc_forloop(`i', $2, $3, `i' `CNAME' `i'.$1 diff --git a/root.cache b/root.cache deleted file mode 100644 index d081faa..0000000 --- a/root.cache +++ /dev/null 
@@ -1,87 +0,0 @@ -; This file holds the information on root name servers needed to -; initialize cache of Internet domain name servers -; (e.g. reference this file in the "cache . " -; configuration file of BIND domain name servers). -; -; This file is made available by InterNIC -; under anonymous FTP as -; file /domain/named.cache -; on server FTP.INTERNIC.NET -; -OR- RS.INTERNIC.NET -; -; last update: Jun 17, 2010 -; related version of root zone: 2010061700 -; -; formerly NS.INTERNIC.NET -; -. 3600000 IN NS A.ROOT-SERVERS.NET. -A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 -A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30 -; -; FORMERLY NS1.ISI.EDU -; -. 3600000 NS B.ROOT-SERVERS.NET. -B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 -; -; FORMERLY C.PSI.NET -; -. 3600000 NS C.ROOT-SERVERS.NET. -C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 -; -; FORMERLY TERP.UMD.EDU -; -. 3600000 NS D.ROOT-SERVERS.NET. -D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 -; -; FORMERLY NS.NASA.GOV -; -. 3600000 NS E.ROOT-SERVERS.NET. -E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 -; -; FORMERLY NS.ISC.ORG -; -. 3600000 NS F.ROOT-SERVERS.NET. -F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 -F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F -; -; FORMERLY NS.NIC.DDN.MIL -; -. 3600000 NS G.ROOT-SERVERS.NET. -G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 -; -; FORMERLY AOS.ARL.ARMY.MIL -; -. 3600000 NS H.ROOT-SERVERS.NET. -H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 -H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235 -; -; FORMERLY NIC.NORDU.NET -; -. 3600000 NS I.ROOT-SERVERS.NET. -I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 -I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53 -; -; OPERATED BY VERISIGN, INC. -; -. 3600000 NS J.ROOT-SERVERS.NET. -J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 -J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30 -; -; OPERATED BY RIPE NCC -; -. 3600000 NS K.ROOT-SERVERS.NET. -K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 -K.ROOT-SERVERS.NET. 
3600000 AAAA 2001:7FD::1 -; -; OPERATED BY ICANN -; -. 3600000 NS L.ROOT-SERVERS.NET. -L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 -L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42 -; -; OPERATED BY WIDE -; -. 3600000 NS M.ROOT-SERVERS.NET. -M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 -M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35 -; End of File
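Review bot: the re-signing advice in the README section 8 hunk understates the operational risk. It says the default signature lifetime is 365 days, so zones must be re-signed "at least once in a year"; a cron job that touches keys/resign-stamp only once a year has no margin at all, and if that single run fails, or nobody runs make afterwards, every RRSIG in the zone expires and validating resolvers answer SERVFAIL for the whole zone. Recommend documenting a cadence well inside the validity window (touching resign-stamp weekly or monthly) and verifying with dig that the expiration dates moved. The same section should also state that the .private files under keys/ need restrictive permissions and a backup plan, because losing a KSK whose DS is already published in the parent makes the zone bogus until the parent is updated.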
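Review bot: in bin/genzone the decision to sign is derived from the existence of khash/$Z ("if [ -f khash/$Z ]"), not from whether the zone was declared inside DNSSEC() in cf/domains, whereas the Makefile built by m4/mkmf.m4 adds the key dependencies only for zones inside DNSSEC(). A zone that still has keys but was moved out of the DNSSEC() block is therefore still signed, without make tracking key changes for it, and the README statement that only DNSSEC()-wrapped domains are signed does not match the script. Pass the decision explicitly (for example a variable set in the generated Makefile rule) and have genzone fail loudly when asked to sign without keys. Separately, "ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2)" matches every line containing $ORIGIN anywhere in the file, comments included, and assumes a single space as separator; anchor it ("^\$ORIGIN"), take only the first match, and remove zone/$Z.tmp in the FATAL branch, which currently leaves it behind.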
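Review bot: bin/key-delegate recognises key-signing keys by grepping for the comment "; This is a key-signing key," that dnssec-keygen writes into the .key file. Keys imported from elsewhere, or .key files rewritten by other tools, may not carry that comment and are then skipped with "-- ...: Not a KSK" even though they are KSKs, after which the script moves a possibly empty dss/$Z.new into place without any warning, i.e. it silently publishes a delegation with no DS records. Decide on the flags field of the DNSKEY record in the .key file instead (257 marks a KSK, 256 a ZSK), and exit non-zero if no KSK was found.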
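Review bot: bin/key-gen never checks that the zone name produced by m4/mkname.m4 is non-empty. "Z=$($M4 m4/mkname.m4 $CFDIR/$C)" yields an empty string for a domain file without an SOA declaration, and "dnssec-keygen ... $Z" then fails with a usage error after "mkdir -p keys/$C" has already created an empty key directory; the next argument-less bin/key-update run will record a khash entry for that empty directory, which bin/genzone interprets as "sign this zone". Add a check such as [ -n "$Z" ] || { echo >&2 "$CFDIR/$C: no SOA found"; exit 1; } before the mkdir. Two smaller points: the file keeps "#!/bin/sh" although the README now requires GNU Bash and the other new scripts use "#!/bin/bash", and since keys/$C will hold the .private files it should be created with a restrictive mode (mkdir -m 0700) rather than whatever the caller's umask gives.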
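Review bot: in bin/key-update the single-zone branch calls "update $1" without verifying that keys/$1 exists; with nullglob the "cat /dev/null $K/*.key" pipeline then hashes empty input and writes khash/$1 for a zone that has no key directory at all. Because bin/genzone treats the presence of khash/$Z as the signal to sign, a typo in the zone name is enough to make the next make run attempt to sign a zone without keys. Check [ -d keys/$1 ] first and exit non-zero otherwise; the argument-less branch already contains the matching cleanup for stale hashes and could be reused.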
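Review bot: the comment added to cf.dist/domains only tells users to delete the lines marked "; DNSSEC" if they do not want DNSSEC; it does not say what must exist before make succeeds if they keep them. With PRIMARY(example.com) and the two REVERSE() zones wrapped in DNSSEC(), plus "DSFOR(a.example.com)" here and "DS()" in cf.dist/example.com, the build needs keys for example.com and both reverse zones and a generated dss/a.example.com for the sub-domain, none of which the shipped example creates. A short comment listing the bin/key-gen and bin/key-delegate invocations to run first would save the first make from failing on missing targets.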
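Review bot: the new default define(`KEYGEN_OPTIONS', `-a RSASHA256 -b 1024') generates 1024-bit RSA keys for ZSKs and KSKs alike, because bin/key-gen passes the same options in both cases. 1024-bit RSA is below what is acceptable for a long-lived KSK whose DS is published in the parent; ship at least -b 2048 for RSASHA256, or preferably -a ECDSAP256SHA256, which also keeps DNSKEY and RRSIG responses small. Likewise the default SIGNZONE_OPTIONS of -e +DAYS(365) makes every RRSIG replayable for a year after it was produced, including signatures made with a key that has since been retired or compromised; a validity of a few weeks together with the resign-stamp mechanism is the usual trade-off. Both values can be overridden in cf/config, so this is only about the shipped defaults, but section 4 of the README should flag them as security parameters rather than plain tuning knobs.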
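Review bot: the DS macro added to m4/nsc.m4 ignores its argument, so the DS(dsset) form documented in this same patch (README section 3, and the reverse-zone paragraph of section 8 that tells users to pass the sub-zone file name) does not work: define(DS, `ifdef(`REVERSE_MODE',,`nsc_DS')') invokes nsc_DS without parameters and nsc_DS always undiverts dss/nsc_abs_name_nodot. Forward the argument, e.g. define(DS, `ifdef(`REVERSE_MODE',,`nsc_DS($@)')') together with define(nsc_DS, `undivert(dss/ifelse(`$1',,nsc_abs_name_nodot,`$1'))'), and consider raising nsc_fatal_error when the DS set file does not exist instead of relying on m4's handling of a missing undivert file, since a delegation silently emitted without DS records leaves the signed child unreachable for validating resolvers.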
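Review bot: the new nsc_key_dep makes every zone inside DNSSEC() depend on khash/$1, but the generated Makefile has no rule for khash/* (only "keys/resign-stamp:" with "touch $@" was added). Until bin/key-gen has been run for each such zone, make stops with "No rule to make target khash/<zone>", which is a confusing first contact for anyone who copied cf.dist/domains. Either add a pattern rule that prints a helpful message (run bin/key-gen for that zone) and fails, or add the dependency only when the file exists and let genzone report the missing keys. The same applies to the DSFOR rule "CURRENT_TARGET: dss/$1", whose targets can only be produced by bin/key-delegate.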