Add internal zone and only verify local records, add unbound
parent
96d54ab33d
commit
1455564f0f
|
@ -27,12 +27,16 @@ redxen.eu/gameservers/minecraft/minecraft-rx/${BUILD_ID_OUT}: %/${BUILD_ID_OUT}
|
|||
redxen.eu/gameservers/minecraft/spigot/${BUILD_ID_OUT}
|
||||
|
||||
# DNS
|
||||
redxen.eu/daemons/unbound/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
|
||||
%/unbound.conf \
|
||||
redxen.eu/data/dns/${BUILD_ID_OUT}
|
||||
redxen.eu/daemons/nsd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
|
||||
%/nsd.conf \
|
||||
redxen.eu/data/dns/${BUILD_ID_OUT}
|
||||
|
||||
redxen.eu/data/dns/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
|
||||
%/redxen.eu \
|
||||
%/internal \
|
||||
redxen.eu/data/dnssec/${BUILD_ID_OUT} \
|
||||
redxen.eu/data/opendkim/${BUILD_ID_OUT}
|
||||
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
FROM alpine:latest
|
||||
|
||||
RUN --network=host apk add \
|
||||
ca-certificates-bundle \
|
||||
dns-root-hints \
|
||||
dnssec-root \
|
||||
unbound
|
||||
|
||||
WORKDIR /etc/redxen/unbound/
|
||||
|
||||
ADD unbound.conf unbound.conf
|
||||
COPY --from=redxen.eu/data/dns:latest /dns-zones/redxen.eu /etc/redxen/bindzone/redxen.eu
|
||||
COPY --from=redxen.eu/data/dns:latest /dns-zones/internal /etc/redxen/bindzone/internal
|
||||
|
||||
RUN unbound-checkconf unbound.conf
|
||||
|
||||
CMD ["unbound", "-d", "-p", "-c", "unbound.conf"]
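Review bot: Both image references in this new Dockerfile float on `latest` — `FROM alpine:latest` on the first line and `COPY --from=redxen.eu/data/dns:latest` on the two zone copies — so a rebuild can silently pick up a different unbound package or a different set of zone files than the ones the Makefile just built, even though the Makefile appears to tag data/dns builds with `${BUILD_ID_OUT}` for exactly that reason. Pin both, e.g. `FROM alpine:<pinned-tag>` and `COPY --from=redxen.eu/data/dns:<build-id> …` (placeholders; use the tag the Makefile actually produces). `ADD unbound.conf unbound.conf` copies a plain local file and should be `COPY unbound.conf unbound.conf`, and `apk add` should carry `--no-cache` so the package index does not stay in the layer. Running `unbound-checkconf` at build time is a good catch for config errors, but note it does not open the zonefiles the config references, so a broken copy from the data image is only detected at container start.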
|
|
@ -0,0 +1,53 @@
|
|||
server:
|
||||
root-hints: /usr/share/dns-root-hints/named.root
|
||||
trust-anchor-file: /usr/share/dnssec-root/trusted-key.key
|
||||
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
logfile: ""
|
||||
log-replies: yes
|
||||
|
||||
interface: 0.0.0.0
|
||||
interface: ::0
|
||||
port: 53
|
||||
|
||||
minimal-responses: no
|
||||
extended-statistics: yes
|
||||
rrset-roundrobin: yes
|
||||
cache-min-ttl: 60
|
||||
prefetch: yes
|
||||
prefetch-key: yes
|
||||
harden-glue: yes
|
||||
aggressive-nsec: yes
|
||||
serve-expired: yes
|
||||
serve-expired-ttl: 86400
|
||||
serve-expired-ttl-reset: yes
|
||||
|
||||
access-control: 0.0.0.0/0 refuse_non_local
|
||||
access-control: ::/0 refuse_non_local
|
||||
|
||||
access-control: 127.0.0.0/8 allow
|
||||
access-control: ::1/128 allow
|
||||
|
||||
access-control: 172.22.12.1/24 allow
|
||||
access-control: fd42:42:42::2:1/120 allow
|
||||
|
||||
access-control: 172.24.0.1/24 allow
|
||||
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
control-use-cert: no
|
||||
control-interface: ::1
|
||||
|
||||
auth-zone:
|
||||
name: redxen.eu
|
||||
fallback-enabled: no
|
||||
for-downstream: yes
|
||||
for-upstream: yes
|
||||
zonefile: "/etc/redxen/bindzone/redxen.eu"
|
||||
|
||||
auth-zone:
|
||||
name: internal
|
||||
fallback-enabled: no
|
||||
for-downstream: yes
|
||||
for-upstream: yes
|
||||
zonefile: "/etc/redxen/bindzone/internal"
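Review bot: Three of the `access-control` netblocks are written with host bits set — `172.22.12.1/24`, `fd42:42:42::2:1/120` and `172.24.0.1/24`; unbound normally masks these to the network, but writing the network address makes the allowed range explicit and stops a reader from assuming a single host is meant: `access-control: 172.22.12.0/24 allow`, `access-control: fd42:42:42::2:0/120 allow`, `access-control: 172.24.0.0/24 allow`. The `server:` block sets neither `username:` nor `chroot:`, so whether the daemon drops root after binding port 53 depends on the compiled-in defaults of the Alpine package; stating both explicitly documents the intent and survives a package change. `trust-anchor-file` points at the static key shipped by `dnssec-root`, which only follows a root KSK rollover when the image is rebuilt — acceptable if rebuilds are regular, but worth a comment such as `# static anchor: rebuild image on root KSK rollover`. `control-use-cert: no` is only safe because `control-interface` is loopback; a comment tying the two together would keep a later edit from widening one without the other.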
|
|
@ -6,7 +6,13 @@ RUN --network=host apk add \
|
|||
|
||||
RUN mkdir -p /tmp/zones
|
||||
ADD redxen.eu /tmp/zones/redxen.eu
|
||||
RUN sed -i 's/CURRENTSOA/'"$(date +'%Y%m%d'01)"'/' /tmp/zones/redxen.eu
|
||||
ADD internal /tmp/zones/internal
|
||||
RUN for x in redxen.eu internal; do sed -i 's/CURRENTSOA/'"$(date +'%Y%m%d'01)"'/' /tmp/zones/"$x"; done
|
||||
|
||||
# Verify zone after signing
|
||||
RUN named-checkzone -i local internal /tmp/zones/internal
|
||||
|
||||
# DNSSEC zones need more processing
|
||||
|
||||
# Add keys to zone
|
||||
RUN \
|
||||
|
@ -29,7 +35,7 @@ RUN \
|
|||
/tmp/zones/redxen.eu
|
||||
|
||||
# Verify zone after signing
|
||||
RUN named-checkzone redxen.eu /tmp/zones/redxen.eu
|
||||
RUN named-checkzone -i local redxen.eu /tmp/zones/redxen.eu
|
||||
|
||||
# Copy back only signed zone
|
||||
FROM scratch
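Review bot: The comment `# Verify zone after signing` placed above `named-checkzone -i local internal /tmp/zones/internal` in the first hunk of this file is wrong for that zone — `internal` is never signed (the DNSSEC steps that follow it only process `redxen.eu`), so it should read `# Verify the unsigned internal zone`. The new `for x in redxen.eu internal` loop keeps stamping the SOA serial with `$(date +'%Y%m%d'01)`, so two builds on the same day give a changed zone the same serial; if anything ever transfers these zones by serial it will not refresh, and deriving the serial from a per-build value rather than the date alone would avoid that — this was already true of the single-file `sed` it replaces. `ADD internal /tmp/zones/internal` copies a plain local file and should be `COPY`, as should the existing `ADD redxen.eu`. The `RUN \` that closes the first hunk continues outside it.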
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
;
|
||||
; .internal zonefile for internal RedXen usage
|
||||
;
|
||||
|
||||
$TTL 120
|
||||
|
||||
@ 86400 IN SOA 12180625.nbg1-dc3.hetzner admin.redxen.eu. CURRENTSOA ( 86400
|
||||
7200
|
||||
3600000
|
||||
3600 )
|
||||
|
||||
; NS records
|
||||
@ 86400 NS @
|
||||
|
||||
@ 86400 A 127.0.0.1
|
||||
86400 AAAA ::1
|
||||
|
||||
; Machines
|
||||
12180623.nbg1-dc3.hetzner 86400 A 10.10.0.2
|
||||
12180621.nbg1-dc3.hetzner 86400 A 10.10.0.3
|
||||
12180625.nbg1-dc3.hetzner 86400 A 10.10.0.4
|
||||
12180710.fsn1-dc14.hetzner 86400 A 10.10.0.5
|
||||
12180711.fsn1-dc14.hetzner 86400 A 10.10.0.6
|
||||
|
||||
; Services
|
||||
node_exporters.prometheus.routinginfo SRV 0 5 7580 12180623.nbg1-dc3.hetzner
|
||||
SRV 0 5 7580 12180621.nbg1-dc3.hetzner
|
||||
SRV 0 5 7580 12180625.nbg1-dc3.hetzner
|
||||
SRV 0 5 7580 12180710.fsn1-dc14.hetzner
|
||||
SRV 0 5 7580 12180711.fsn1-dc14.hetzner
|
||||
SRV 0 5 9100 a89b55b4-e8ba-448a-873c-47278bbc7db1.vultr.redxen.eu.
|
||||
SRV 0 5 9100 izmaylovo.russia.redxen.eu.
|
||||
SRV 0 5 9100 lakewood.united-states.redxen.eu.
|
||||
SRV 0 5 9100 tarui.japan.redxen.eu.
|
||||
SRV 0 5 9100 thetford-mines.canada.redxen.eu.
|
||||
SRV 0 5 9100 magong.taiwan.redxen.eu.
|
||||
SRV 0 5 9100 dongguan.china.redxen.eu.
|
||||
SRV 0 5 9100 san-jorge.argentina.redxen.eu.
|
||||
bird_exporters.prometheus.routinginfo SRV 0 5 9324 a89b55b4-e8ba-448a-873c-47278bbc7db1.vultr.redxen.eu.
|
||||
smartctl_exporters.prometheus.routinginfo SRV 0 5 9633 izmaylovo.russia.redxen.eu.
|
||||
SRV 0 5 9633 tarui.japan.redxen.eu.
|
||||
libvirt.prometheus.routinginfo SRV 0 5 9177 tarui.japan.redxen.eu.
|
||||
SRV 0 5 9177 izmaylovo.russia.redxen.eu.
|
||||
ipmi.prometheus.routinginfo SRV 0 5 9290 tarui.japan.redxen.eu.
|
||||
SRV 0 5 9290 izmaylovo.russia.redxen.eu.
|
||||
unbound.prometheus.routinginfo SRV 0 5 7583 12180623.nbg1-dc3.hetzner
|
||||
SRV 0 5 7583 12180621.nbg1-dc3.hetzner
|
||||
SRV 0 5 7583 12180625.nbg1-dc3.hetzner
|
||||
SRV 0 5 7583 12180710.fsn1-dc14.hetzner
|
||||
SRV 0 5 7583 12180711.fsn1-dc14.hetzner
|
||||
frontends.prometheus.routinginfo SRV 0 5 7581 12180621.nbg1-dc3.hetzner
|
||||
SRV 0 5 7581 12180711.fsn1-dc14.hetzner
|
||||
postgresql.prometheus.routinginfo SRV 0 5 7582 12180625.nbg1-dc3.hetzner
|
||||
ceph.prometheus.routinginfo SRV 0 5 9283 tarui.japan.redxen.eu.
|
||||
SRV 0 5 9283 izmaylovo.russia.redxen.eu.
|
||||
telegraf.prometheus.routinginfo SRV 0 5 7584 12180623.nbg1-dc3.hetzner
|
||||
SRV 0 5 7584 12180621.nbg1-dc3.hetzner
|
||||
SRV 0 5 7584 12180625.nbg1-dc3.hetzner
|
||||
SRV 0 5 7584 12180710.fsn1-dc14.hetzner
|
||||
SRV 0 5 7584 12180711.fsn1-dc14.hetzner
|
||||
_grafana._tcp.routinginfo SRV 0 5 7577 12180621.nbg1-dc3.hetzner
|
||||
SRV 0 5 7577 12180710.fsn1-dc14.hetzner
|
||||
_gitea._tcp.routinginfo SRV 0 5 7570 12180711.fsn1-dc14.hetzner
|
||||
_gitssh._tcp.routinginfo SRV 0 5 7571 12180711.fsn1-dc14.hetzner
|
||||
_transmission._tcp.routinginfo SRV 0 5 7572 12180710.fsn1-dc14.hetzner
|
||||
_root._tcp.routinginfo SRV 0 5 7575 12180710.fsn1-dc14.hetzner
|
||||
_packages._tcp.routinginfo SRV 0 5 7574 12180710.fsn1-dc14.hetzner
|
||||
_seedown._tcp.routinginfo SRV 0 5 7576 12180710.fsn1-dc14.hetzner
|
||||
_radicale._tcp.routinginfo SRV 0 5 7578 12180710.fsn1-dc14.hetzner
|
||||
_wssproxy._tcp.routinginfo SRV 0 5 7591 12180621.nbg1-dc3.hetzner
|
||||
|
||||
postgresql.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||
redis.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||
loki.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||
prometheus.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||
influxdb.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||
rspamd.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
||||
opendkim.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
||||
dovecot.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
||||
postfix.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
||||
murmur.routinginfo CNAME 12180623.nbg1-dc3.hetzner
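Review bot: The SRV owner names in this zone follow two conventions — the Prometheus entries use plain labels (`node_exporters.prometheus.routinginfo`, `unbound.prometheus.routinginfo`, …) while the later ones use the RFC 2782 `_service._proto` form (`_grafana._tcp.routinginfo`); presumably the scrape config queries the plain names directly (verify), but a header comment should say so, e.g. `; *.prometheus.routinginfo SRV owners are looked up by name by the scrape config, not via RFC 2782 _service._proto`. The SOA MNAME `12180625.nbg1-dc3.hetzner` is relative and expands to `12180625.nbg1-dc3.hetzner.internal`, which is not the zone's NS (`@ 86400 NS @`); `named-checkzone -i local` accepts this, but conventionally the MNAME matches an NS record. Several SRV targets end in `.redxen.eu.` and so lie outside this zone, which is why `-i local` is needed; a one-line comment noting that these are resolved through the `redxen.eu` auth-zone would explain that dependency to the next reader.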
|