commit 0fd22f929592b41d00ba27127452b0f22610f02c
parent a178439a0a4e4786bee92fa2e054d99fe6f33168
author: nathanael <nathanael@dalliard.ch>
date: Thu, 23 Oct 2025 14:20:34 +0000
s0: add bw to ns
diffstat:
7 files changed, 110 insertions(+), 63 deletions(-)
diff --git a/s0/dnsfiles/bw.zone b/s0/dnsfiles/bw.zone
@@ -0,0 +1,18 @@
+$ORIGIN bitcoinwallis.ch.
+$TTL 300
+@ SOA ns1.dalliard.ch. nathanael.dalliard.ch. (
+ 2025102300 ; serial
+ 14400 ; refresh
+ 3600 ; retry
+ 605800 ; expire
+ 75600 ; minimum ttl
+ )
+@ NS ns1.dalliard.ch.
+@ NS ns2.dalliard.ch.
+@ A 152.53.196.107
+@ AAAA 2a03:4000:0:170d::1
+*._domainkey TXT "v=DKIM1; p="
+@ MX 0 void.blackhole.mx.
+@ TXT "v=spf1 -all"
+www CNAME @
+_dmarc TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
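Review bot: The apex of bitcoinwallis.ch gets A/AAAA and a `www` CNAME but no CAA record, whereas dalliard.ch (www.zone in this commit) restricts certificate issuance with `@ CAA 0 issue "letsencrypt.org"`; if this host terminates TLS for the site, the same line here keeps the issuance policy of both zones consistent. The null-DKIM wildcard, `MX 0 void.blackhole.mx.`, `v=spf1 -all` and the strict DMARC read as a deliberate no-mail domain, but nothing says so; a one-line comment above them, `; no-mail domain: null MX, SPF -all, null DKIM wildcard, DMARC reject`, makes the intent explicit for the next edit. Note that the zone is served unsigned (nsd.conf points at `master/%s`, not `.signed`), unlike dalliard.ch.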
diff --git a/s0/dnsfiles/bwd.zone b/s0/dnsfiles/bwd.zone
@@ -0,0 +1,12 @@
+$ORIGIN bitcoin-wallis.ch.
+$TTL 300
+@ SOA ns1.dalliard.ch. nathanael.dalliard.ch. (
+ 2025102300 ; serial
+ 14400 ; refresh
+ 3600 ; retry
+ 605800 ; expire
+ 75600 ; minimum ttl
+ )
+@ NS ns1.dalliard.ch.
+@ NS ns2.dalliard.ch.
+@ DNAME bitcoinwallis.ch.
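Review bot: `@ DNAME bitcoinwallis.ch.` redirects only names below the apex, so bitcoin-wallis.ch itself has no A/AAAA, MX or SPF: the bare name does not resolve to the site, and mail claiming to come from `@bitcoin-wallis.ch` is not covered by the `v=spf1 -all` of the target zone (the `_dmarc` lookup, being a subdomain, is answered through the DNAME). The apex records coexist with a DNAME, so the no-mail policy can be restated here with `@ MX 0 void.blackhole.mx.` and `@ TXT "v=spf1 -all"`, plus the A/AAAA of the target host if the bare name should serve the site as well. A comment such as `; DNAME covers subdomains only; apex records must be listed explicitly` would prevent the same omission next time.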
diff --git a/s0/dnsfiles/nsd.conf b/s0/dnsfiles/nsd.conf
@@ -9,3 +9,11 @@ remote-control:
zone:
name: dalliard.ch
zonefile: master/%s.signed
+
+zone:
+ name: bitcoinwallis.ch
+ zonefile: master/%s
+
+zone:
+ name: bitcoin-wallis.ch
+ zonefile: master/%s
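Review bot: The two new zone blocks serve `master/%s` while dalliard.ch is served from `master/%s.signed`, and dnsfiles.sh in this commit runs the signing script only for dalliard.ch, so bitcoinwallis.ch and bitcoin-wallis.ch are published without DNSSEC. If that is intended (no DS at the registrar yet), a comment on each block, `# unsigned: no DNSSEC keys/DS for this zone yet`, records the decision; if not, each block needs `zonefile: master/%s.signed`, a key pair under the `prv` directory named `K<domain>.+008+*`, and a `dnssec.sh <domain>` call in dnsfiles.sh. The DNAME-only zone would need its own keys as well, since the DNAME does not carry the target zone's signatures.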
diff --git a/s0/dnsfiles/nsd.zone b/s0/dnsfiles/nsd.zone
@@ -1,52 +0,0 @@
-$ORIGIN dalliard.ch.
-$TTL 75600
-
-@ SOA ns1.dalliard.ch. hostmaster.dalliard.ch. (
- 2025101900 ; serial
- 14400 ; refresh
- 3600 ; retry
- 605800 ; expire
- 3600 ; minimum TTL
- )
-
-@ NS ns1.dalliard.ch.
-@ NS ns2.dalliard.ch.
-ns1 A 46.23.90.207
-ns1 AAAA 2a03:6000:6f64:604::207
-ns2 A 152.53.196.107
-ns2 AAAA 2a03:4000:0:170d::1
-
-@ A 46.23.90.207
-@ AAAA 2a03:6000:6f64:604::207
-@ MX 0 mx
-@ TXT "v=spf1 mx ~all"
-@ CAA 0 issue "letsencrypt.org"
-
-s1 A 46.23.90.207
-s1 AAAA 2a03:6000:6f64:604::207
-s2 A 152.53.196.107
-s2 AAAA 2a03:4000:0:170d::1
-
-go CNAME s1
-tmp CNAME s1
-www CNAME s1
-src CNAME s2
-
-mx A 46.23.90.207
-mx AAAA 2a03:6000:6f64:604::207
-
-mail CNAME mx
-mta-sts CNAME mx
-
-_imap._tcp SRV 10 5 993 mx
-_submissions._tcp SRV 10 5 465 mx
-
-_dmarc TXT "v=DMARC1; p=reject; rua=mailto:rua+sxmlzx30tg6t@dmarcwise.email; sp=reject; aspf=r;"
-_mta-sts TXT "v=STSv1; id=202509122100;
-_smtp._tls TXT "v=TLSRPTv1; rua=mailto:rua+sxmlzx30tg6t@dmarcwise.email;"
-
-ed._domainkey TXT "v=DKIM1;k=ed25519;p=Tu6L+N+G48OPNGJVamG17XnP4w8DAeLiGH81ITbh9lc="
-rsa._domainkey TXT "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5PVj+wFglrH4xa74ynu3zIaLmxSrarYCvKY0BQYZVujHp52zYYCKKcnodp+DKWJKxtTen0kMi4/sVEtDf8Pw3hI7N8aKcJrX65Sk5CttoYsUWCM9APfHRA6/6zts9vXq3ruqlCzMoMXqzumHJhV2SWBhaCbAkr5gJMZqCZWWDnphe1uXTs/TDdOC9cIjYN3aoj+VQV8SH" "0uC8dRnAv9/P23J/dSRB1TVMjvxi3M0rOz8VqjahFBzJkm0xzMoXPKfJy9cyTw+qS/dWVG8r7nAgKty+gk97sWBQngtDPFN/FrlvF4RRtOO4ZKMERetpNRx/Y0BIRq288L8QYkiWqDzNwIDAQAB"
-
-_25._tcp.mx.dalliard.ch. TLSA 3 1 1 20bbe337af2720d066b5e1e459992539e79b8de79f767fbaabddd299d759bb7e
-_443._tcp.dalliard.ch. TLSA 3 1 1 fd7975203557c5398aa88002415f6d1b56d6487d4f8f791f55972ac56d924a7c
diff --git a/s0/dnsfiles/www.zone b/s0/dnsfiles/www.zone
@@ -0,0 +1,52 @@
+$ORIGIN dalliard.ch.
+$TTL 75600
+
+@ SOA ns1.dalliard.ch. nathanael.dalliard.ch. (
+ 2025102300 ; serial
+ 14400 ; refresh
+ 3600 ; retry
+ 605800 ; expire
+ 75600 ; minimum TTL
+ )
+
+@ NS ns1.dalliard.ch.
+@ NS ns2.dalliard.ch.
+ns1 A 46.23.90.207
+ns1 AAAA 2a03:6000:6f64:604::207
+ns2 A 152.53.196.107
+ns2 AAAA 2a03:4000:0:170d::1
+
+@ A 46.23.90.207
+@ AAAA 2a03:6000:6f64:604::207
+@ MX 0 mx
+@ TXT "v=spf1 mx ~all"
+@ CAA 0 issue "letsencrypt.org"
+
+s1 A 46.23.90.207
+s1 AAAA 2a03:6000:6f64:604::207
+s2 A 152.53.196.107
+s2 AAAA 2a03:4000:0:170d::1
+
+go CNAME s1
+tmp CNAME s1
+www CNAME s1
+src CNAME s2
+
+mx A 46.23.90.207
+mx AAAA 2a03:6000:6f64:604::207
+
+mail CNAME mx
+mta-sts CNAME mx
+
+_imap._tcp SRV 10 5 993 mx
+_submissions._tcp SRV 10 5 465 mx
+
+_dmarc TXT "v=DMARC1; p=reject; rua=mailto:rua+sxmlzx30tg6t@dmarcwise.email; sp=reject; aspf=r;"
+_mta-sts TXT "v=STSv1; id=202509122100;
+_smtp._tls TXT "v=TLSRPTv1; rua=mailto:rua+sxmlzx30tg6t@dmarcwise.email;"
+
+ed._domainkey TXT "v=DKIM1;k=ed25519;p=Tu6L+N+G48OPNGJVamG17XnP4w8DAeLiGH81ITbh9lc="
+rsa._domainkey TXT "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5PVj+wFglrH4xa74ynu3zIaLmxSrarYCvKY0BQYZVujHp52zYYCKKcnodp+DKWJKxtTen0kMi4/sVEtDf8Pw3hI7N8aKcJrX65Sk5CttoYsUWCM9APfHRA6/6zts9vXq3ruqlCzMoMXqzumHJhV2SWBhaCbAkr5gJMZqCZWWDnphe1uXTs/TDdOC9cIjYN3aoj+VQV8SH" "0uC8dRnAv9/P23J/dSRB1TVMjvxi3M0rOz8VqjahFBzJkm0xzMoXPKfJy9cyTw+qS/dWVG8r7nAgKty+gk97sWBQngtDPFN/FrlvF4RRtOO4ZKMERetpNRx/Y0BIRq288L8QYkiWqDzNwIDAQAB"
+
+_25._tcp.mx.dalliard.ch. TLSA 3 1 1 20bbe337af2720d066b5e1e459992539e79b8de79f767fbaabddd299d759bb7e
+_443._tcp.dalliard.ch. TLSA 3 1 1 fd7975203557c5398aa88002415f6d1b56d6487d4f8f791f55972ac56d924a7c
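Review bot: The `_mta-sts` TXT value on the line `_mta-sts TXT "v=STSv1; id=202509122100;` has no closing quote (the line is carried over unchanged from the deleted nsd.zone). Depending on how the zone parser treats a newline inside a quoted string, the record either fails to load or absorbs the following `_smtp._tls` line into its RDATA, which would break both MTA-STS policy discovery and TLS-RPT reporting; a clean `nsd-checkzone` run does not prove the served value is the intended one. The fix is the closing quote: `_mta-sts TXT "v=STSv1; id=202509122100;"`, and the served value is worth confirming with `dig +short TXT _mta-sts.dalliard.ch` after the next push.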
diff --git a/s0/scripts/dnsfiles.sh b/s0/scripts/dnsfiles.sh
@@ -1,19 +1,17 @@
#!/bin/sh -e
src="$HOME/src/src/s0/dnsfiles"
prv="$HOME/prv/secrets/dns"
-zone="/var/nsd/zones/master/dalliard.ch"
-doas install -o root -g _nsd -m 640 "$src/nsd.conf" "/var/nsd/etc/nsd.conf"
-doas install -o root -g _nsd -m 644 "$src/nsd.zone" "/var/nsd/zones/master/dalliard.ch"
-
-doas nsd-checkconf "/var/nsd/etc/nsd.conf"
-nsd-checkzone dalliard.ch "$zone" >/dev/null
+nsd-checkconf "$src/nsd.conf"
+nsd-checkzone dalliard.ch "$src/www.zone" >/dev/null
+nsd-checkzone bitcoinwallis.ch "$src/bw.zone" >/dev/null
+nsd-checkzone bitcoin-wallis.ch "$src/bwd.zone" >/dev/null
-ldns-read-zone -S YYYYMMDDxx "$zone" | doas tee "$zone.tosign" >/dev/null
-ksk=$(find ${prv} -name "Kdalliard.ch.+008+*.key" | sort -nr | head -1 | sed 's/\.\///;s/[0-9]\+ //;s/.key$//')
-zsk=$(find ${prv} -name "Kdalliard.ch.+008+*.key" | sort -n | head -1 | sed 's/\.\///;s/[0-9]\+ //;s/.key$//')
-doas ldns-signzone -f "$zone.signed" "$zone.tosign" "$ksk" "$zsk"
+doas install -o root -g _nsd -m 640 "$src/nsd.conf" "/var/nsd/etc/nsd.conf"
+doas install -o root -g _nsd -m 644 "$src/www.zone" "/var/nsd/zones/master/dalliard.ch"
+doas install -o root -g _nsd -m 644 "$src/bw.zone" "/var/nsd/zones/master/bitcoinwallis.ch"
+doas install -o root -g _nsd -m 644 "$src/bwd.zone" "/var/nsd/zones/master/bitcoin-wallis.ch"
-ldns-verify-zone -V1 "$zone.signed"
+./scripts/dnssec.sh dalliard.ch
doas rdist -f "$src/distfile" -p "/usr/bin/doas /usr/bin/rdistd -S"
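Review bot: `./scripts/dnssec.sh dalliard.ch` is the only cwd-relative path in a script that otherwise anchors everything on `$src`; run from any other directory it fails with "not found", and under `sh -e` that aborts before the rdist line. Use `"$HOME/src/src/s0/scripts/dnssec.sh" dalliard.ch` or derive the directory from `$0`. With the signing moved out, `prv="$HOME/prv/secrets/dns"` on the unchanged line above is dead in this file and can be dropped. The `-e` in `#!/bin/sh -e` is also lost whenever the script is started as `sh dnsfiles.sh`; `set -e` as the first statement is the form that survives either invocation.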
diff --git a/s0/scripts/dnssec.sh b/s0/scripts/dnssec.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+domain=$1
+zones=/var/nsd/zones/master
+zone=${zones}/${domain}
+prv="$HOME/prv/secrets/dns"
+
+ldns-read-zone -S YYYYMMDDxx ${zone} | doas tee ${zone}.tosign >/dev/null
+ksk=$(find ${prv} -name "K${domain}.+008+*.key" | sort -nr | head -1 | sed 's/\.\///;s/[0-9]\+ //;s/.key$//')
+zsk=$(find ${prv} -name "K${domain}.+008+*.key" | sort -n | head -1 | sed 's/\.\///;s/[0-9]\+ //;s/.key$//')
+doas ldns-signzone -f ${zone}.signed ${zone}.tosign $ksk $zsk
+ldns-verify-zone -V1 "$zone.signed"
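Review bot: dnssec.sh runs without `set -e` and with every expansion unquoted, so a missing `$1`, an absent key file or a failed `ldns-read-zone` does not stop it: `ksk`/`zsk` come back empty, `ldns-signzone` is called with missing arguments, and the final `ldns-verify-zone` still exits 0 on the previous, untouched `.signed` file — which is the only status the caller's `-e` sees before rdist pushes it. The rewrite below fails fast on an empty argument or key lookup and quotes the paths; the KSK/ZSK selection is kept but should be documented as a heuristic, since `find` prints full paths and `sort -n` therefore has nothing numeric to compare, so the choice falls back to byte order and only works while both key tags have the same digit count. Without `pipefail` in `/bin/sh`, a failing `ldns-read-zone` is still masked by `tee`; if that matters, write to a temporary file and move it into place.
```sh
#!/bin/sh
set -eu
# Refuse to run without a zone name; with an empty $1 the key glob below matches nothing.
domain=${1:?usage: dnssec.sh <domain>}
# … unchanged: zones= and prv= …
zone="${zones}/${domain}"

ldns-read-zone -S YYYYMMDDxx "$zone" | doas tee "$zone.tosign" >/dev/null
# Heuristic: highest-sorting key file is taken as KSK, lowest as ZSK — confirm against how the keys were generated.
ksk=$(find "$prv" -name "K${domain}.+008+*.key" | sort -nr | head -1 | sed 's/\.\///;s/[0-9]\+ //;s/.key$//')
zsk=$(find "$prv" -name "K${domain}.+008+*.key" | sort -n | head -1 | sed 's/\.\///;s/[0-9]\+ //;s/.key$//')
if [ -z "$ksk" ] || [ -z "$zsk" ]; then
  printf 'dnssec.sh: no K%s.+008+ keys found in %s\n' "$domain" "$prv" >&2
  exit 1
fi
doas ldns-signzone -f "$zone.signed" "$zone.tosign" "$ksk" "$zsk"
# … unchanged: ldns-verify-zone …
```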