commit 738f55f56d0a27c3114387429427f9d850c7f29d Author: Beu Date: Thu Mar 7 17:21:38 2019 +0100 POC template
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..64a89b8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+## How to deploy :
+
+* Delete all /etc/bind/ directory
+* git clone
+* Run 'rndc-confgen | grep '^key "rndc-key" {' -A3 > rndc.key'
+* Restart bind service
diff --git a/bind.keys b/bind.keys
new file mode 100644
index 0000000..db22d4b
--- /dev/null
+++ b/bind.keys
@@ -0,0 +1,69 @@
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9. As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options. To use the built-in DLV key, set
+# "dnssec-lookaside auto;". Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of Feburary 2017. If any key fails to
+# initialize correctly, it may have expired. In that event you should
+# replace this file with a current version. The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+ #
+ # NOTE: The ISC DLV zone is being phased out as of February 2017;
+ # the key will remain in place but the zone will be otherwise empty.
+ # Configuring "dnssec-lookaside auto;" to activate this key is
+ # harmless, but is no longer useful and is not recommended.
+ dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+ TDN0YUuWrBNh";
+
+ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+ # for current trust anchor information.
+ #
+ # These keys are activated by setting "dnssec-validation auto;"
+ # in named.conf.
+ #
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+
+ # This key (20326) is to be published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/named.conf b/named.conf
new file mode 100644
index 0000000..7a03b4a
--- /dev/null
+++ b/named.conf
@@ -0,0 +1,13 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.keys";
+include "/etc/bind/named.conf.alias";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.view";
diff --git a/named.conf.alias b/named.conf.alias
new file mode 100644
index 0000000..73a8d19
--- /dev/null
+++ b/named.conf.alias
@@ -0,0 +1,26 @@
+//
+// Fichier de déclaration des différents alias utilisés par le
+// serveur DNS pour facilité son administration
+//
+
+///////////////////////////////
+// DECLARATION DES RESEAUX //
+///////////////////////////////
+
+acl reseaux_ipv4_interne {
+ 127.0.0.1;
+};
+acl reseaux_ipv6_interne {
+ ::1;
+};
+
+///////////////////////////////////////////
+// DECLARATION DES SERVEURS DNS SLAVES //
+///////////////////////////////////////////
+
+acl serveur_dns_slave {
+};
+
+masters serveur_dns_slave {
+};
+
diff --git a/named.conf.default-zones b/named.conf.default-zones
new file mode 100644
index 0000000..7ba757e
--- /dev/null
+++ b/named.conf.default-zones
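Review bot: `include "/etc/bind/named.conf.default-zones";` pulls the hint and localhost zones in at top level while named.conf.view, added by the same commit, declares the views "interne" and "public"; named refuses a configuration that mixes top-level zones with views, so named-checkconf fails on this file before the service can start. Either drop this include and uncomment the `//include "/etc/bind/named.conf.default-zones";` line that already sits inside the "interne" view, or give up the views. The blob for named.conf.keys is empty (index e69de29), so the first include is a placeholder today; a one-line comment next to it saying what is expected to land there would stop a reader from assuming a file went missing.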
@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+ type hint;
+ file "/etc/bind/zones/default/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+ type master;
+ file "/etc/bind/zones/default/db.local";
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/zones/default/db.127";
+};
+
+zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/zones/default/db.0";
+};
+
+zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/zones/default/db.255";
+};
+
+
diff --git a/named.conf.keys b/named.conf.keys
new file mode 100644
index 0000000..e69de29
diff --git a/named.conf.options b/named.conf.options
new file mode 100644
index 0000000..6fda40f
--- /dev/null
+++ b/named.conf.options
@@ -0,0 +1,55 @@
+options {
+ directory "/var/cache/bind";
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ dnssec-enable yes;
+ dnssec-validation auto;
+ auth-nxdomain no;
+
+ listen-on-v6 { any; };
+ version none;
+ hostname none;
+ server-id none;
+
+ ////////////////////////////////
+ // SERVEUR DNS MAÎTRE CACHÉ //
+ ////////////////////////////////
+
+ // Définit si ce serveur doit répondre aux requêtes
+ allow-query { 127.0.0.1; };
+ allow-query-cache { none; };
+
+ // Définit si ce serveur répond aux requêtes pour
+ // des domaines qu'il ne connait pas.
+ recursion no;
+ allow-recursion { none; };
+
+ // Définit si le serveur peut recevoir des mises à jours
+ // pour les domaines qu'il gère
+ allow-update { none; };
+
+ // Indique au serveur de n'envoyer un message de NOTIFY
+ // qu' aux serveurs listés dans l'instruction `also-notify`.
+ // Cela désactive aussi le fonctionnement de bind qui envoie
+ // ce message à tous les serveurs DNS renseignés via
+ // l'enregistrement NS (sauf lui-même et le serveur primaire)
+ notify explicit;
+ also-notify { none; };
+
+ // Définit la liste des adresses IPs autorisés à copier les
+ // fichier de zone.
+ allow-transfer { none; };
+
+ // RNDC control
+ include "/etc/rndc.key";
+ controls {
+ inet 127.0.0.1 port 953
+ allow { 127.0.0.1; } keys { "rndc-key"; };
+ };
+
+};
+
+// vim: set filetype=named :
diff --git a/named.conf.view b/named.conf.view
new file mode 100644
index 0000000..709f767
--- /dev/null
+++ b/named.conf.view
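Review bot: `include "/etc/rndc.key";` and the `controls { … };` block are placed inside `options { … };` (the block only closes two lines later with `};`), but `key` and `controls` are top-level statements in named.conf, so named-checkconf rejects this file; move both lines below the options block's closing `};`. The include path also disagrees with the README, whose rndc-confgen step writes `rndc.key` into the checkout rather than to `/etc/rndc.key`; pick one location and keep that file readable only by the named user, since it carries the control-channel secret. `allow-query { 127.0.0.1; };` together with `allow-transfer { none; };` leaves this hidden master unreachable from any secondary — fine as a template default, but a TODO on those two lines would keep the placeholder from being mistaken for the intended state.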
@@ -0,0 +1,75 @@
+//
+// Fichier de configuration des vues
+//
+view "interne" {
+ match-clients {
+ };
+
+ // Définit si ce serveur doit répondre aux requêtes
+ allow-query { 127.0.0.1; };
+ allow-query-cache { none; };
+
+ // Définit si ce serveur répond aux requêtes pour
+ // des domaines qu'il ne connait pas.
+ recursion no;
+ allow-recursion { none; };
+
+ // Définit si le serveur peut recevoir des mises à jours
+ // pour les domaines qu'il gère
+ allow-update { none; };
+
+ // Indique au serveur de n'envoyer un message de NOTIFY
+ // qu' aux serveurs listés dans l'instruction `also-notify`.
+ // Cela désactive aussi le fonctionnement de bind qui envoie
+ // ce message à tous les serveurs DNS renseignés via
+ // l'enregistrement NS (sauf lui-même et le serveur primaire)
+ notify explicit;
+ also-notify {
+ };
+
+ // Définit la liste des adresses IPs autorisés à copier les
+ // fichier de zone.
+ allow-transfer {
+ };
+
+ // Inclut les zones référencés dans le(s) fichier(s) suivant(s)
+ //include "/etc/bind/named.conf.default-zones";
+ //include "/etc/bind/zones.rfc1918";
+ include "/etc/bind/views/interne.conf";
+};
+view "public" {
+ match-clients {
+ };
+
+ // Définit si ce serveur doit répondre aux requêtes
+ allow-query { 127.0.0.1; };
+ allow-query-cache { none; };
+
+ // Définit si ce serveur répond aux requêtes pour
+ // des domaines qu'il ne connait pas.
+ recursion no;
+ allow-recursion { none; };
+
+ // Définit si le serveur peut recevoir des mises à jours
+ // pour les domaines qu'il gère
+ allow-update { none; };
+
+ // Indique au serveur de n'envoyer un message de NOTIFY
+ // qu' aux serveurs listés dans l'instruction `also-notify`.
+ // Cela désactive aussi le fonctionnement de bind qui envoie
+ // ce message à tous les serveurs DNS renseignés via
+ // l'enregistrement NS (sauf lui-même et le serveur primaire)
+ notify explicit;
+ also-notify {
+ };
+
+ // Définit la liste des adresses IPs autorisés à copier les
+ // fichier de zone.
+ allow-transfer {
+ };
+
+ // Inclut les zones référencés dans le(s) fichier(s) suivant(s)
+ include "/etc/bind/views/public.conf";
+};
+
+// vim: set filetype=named :
diff --git a/views/interne.conf b/views/interne.conf
new file mode 100644
index 0000000..d304945
--- /dev/null
+++ b/views/interne.conf
@@ -0,0 +1,9 @@
+//
+// Déclaration des zones internes
+//
+
+
+
+//
+//// Déclaration des zones internes inverse
+//
diff --git a/views/public.conf b/views/public.conf
new file mode 100644
index 0000000..529c7db
--- /dev/null
+++ b/views/public.conf
@@ -0,0 +1,3 @@
+//
+// Déclaration des zones publiques
+//
diff --git a/zones.rfc1918 b/zones.rfc1918
new file mode 100644
index 0000000..a832099
--- /dev/null
+++ b/zones.rfc1918
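Review bot: `match-clients { };` is empty in both views, and an empty address-match list matches no client, so as written neither view should ever be selected and named presumably answers nothing; named.conf.alias already defines `reseaux_ipv4_interne` and `reseaux_ipv6_interne` for this purpose, so "interne" wants `match-clients { reseaux_ipv4_interne; reseaux_ipv6_interne; };` and "public" `match-clients { any; };` (views are tried in order, so "interne" must stay first). `allow-transfer { };` and `also-notify { };` are likewise empty in both views, which denies every transfer and notify — safe, but the `serveur_dns_slave` acl and masters list exist for exactly this, so either reference them here or mark each empty list with a TODO so the blank is read as a placeholder rather than a decision. Both views also restrict `allow-query` to 127.0.0.1; for a view named "public" that only makes sense in the hidden-master setup named.conf.options describes, and a comment saying so would keep a later edit from opening it up by mistake.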
@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+
+zone "16.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "17.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "18.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "19.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "20.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "21.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "22.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "23.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "24.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "25.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "26.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "27.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "28.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "29.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "30.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+zone "31.172.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/zones/default/db.empty"; };
diff --git a/zones/default/db.0 b/zones/default/db.0
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/zones/default/db.0
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/zones/default/db.127 b/zones/default/db.127
new file mode 100644
index 0000000..cd05bef
--- /dev/null
+++ b/zones/default/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
diff --git a/zones/default/db.255 b/zones/default/db.255
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/zones/default/db.255
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/zones/default/db.empty b/zones/default/db.empty
new file mode 100644
index 0000000..8a12858
--- /dev/null
+++ b/zones/default/db.empty
@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL 86400
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/zones/default/db.local b/zones/default/db.local
new file mode 100644
index 0000000..2f272d4
--- /dev/null
+++ b/zones/default/db.local
@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+@ IN A 127.0.0.1
+@ IN AAAA ::1
diff --git a/zones/default/db.root b/zones/default/db.root
new file mode 100644
index 0000000..f0b79d2
--- /dev/null
+++ b/zones/default/db.root
@@ -0,0 +1,90 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . "
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: February 17, 2016
+; related version of root zone: 2016021701
+;
+; formerly NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file