bind9: modernize and update zone files & config (#47)

dd-ix · Jan 13, 2024 · 9d81c22 · 9d81c22
1 parent 32e39db
commit 9d81c22
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 50 deletions.
diff --git a/modules/management/bind9.nix b/modules/management/bind9.nix
@@ -26,7 +26,9 @@ in
 
   services.bind = {
     enable = true;
-    listenOn = [ "127.0.0.1" "::1" "212.111.245.179" ];
+
+    # cannot talk to root ns (firewall)
+    forward = "only";
 
     zones = {
       "dd-ix.net" = {

diff --git a/resources/0.b.0.8.0.0.7.7.1.0.a.2.ip6.arpa.zone b/resources/0.b.0.8.0.0.7.7.1.0.a.2.ip6.arpa.zone
@@ -3,19 +3,37 @@
 
 $TTL    1h         ; default TTL for zone
 
-0.b.0.8.0.0.7.7.1.0.a.2.ip6.arpa.  SOA  ns.dd-ix.net.  noc.dd-ix.net.  (
-        2024011101  ;Serial
-        7200        ;Refresh
-        3600        ;Retry
-        1209600     ;Expire
-        3600        ;Negative response caching TTL
-)
+@    SOA  ns.dd-ix.net.  noc.dd-ix.net.  (
+        2024011300  ; Serial
+        7200        ; Refresh
+        3600        ; Retry
+        1209600     ; Expire
+        3600 )      ; Negative response caching TTL
 
 ;; NS Records
-  86400  NS  ans-01.ibh.de.
-  86400  NS  ans-02.ibh.net.
-  86400  NS  ans-03.ibh.de.
-  86400  NS  ans-04.ibh.services.
-  86400  NS  ans-05.ibh.net.
+         NS   ans-01.ibh.de.
+         NS   ans-02.ibh.net.
+         NS   ans-03.ibh.de.
+         NS   ans-04.ibh.services.
+         NS   ans-05.ibh.net.
 
-;; PTR Records
+
+;; PTR IXP Public Services
+;a.f.e.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3
+
+;; PTR IXP Internal Services
+a.f.e.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4 PTR  gw-v601.dd-ix.net.
+
+;; PTR IXP EVPN Underlay
+;a.f.e.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5
+
+;; PTR SVC Public Services
+a.f.e.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6  PTR  gw-v100.dd-ix.net.
+a.f.e.d.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.6  PTR  gw-v101.dd-ix.net.
+
+;; PTR SVC Internal Services
+a.f.e.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7  PTR  gw-v102.dd-ix.net.
+
+;; PTR IBH Uplink
+1.0.0.0.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f  PTR  rtr-c2-pop1-e4-1.ibh.net.
+2.0.0.0.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f  PTR  fw-v99.dd-ix.net.
diff --git a/resources/dd-ix.net.zone b/resources/dd-ix.net.zone
@@ -3,50 +3,64 @@
 
 $TTL    1h         ; default TTL for zone
 
-dd-ix.net.  SOA  ns.dd-ix.net.  noc.dd-ix.net.  (
-        2024011101  ;Serial
-        7200        ;Refresh
-        3600        ;Retry
-        1209600     ;Expire
-        3600        ;Negative response caching TTL
-)
-
-  86400  NS   ans-01.ibh.de.
-  86400  NS   ans-02.ibh.net.
-  86400  NS   ans-03.ibh.de.
-  86400  NS   ans-04.ibh.services.
-  86400  NS   ans-05.ibh.net.
-
-  600    A    212.111.245.178
+@        SOA  ns.dd-ix.net.  noc.dd-ix.net.  (
+              2024011300  ; Serial
+              7200        ; Refresh
+              3600        ; Retry
+              1209600     ; Expire
+              3600 )      ; Negative response caching TTL
+
+         NS   ans-01.ibh.de.
+         NS   ans-02.ibh.net.
+         NS   ans-03.ibh.de.
+         NS   ans-04.ibh.services.
+         NS   ans-05.ibh.net.
+
+         A    212.111.245.178
+
+         CAA  0 issue "letsencrypt.org"
+         CAA  0 issuewild "letsencrypt.org"
+         CAA  0 iodef "mailto:noc@dd-ix.net"
+
          TXT  "v=spf1 include:spf.migadu.com -all"
          TXT  "hosted-email-verify=ddocclet"
 
          MX  20  aspmx2.migadu.com.
          MX  10  aspmx1.migadu.com.
 
-rpx.dd-ix.net.  600  A  212.111.245.178
-ns.dd-ix.net.   600  A  212.111.245.179
 
-www.dd-ix.net.      CNAME  rpx.dd-ix.net.
-content.dd-ix.net.  CNAME  rpx.dd-ix.net.
-auth.dd-ix.net.     CNAME  rpx.dd-ix.net.
-cloud.dd-ix.net.    CNAME  rpx.dd-ix.net.
-wiki.dd-ix.net.     CNAME  rpx.dd-ix.net.
-dcim.dd-ix.net.     CNAME  rpx.dd-ix.net.
-lists.dd-ix.net.    CNAME  rpx.dd-ix.net.
-vault.dd-ix.net.    CNAME  rpx.dd-ix.net.
+;; Hosts
+fw01     A      212.111.245.177
+         AAAA   2a01:7700:80b0:6000::defa
+mno01    A      212.111.245.178
+
+
+;; Services
+rpx      A      212.111.245.178
+ns       A      212.111.245.179
+wg       CNAME  fw01
+
+
+;; Reverse Proxy Aliases
+www      CNAME  rpx
+content  CNAME  rpx
+auth     CNAME  rpx
+cloud    CNAME  rpx
+wiki     CNAME  rpx
+dcim     CNAME  rpx
+lists    CNAME  rpx
+vault    CNAME  rpx
 
-;; BACKUP only: TODO remove
-*.dd-ix.net.        CNAME  dd-ix.net.
 
-autoconfig.dd-ix.net.       CNAME  autoconfig.migadu.com.
-key1._domainkey.dd-ix.net.  CNAME  key1.dd-ix.net._domainkey.migadu.com.
-key2._domainkey.dd-ix.net.  CNAME  key2.dd-ix.net._domainkey.migadu.com.
-key3._domainkey.dd-ix.net.  CNAME  key3.dd-ix.net._domainkey.migadu.com.
+;; Migadu Mail Setup
+autoconfig          CNAME  autoconfig.migadu.com.
+key1._domainkey     CNAME  key1.dd-ix.net._domainkey.migadu.com.
+key2._domainkey     CNAME  key2.dd-ix.net._domainkey.migadu.com.
+key3._domainkey     CNAME  key3.dd-ix.net._domainkey.migadu.com.
 
-_autodiscover._tcp.dd-ix.net.  SRV  0  1  443 autodiscover.migadu.com.
-_imaps._tcp.dd-ix.net.         SRV  0  1  993 imap.migadu.com.
-_pop3s._tcp.dd-ix.net.         SRV  0  1  995 pop.migadu.com.
-_submissions._tcp.dd-ix.net.   SRV  0  1  465 smtp.migadu.com.
+_autodiscover._tcp  SRV  0  1  443 autodiscover.migadu.com.
+_imaps._tcp         SRV  0  1  993 imap.migadu.com.
+_pop3s._tcp         SRV  0  1  995 pop.migadu.com.
+_submissions._tcp   SRV  0  1  465 smtp.migadu.com.
 
-_dmarc.dd-ix.net.  TXT  "v=DMARC1; p=quarantine;"
+_dmarc              TXT  "v=DMARC1; p=quarantine;"