From: Frank Brehm Date: Tue, 9 Oct 2018 04:35:13 +0000 (+0200) Subject: daily autocommit X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=d021e05e4089fbcbaeb06c14d85b368bf99e065e;p=config%2Fsarah%2Fetc.git daily autocommit
---
diff --git a/.etckeeper b/.etckeeper
index ca58c87..e662337 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -4,6 +4,8 @@ mkdir -p './X11/xkb'
 mkdir -p './apm/event.d'
 mkdir -p './apparmor.d/force-complain'
 mkdir -p './apt/preferences.d'
+mkdir -p './bind/dyn'
+mkdir -p './bind/zones'
 mkdir -p './binfmt.d'
 mkdir -p './ca-certificates/update.d'
 mkdir -p './clamav/onerrorexecute.d'
@@ -163,17 +165,28 @@ maybe chmod 0644 'bind/db.255'
 maybe chmod 0644 'bind/db.empty'
 maybe chmod 0644 'bind/db.local'
 maybe chmod 0644 'bind/db.root'
-maybe chgrp 'bind' 'bind/named.conf'
+maybe chmod 0700 'bind/dnssec'
+maybe chmod 0600 'bind/dnssec/Kdns-uhu-banane.+157+21915.key'
+maybe chmod 0600 'bind/dnssec/Kdns-uhu-banane.+157+21915.private'
+maybe chmod 0600 'bind/dnssec/Kdyn-dns-updater.+157+29290.key'
+maybe chmod 0600 'bind/dnssec/Kdyn-dns-updater.+157+29290.private'
+maybe chown 'bind' 'bind/dyn'
+maybe chgrp 'bind' 'bind/dyn'
+maybe chmod 0770 'bind/dyn'
+maybe chmod 0644 'bind/named-acl.conf'
+maybe chmod 0644 'bind/named-dyn.conf'
+maybe chmod 0644 'bind/named-log.conf'
+maybe chmod 0644 'bind/named-pri.conf'
+maybe chmod 0644 'bind/named-sec.conf'
 maybe chmod 0644 'bind/named.conf'
-maybe chgrp 'bind' 'bind/named.conf.default-zones'
 maybe chmod 0644 'bind/named.conf.default-zones'
-maybe chgrp 'bind' 'bind/named.conf.local'
 maybe chmod 0644 'bind/named.conf.local'
-maybe chgrp 'bind' 'bind/named.conf.options'
 maybe chmod 0644 'bind/named.conf.options'
 maybe chown 'bind' 'bind/rndc.key'
 maybe chgrp 'bind' 'bind/rndc.key'
 maybe chmod 0640 'bind/rndc.key'
+maybe chgrp 'bind' 'bind/zones'
+maybe chmod 0755 'bind/zones'
 maybe chmod 0644 'bind/zones.rfc1918'
 maybe chmod 0644 'bindresvport.blacklist'
 maybe chmod 0755 'binfmt.d'
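Review bot: `maybe chmod 0644 'bind/named.conf.options'` stays world-readable in the second hunk, while this same commit writes an inline `key "dyn-dns-updater"` secret into named.conf.options, so the 0600 applied to `bind/dnssec/*` is undone for the same key material one file over. Keep the `key` statement out of the options file — a separate root:bind file at mode 0640 pulled in with `include`, the way `rndc.key` is already recorded here at 0640 — so etckeeper tracks it with the restricted mode. `maybe chmod 0770 'bind/dyn'` is reasonable for a dynamic-zone directory that named must write journals into; it is worth confirming that `bind/zones` at 0755 will only ever hold zone data and never key files. Note that these `maybe` lines only restore metadata on checkout; they do nothing to keep the secret files themselves out of the repository.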
@@ -887,6 +900,7 @@ maybe chmod 0644 'logrotate.conf'
 maybe chmod 0755 'logrotate.d'
 maybe chmod 0644 'logrotate.d/apt'
 maybe chmod 0644 'logrotate.d/aptitude'
+maybe chmod 0644 'logrotate.d/bind'
 maybe chmod 0644 'logrotate.d/chrony'
 maybe chmod 0644 'logrotate.d/clamav-daemon'
 maybe chmod 0644 'logrotate.d/clamav-freshclam'
diff --git a/bind/dnssec/Kdns-uhu-banane.+157+21915.key b/bind/dnssec/Kdns-uhu-banane.+157+21915.key
new file mode 100644
index 0000000..2d24110
--- /dev/null
+++ b/bind/dnssec/Kdns-uhu-banane.+157+21915.key
@@ -0,0 +1 @@
+dns-uhu-banane. IN KEY 512 3 157 eMhLmrsWxS28+oUnhbjwE6xYhMCvDKtsEBEc6TzD62mPMQ3R57xDb6McBAduXo56/a1xOtrX/tFs4CVnDnYdMw==
diff --git a/bind/dnssec/Kdns-uhu-banane.+157+21915.private b/bind/dnssec/Kdns-uhu-banane.+157+21915.private
new file mode 100644
index 0000000..66faaf0
--- /dev/null
+++ b/bind/dnssec/Kdns-uhu-banane.+157+21915.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 157 (HMAC_MD5)
+Key: eMhLmrsWxS28+oUnhbjwE6xYhMCvDKtsEBEc6TzD62mPMQ3R57xDb6McBAduXo56/a1xOtrX/tFs4CVnDnYdMw==
+Bits: AAA=
+Created: 20160308220200
+Publish: 20160308220200
+Activate: 20160308220200
diff --git a/bind/dnssec/Kdyn-dns-updater.+157+29290.key b/bind/dnssec/Kdyn-dns-updater.+157+29290.key
new file mode 100644
index 0000000..564d8a3
--- /dev/null
+++ b/bind/dnssec/Kdyn-dns-updater.+157+29290.key
@@ -0,0 +1 @@
+dyn-dns-updater. IN KEY 0 3 157 gi69Yjzo1OSPVQ/oTTgw+Q==
diff --git a/bind/dnssec/Kdyn-dns-updater.+157+29290.private b/bind/dnssec/Kdyn-dns-updater.+157+29290.private
new file mode 100644
index 0000000..8ce7689
--- /dev/null
+++ b/bind/dnssec/Kdyn-dns-updater.+157+29290.private
@@ -0,0 +1,4 @@
+Private-key-format: v1.2
+Algorithm: 157 (HMAC_MD5)
+Key: gi69Yjzo1OSPVQ/oTTgw+Q==
+Bits: AAA=
diff --git a/bind/named-acl.conf b/bind/named-acl.conf
new file mode 100644
index 0000000..dd9d54d
--- /dev/null
+++ b/bind/named-acl.conf
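Review bot: The new `bind/dnssec/Kdns-uhu-banane.+157+21915.key` file, and likewise the `.private` beside it and both `Kdyn-dns-updater.+157+29290.*` files, carry HMAC secrets in clear text, and etckeeper is committing them into the git history of a repository that is served at the `X-Git-Url` above. The 0600 mode recorded in `.etckeeper` protects only the working copy; anyone who can read this repository or its history now holds both secrets, so they should be treated as exposed, regenerated, and the old values purged from history. Add `bind/dnssec/` (and any other file holding TSIG material) to the etckeeper ignore list so later autocommits do not repeat this. Both keys are `Algorithm: 157 (HMAC_MD5)`; when regenerating, prefer hmac-sha256 where the update and transfer peers support it, since HMAC-MD5 is deprecated for TSIG.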
@@ -0,0 +1,145 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Access-Control-Listen
+//# /etc/bind/named-acl.conf
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
+//###############################################################
+//# Access-Control-Listen
+
+#----------------------------------------
+acl allow-dyn-update {
+ 46.16.73.175;
+ 2001:4dd0:ff00:cd3::2;
+ 85.214.134.152;
+ 2a01:238:4225:6e00:8f8c:808a:7fb8:88df;
+ 144.76.221.169;
+ 2a01:4f8:200:94a8::2;
+ 138.201.28.135;
+ 2a01:4f8:171:3006::2;
+ 185.48.118.128;
+ 162.254.24.33;
+ 185.102.95.107;
+ 2a06:2380:0:1::3a;
+ 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
+ 127.0.0.1;
+ ::1;
+};
+
+#----------------------------------------
+acl allow-notify {
+ 46.16.73.175;
+ 2001:4dd0:ff00:cd3::2;
+ 85.214.134.152;
+ 2a01:238:4225:6e00:8f8c:808a:7fb8:88df;
+ 144.76.221.169;
+ 2a01:4f8:200:94a8::2;
+ 138.201.28.135;
+ 2a01:4f8:171:3006::2;
+ 185.48.118.128;
+ 162.254.24.33;
+ 185.102.95.107;
+ 2a06:2380:0:1::3a;
+ 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
+ 127.0.0.1;
+ ::1;
+};
+
+#----------------------------------------
+acl allow-recursion {
+ 46.16.73.175;
+ 2001:4dd0:ff00:cd3::2;
+ 85.214.134.152;
+ 2a01:238:4225:6e00:8f8c:808a:7fb8:88df;
+ 144.76.221.169;
+ 2a01:4f8:200:94a8::2;
+ 185.48.118.128;
+ 162.254.24.33;
+ 185.102.95.107;
+ 2a06:2380:0:1::3a;
+ 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
+ 138.201.28.135;
+ 138.201.28.184;
+ 138.201.28.185;
+ 138.201.28.186;
+ 2a01:4f8:171:3006::/64;
+ 127.0.0.0/8;
+ ::1/128;
+ fe80::/10;
+};
+
+#----------------------------------------
+acl also-notify-acwain {
+ 144.76.221.169;
+ 2a01:4f8:200:94a8::2;
+ 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
+ 138.201.28.135;
+ 2a01:4f8:171:3006::2;
+};
+
+#----------------------------------------
+acl also-notify-boreus {
+ 195.50.185.7;
+ 46.189.56.7;
+ 85.199.64.7;
+};
+
+#----------------------------------------
+acl also-notify-uhu-banane {
+ 185.48.118.128;
+ 162.254.24.33;
+};
+
+#----------------------------------------
+acl common-allow-transfer {
+ 195.50.185.7;
+ 46.189.56.7;
+ 85.199.64.7;
+ 46.16.73.175;
+ 2001:4dd0:ff00:cd3::2;
+ 85.214.134.152;
+ 2a01:238:4225:6e00:8f8c:808a:7fb8:88df;
+ 144.76.221.169;
+ 2a01:4f8:200:94a8::2;
+ 138.201.28.135;
+ 2a01:4f8:171:3006::2;
+ 185.48.118.128;
+ 162.254.24.33;
+ 185.102.95.107;
+ 2a06:2380:0:1::3a;
+ 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
+ 127.0.0.1;
+ ::1;
+};
+
+#----------------------------------------
+acl local-host-ips {
+ 127.0.0.1/8;
+ ::1/128;
+};
+
+#----------------------------------------
+acl local-net-ips {
+ 127.0.0.0/8;
+ 10.0.0.0/8;
+ 172.16.0.0/12;
+ 192.168.0.0/16;
+ ::1/128;
+ fe80::/10;
+};
+
+#----------------------------------------
+acl private-net-ips {
+ 10.12.11.0/24;
+ 46.16.73.175;
+ 2001:4dd0:ff00:cd3::2;
+ 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
+ 85.214.134.152;
+ 2a01:238:4225:6e00:8f8c:808a:7fb8:88df;
+ 185.102.95.107;
+ 2a06:2380:0:1::3a;
+};
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-dyn.conf b/bind/named-dyn.conf
new file mode 100644
index 0000000..e0981dd
--- /dev/null
+++ b/bind/named-dyn.conf
@@ -0,0 +1,11 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Dynamische Zonen
+//# /etc/bind/named-dyn.conf
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
+
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-log.conf b/bind/named-log.conf
new file mode 100644
index 0000000..861a5ee
--- /dev/null
+++ b/bind/named-log.conf
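Review bot: `127.0.0.1/8;` in `acl local-host-ips` is a prefix with host bits set; as far as I know BIND accepts it but logs an address/prefix-length mismatch warning and matches it as `127.0.0.0/8`, which is also the form `local-net-ips` and `allow-recursion` already use, so `127.0.0.0/8;` here would keep the three consistent. Style: `allow-dyn-update`, `allow-notify` and the tail of `common-allow-transfer` repeat the same fifteen-address list verbatim, so a peer added to one and forgotten in another will diverge silently; define that list once (e.g. `acl trusted-peers { ... };`) and reference it by name from the other ACLs. `allow-recursion` admits a number of public addresses, which is fine only as long as each one is a host this server is meant to resolve for, since every match here gets open-resolver service.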
@@ -0,0 +1,87 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei Logging
+//# /etc/bind/named-log.conf
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
+//###############################################################
+//# Angaben zum Logging
+
+logging {
+
+ //---------------------------------------
+ // Channels
+
+ channel complete_debug {
+ file "/var/log/bind/complete-debug.log";
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ severity debug 99;
+ };
+
+ channel logtofile {
+ file "/var/log/bind/named.log";
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ severity info;
+ };
+
+ channel moderate_debug {
+ file "/var/log/bind/debug.log";
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ severity debug 1;
+ };
+
+ channel query_logging {
+ file "/var/log/bind/query.log";
+ print-time yes;
+ };
+
+ channel security_file {
+ file "/var/log/bind/security.log";
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ severity dynamic;
+ };
+
+ channel syslog-warning {
+ syslog daemon;
+ severity warning;
+ };
+
+
+ //---------------------------------------
+ // Categories
+
+ category default {
+ default_debug;
+ logtofile;
+ };
+
+ category general {
+ logtofile;
+ syslog-warning;
+ };
+
+ category lame-servers {
+ null;
+ };
+
+ category queries {
+ query_logging;
+ };
+
+ category security {
+ security_file;
+ };
+
+};
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-pri.conf b/bind/named-pri.conf
new file mode 100644
index 0000000..c0fe5a3
--- /dev/null
+++ b/bind/named-pri.conf
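Review bot: The channels `complete_debug` and `moderate_debug` are defined but no `category` references them, so they only add files under `/var/log/bind/` for the new logrotate stanza to manage; either wire them to a category or leave them out until they are needed. `category queries { query_logging; }` turns on unconditional query logging, which records every client query from the hosts admitted by `allow-recursion` and is the highest-volume channel here; consider leaving it off by default and toggling it with `rndc querylog` when diagnosing. `severity dynamic` on `security_file` is a good choice, since `rndc trace` can raise it without a reload. None of the file channels set `versions`/`size`, which is consistent with delegating rotation to logrotate, but it does assume `/var/log/bind` exists and is writable by the `bind` user — nothing in this commit creates that directory.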
@@ -0,0 +1,14 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Primaere Zonen
+//# /etc/bind/named-pri.conf
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
+//###############################################################
+//# Master-Zonen (Primary)
+
+
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-sec.conf b/bind/named-sec.conf
new file mode 100644
index 0000000..1507fb7
--- /dev/null
+++ b/bind/named-sec.conf
@@ -0,0 +1,14 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Sekundaere Zonen
+//# /etc/bind/named-sec
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
+//###############################################################
+//# Slave-Zonen (Secondary)
+
+
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named.conf b/bind/named.conf
index 880786a..6630992 100644
--- a/bind/named.conf
+++ b/bind/named.conf
@@ -1,3 +1,11 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei
+//# /etc/bind/named.conf
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
 // This is the primary configuration file for the BIND DNS server named.
 //
 // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
@@ -6,6 +14,30 @@
 //
 // If you are just adding zones, please do that in /etc/bind/named.conf.local
+// access control lists
+include "/etc/bind/named-acl.conf";
+
+// global options
 include "/etc/bind/named.conf.options";
+
+// logging configuration
+include "/etc/bind/named-log.conf";
+
+// local configuration
 include "/etc/bind/named.conf.local";
+
+// Default zones
 include "/etc/bind/named.conf.default-zones";
+
+// master zones
+include "/etc/bind/named-pri.conf";
+
+// dynamic zones
+include "/etc/bind/named-dyn.conf";
+
+// slave zones
+include "/etc/bind/named-sec.conf";
+
+
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named.conf.default-zones b/bind/named.conf.default-zones
index 355338b..a5f08f7 100644
--- a/bind/named.conf.default-zones
+++ b/bind/named.conf.default-zones
@@ -1,3 +1,11 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei Default zones
+//# /etc/bind/named.conf.default-zones
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
 // prime the server with knowledge of the root servers
 zone "." {
 type hint;
@@ -27,4 +35,4 @@ zone "255.in-addr.arpa" {
 file "/etc/bind/db.255";
 };
-
+# vim: ts=4 filetype=named noai
diff --git a/bind/named.conf.local b/bind/named.conf.local
index 7a57b10..6a4ba75 100644
--- a/bind/named.conf.local
+++ b/bind/named.conf.local
@@ -1,8 +1,18 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei Lokeles Geruempel
+//# /etc/bind/named.conf.local
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
 //
 // Do any local configuration here
 //
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
-//include "/etc/bind/zones.rfc1918";
+include "/etc/bind/zones.rfc1918";
+
+# vim: ts=4 filetype=named noai
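Review bot: Uncommenting `include "/etc/bind/zones.rfc1918";` in named.conf.local makes this server `type master` with an empty database for every RFC 1918 reverse zone, so reverse lookups for `10.12.11.0/24` — a network the new `acl private-net-ips` explicitly lists — will get a local NXDOMAIN instead of being resolved. As far as I know BIND already serves these as built-in empty zones unless `empty-zones-enable no` is set, so the explicit include mostly adds authoritative masters that would shadow a real delegation later; if the goal is only to stop RFC 1918 PTR queries leaking upstream, the built-ins already do that and the line can stay commented. The comment kept just above it, `// Consider adding the 1918 zones here, if they are not used in your organization`, states the condition that should be checked before enabling this.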
diff --git a/bind/named.conf.options b/bind/named.conf.options
index b1bef51..0d63566 100644
--- a/bind/named.conf.options
+++ b/bind/named.conf.options
@@ -1,26 +1,91 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei for general options
+//# /etc/bind/named.conf.options
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
+
+//###############################################################
+//# Allgemeine Optionen
+
 options {
+ directory "/var/cache/bind";
 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk. See http://www.kb.cert.org/vuls/id/800113
- // If your ISP provided one or more IP addresses for stable
- // nameservers, you probably want to use them as forwarders.
- // Uncomment the following block, and insert the addresses replacing
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
 // the all-0's placeholder.
 // forwarders {
 // 0.0.0.0;
 // };
+ /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
+ //bindkeys-file "/etc/bind/bind.keys";
+
+ listen-on-v6 { any; };
+ listen-on { any; };
+
+ allow-notify {
+ allow-notify;
+ };
+
+ allow-recursion {
+ allow-recursion;
+ };
+
 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys. See https://www.isc.org/bind-keys
 //========================================================================
+ //dnssec-enable yes;
 dnssec-validation auto;
+ dnssec-lookaside auto;
- auth-nxdomain no; # conform to RFC1035
- listen-on-v6 { any; };
+ /*
+ * As of bind 9.8.0:
+ * "If the root key provided has expired,
+ * named will log the expiration and validation will not work."
+ */
+ //dnssec-validation auto;
+
+ /* if you have problems and are behind a firewall: */
+ //query-source address * port 53;
+
+ // pid-file "/var/run/named/named.pid";
+
+ version "none";
+
+};
+
+// Managed Keys
+include "/etc/bind/bind.keys";
+
+key "dyn-dns-updater" {
+ algorithm hmac-md5;
+ secret "gi69Yjzo1OSPVQ/oTTgw+Q==";
 };
+//###############################################################
+//# Kontrollkanäle für RNDC
+
+include "/etc/bind/rndc.key";
+
+controls {
+ inet 127.0.0.1 port 953 allow {
+ 127.0.0.1;
+ ::1/128;
+ } keys {
+ "rndc-key";
+ };
+};
+
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/rndc.key b/bind/rndc.key
index 6ee49f4..402f164 100644
--- a/bind/rndc.key
+++ b/bind/rndc.key
@@ -1,4 +1,4 @@
 key "rndc-key" {
 algorithm hmac-md5;
- secret "QZWrR209/0Vzozjh+86Tww==";
+ secret "eMhLmrsWxS28+oUnhbjwE6xYhMCvDKtsEBEc6TzD62mPMQ3R57xDb6McBAduXo56/a1xOtrX/tFs4CVnDnYdMw==";
 };
diff --git a/bind/zones.rfc1918 b/bind/zones.rfc1918
index 03b5546..48bf496 100644
--- a/bind/zones.rfc1918
+++ b/bind/zones.rfc1918
@@ -1,5 +1,13 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei Default zones RFC 1918
+//# /etc/bind/zones.rfc1918
+//#
+//# Host sarah.uhu-banane.de
+//#
+//###############################################################
+
 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
-
+
 zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
 zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
 zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
@@ -18,3 +26,5 @@ zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
 zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
 zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+# vim: ts=4 filetype=named noai
diff --git a/logrotate.d/bind b/logrotate.d/bind
new file mode 100644
index 0000000..75637e8
--- /dev/null
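Review bot: `secret "gi69Yjzo1OSPVQ/oTTgw+Q=="` for `key "dyn-dns-updater"` is written inline into named.conf.options, which `.etckeeper` keeps at mode 0644, so the key that authorises dynamic updates is world-readable on the host; move the `key` statement into its own root:bind 0640 file and pull it in with `include`, exactly as the hunk already does for `rndc.key` a few lines further down. `dnssec-lookaside auto;` should be removed: ISC retired the DLV registry in 2017, later BIND 9 releases only warn about the option and the newest reject it, and `dnssec-validation auto;` alone is sufficient. The commented `//bindkeys-file` together with the explicit `include "/etc/bind/bind.keys";` is worth checking against the installed BIND version — with `dnssec-validation auto` the trust anchor is loaded from the bindkeys file automatically, and I cannot tell from the diff whether including the same managed-keys statement a second time is tolerated. Finally, `::1/128;` in the `controls` allow list can never match because the channel binds only `inet 127.0.0.1`; harmless, but either add an `inet ::1` control or drop the entry so the list reflects what is actually reachable.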
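Review bot: The new `secret` for `"rndc-key"` is byte-for-byte the `Key:` value committed in `bind/dnssec/Kdns-uhu-banane.+157+21915.private` earlier in this diff, so the rndc control-channel key and a TSIG key published under another name now share one secret. Anyone who legitimately holds the `dns-uhu-banane` key can then also drive `rndc` on this host if port 953 is reachable to them, and rotating either key silently invalidates the other; generate an independent secret for rndc (`rndc-confgen` does this) and keep the two apart. Because the previous value `QZWrR209/0Vzozjh+86Tww==` also remains in repository history, both the old and the new rndc secret should be treated as exposed once this repository is readable by anyone other than root.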
+++ b/logrotate.d/bind
@@ -0,0 +1,35 @@
+/var/log/bind/complete-debug.log /var/log/bind/debug.log /var/log/bind/query.log /var/log/bind/security.log {
+ daily
+ olddir /var/log/bind/.old
+ dateext
+ size 4M
+ rotate 10
+ notifempty
+ missingok
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /usr/sbin/rndc reload
+ endscript
+}
+
+/var/log/bind/named.log {
+ daily
+ olddir /var/log/bind/.old
+ dateext
+ size 10M
+ rotate 20
+ notifempty
+ missingok
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /usr/sbin/rndc reload
+ endscript
+}
+
+
+# vim: ts=4 filetype=conf
+
diff --git a/passwd b/passwd
index ddff25d..f1ce8f3 100644
--- a/passwd
+++ b/passwd
@@ -39,4 +39,4 @@ opendkim:x:114:123::/var/run/opendkim:/bin/false
 _apt:x:115:65534::/nonexistent:/bin/false
 _chrony:x:116:124:Chrony daemon,,,:/var/lib/chrony:/bin/false
 nagios:x:117:125::/var/lib/nagios:/bin/false
-bind:x:118:126::/var/cache/bind:/bin/false
+bind:x:118:126:Bind daemon user,,,:/var/cache/bind:/bin/false
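Review bot: `daily` combined with `size 4M` (and `size 10M` in the second stanza) does not do what the pairing suggests: in logrotate `size` is mutually exclusive with the interval directives and makes rotation depend on file size alone, so these logs will not rotate daily. If the intent is daily rotation with a size cap, use `maxsize 4M` / `maxsize 10M`, which rotates at whichever of the interval or the threshold comes first. `olddir /var/log/bind/.old` must already exist, or be created with `createolddir 0750 bind bind` (available in newer logrotate releases, as far as I recall), otherwise logrotate aborts the whole stanza — nothing in this commit creates that directory. `postrotate /usr/sbin/rndc reload` re-reads every zone just to get the log files reopened; `rndc reconfig` is the lighter call if this BIND version reopens channels on reconfig, which is worth verifying before switching.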