From 2cdcc79e69aa5f1ed255f3894ab7e061b0761d40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anton=20Luka=20=C5=A0ijanec?= Date: Mon, 7 Aug 2023 23:15:32 +0200 Subject: 6 --- prog/6/6d.conf | 155 ++++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 127 insertions(+), 28 deletions(-) (limited to 'prog/6/6d.conf') diff --git a/prog/6/6d.conf b/prog/6/6d.conf index 39e751c..3ecc3ff 100644 --- a/prog/6/6d.conf +++ b/prog/6/6d.conf 
@@ -1,28 +1,127 @@ -the example configuration file for 6d -this is where you define your zones/networks and static entries -syntax description: -- all lines that are unparsable are considered comments and ignored -- zones/networks are defined with a space separated list of the following items on the same line - 1) an ipv6 network address (see `man inet_pton`) and a netmask with a '/' in between - 2) the admin email address of the dns administrator - 3) a space-separated list of FQDNs of nameservers for this zone, the first entry being the master -- static PTRs for hosts are defined by an IPv6 address and FQDN, separated by a single space on a single line -- NS delegations for subnetworks are defined by an IPv6 subnetwork (address+mask) and nameserver FQDNs, with everything separated by a single space -- the order of configuration lines does not matter - -the following defines a dns zone. there can be many such lines for different networks. -those are authoritative zones for which on-the-fly generation will occur. -all nameservers, provided here, must be 6d nameservers or at least 6d nameservers behind a DNS proxy, such as bind. -there can be as many nameservers (but at least one) after the admin email -2001:db8::/32 dns@t-2.net.example dns1.t-2.net.example dns2.t-2.net.example - -the following line defines a static PTR FQDN for a single host -2001:db8:0:d::b90a tranzistor.sijanec.eu.example - -the following line defines static NS records for a subnetwork. -this subnetwork must be a subnetwork of a zone that 6d will generate records for. -when 6d will be asked for an address that is part of this subnetwork, it will state that some other server is authoritative for this subnetwork and direct the client to the server provided. 
-there can be as many nameservers (but at least one) after the network name -2001:db8:e77:5500::/56 ns1.sijanec.org.example ns2.sijanec.org.example - -you can run `6d dry ` to parse the configuration file, output it and exit without starting the daemon +# The example configuration file for 6d. +# This is where you define your zones/networks and static entries. +# It is parsed by libconfuse. +# Default TTL is 420. +# You can run `6d dry ` to parse the configuration file, output it and exit. +# You can `killall -SIGHUP 6d` or `service 6d reload` to reload the configuration of a running 6d. Reloading is a safe operation as an unparsable config file will not cause the program to stop, so check the logs after reloading to see if the reload succeeded. +# Hostnames that need to be resolved (for 6d-protocol communication) are resolved when needed and not on configuration reload, so you can change IP addresses of servers in DNS without needing to reload the server. This also means that if something doesn't resolve, it will not be apparent when you reload the config, but later on in runtime. +# Reloading the server also schedules a synchronization from masters (if any). +# Masters and slaves must have accurate clocks (at least minute accuracy is expected) +# To specify IPv4 addresses, use the V4MAPPED address format (::ffff:192.0.2.69). +# Zone transfers are made using a 6d-specific TCP+UDP-based protocol, so if you run 6d being a DNS proxy, such as bind9 zone forward, you must specify the host/port combination where 6d listens, not where bind9 listens. When unsigned, this 6d-specific protocol relies on trusted routing to master servers and no MiTM attacks on the line. +# DNSSEC and signed zone transfers are available upon request (mailto:anton@šijanec.eu). + +#################### SLAVE CONFIGURATION ###################### (You may delete this part on master-only 6d.) 
+ +# You can optionally define master servers here, all of their configuration will be periodically retrieved and mirrored to this 6d instance. A host may optionally be followed by /TCPport. +master_servers = {6master.sijanec.eu, 6d2.example, 2001:db8::1/5353} + +# OBSOLETE NON-FEATURE (NOT WORKING) +# You can optionally define master networks/zones here, they will be also be mirrored from their master server. The master server will be obtained from their SOA record. +# Note that 6d is not a general purpose DNS server! Any FQDNs specified here will be treated as 6d suffix generators. +# Note that if this is used, master must not be behind a DNS proxy, such as bind9 zone forward. Use master_servers instead if that's the case. +# master_zones = {2001:db8:a::/48, 2001:db8:b::/48, 2001:db8:c::/48, 6ptr.sijanec.eu} + +# Master servers will be checked for changes every poll_interval number of seconds. Set to 0 to disable polling. +# 69 is the default. +poll_interval = 69 + +# Slaves hold everything they know in memory. + +#################### MASTER CONFIGURATION ##################### (You may delete this part on slave-only 6d.) + +# A computer in networks defined here may register a PTR for itself with the 6c program; such records are valid for two days. Everytime a record is created, it will be logged into this file. When 6d starts, old records are pruned and valid records are loaded into memory. Pruning is also done every two days. +# Static PTR and NS records obtained from the configuration file or master server always take precedence before 6c PTR requests. +# This binary file is not not portable. You can only read it on the same machine it was created on. +# /var/cache/6/backup is the default file. +ptr_file = /var/cache/6/backup + +# Instead of polling, slaves can be notified on changes. This is done over a DNS-compatible UDP protocol so slaves can run behind bind9 forward zone-like DNS proxies. 
+slaves = {6slave.sijanec.eu/666, ::ffff:192.0.2.69, 2001:db8::2/5353} + +# Defines networks to generate PTR records on the fly. The only required option is master. +network +{ + # List of networks this block defines. + networks = {2001:db8:d::/48, 2001:db8:e::/48} + # List the following slaves in NS responses. + slaves = {6slave.sijanec.eu, 6slave.example} + # This will be published in the SOA record. + admin = 6@sijanec.eu + # This will be published as the authoritative server in the SOA record (point it to this 6d instance). + master = 6d.example + # PTRs will be generated in form 2001-db8-d--5932.suffix for address 2001:db8:d::5932. + # By default, this suffix is the [...].ip6.arpa domain, so for network 2001:db8::/32, the suffix will be 8.B.D.0.1.0.0.2.IP6.ARPA, and the above mentioned PTR would be 2001-db8-d--5932.8.b.d.0.1.0.0.2.ip6.adpa, which is totaly OK standard-wise. Do not specify [...].ip6.arpa addresses as suffixes yourself, they will be managed automatically. + # The suffix must respond to queries with the correct AAAA records, 6d can serve it for you (see below). + ### suffix = "6ptr.sijanec.eu" + # TTL for generated records and negative caching. + ttl = 420 +} + +# Another networks definition. +network +{ + networks = {2001:db8:f:100::/56, 2001:db8:f:200::/56, 2001:db8:900::/48} + master = ptrdns1.example + suffix = suffixgenerator.net.example +} + +# Define suffixes that will generate AAAA records on the fly. The only required option is master. +suffix +{ + # List of suffixes + suffixes = {6ptr.sijanec.eu, ipv6.isp-provider.example} + # The netmasks that this on-the-fly generator will accept. + # By specifying ::/0 here you allow any network on the internet to use your suffix for PTRs. + # ::/0 is the default. + accept = {::/0} + slaves = {6slave.sijanec.org, 6slave.example} + admin = 6@sijanec.eu + master = 6ptr.sijanec.eu + # TTL for generated records and negative caching. 
+ ttl = 420 +} + +# Another suffixes definition, this time networks are specified, other IPv6 addresses will be NXDOMAIN. +suffix +{ + suffixes = {private-ipv6.net.example, private-ipv6.org.example} + accept = {2001:db8:f:100::/56, 2001:db8:f:200::/56, 2001:db8:900::/48} + master = locked-ns1.net.example +} + +############################# STATIC NS AND PTR RECORDS ############################### + +# A static PTR entry for an IP address. You must configure the hostname to have the correct AAAA record yourself! The only required option is hostname. +ptr 2001:db8:d::1 +{ + hostname = mail.example + ttl = 420 +} + +# Another PTR definition +ptr 2001:db8:d::2 +{ + hostname = mail-out2.example +} + +# A static NS entry for some networks. Instead of on-the-fly generation, PTR queries will redirect clients to this NS. The only requirement is that ns list has a least one element. +ns +{ + networks = {2001:db8:d:1337::/64, 2001:db8:d:1338::/64} + ns = {ns1.sijanec.org, ns2.sijanec.org} + ttl = 420 +} + +# Another NS delegation. +ns +{ + networks = {2001:db8:8:1300::/56} + ns = {ns1.kompot.example} +} + +################################ IMPLEMENTATION NOTES ################################### + +# Specifying overlapping networks in accept clauses of suffix declarations is not suggested. Only the smaller network of two overlapping networks will be accepted. +# Specifying overlapping networks in network clauses is also not suggested. The configuration of the larger network of the two overlapping networks will be used. +# Static records only make sense in networks you are authoritative for. Static records not inside a network will be silently ignored. -- cgit v1.2.3
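Review bot: the `accept = {::/0}` default documented in the first `suffix` block is the permissive choice; as the comment itself says, it lets any network on the internet obtain on-the-fly AAAA records under your suffix, so names under your domain will resolve to addresses you do not control. Consider defaulting `accept` to the networks listed in the `network` blocks (or requiring an explicit `accept` whenever `suffixes` is set) and stating that in the comment rather than only noting that `::/0` is the default. The header comments should also spell out the trust model of the transfer path: they say the unsigned 6d protocol "relies on trusted routing to master servers and no MiTM attacks on the line", and the `slaves` list is notified over "a DNS-compatible UDP protocol", which is spoofable by nature, so document whether a notify is checked against `master_servers` before it triggers a synchronization and that `master_servers` is the only trust anchor a slave has. Minor wording in the same hunk: "ip6.adpa" should read "ip6.arpa", "totaly" should be "totally", "not not portable" should be "not portable", "Everytime" should be "Every time", "a least one element" should be "at least one element", and "they will be also be mirrored" should be "they will also be mirrored".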