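#!/bin/bash
#
# Generate the BIND configuration for a single-host domain ($DOMAIN served
# from $IP / $IPV6): the DNSSEC-signed forward zone, an in-addr.arpa and an
# ip6.arpa reverse zone, and /etc/bind/named.conf.options -- then start named.
#
# Required environment: DOMAIN (zone apex, no trailing dot), IP (IPv4), IPV6.
# Overwrites /etc/bind/$DOMAIN, /etc/bind/rev.* and /etc/bind/named.conf.options.
#
# Execute these commands first time in order to create required files
# (the .key halves are published in the zone below, the .private halves are
# read by dnssec-signzone from /etc/bind):
# $ dnssec-keygen -K /etc/bind -a RSASHA256 -b 4096 -n ZONE -3 -f KSK $DOMAIN
# $ dnssec-keygen -K /etc/bind -a RSASHA256 -b 2048 -n ZONE $DOMAIN
# $ opendkim-genkey -b 2048 -h rsa-sha256 -r -s dkim -d $DOMAIN -v
#
# Tools assumed: Fedora/RHEL-style ipcalc (prints REVERSEDNS=...), ipv6calc
# (optional), dnssec-signzone, named-checkzone, named-checkconf.
set -euo pipefail

DOMAIN=${DOMAIN:?DOMAIN must be set (zone apex, no trailing dot)}
IP=${IP:?IP must be set (IPv4 address of this host)}
IPV6=${IPV6:?IPV6 must be set (IPv6 address of this host)}

readonly BIND_DIR=/etc/bind
readonly VERSION_FILE=$BIND_DIR/version
readonly QUERY_LOG=/var/log/querylog

# DKIM public-key TXT record as written by opendkim-genkey -s dkim.
# (The previous sed 's/"/\"/g' was a no-op: in a sed replacement \" is just ".)
DKIM=$(<"$BIND_DIR/dkim.txt")

# Run counter for the SOA serial, formatted YYYYMMDDnn.  The counter is bumped
# on every run and reset to 1 when missing, unreadable, or past 99.  nn is
# zero-padded: without padding, a day that starts with counter 1 (YYYYMMDD1,
# nine digits) produces a serial SMALLER than an earlier day's YYYYMMDD99
# (ten digits), and resolvers/secondaries would ignore the new zone.  A wrap
# from 99 to 01 on the same day still goes backwards -- avoid 100 runs a day.
VERSION=$(cat "$VERSION_FILE" 2>/dev/null || true)
if [[ ! $VERSION =~ ^[0-9]+$ ]] || (( VERSION > 99 )); then
  VERSION=1
  echo 1 > "$VERSION_FILE"
fi
SERIAL=$(date +%Y%m%d)$(printf '%02d' "$VERSION")

# Reverse-DNS names from ipcalc: "REVERSEDNS=<host label>.<zone>." where the
# zone is the enclosing /24 (IPv4) or /124 (IPv6).  Splitting on the first dot
# works for hex nibbles too -- the previous [[:digit:]] sed patterns silently
# produced garbage for any IPv6 address whose first nibble is a-f.
# These zones are only useful if the address owner actually delegated them
# to this host (RFC 2317 for anything smaller than a /24).
reverse_name() {
  # $1: -4 or -6, $2: address.  Prints the full reverse name; fails if ipcalc
  # prints no REVERSEDNS line (e.g. a different ipcalc implementation).
  local rev
  rev=$(ipcalc "$1" -a --reverse-dns "$2" | sed -n 's/^REVERSEDNS=//p')
  if [[ -z $rev ]]; then
    echo "ipcalc printed no REVERSEDNS for $2" >&2
    return 1
  fi
  printf '%s\n' "$rev"
}
REV4=$(reverse_name -4 "$IP")
REV6=$(reverse_name -6 "$IPV6")
REV4_HOST=${REV4%%.*}    # e.g. "4"
REV4_ZONE=${REV4#*.}     # e.g. "3.2.1.in-addr.arpa."
REV6_HOST=${REV6%%.*}    # first nibble, 0-f
REV6_ZONE=${REV6#*.}     # remaining 31 nibbles + ".ip6.arpa."

rm -f "$BIND_DIR"/rev.*

# ---- forward zone (unsigned source; named serves $DOMAIN.signed) -------------
cat > "$BIND_DIR/$DOMAIN" <<EOF
;
; BIND data for $DOMAIN
;
\$TTL 3h
@       IN  SOA   ns1.$DOMAIN. admin.$DOMAIN. (
                  $SERIAL ; Serial (YYYYMMDDnn)
                  3h      ; Refresh
                  1h      ; Retry
                  1w      ; Expire
                  1h )    ; Minimum (negative-cache TTL)
;
; ns1 and ns2 are both this host, so the second NS adds no redundancy;
; TODO(review): move ns2 to a separate host/network.
@       IN  NS    ns1.$DOMAIN.
@       IN  NS    ns2.$DOMAIN.
@       IN  A     $IP
@       IN  AAAA  $IPV6
ns1     IN  A     $IP
ns1     IN  AAAA  $IPV6
ns2     IN  A     $IP
ns2     IN  AAAA  $IPV6
mail    IN  A     $IP
mail    IN  AAAA  $IPV6
pop     IN  A     $IP
pop     IN  AAAA  $IPV6
smtp    IN  A     $IP
smtp    IN  AAAA  $IPV6
imap    IN  A     $IP
imap    IN  AAAA  $IPV6
; Every name not listed above resolves to the apex (and inherits its MX);
; the strict DMARC alignment and sp=reject below are what stop such
; subdomains from being usable for spoofing.
*       IN  CNAME $DOMAIN.
@       IN  MX    10 mail.$DOMAIN.
; SPF: only this host's A/AAAA and the MX may send mail for $DOMAIN.
@       IN  TXT   "v=spf1 a mx -all"
; DMARC: pct=80 applies p=reject to only 80% of failing mail (the remainder
; is downgraded to quarantine); raise to pct=100 once the reports look clean.
_dmarc  IN  TXT   "v=DMARC1; p=reject; rua=mailto:postmaster@$DOMAIN; pct=80; ruf=mailto:postmaster@$DOMAIN; sp=reject; aspf=s; adkim=s; ri=86400; fo=0; rf=afrf"
;_acme-challenge IN TXT "xxx"
$DKIM
EOF
# Publish the KSK/ZSK public halves (DNSKEY records) so dnssec-signzone can
# find the matching .private files.  Every K$DOMAIN.+*.key in /etc/bind is
# included, so remove retired keys from the directory when rolling.
for key in "$BIND_DIR"/K"$DOMAIN".+*.key; do
  if [[ ! -e $key ]]; then
    echo "no DNSSEC keys for $DOMAIN in $BIND_DIR -- run dnssec-keygen first" >&2
    exit 1
  fi
  printf '$INCLUDE %s\n' "$key" >> "$BIND_DIR/$DOMAIN"
done

# ---- IPv4 reverse zone --------------------------------------------------------
cat > "$BIND_DIR/rev.$REV4_ZONE" <<EOF
;
; BIND reverse file for $REV4_ZONE
;
\$TTL 604800
@       IN  SOA   ns1.$DOMAIN. admin.$DOMAIN. (
                  $SERIAL ; Serial
                  3h      ; Refresh
                  1h      ; Retry
                  1w      ; Expire
                  1h )    ; Minimum
;
@       IN  NS    ns1.$DOMAIN.
@       IN  NS    ns2.$DOMAIN.
; RFC 1912 discourages several PTRs per address; mail.$DOMAIN. is the one the
; mail server's HELO must match.  TODO(review): keep a single PTR.
$REV4_HOST   IN  PTR   $DOMAIN.
$REV4_HOST   IN  PTR   mail.$DOMAIN.
EOF

# ---- IPv6 reverse zone --------------------------------------------------------
cat > "$BIND_DIR/rev.$REV6_ZONE" <<EOF
\$TTL 604800
;
; BIND reverse file for $REV6_ZONE
;
@       IN  SOA   ns1.$DOMAIN. admin.$DOMAIN. (
                  $SERIAL ; Serial
                  3h      ; Refresh
                  1h      ; Retry
                  1w      ; Expire
                  1h )    ; Minimum
;
@       IN  NS    ns1.$DOMAIN.
@       IN  NS    ns2.$DOMAIN.
; IPv6 PTR entries (same single-PTR remark as the IPv4 zone)
$REV6_HOST   IN  PTR   $DOMAIN.
$REV6_HOST   IN  PTR   mail.$DOMAIN.
EOF

# ---- reverse zone for the IPv4-mapped address ::ffff:$IP under ip6.arpa -----
# Kept for compatibility with the previous script.  NOTE(review): no zone
# statement below references this file, so named never serves it, and the
# ::ffff:0:0/96 reverse tree is not delegated on the public Internet anyway.
# Best-effort: skipped when ipv6calc is not installed.
if command -v ipv6calc >/dev/null; then
  MAPPED=$(ipv6calc -q -a "::ffff:$IP")   # e.g. 4.0.3.0.2.0.1.0.f.f.f.f.0.0.[...].ip6.arpa.
  MAPPED_HOST=${MAPPED%%.*}
  MAPPED_ZONE=${MAPPED#*.}
  MAPPED_ZONE=${MAPPED_ZONE%.}            # the previous code also dropped the trailing dot
  cat > "$BIND_DIR/rev.$MAPPED_ZONE" <<EOF
\$TTL 604800
@       IN  SOA   ns1.$DOMAIN. admin.$DOMAIN. (
                  $SERIAL ; Serial
                  3h      ; Refresh
                  1h      ; Retry
                  1w      ; Expire
                  1h )    ; Minimum
;
@       IN  NS    ns1.$DOMAIN.
@       IN  NS    ns2.$DOMAIN.
; IPv6 PTR entries
$MAPPED_HOST   IN  PTR   $DOMAIN.
$MAPPED_HOST   IN  PTR   mail.$DOMAIN.
EOF
fi

# ---- named.conf.options -------------------------------------------------------
# Debian's named.conf includes this file first, so the zone/acl/logging
# statements placed here load alongside named.conf.local; make sure the same
# zones are not declared there too.
cat > "$BIND_DIR/named.conf.options" <<EOF
//
// Generated -- edits here are overwritten on the next run of the setup script.
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Only loopback is "trusted": the sole source allowed to recurse, read the
// cache or send NOTIFY (recursion is off below anyway).  acl must precede use.
acl "trusted" {
    127.0.0.0/8;
};

zone "$DOMAIN" {
    type primary;
    file "/etc/bind/$DOMAIN.signed";
    notify explicit;  // no also-notify list: there is no secondary to tell
};
zone "$REV4_ZONE" {
    type primary;
    file "/etc/bind/rev.$REV4_ZONE";
};
zone "$REV6_ZONE" {
    type primary;
    file "/etc/bind/rev.$REV6_ZONE";
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    // dnssec-enable and dnssec-lookaside are obsolete and intentionally unset.
    dnssec-validation auto;

    // The previous file set auth-nxdomain twice (no, then yes); BIND rejects a
    // redefined option, so only the RFC 1035-conformant default is kept.
    auth-nxdomain no;

    listen-on { any; };
    listen-on-v6 { any; };

    // Authoritative-only service, open to everyone, on every interface.
    // allow-query-on was { trusted; }, which answers only queries that ARRIVE
    // on a 127/8 address, i.e. refuses the public interface entirely.
    recursion no;
    allow-query { any; };
    allow-query-on { any; };
    allow-query-cache { trusted; };
    allow-query-cache-on { trusted; };
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { none; };   // no secondaries; AXFR would only leak the zone
    allow-update { none; };

    // config-bind9.txt
    disable-empty-zone ".";     // NOTE(review): "." is not a built-in empty zone; likely a no-op
    // root-delegation-only;
    require-server-cookie no;
    send-cookie yes;
    check-wildcard no;
    clients-per-query 20;
    max-clients-per-query 30;
    // Every signed answer over 512 bytes (the DNSKEY RRset alone, with a
    // 4096-bit KSK) is truncated and retried over TCP: keep 53/tcp reachable.
    // 1232 (DNS flag day 2020) avoids that without fragmentation risk.
    max-udp-size 512;
    minimal-responses yes;
    notify no;

    version none;               // hides the version; hostname/server-id below
    hostname "$DOMAIN";         // still answer hostname.bind / id.server CH TXT
    server-id "$DOMAIN";
    check-names master warn;
    check-names slave warn;
    check-names response warn;
    querylog yes;               // logs every client IP + qname: disk and privacy cost
};

logging {
    channel querylog {
        file "$QUERY_LOG";      // created below; grows without bound -- rotate it
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    category queries { querylog; };
};
EOF

# named opens log channels after switching to the bind user, which usually
# cannot create files directly in root-owned /var/log; create the file first,
# readable by the bind group only (query logs identify clients).
BIND_UID=$(id -u bind)
BIND_GID=$(id -g bind)
if [[ ! -e $QUERY_LOG ]]; then
  touch "$QUERY_LOG"
  chmod 640 "$QUERY_LOG"
fi
chown "$BIND_UID:$BIND_GID" "$QUERY_LOG"

# NOTE(review): this hands the whole config directory -- DNSSEC .private keys
# and named.conf.options included -- to the named user, so a compromised named
# could rewrite its own configuration.  root:bind with group read access is
# the usual least-privilege layout; kept as-is to avoid breaking the signing
# workflow below.
chown -R "$BIND_UID:$BIND_GID" "$BIND_DIR"

echo $(( VERSION + 1 )) > "$VERSION_FILE"

cd "$BIND_DIR"
# Catch zone syntax errors before they are signed and served.
named-checkzone -q "$DOMAIN" "$DOMAIN"
# NSEC3 with a fresh random 64-bit salt and opt-out (-A).  NOTE(review):
# RFC 9276 recommends an empty salt, zero extra iterations and no opt-out for
# a zone with no unsigned delegations (i.e. "-3 - -H 0" and drop -A).
# RRSIGs are valid for 30 days by default: rerun this script (or move to
# dnssec-policy / auto re-signing) well before then, or the zone goes bogus.
dnssec-signzone -A -3 "$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)" -N INCREMENT "$DOMAIN"
named-checkconf "$BIND_DIR/named.conf.options"
# Starts a fresh daemon; this fails if named is already running (use
# "rndc reload" or the service manager in that case).
/usr/sbin/named -u bind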