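#!/usr/bin/env bash
#
# Generate the BIND configuration for one mail domain and start named:
#   1. forward zone        /etc/bind/$DOMAIN            (A/AAAA/MX/SPF/DMARC/DKIM)
#   2. reverse zones       /etc/bind/rev.*              (PTR for the apex and mail)
#   3. options + zones     /etc/bind/named.conf.options (authoritative-only)
#   4. sign the forward zone with dnssec-signzone (NSEC3) and start named.
#
# Run these once, before the first start, to create the key material this
# script includes:
#   $ dnssec-keygen -K /etc/bind -a RSASHA256 -b 4096 -n ZONE -3 -f KSK $DOMAIN
#   $ dnssec-keygen -K /etc/bind -a RSASHA256 -b 2048 -n ZONE $DOMAIN
#   $ opendkim-genkey -b 2048 -h rsa-sha256 -r -s dkim -d $DOMAIN -v
#
# Edit DOMAIN, IP and IPV6 below before use. Reads /etc/bind/dkim.txt,
# /etc/bind/version and /etc/bind/K$DOMAIN.+*.key; overwrites the files
# listed above. Must run as root (chown, named -u bind).

set -euo pipefail

readonly DOMAIN="DOMAIN.COM"
readonly IP=MACHINE-IPV4
readonly IPV6=MACHINE-IPV6
readonly BIND_DIR=/etc/bind
readonly VERSION_FILE="$BIND_DIR/version"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the reverse-DNS name of an address as reported by ipcalc
# (the REVERSEDNS= line, e.g. 4.3.2.1.in-addr.arpa.).
# Arguments: $1 - ipcalc family flag (-4 or -6), $2 - address
# Outputs:   the reverse name on stdout
# Returns:   non-zero (which aborts the script under set -e/pipefail) when
#            ipcalc prints no REVERSEDNS line, e.g. for an invalid address
#######################################
reverse_name() {
  local family=$1 addr=$2
  ipcalc "$family" -a --reverse-dns "$addr" | grep REVERSEDNS | sed -e 's/^REVERSEDNS=//'
}

# First label of a reverse name: the host part (last octet, or last hex
# nibble for IPv6). Parameter expansion rather than a [[:digit:]] regex so
# that nibbles a-f are handled too.
rev_host() { printf '%s\n' "${1%%.*}"; }

# Reverse name minus its first label and any trailing dot: the zone the host
# lives in (a /24 for IPv4; for IPv6 only one nibble is stripped, i.e. /124).
rev_zone() {
  local rest=${1#*.}
  printf '%s\n' "${rest%.}"
}

#######################################
# Write the unsigned forward zone $BIND_DIR/$DOMAIN.
# Globals:   DOMAIN, IP, IPV6, BIND_DIR (read)
# Arguments: $1 - SOA serial, $2 - DKIM record text (pasted verbatim),
#            $3.. - DNSKEY .key files to $INCLUDE
#######################################
write_forward_zone() {
  local serial=$1 dkim=$2 key
  shift 2
  {
    cat <<EOF
;
; BIND data for $DOMAIN
;
\$TTL 3h
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
    $serial ; SERIAL
    3h      ; Refresh
    1h      ; Retry
    1w      ; Expire
    1h )    ; Minimum
;
@        IN NS    ns1.$DOMAIN.
$DOMAIN. IN A     $IP
$DOMAIN. IN AAAA  $IPV6
$DOMAIN. IN NS    ns1
$DOMAIN. IN NS    ns2
ns1      IN A     $IP
ns1      IN AAAA  $IPV6
ns2      IN A     $IP
ns2      IN AAAA  $IPV6
mail     IN A     $IP
mail     IN AAAA  $IPV6
pop      IN A     $IP
pop      IN AAAA  $IPV6
smtp     IN A     $IP
smtp     IN AAAA  $IPV6
imap     IN A     $IP
imap     IN AAAA  $IPV6
*        IN CNAME $DOMAIN.
$DOMAIN. IN MX 10 mail.$DOMAIN.
$DOMAIN. IN TXT   "v=spf1 a mx -all"
_dmarc   IN TXT   "v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=80;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf"
;_acme-challenge IN TXT "xxx"
$dkim
EOF
    # Public DNSKEY halves (KSK + ZSK) created by dnssec-keygen. The paths
    # are relative because dnssec-signzone is run from $BIND_DIR.
    for key in "$@"; do
      printf '$INCLUDE %s\n' "${key##*/}"
    done
  } > "$BIND_DIR/$DOMAIN"
}

#######################################
# Write one reverse zone file with PTRs for the apex and the mail host.
# Globals:   DOMAIN (read)
# Arguments: $1 - output file, $2 - zone name (header comment only),
#            $3 - PTR owner label (last octet / nibble), $4 - SOA serial
#######################################
write_reverse_zone() {
  local file=$1 zone=$2 host=$3 serial=$4
  cat > "$file" <<EOF
\$TTL 604800
; BIND reverse file for $zone
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
    $serial ; Serial
    3h      ; Refresh
    1h      ; Retry
    1w      ; Expire
    1h )    ; Minimum
;
@     IN NS  ns1.$DOMAIN.
@     IN NS  ns2.$DOMAIN.
; PTR entries: both the apex and the mail host map back to this address
$host IN PTR $DOMAIN.
$host IN PTR mail.$DOMAIN.
EOF
}

#######################################
# Write $BIND_DIR/named.conf.options: the forward zone, the two ipcalc-based
# reverse zones, and authoritative-only options (no recursion, no transfers,
# version hidden, query logging on).
# Globals:   DOMAIN, BIND_DIR (read)
# Arguments: $1 - IPv4 reverse zone name, $2 - IPv6 reverse zone name
#######################################
write_named_options() {
  local zone4=$1 zone6=$2
  # NOTE(review): allow-query-on { trusted; } limits the *local* addresses
  # that accept queries to 127.0.0.0/8, so despite listen-on { any; } only
  # queries arriving on loopback are answered. Confirm this is intended
  # (e.g. a proxy in front of named); otherwise the public zone is unreachable.
  # Every option is written once: the Debian template and the
  # "config-bind9.txt" block both set listen-on, listen-on-v6 and
  # auth-nxdomain, and named-checkconf reports a repeated option as
  # "redefined". auth-nxdomain keeps the RFC1035-conformant "no".
  cat > "$BIND_DIR/named.conf.options" <<EOF
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "$DOMAIN" {
    type primary;
    file "/etc/bind/$DOMAIN.signed";
    notify explicit;
};

zone "$zone4" {
    type primary;
    file "/etc/bind/rev.$zone4";
};

zone "$zone6" {
    type primary;
    file "/etc/bind/rev.$zone6";
};

acl "trusted" {
    127.0.0.0/8;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    //dnssec-enable yes;
    dnssec-validation auto;
    //dnssec-lookaside auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on { any; };
    listen-on-v6 { any; };

    // config-bind9.txt
    disable-empty-zone ".";
    // root-delegation-only;
    require-server-cookie no;
    send-cookie yes;
    check-wildcard no;
    clients-per-query 20;
    max-clients-per-query 30;
    max-udp-size 512;
    recursion no;
    minimal-responses yes;
    notify no;
    allow-transfer { none; };
    allow-query { any; };
    allow-query-cache { trusted; };
    allow-query-cache-on { trusted; };
    allow-query-on { trusted; };
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-update { none; };
    version none;
    check-names master warn;
    check-names slave warn;
    check-names response warn;
    // querylog logs every query to /var/log/querylog (see logging below);
    // the file grows without bound unless rotated.
    querylog yes;
    hostname "$DOMAIN";
    server-id "$DOMAIN";
};

logging {
    channel querylog {
        file "/var/log/querylog";
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    category queries { querylog; };
};
EOF
}

main() {
  local version serial dkim rev4 rev6 rev4map
  local zone4 host4 zone6 host6 zone4map host4map salt
  local key_files=()

  # Refuse to generate zones from the unedited placeholders.
  [[ "$DOMAIN" != "DOMAIN.COM" && "$IP" != MACHINE-IPV4 && "$IPV6" != MACHINE-IPV6 ]] \
    || die "edit DOMAIN, IP and IPV6 at the top of this script before running it"

  # Run counter kept in $VERSION_FILE (1..99). Existence is tested before the
  # file is read so a first run does not trip over a missing file.
  if [[ ! -e "$VERSION_FILE" ]] || (( $(cat "$VERSION_FILE") > 99 )); then
    echo 1 > "$VERSION_FILE"
  fi
  version=$(cat "$VERSION_FILE")
  # SOA serial YYYYMMDDNN. Zero-padding the counter keeps the serial
  # monotonic across days (unpadded, 2024010110 on day 1 is larger than
  # 202401022 on day 2, which would look like a rollback to any secondary).
  # NOTE: the reset from 99 to 1 on the same day still moves the serial
  # backwards; no secondaries are configured here, so it only matters if
  # transfers are ever enabled.
  printf -v serial '%s%02d' "$(date +%Y%m%d)" "$version"

  # DKIM TXT record as written by opendkim-genkey, pasted verbatim into the
  # zone. The heredoc does not re-parse quotes, so no escaping is needed.
  dkim=$(cat "$BIND_DIR/dkim.txt")

  # Public DNSKEY files created by dnssec-keygen; dnssec-signzone needs them
  # $INCLUDEd in the unsigned zone, so fail early if they are missing.
  shopt -s nullglob
  key_files=("$BIND_DIR/K$DOMAIN".+*.key)
  shopt -u nullglob
  (( ${#key_files[@]} > 0 )) \
    || die "no DNSSEC keys matching K$DOMAIN.+*.key in $BIND_DIR; run dnssec-keygen first"

  # Reverse names are computed once; each ipcalc call is a fork.
  rev4=$(reverse_name -4 "$IP")
  rev6=$(reverse_name -6 "$IPV6")
  # ip6.arpa name of the IPv4-mapped form (::ffff:a.b.c.d) of $IP.
  rev4map=$(ipv6calc -q -a "::ffff:$IP")
  zone4=$(rev_zone "$rev4");        host4=$(rev_host "$rev4")
  zone6=$(rev_zone "$rev6");        host6=$(rev_host "$rev6")
  zone4map=$(rev_zone "$rev4map");  host4map=$(rev_host "$rev4map")

  rm -f -- "$BIND_DIR"/rev.*

  write_forward_zone "$serial" "$dkim" "${key_files[@]}"
  write_reverse_zone "$BIND_DIR/rev.$zone4" "$zone4" "$host4" "$serial"
  write_reverse_zone "$BIND_DIR/rev.$zone6" "$zone6" "$host6" "$serial"
  # The IPv4-mapped reverse zone is written but not referenced by
  # named.conf.options — presumably a leftover; confirm before relying on it.
  write_reverse_zone "$BIND_DIR/rev.$zone4map" "$zone4map" "$host4map" "$serial"
  write_named_options "$zone4" "$zone6"

  # NOTE(review): this makes the bind user the owner of its own config and of
  # the K*.private signing keys. named only loads $DOMAIN.signed (signing is
  # done below, as root), so a tighter default is to chown just the files
  # named reads — confirm nothing else needs the private keys readable by bind.
  chown -R "$(id -u bind):$(id -g bind)" "$BIND_DIR"

  echo $(( version + 1 )) > "$VERSION_FILE"

  cd "$BIND_DIR" || die "cannot cd to $BIND_DIR"
  # NSEC3 with opt-out (-A) and 8 random salt bytes (16 hex chars),
  # regenerated on every signing run. RFC 9276 now recommends an empty salt,
  # 0 iterations and no opt-out; kept as configured — change deliberately.
  salt=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
  dnssec-signzone -A -3 "$salt" -N INCREMENT "$DOMAIN"

  /usr/sbin/named -u bind
}

main "$@"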