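#!/bin/bash
#
# Generate the BIND zone files and configuration for hatthieves.es, the two
# alias zones (hatthieves.com, hatthieves.co) and three reverse zones, sign the
# forward zones with NSEC3, and then start named in the foreground.
#
# Inputs, all under /etc/bind:
#   version    - small counter appended to YYYYMMDD to build the SOA serial;
#                reset to 1 once it passes 99, incremented on every run
#   dkim.txt   - DKIM TXT record for $DOMAIN (opendkim-genkey output)
#   dkim2.txt  - DKIM TXT record for $DOMAIN2
#   K*.key     - DNSKEY files written by dnssec-keygen, $INCLUDEd per zone
#
# Key generation, for reference (run once, not on every start):
#   dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -K /etc/bind _acme-challenge.hatthieves.es
#   dnssec-keygen -K /etc/bind -a RSASHA256 -b 4096 -n ZONE -3 -f KSK hatthieves.es
#   dnssec-keygen -K /etc/bind -a RSASHA256 -b 2048 -n ZONE hatthieves.es
#   opendkim-genkey -b 2048 -h rsa-sha256 -r -s dkim -d hatthieves.es -v
#
set -euo pipefail

readonly BIND_DIR=/etc/bind
readonly VERSION_FILE=$BIND_DIR/version
# NOTE(review): assumed to be the uid/gid of the 'bind' user that named is
# started with (-u bind) - confirm against the image's /etc/passwd.
readonly BIND_UID=101

DOMAIN="hatthieves.es"
DOMAIN2="hatthieves.com"
DOMAIN3="hatthieves.co"
IP=82.223.3.135
IPV6=2001:ba0:1800:80e0::1
# IPFS peer id published in the _dnsaddr/_dnslink TXT records of every zone.
readonly IPFS_PEER=QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Reverse-mapping zone name for an address, derived exactly as before: the
# *.arpa name from ipv6calc with its first label and trailing dot stripped.
# NOTE(review): the first label is only stripped when it is made of decimal
# digits, so for the two IPv6-derived names this removes a single nibble (and
# not at all when that nibble is a-f) - confirm those zone cuts are intended.
# Arguments: $1 - IPv4 or IPv6 address
# Outputs:   zone name on stdout
#######################################
rev_zone() {
  ipv6calc -q -a "$1" | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//'
}

#######################################
# Owner label for the PTR records inside the zone named by rev_zone(): the
# first label of ipv6calc's reverse name.
# Arguments: $1 - IPv4 or IPv6 address
# Outputs:   label on stdout
#######################################
rev_label() {
  ipv6calc -q -a "$1" | sed -e 's/\..*$//'
}

#######################################
# 16 hex characters (8 bytes) of random NSEC3 salt, a fresh one per zone.
# Outputs:   salt on stdout
#######################################
nsec3_salt() {
  head -c 1000 /dev/urandom | sha1sum | cut -b 1-16
}

#######################################
# Print the $TTL directive and the SOA record shared by every generated zone.
# Globals:   serial (read)
# Arguments: $1 - name used for MNAME (ns1.$1.) and RNAME (admin.$1.)
#            $2 - default TTL for the zone
# Outputs:   zone file fragment on stdout
#######################################
soa_records() {
  local name=$1 ttl=$2
  cat <<EOF
\$TTL $ttl
@ IN SOA ns1.$name. admin.$name. (
    $serial ; Serial
    3h      ; Refresh
    1h      ; Retry
    1w      ; Expire
    1h )    ; Minimum
;
EOF
}

#######################################
# Write one reverse zone with PTR records for the apex and the mail host.
# Globals:   DOMAIN, BIND_DIR, serial (read)
# Arguments: $1 - address to reverse-map
# Outputs:   $BIND_DIR/rev.<zone name>
#######################################
write_reverse_zone() {
  local addr=$1
  local zone label
  zone=$(rev_zone "$addr")
  label=$(rev_label "$addr")
  {
    printf ';\n; BIND reverse file for %s\n;\n' "$zone"
    soa_records "$DOMAIN" 604800
    cat <<EOF
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
$label IN PTR $DOMAIN.
$label IN PTR mail.$DOMAIN.
EOF
  } > "$BIND_DIR/rev.$zone"
}

#######################################
# Write the zone for an alias domain hosted next to $DOMAIN: NS, MX and DMARC
# reporting all point at $DOMAIN's hosts, everything else is a wildcard CNAME.
# NOTE(review): the SOA MNAME is ns1.<alias>, which has no address record in
# the alias zone (the NS records name ns1.$DOMAIN) - confirm that is intended.
# Globals:   DOMAIN, IP, IPV6, IPFS_PEER, BIND_DIR, serial (read)
# Arguments: $1 - zone name
#            $2 - DKIM TXT record text (may be empty)
#            $3, $4 - key ids of the zone's two RSASHA256 (alg 8) DNSKEY files
# Outputs:   $BIND_DIR/<zone name>
#######################################
write_alias_zone() {
  local zone=$1 dkim=$2 key_id_a=$3 key_id_b=$4
  {
    printf ';\n; BIND data for %s\n;\n' "$zone"
    soa_records "$zone" 3h
    cat <<EOF
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
$zone. IN A $IP
$zone. IN AAAA $IPV6
* IN CNAME $zone.
$zone. IN MX 10 mail.$DOMAIN.
$zone. IN TXT "v=spf1 ip4:172.200.0.0/24 a mx -all"
_dmarc IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf"
_dnsaddr IN TXT "dnsaddr=/ip4/$IP/tcp/4001/p2p/$IPFS_PEER"
_dnsaddr IN TXT "dnsaddr=/ip6/$IPV6/tcp/4001/p2p/$IPFS_PEER"
_dnslink IN TXT "dnslink=/ipns/$IPFS_PEER"
$dkim
\$INCLUDE K$zone.+008+$key_id_a.key
\$INCLUDE K$zone.+008+$key_id_b.key
EOF
  } > "$BIND_DIR/$zone"
}

# --- inputs ----------------------------------------------------------------

# The DKIM records are read verbatim; the original piped them through
# sed 's/"/\"/g', which is a no-op (the replacement \" is just a quote).
DKIM=$(cat "$BIND_DIR/dkim.txt") || die "cannot read $BIND_DIR/dkim.txt"
DKIM2=$(cat "$BIND_DIR/dkim2.txt") || die "cannot read $BIND_DIR/dkim2.txt"
# TODO: the original script never set DKIM3, so $DOMAIN3's zone is generated
# without a DKIM record; point this at the opendkim-genkey output for $DOMAIN3.
DKIM3=""

# Serial counter: reset on roll-over as before, and also when the file is
# missing or not a number (the original then produced a serial without the
# counter and failed later in bc). 10# forces decimal so "08"/"09" parse.
version=$(cat "$VERSION_FILE" 2>/dev/null || true)
if ! [[ "$version" =~ ^[0-9]+$ ]] || (( 10#$version > 99 )); then
  version=1
fi
# Computed once so every zone written in this run shares one serial, even
# across a midnight boundary.
serial="$(date +%Y%m%d)$version"

# Reverse zones: the /24 of $IP, its 6to4 prefix and its IPv4-mapped form.
ip_6to4=$(ipv6calc -q --ipv4_to_6to4addr "$IP")
reverse_addrs=("$IP" "$ip_6to4" "::ffff:$IP")
reverse_zones=()
for addr in "${reverse_addrs[@]}"; do
  reverse_zones+=("$(rev_zone "$addr")")
done

# --- zone files ------------------------------------------------------------

rm -f -- "$BIND_DIR"/rev.*

{
  printf ';\n; BIND data for %s\n;\n' "$DOMAIN"
  soa_records "$DOMAIN" 3h
  # NOTE(review): only ns1 is listed as NS although ns2 has address records
  # and the reverse/alias zones delegate to both - confirm.
  cat <<EOF
@ IN NS ns1.$DOMAIN.
$DOMAIN. IN A $IP
$DOMAIN. IN AAAA $IPV6
ns1 IN A $IP
ns1 IN AAAA $IPV6
ns2 IN A $IP
ns2 IN AAAA $IPV6
mail IN A $IP
pop IN A $IP
smtp IN A $IP
imap IN A $IP
* IN CNAME $DOMAIN.
$DOMAIN. IN MX 10 mail.$DOMAIN.
$DOMAIN. IN TXT "v=spf1 ip4:172.200.0.0/24 a mx -all"
$DOMAIN. IN TXT "google-site-verification=OGwhD4vhFpXHvQsbJinxAn5sozl0-R7MiiMt-fcYREY"
_dmarc IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf"
_dnsaddr IN TXT "dnsaddr=/ip4/$IP/tcp/4001/p2p/$IPFS_PEER"
_dnsaddr IN TXT "dnsaddr=/ip6/$IPV6/tcp/4001/p2p/$IPFS_PEER"
$DOMAIN. IN TXT "dnslink=/ipns/$DOMAIN"
_dnslink IN TXT "dnslink=/ipns/k2k4r8olq17uslpwyedjx5o0g5azfq8inmw0fp1jh0xqm9zrcho3p5zk"
_acme-challenge IN TXT "56ICipwdln5gLbl_s82sUQl_8NjxHJLkMrJmAeOVX9c"
_acme-challenge IN TXT "paSCs9dPonZOzoQETYyMDfc8cyATdeD4FZZXdXSRc6U"
_xmpp-client._tcp IN SRV 100 1 5222 xmpp.$DOMAIN.
_xmpp-server._tcp IN SRV 100 1 5269 xmpp.$DOMAIN.
$DKIM
\$INCLUDE K$DOMAIN.+008+10060.key
\$INCLUDE K$DOMAIN.+008+00825.key
EOF
} > "$BIND_DIR/$DOMAIN"
# The original also $INCLUDEd K_acme-challenge.<zone>.+165+<id>.key into each
# forward zone. Algorithm 165 is HMAC-SHA512: that file is the TSIG update
# key's KEY record and carries the shared secret itself, so including it
# published the dynamic-update secret in the signed zone. Only the DNSKEY
# (+008+) files belong in the zone; the TSIG keys stay in named.conf.options.

write_alias_zone "$DOMAIN2" "$DKIM2" 61170 28449
write_alias_zone "$DOMAIN3" "$DKIM3" 03409 09300

for addr in "${reverse_addrs[@]}"; do
  write_reverse_zone "$addr"
done

# --- named configuration ---------------------------------------------------

# NOTE(review): key "<zone>." is not defined anywhere this script writes (only
# the _acme-challenge keys are); unless named.conf defines it, named will
# refuse the configuration. allow-update also lets each key change any record
# in the zone - an update-policy limiting the ACME key to the
# _acme-challenge TXT name would be the least-privilege form.
{
  cat <<EOF
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
EOF
  for zone in "$DOMAIN" "$DOMAIN2" "$DOMAIN3"; do
    cat <<EOF
zone "$zone" {
  type master;
  file "$BIND_DIR/$zone.signed";
  allow-update { key "$zone."; key "_acme-challenge.$zone."; };
};
EOF
  done
  for zone in "${reverse_zones[@]}"; do
    cat <<EOF
zone "$zone" {
  type master;
  file "$BIND_DIR/rev.$zone";
};
EOF
  done
} > "$BIND_DIR/named.conf.local"

# NOTE(review):
#  - "trusted" gates zone transfers, recursion and cache access; 172.0.0.0/8
#    is far wider than the private 172.16.0.0/12 block - confirm the prefix.
#  - dnssec-enable and dnssec-lookaside are obsolete in current BIND 9
#    releases (the DLV service is gone); check the installed version, newer
#    named warns on or rejects them.
#  - The TSIG secrets are embedded in this script and written world-readable
#    by it; keeping them in a root-only file pulled in with include would
#    keep them out of the image layer and the process environment.
cat > "$BIND_DIR/named.conf.options" <<EOF
acl "trusted" { ::1/128; 127.0.0.0/8; 172.0.0.0/8; $IP; $IPV6; };
options {
  directory "/var/cache/bind";
  // If there is a firewall between you and nameservers you want
  // to talk to, you may need to fix the firewall to allow multiple
  // ports to talk. See http://www.kb.cert.org/vuls/id/800113
  // If your ISP provided one or more IP addresses for stable
  // nameservers, you probably want to use them as forwarders.
  // Uncomment the following block, and insert the addresses replacing
  // the all-0's placeholder.
  // forwarders {
  //   0.0.0.0;
  // };
  //========================================================================
  // If BIND logs error messages about the root key being expired,
  // you will need to update your keys. See https://www.isc.org/bind-keys
  //========================================================================
  dnssec-enable yes;
  dnssec-validation auto;
  dnssec-lookaside auto;
  //dnssec-validation auto;
  auth-nxdomain no; # conform to RFC1035
  listen-on { any; };
  listen-on-v6 { any; };
  // config-bind9.txt
  recursion yes;
  notify yes;
  interface-interval 0;
  allow-transfer { trusted; };
  allow-query { any; };
  allow-query-cache { trusted; };
  allow-recursion { trusted; };
  allow-notify { trusted; };
  allow-update { none; };
  version none;
  check-names master warn;
  check-names slave warn;
  check-names response warn;
  // querylog yes;
};
logging {
  channel querylog {
    file "/var/log/querylog";
    severity debug 10;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  category queries { querylog; };
};
key "_acme-challenge.$DOMAIN." {
  algorithm hmac-sha512;
  secret "GC9RKMhiWpRxwtBvxNQ8abBSTsfLE8kOuDxMA04q0YuyWPBo9YshtkOGEr9yGC6UPgzYOj7CNKYpn3OF9wEgzA==";
};
key "_acme-challenge.$DOMAIN2." {
  algorithm hmac-sha512;
  secret "JlCDMOnkKuNHSiDi6GnxurCwGpnw85NngKogSqKjSU+cvb8RJSQEZekkfW88hZIPUf0cY+Td9c2SttUL05xQEw==";
};
key "_acme-challenge.$DOMAIN3." {
  algorithm hmac-sha512;
  secret "Au4vHdNujqmk9p77UvMIYydOgj4vFCioan7RFBprqtepjohr9eVFN6wMcvYR3HKFLWv0ZW7YZoFZmHFKtiaUKA==";
};
EOF

# --- bump the serial counter, sign, start ----------------------------------

printf '%s\n' "$((10#$version + 1))" > "$VERSION_FILE"

cd "$BIND_DIR" || die "cannot cd to $BIND_DIR"
# -N INCREMENT bumps the SOA serial once more at signing time; -P skips the
# post-sign verification for the alias zones only, as in the original.
dnssec-signzone -A -3 "$(nsec3_salt)" -N INCREMENT "$DOMAIN"
dnssec-signzone -P -A -3 "$(nsec3_salt)" -N INCREMENT "$DOMAIN2"
dnssec-signzone -P -A -3 "$(nsec3_salt)" -N INCREMENT "$DOMAIN3"

# Ownership is fixed after signing so the .signed files and their journals
# are writable by named, which it needs for the dynamic updates allowed above.
mkdir -p /run/named
chown -R "$BIND_UID:$BIND_UID" "$BIND_DIR" /run/named

# exec so named replaces the shell and receives the container's signals.
exec named -c named.conf -f -u bind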