
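#!/bin/bash
# Container entrypoint for the bind9 service: regenerates the forward and
# reverse zone files plus the named.conf fragments from the variables below,
# signs the zones with the pre-generated DNSSEC keys and starts named in the
# foreground.  Key material must already exist in /etc/bind; it was created
# with (kept for reference):
# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -K /etc/bind _acme-challenge.hatthieves.es
# dnssec-keygen -K /etc/bind -a RSASHA256 -b 4096 -n ZONE -3 -f KSK hatthieves.es
# dnssec-keygen -K /etc/bind -a RSASHA256 -b 2048 -n ZONE hatthieves.es
# opendkim-genkey -b 2048 -h rsa-sha256 -r -s dkim -d hatthieves.es -v
# NOTE(security): the HMAC-SHA512 key is a shared TSIG secret.  dnssec-keygen
# writes it into both the .key and the .private file, so neither may be
# $INCLUDEd in a zone nor be readable by anyone but named.
DOMAIN="hatthieves.es"
DOMAIN2="hatthieves.com"
DOMAIN3="hatthieves.co"
IP=82.223.3.135
IPV6=2001:ba0:1800:80e0::1
# DKIM TXT record(s) as written by opendkim-genkey.  They are expanded inside a
# quoted string later on, so the double quotes they contain need no escaping
# (the previous sed 's/"/\"/g' replaced '"' with '"' and was a no-op).
DKIM=$(cat /etc/bind/dkim.txt)
DKIM2=$(cat /etc/bind/dkim2.txt)
# The $DOMAIN3 zone expands $DKIM3, which was never assigned anywhere in this
# script, leaving hatthieves.co without a DKIM key although its DMARC record
# asks for adkim=s.  Pick it up from dkim3.txt when that file exists; with no
# file the behaviour is unchanged (empty expansion).
# NOTE(review): file name dkim3.txt is assumed by analogy -- confirm.
DKIM3=""
if [ -r /etc/bind/dkim3.txt ]; then
  DKIM3=$(cat /etc/bind/dkim3.txt)
fi
# Per-day run counter (1..99) appended to YYYYMMDD in every SOA serial below.
# Reset it before it spills past two digits.  A missing or non-numeric file is
# treated as 0 so the test does not error out on a fresh volume.
VERSION=$(cat /etc/bind/version 2>/dev/null)
case "$VERSION" in
  ''|*[!0-9]*) VERSION=0 ;;
esac
if [ "$VERSION" -gt 99 ]; then
  echo 1 > /etc/bind/version
fi
# Reverse zone files are named after the computed zone; drop stale ones so a
# changed $IP does not leave an orphaned file behind.
rm -f /etc/bind/rev.*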
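# --- forward zone for $DOMAIN -------------------------------------------------
# Serial = YYYYMMDD + two-digit run counter.  The counter is zero-padded:
# unpadded, run 10 of one day (2020082310) is numerically larger than run 1 of
# the next (202008241), so the serial would move backwards and -N INCREMENT /
# any secondary would consider the new zone older.
SERIAL="$(date +%Y%m%d)$(printf '%02d' "$(cat /etc/bind/version)")"
# NOTE(security): K_acme-challenge.$DOMAIN.+165+*.key is deliberately no longer
# $INCLUDEd.  For an HMAC key dnssec-keygen writes a KEY RR whose RDATA is the
# shared secret itself, so including it published the TSIG update key to every
# client (allow-query { any; }).  named only needs the key statement in
# named.conf.options for allow-update.  Rotate the secret if the old zone was
# ever served.
# NOTE(review): SPF authorises 172.200.0.0/24, which is not an RFC 1918 range.
# If it is meant to be the Docker subnet, receiving MTAs never see it as the
# connecting address, and the term instead authorises whoever is routed that
# prefix on the public Internet -- verify.
# NOTE(review): only ns1 is listed as NS although ns2 exists and the reverse
# zones list both; both names point at the same host anyway.
# The two static _acme-challenge TXT values look like leftovers of an earlier
# issuance; the zone also accepts dynamic updates for that name.
# A here-document replaces echo -e so backslashes inside the DKIM file are
# written verbatim instead of being re-interpreted as escapes.
cat > "/etc/bind/$DOMAIN" <<EOF
;
; BIND data for $DOMAIN
;
\$TTL 3h
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$SERIAL ; SERIAL
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
$DOMAIN. IN A $IP
$DOMAIN. IN AAAA $IPV6
ns1 IN A $IP
ns1 IN AAAA $IPV6
ns2 IN A $IP
ns2 IN AAAA $IPV6
mail IN A $IP
pop IN A $IP
smtp IN A $IP
imap IN A $IP
* IN CNAME $DOMAIN.
$DOMAIN. IN MX 10 mail.$DOMAIN.
$DOMAIN. IN TXT "v=spf1 ip4:172.200.0.0/24 a mx -all"
$DOMAIN. IN TXT "google-site-verification=OGwhD4vhFpXHvQsbJinxAn5sozl0-R7MiiMt-fcYREY"
_dmarc IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf"
_dnsaddr IN TXT "dnsaddr=/ip4/$IP/tcp/4001/p2p/QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V"
_dnsaddr IN TXT "dnsaddr=/ip6/$IPV6/tcp/4001/p2p/QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V"
$DOMAIN. IN TXT "dnslink=/ipns/hatthieves.es"
_dnslink IN TXT "dnslink=/ipns/k2k4r8olq17uslpwyedjx5o0g5azfq8inmw0fp1jh0xqm9zrcho3p5zk"
_acme-challenge IN TXT "56ICipwdln5gLbl_s82sUQl_8NjxHJLkMrJmAeOVX9c"
_acme-challenge IN TXT "paSCs9dPonZOzoQETYyMDfc8cyATdeD4FZZXdXSRc6U"
_xmpp-client._tcp IN SRV 100 1 5222 xmpp.$DOMAIN.
_xmpp-server._tcp IN SRV 100 1 5269 xmpp.$DOMAIN.
$DKIM
\$INCLUDE K$DOMAIN.+008+10060.key
\$INCLUDE K$DOMAIN.+008+00825.key
EOF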
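# --- IPv4 reverse zone for the /24 containing $IP ----------------------------
# ipv6calc -a prints the full reverse name (presumably like
# 135.3.223.82.in-addr.arpa.): the first label is the host octet, the remainder
# without the trailing dot is the zone name.  Computed once instead of four
# times.
REV4_FULL=$(ipv6calc -q -a "$IP")
REV4_ZONE=$(printf '%s\n' "$REV4_FULL" | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
REV4_HOST=$(printf '%s\n' "$REV4_FULL" | sed -e 's/\..*$//')
# Zero-padded run counter keeps the serial monotonic across day boundaries
# (unpadded, 2020082310 would be followed by the smaller 202008241).
SERIAL="$(date +%Y%m%d)$(printf '%02d' "$(cat /etc/bind/version)")"
# NOTE(review): two PTR records for one address are legal but many mail
# receivers only look at the first one returned; mail.$DOMAIN is the one that
# should match the HELO name if that matters here.
cat > "/etc/bind/rev.$REV4_ZONE" <<EOF
;
; BIND reverse file for $REV4_ZONE
;
\$TTL 604800
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$SERIAL ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
$REV4_HOST IN PTR $DOMAIN.
$REV4_HOST IN PTR mail.$DOMAIN.
EOF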
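# --- reverse zone for the 6to4 (2002::/16) form of $IP -----------------------
# NOTE(review): this and the next zone are derived from $IP, not from $IPV6;
# no PTR zone is generated for 2001:ba0:1800:80e0::1 itself, and 6to4 is
# deprecated -- confirm this is intended.
REV6TO4_FULL=$(ipv6calc -q -a "$(ipv6calc -q --ipv4_to_6to4addr "$IP")")
REV6TO4_ZONE=$(printf '%s\n' "$REV6TO4_FULL" | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
REV6TO4_HOST=$(printf '%s\n' "$REV6TO4_FULL" | sed -e 's/\..*$//')
# Zero-padded run counter keeps the serial monotonic across day boundaries.
SERIAL="$(date +%Y%m%d)$(printf '%02d' "$(cat /etc/bind/version)")"
cat > "/etc/bind/rev.$REV6TO4_ZONE" <<EOF
\$TTL 604800
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$SERIAL ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
; IPv6 PTR entries
$REV6TO4_HOST IN PTR $DOMAIN.
$REV6TO4_HOST IN PTR mail.$DOMAIN.
EOF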
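# --- reverse zone for the IPv4-mapped (::ffff:a.b.c.d) form of $IP -----------
# NOTE(review): IPv4-mapped addresses never appear on the wire, so nobody will
# look this zone up; it is kept as-is but looks like dead configuration.
REVMAP_FULL=$(ipv6calc -q -a "::ffff:$IP")
REVMAP_ZONE=$(printf '%s\n' "$REVMAP_FULL" | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
REVMAP_HOST=$(printf '%s\n' "$REVMAP_FULL" | sed -e 's/\..*$//')
# Zero-padded run counter keeps the serial monotonic across day boundaries.
SERIAL="$(date +%Y%m%d)$(printf '%02d' "$(cat /etc/bind/version)")"
cat > "/etc/bind/rev.$REVMAP_ZONE" <<EOF
\$TTL 604800
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$SERIAL ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
; IPv6 PTR entries
$REVMAP_HOST IN PTR $DOMAIN.
$REVMAP_HOST IN PTR mail.$DOMAIN.
EOF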
# --- named.conf.local: one master zone per domain and per reverse zone -------
# The three reverse zone names are the same derivations used when the rev.*
# files were written above.
REV4_ZONE=$(ipv6calc -q -a "$IP" | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
REV6TO4_ZONE=$(ipv6calc -q -a "$(ipv6calc -q --ipv4_to_6to4addr "$IP")" | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
REVMAP_ZONE=$(ipv6calc -q -a "::ffff:$IP" | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
# NOTE(review): allow-update references key "<domain>." for each zone, but the
# only key statements this script writes are the _acme-challenge.* ones; the
# per-domain keys must be defined in something named.conf includes, otherwise
# named rejects the configuration.  Cannot be verified from here.
# NOTE(review): dynamic updates land in <zone>.signed.jnl, yet the .signed file
# is rewritten and re-signed on every start without removing the journal;
# check the named log after a restart for journal/zone mismatch errors.
{
  cat <<EOF
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
EOF
  for fwd in "$DOMAIN" "$DOMAIN2" "$DOMAIN3"; do
    cat <<EOF
zone "$fwd" {
type master;
file "/etc/bind/$fwd.signed";
allow-update {
key "$fwd.";
key "_acme-challenge.$fwd.";
};
};
EOF
  done
  for rev in "$REV4_ZONE" "$REV6TO4_ZONE" "$REVMAP_ZONE"; do
    cat <<EOF
zone "$rev" {
type master;
file "/etc/bind/rev.$rev";
};
EOF
  done
} > /etc/bind/named.conf.local
# --- named.conf.options: ACL, global options, query logging, TSIG keys -------
# NOTE(security): the three TSIG secrets below are embedded in this script and
# therefore in version control.  Move them into a file readable only by root
# and the bind user and `include` it, and rotate them, since these values have
# been exposed.
# NOTE(review): "trusted" admits the whole of 172.0.0.0/8, far more than any
# Docker subnet; it gates recursion, cache access, zone transfers and NOTIFY.
# NOTE(review): dnssec-lookaside (DLV) is deprecated -- the ISC DLV registry
# was shut down -- and dnssec-enable is obsolete in newer BIND; whether the
# image's named still accepts them cannot be told from here.
# NOTE(review): queries are logged at "severity debug 10" to an unbounded
# file; expect /var/log/querylog to grow without limit.
cat > /etc/bind/named.conf.options <<EOF
acl "trusted" {
::1/128; 127.0.0.0/8; 172.0.0.0/8; $IP; $IPV6;
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
//dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
// config-bind9.txt
recursion yes;
notify yes;
interface-interval 0;
allow-transfer { trusted; };
allow-query { any; };
allow-query-cache { trusted; };
allow-recursion { trusted; };
allow-notify { trusted; };
allow-update { none; };
version none;
check-names master warn;
check-names slave warn;
check-names response warn;
// querylog yes;
};
logging {
channel querylog{
file "/var/log/querylog";
severity debug 10;
print-category yes;
print-time yes;
print-severity yes;
};
category queries { querylog;};
};
key "_acme-challenge.$DOMAIN." {
algorithm hmac-sha512;
secret "GC9RKMhiWpRxwtBvxNQ8abBSTsfLE8kOuDxMA04q0YuyWPBo9YshtkOGEr9yGC6UPgzYOj7CNKYpn3OF9wEgzA==";
};
key "_acme-challenge.$DOMAIN2." {
algorithm hmac-sha512;
secret "JlCDMOnkKuNHSiDi6GnxurCwGpnw85NngKogSqKjSU+cvb8RJSQEZekkfW88hZIPUf0cY+Td9c2SttUL05xQEw==";
};
key "_acme-challenge.$DOMAIN3." {
algorithm hmac-sha512;
secret "Au4vHdNujqmk9p77UvMIYydOgj4vFCioan7RFBprqtepjohr9eVFN6wMcvYR3HKFLWv0ZW7YZoFZmHFKtiaUKA==";
};
EOF
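# --- forward zone for $DOMAIN2 (mail and NS delegated to $DOMAIN) ------------
# Zero-padded run counter keeps the serial monotonic across day boundaries
# (unpadded, 2020082310 would be followed by the smaller 202008241).
SERIAL="$(date +%Y%m%d)$(printf '%02d' "$(cat /etc/bind/version)")"
# NOTE(security): K_acme-challenge.$DOMAIN2.+165+*.key is no longer $INCLUDEd:
# for an HMAC key that file is a KEY RR carrying the TSIG secret, and the zone
# is served to anyone.  The key statement in named.conf.options is all that
# allow-update needs.  Rotate the secret if the old zone was ever served.
# NOTE(review): SPF authorises 172.200.0.0/24, which is not an RFC 1918 range
# -- see the note on the $DOMAIN zone.
# Here-document instead of echo -e so the DKIM file is written verbatim.
cat > "/etc/bind/$DOMAIN2" <<EOF
;
; BIND data for $DOMAIN2
;
\$TTL 3h
@ IN SOA ns1.$DOMAIN2. admin.$DOMAIN2. (
$SERIAL ; SERIAL
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
$DOMAIN2. IN A $IP
$DOMAIN2. IN AAAA $IPV6
* IN CNAME $DOMAIN2.
$DOMAIN2. IN MX 10 mail.$DOMAIN.
$DOMAIN2. IN TXT "v=spf1 ip4:172.200.0.0/24 a mx -all"
_dmarc IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf"
_dnsaddr IN TXT "dnsaddr=/ip4/$IP/tcp/4001/p2p/QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V"
_dnsaddr IN TXT "dnsaddr=/ip6/$IPV6/tcp/4001/p2p/QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V"
_dnslink IN TXT "dnslink=/ipns/QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V"
$DKIM2
\$INCLUDE K$DOMAIN2.+008+61170.key
\$INCLUDE K$DOMAIN2.+008+28449.key
EOF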
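# --- forward zone for $DOMAIN3 (mail and NS delegated to $DOMAIN) ------------
# Zero-padded run counter keeps the serial monotonic across day boundaries
# (unpadded, 2020082310 would be followed by the smaller 202008241).
SERIAL="$(date +%Y%m%d)$(printf '%02d' "$(cat /etc/bind/version)")"
# NOTE(security): K_acme-challenge.$DOMAIN3.+165+*.key is no longer $INCLUDEd:
# for an HMAC key that file is a KEY RR carrying the TSIG secret, and the zone
# is served to anyone.  The key statement in named.conf.options is all that
# allow-update needs.  Rotate the secret if the old zone was ever served.
# NOTE(review): $DKIM3 is expanded below but, as this script was written, it is
# assigned nowhere, so the zone carries no DKIM key while its DMARC policy is
# p=reject with adkim=s.  It stays here so that a definition further up (or in
# the environment) is honoured; an unset value yields an empty line as before.
# NOTE(review): SPF authorises 172.200.0.0/24, which is not an RFC 1918 range
# -- see the note on the $DOMAIN zone.
cat > "/etc/bind/$DOMAIN3" <<EOF
;
; BIND data for $DOMAIN3
;
\$TTL 3h
@ IN SOA ns1.$DOMAIN3. admin.$DOMAIN3. (
$SERIAL ; SERIAL
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
$DOMAIN3. IN A $IP
$DOMAIN3. IN AAAA $IPV6
* IN CNAME $DOMAIN3.
$DOMAIN3. IN MX 10 mail.$DOMAIN.
$DOMAIN3. IN TXT "v=spf1 ip4:172.200.0.0/24 a mx -all"
_dmarc IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf"
_dnsaddr IN TXT "dnsaddr=/ip4/$IP/tcp/4001/p2p/QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V"
_dnsaddr IN TXT "dnsaddr=/ip6/$IPV6/tcp/4001/p2p/QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V"
_dnslink IN TXT "dnslink=/ipns/QmcLwDnTPuSuaBL6QyfPGWyrAjHZYonahiKPeYSAjcU25V"
$DKIM3
\$INCLUDE K$DOMAIN3.+008+03409.key
\$INCLUDE K$DOMAIN3.+008+09300.key
EOF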
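# --- bump the run counter, fix ownership, sign the zones, start named --------
# Shell arithmetic instead of piping through bc; a missing or non-numeric
# counter file counts as 0 so the first run writes 1.
VERSION=$(cat /etc/bind/version 2>/dev/null)
case "$VERSION" in
  ''|*[!0-9]*) VERSION=0 ;;
esac
COUNT=$((VERSION + 1))
echo "$COUNT" > /etc/bind/version
# uid/gid 101 is the account named drops to with -u bind below; -p so an
# existing /run/named from a previous run is not an error.
# NOTE(security): chown -R hands the K*.private and TSIG key files to the
# service account; make sure their mode is not world-readable.
mkdir -p /run/named
chown -R 101:101 /etc/bind
chown -R 101:101 /run/named
cd /etc/bind || exit 1
# 8-byte random NSEC3 salt, fresh for every signing run.
salt() {
  head -c 1000 /dev/urandom | sha1sum | cut -b 1-16
}
# Abort instead of starting named against a missing or stale .signed file when
# signing fails.  -P (skip post-sign verification) is kept for $DOMAIN2 and
# $DOMAIN3 only, as before.
# NOTE(review): zones are signed only at container start; with
# dnssec-signzone's default 30-day signature validity a container that runs
# longer than that serves expired RRSIGs unless something re-signs it.
dnssec-signzone -A -3 "$(salt)" -N INCREMENT "$DOMAIN" || exit 1
dnssec-signzone -P -A -3 "$(salt)" -N INCREMENT "$DOMAIN2" || exit 1
dnssec-signzone -P -A -3 "$(salt)" -N INCREMENT "$DOMAIN3" || exit 1
# exec so named replaces the shell as the container's main process and
# receives the container runtime's signals directly.
exec named -c named.conf -f -u bind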