Bind

    Resources

    Delegation

    In this example we would like to delegate dokuwiki.society-lbl.com.

    First add the glue records to the parent domain's zone file.

    /etc/bind/society-lbl.com

    ; GLUE RECORD SUBDOMAIN
    dokuwiki.society-lbl.com.	IN	NS	ns2.dokuwiki.society-lbl.com.
                                  NS	ns.dokuwiki.society-lbl.com.
    ns.dokuwiki.society-lbl.com.	IN	A	91.121.62.12
    ns2.dokuwiki.society-lbl.com.	IN	A	91.121.12.116
    

    Then add a separate zone file for the delegated subdomain.

    /etc/bind/dokuwiki.society-lbl.com

    $TTL 3h
    @       IN      SOA     ns2.dokuwiki.society-lbl.com. hostmaster.society-lbl.com. (
                                    2013073101
                                    8H
                                    2H
                                    1W
                                    1D )
    
    ; NS for dokuwiki :
    
    @	IN	NS	ns2.dokuwiki.society-lbl.com.
    @	IN	NS	ns.dokuwiki.society-lbl.com.
    
    ns		IN	A	91.121.62.12
    ns2		IN	A	91.121.12.116
    
    dokuwiki.society-lbl.com.	IN	A	91.121.12.116
    
    memorandum	IN	CNAME	dokuwiki.society-lbl.com.
    cultivation	IN	CNAME	dokuwiki.society-lbl.com.
    network	        IN	CNAME	dokuwiki.society-lbl.com.
    

    /etc/bind/named.conf.local

    zone "dokuwiki.society-lbl.com" {
            type master;
            file "/etc/bind/dokuwiki.society-lbl.com";
    };
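
    Once the parent zone and the subdomain zone above are loaded, a practitioner wants to confirm that the delegation is consistent. The script below is an added example, not part of the original page: it compares the NS set and glue the parent publishes for the subdomain with what the subdomain's own servers answer. It assumes dig is installed and the servers are reachable; zone and server names are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: after delegating a subdomain such
# as dokuwiki.society-lbl.com, confirm that the parent's NS and glue records
# agree with what the subdomain's own servers answer (a lame delegation check).
# Assumes dig is installed and the servers are reachable; names are the page's.
set -u

# Lower-case, drop trailing dots and blank lines, sort: makes two record lists comparable.
normalize() { tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | grep -v '^$' | LC_ALL=C sort -u; }

# Pull the RDATA of one record type out of full dig output (answer, authority
# and additional sections), since a referral from the parent has no answer section.
extract_rr() { awk -v t="$1" '$4 == t { print $5 }'; }

# Exit status 0 when two newline-separated lists contain the same names.
same_set() { [ "$(printf '%s\n' "$1" | normalize)" = "$(printf '%s\n' "$2" | normalize)" ]; }

check_delegation() {  # $1 = delegated zone, $2 = a server authoritative for the parent
    zone=$1; parent=$2; rc=0
    parent_ns=$(dig +norecurse @"$parent" "$zone" NS | extract_rr NS)
    [ -n "$parent_ns" ] || { echo "$parent publishes no NS for $zone" >&2; return 1; }
    for ns in $parent_ns; do
        # The child must answer authoritatively with the same NS set.
        child_ns=$(dig +norecurse @"$ns" "$zone" NS | extract_rr NS)
        same_set "$parent_ns" "$child_ns" || { echo "NS set at $ns differs from parent" >&2; rc=1; }
        # Glue at the parent must match the address the child publishes for itself.
        glue=$(dig +norecurse @"$parent" "$ns" A | extract_rr A)
        child_a=$(dig +norecurse @"$ns" "$ns" A | extract_rr A)
        same_set "$glue" "$child_a" || { echo "glue for $ns differs from child A record" >&2; rc=1; }
    done
    return $rc
}

# usage: ./check-delegation.sh dokuwiki.society-lbl.com ns1.society-lbl.com
if [ $# -eq 2 ]; then check_delegation "$1" "$2" && echo "delegation of $1 looks consistent"; fi
```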
    

    Setup DDNS

    rfc2136

    Example: update the IPv4 and IPv6 addresses of a subdomain.

    Server-side

    requires: bind9utils package

    For dynamic DNS, first create a TSIG key.

    dnssec-keygen -a HMAC-SHA512 -b 512 -r /dev/urandom -n HOST home.society-lbl.com
    

    notes:

    • society-lbl.com will be part of the filenames (.private and .key)
    • I tried to use more complex algorithms (based on private/public key), but it's overkill time/security just to update an ip on a subdomain.

    /etc/bind/keys.conf

    key home.society-lbl.com {
           algorithm HMAC-SHA512;
           secret "KEY_VALUE";
    };
    

    notes:

    • replace KEY_VALUE with everything after Key: in the generated .private file
    • keep the .private file: it will be used by the client, as will the .key file
    • home.society-lbl.com will be the name under which bind identifies the key

    /etc/bind/named.conf:

    include "/etc/bind/keys.conf";
    

    Then you have two choices; note that they cannot both be used on the same zone.

    1. allow-update: the key can update anything in the zone. /etc/bind/named.conf.local:
    zone "society-lbl.com" {
            type master;
            file "/etc/bind/domains/society-lbl.com";
            allow-update {
              key home.society-lbl.com;
            };
    };
    
    2. (preferred) update-policy: the key can update only a specific part of the zone. /etc/bind/named.conf.local:
    zone "society-lbl.com" {
            type master;
            file "/etc/bind/domains/society-lbl.com";
            update-policy {
             grant home.society-lbl.com name home.society-lbl.com. A AAAA;
            };
    };
    

    notes:

    • update-policy rules have the form <permission> <identity> <matchtype> [tname] [rr]; see the BIND documentation for details
    • in this case, the identity is the name of the key, home.society-lbl.com

    Check the configuration

    named-checkconf && systemctl restart bind9
    

    In case of a manual update

    If you update the society-lbl.com zone file manually, you will need to:

    rndc freeze society-lbl.com
    # edit your zone conf file (/etc/bind/domains/society-lbl.com)
    rndc thaw society-lbl.com # when finished
    

    Security-part

    Ensure bind can read and write the file containing the zone (e.g., /etc/bind/domains/society-lbl.com), using chown and chmod for the group bind; named also writes a .jnl journal file next to it, so the directory must be writable as well.

    If AppArmor is in use, make the following changes to /etc/apparmor.d/usr.sbin.named, if required:

    /usr/sbin/named {
      ...
      /etc/bind/** r,
      /etc/bind/domains/** rw,
      ...
    }
    

    systemctl restart apparmor

    Client side

    Check it works

    Try a query signed with the key (the TSIG part of the answer shows whether the server accepted it):

     dig -y hmac-sha512:home.society-lbl.com:KEY_VALUE @ns1.society-lbl.com TSIG society-lbl.com
    

    If you get an error, check /var/log/syslog on the server.

    Update the zone

    requires: dnsutils package

    Example: add or replace the IP addresses of the subdomain home.society-lbl.com

    update.txt

    server ns1.society-lbl.com
    zone society-lbl.com
    update delete home.society-lbl.com. A
    update delete home.society-lbl.com. AAAA
    update add home.society-lbl.com. 600 AAAA xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
    update add home.society-lbl.com. 600 A xxx.xxx.xxx.xxx
    show
    send
    

    important: ensure both key files, .private and .key, are present (otherwise you risk getting update failed: REFUSED with no further details)

    nsupdate -k Kkeyname.+165+0316.private -v update.txt
    

    notes:

    • specifying a file is not necessary if you prefer to type the commands interactively
    • -v forces TCP instead of UDP, which is preferred for batch requests
    • update delete: without it, when the IP changes, the old records remain alongside the new ones (causing slow resolution)

    Check that the update has been applied with:

    dig ANY home.society-lbl.com
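
    The client-side procedure above (build update.txt, send it with the TSIG key, verify) as one script. This is an added example, not from the original page: it generates the same rfc2136 batch for home.society-lbl.com, refuses malformed addresses before they reach the zone, sends the batch with nsupdate -k, and verifies at the primary. It assumes dnsutils is installed, that the key file name and the new addresses (203.0.113.5 and 2001:db8::5 are constructed sample values) are passed as arguments, and that the server's update-policy grants this key A/AAAA on this name.

```shell
#!/bin/sh
# Added example, not from the original page: generate the nsupdate batch shown
# above for home.society-lbl.com and send it signed with the TSIG key.
# Assumes: dnsutils is installed; the key file and the new addresses are passed
# as arguments; the server grants this key A/AAAA on this name via update-policy.
set -eu

SERVER="ns1.society-lbl.com"
ZONE="society-lbl.com"
NAME="home.society-lbl.com"
TTL=600

# Cheap syntax checks so a typo never reaches the zone (loose, not a full parser).
valid_ipv4() { printf '%s' "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_ipv6() { printf '%s' "$1" | grep -qE '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'; }

# Print the rfc2136 batch. Deleting A/AAAA first matters: "update add" alone
# would leave the previous addresses beside the new ones.
build_update() {  # $1 = IPv4 or "", $2 = IPv6 or ""
    printf 'server %s\nzone %s\n' "$SERVER" "$ZONE"
    printf 'update delete %s. A\nupdate delete %s. AAAA\n' "$NAME" "$NAME"
    if [ -n "$1" ]; then printf 'update add %s. %s A %s\n' "$NAME" "$TTL" "$1"; fi
    if [ -n "$2" ]; then printf 'update add %s. %s AAAA %s\n' "$NAME" "$TTL" "$2"; fi
    printf 'send\n'
}

send_update() {  # $1 = K*.private key file, $2 = IPv4 or "", $3 = IPv6 or ""
    if [ -n "$2" ] && ! valid_ipv4 "$2"; then echo "bad IPv4: $2" >&2; return 1; fi
    if [ -n "$3" ] && ! valid_ipv6 "$3"; then echo "bad IPv6: $3" >&2; return 1; fi
    [ -r "$1" ] || { echo "key file $1 not readable" >&2; return 1; }
    # -v: TCP, as the page recommends for batch updates.
    build_update "$2" "$3" | nsupdate -k "$1" -v
    # Verify at the primary itself, bypassing any resolver cache.
    dig +short @"$SERVER" "$NAME" A
    dig +short @"$SERVER" "$NAME" AAAA
}

# usage (NNNNN is a placeholder for the key id in the generated file name):
#   ./ddns-update.sh Khome.society-lbl.com.+165+NNNNN.private 203.0.113.5 2001:db8::5
if [ $# -ge 2 ]; then send_update "$1" "$2" "${3:-}"; fi
```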
    

    Sources:

    • https://web.archive.org/web/20180831164247/http://linux.yyz.us/nsupdate/
    • https://web.archive.org/web/20180830082119/http://linux.yyz.us/dns/ddns-server.html
    • https://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
    • https://www.afnic.fr/medias/documents/DNSSEC/afnic-dnssec-howto-fr-v2.pdf
    • https://www.bortzmeyer.org/5155.html
    • https://www.zytrax.com/books/dns/ch2/#dyn-update
    • https://www.bortzmeyer.org/2845.html

    See also ddns-confgen

    Check configuration

    named-checkconf
    named-checkconf -z
    

    Note: for more detail on a zone, you can type: named-checkzone domain.tld /etc/bind/domains/domain.tld

    Check propagation

    nslookup DOMAIN.TLD NS_SERVER.TLD
    

    Example

    /etc/bind/society-lbl.com

    $TTL 3h
    @       IN      SOA     ns2.society-lbl.com. hostmaster.society-lbl.com. (
                                    2013080101 ; serial number (YYYYMMDDxx)
                                    1D         ; refresh =  1 day
                                    15M        ; update retry = 15 minutes
                                    3W         ; expiry = 3 weeks
                                    2H         ; minimum = 2 hours
                                    )
    
    ; NS :
    ns1             IN      A       91.121.62.12  ; glue record
    ns2             IN      A       91.121.12.116 ; glue record
    @       IN      NS      ns2.society-lbl.com.
    @       IN      NS      ns1.society-lbl.com.
    @       IN      NS      ns.kimsufi.com.
    
    @       IN      A       91.121.62.12
    @       IN      A       91.121.12.116
    
    ; it is equivalent to
    ; society-lbl.com.  IN  A  91.121.62.12
    ; society-lbl.com.  IN  A  91.121.12.116
    
    ftp     IN      CNAME   society-lbl.com.
    

    Notes:

    - @ is replaced by the zone name (society-lbl.com, here also the filename). You could also specify $ORIGIN society-lbl.com. at the beginning of the file.
    
    - To learn more about glue records, [see](softwares/server/dns/start#glue_record).
    
    - **Refresh Time** - The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server's current SOA record with the serial number in its own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.
    
    - **Retry time** - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.
    
    - **Expire time** - The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
    
    - **Minimum TTL** - The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.
    

    Tips

    List subdomains locally

    # drop directives ($TTL, $ORIGIN) and wildcard records, then NS/SOA lines, keep lines starting with a name
    grep -v -E '^[$*]' parmentier.io | grep -v -E 'NS|SOA' | grep -E '^\w'