zydronium/getnamingo-registry
1
0
Fork 0
mirror of https://github.com/getnamingo/registry.git synced 2025-05-10 16:58:34 +02:00
Code Issues Projects Releases Packages Wiki Activity

Added easier OpenDNSSEC support

Browse source
This commit is contained in:
Pinga 2024-02-23 01:13:48 +02:00
parent f80f1bcb95
commit 23d50a0b0c
2 changed files with 112 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
automation/write-zone.php
View file

@ -135,7 +135,7 @@ Coroutine::create(function () use ($pool, $log, $c) {
$zone->addResourceRecord($dsRecord); $zone->addResourceRecord($dsRecord);
} }
} }
$builder = new ZoneBuilder(); $builder = new ZoneBuilder();
$completed_zone = $builder->build($zone); $completed_zone = $builder->build($zone);
@ -151,6 +151,12 @@ Coroutine::create(function () use ($pool, $log, $c) {
} }
file_put_contents("{$basePath}/{$cleanedTld}.zone", $completed_zone); file_put_contents("{$basePath}/{$cleanedTld}.zone", $completed_zone);
if ($c['dns_server'] == 'opendnssec') {
chown("{$basePath}/{$cleanedTld}.zone", 'opendnssec');
chgrp("{$basePath}/{$cleanedTld}.zone", 'opendnssec');
}
} }
if ($c['dns_server'] == 'bind') { if ($c['dns_server'] == 'bind') {
@ -178,6 +184,20 @@ Coroutine::create(function () use ($pool, $log, $c) {
if ($return_var != 0) { if ($return_var != 0) {
$log->error('Failed to notify secondary servers. ' . $return_var); $log->error('Failed to notify secondary servers. ' . $return_var);
} }
} elseif ($c['dns_server'] == 'opendnssec') {
exec("ods-signer sign {$cleanedTld}");
sleep(1);
copy("/var/lib/opendnssec/signed/{$cleanedTld}", "/var/lib/bind/{$cleanedTld}.zone.signed");
exec("rndc reload {$cleanedTld}.", $output, $return_var);
if ($return_var != 0) {
$log->error('Failed to reload BIND. ' . $return_var);
}
exec("rndc notify {$cleanedTld}.", $output, $return_var);
if ($return_var != 0) {
$log->error('Failed to notify secondary servers. ' . $return_var);
}
} else { } else {
// Default // Default
exec("rndc reload {$cleanedTld}.", $output, $return_var); exec("rndc reload {$cleanedTld}.", $output, $return_var);

93
docs/install.md
View file

@ -699,7 +699,42 @@ key "test.key" {
Copy this output for use in the configuration files of both the master and slave DNS servers. (```/etc/bind/named.conf.local```) Copy this output for use in the configuration files of both the master and slave DNS servers. (```/etc/bind/named.conf.local```)
### Configure the Named Configuration File: ### Configure the Named Configuration File (Please Choose One):
1. Without DNSSEC:
Edit the named.conf.local file:
```bash
nano /etc/bind/named.conf.local
```
Add the following zone definition:
```bash
zone "test." {
type master;
file "/var/lib/bind/test.zone";
allow-transfer { key "test.key"; };
also-notify { <slave-server-IP>; };
};
```
Replace ```<slave-server-IP>``` with the actual IP address of your slave server. Replace ```test``` with your TLD.
Use rndc to reload BIND:
```bash
systemctl restart bind9
```
Configure the `Zone Writer` in Registry Automation and run it manually the first time.
```bash
php /opt/registry/automation/write-zone.php
```
2. Using DNSSEC with BIND9:
Edit the named.conf.local file: Edit the named.conf.local file:
@ -755,7 +790,61 @@ systemctl restart bind9
rndc loadkeys test. rndc loadkeys test.
``` ```
Configure the ```write-zone.php``` file and activate it in the automation script. Configure the `Zone Writer` in Registry Automation and run it manually the first time.
```bash
php /opt/registry/automation/write-zone.php
```
3. Using DNSSEC with OpenDNSSEC:
Edit the named.conf.local file:
```bash
nano /etc/bind/named.conf.local
```
Add the following zone definition:
```bash
zone "test." {
type master;
file "/var/lib/bind/test.zone.signed";
allow-transfer { key "test.key"; };
also-notify { <slave-server-IP>; };
};
```
Replace ```<slave-server-IP>``` with the actual IP address of your slave server. Replace ```test``` with your TLD.
Install OpenDNSSEC:
```bash
apt install opendnssec opendnssec-enforcer-sqlite3 opendnssec-signer softhsm2
```
Update files in `/etc/opendnssec` to match your registry policy. As minimum, please enable at least Signer Threads in `/etc/opendnssec/conf.xml`, but we recommend to fully review [all the files](https://wiki.opendnssec.org/configuration/confxml/). Then run the following commands:
```bash
softhsm2-util --init-token --slot 0 --label OpenDNSSEC --pin 1234 --so-pin 1234
ods-enforcer-db-setup
rm /etc/opendnssec/prevent-startup
ods-control start
ods-enforcer policy import
ods-enforcer zone add -z test -p default -i /var/lib/bind/test.zone
```
Use rndc to reload BIND:
```bash
systemctl restart bind9
```
Configure the `Zone Writer` in Registry Automation and run it manually the first time.
```bash
php /opt/registry/automation/write-zone.php
```
### Check BIND9 Configuration: ### Check BIND9 Configuration: