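# To generate DNSSEC keys for a zone. The -K directory must match the
# key-directory configured for that zone below (/opt/secret/bind/<zone>):
#   dnssec-keygen -K /opt/secret/bind/example.net example.net
{ config, lib, pkgs, ... }:

let
  # Zones this host serves as primary ("master"), loaded from the zone-files
  # package below. The dynamic zone is configured separately.
  masterZones = [
    "tommvo.com"
    "orbekk.com"
    "orbekk.no"
  ];
  # Package providing the zone files that are copied into /var/run/named
  # before named starts.
  zone-files = pkgs.callPackage ../pkgs/zone-files/default.nix { };
in
{
  # DNS on both transports; TCP is required for zone transfers and answers
  # that do not fit in a UDP message.
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };

  services.bind = {
    enable = true;

    # Upstream resolvers used for recursive queries.
    forwarders = [
      "1.1.1.1"
      "1.0.0.1"
      "2606:4700:4700::1111"
      "2606:4700:4700::1001"
    ];

    # Recursion/caching is only offered to these networks; all other clients
    # get authoritative answers only (see allow-query { any; } per zone).
    cacheNetworks = [
      "::1/128"
      "127.0.0.0/24"
      "10.0.0.0/8"
    ];

    # NOTE(review): the NixOS bind module also emits its own listen-on-v6 from
    # services.bind.listenOnIpv6 (defaults to "any"). Confirm whether this
    # clause is meant to restrict the listening address; if so, setting
    # listenOnIpv6 is the reliable way to do it.
    extraOptions = ''
      serial-update-method unixtime;
      listen-on-v6 { 2001:470:8e2e:20::d; };
    '';

    # Primary zones. Each is signed by named using the built-in "default"
    # dnssec-policy with keys in /opt/secret/bind/<zone>. Dynamic updates are
    # accepted only via the local session key (update-policy local); transfers
    # and notifies go to loopback and the he.net secondary over IPv6 (the IPv4
    # secondary entries are left commented out).
    extraConfig = ''
      ${lib.concatMapStrings (zone: ''
        zone ${zone} {
          type master;
          file "/var/run/named/db.${zone}.zone";
          // auto-dnssec maintain;
          dnssec-policy default;
          // inline-signing yes;
          // sig-validity-interval 21 16;
          key-directory "/opt/secret/bind/${zone}";
          update-policy local;
          allow-query { any; };
          allow-transfer {
            ::1;
            // 216.218.133.2; // slave.dns.he.net
            2001:470:600::2; // slave.dns.he.net
          };
          also-notify {
            // 216.218.133.2; // slave.dns.he.net
            2001:470:600::2; // slave.dns.he.net
          };
          notify-source-v6 2001:470:8e2e:20::d;
          notify explicit;
        };
      '') masterZones}

      // TSIG key used by remote clients to update the dynamic zone. Whoever
      // holds this key can write any record type anywhere under the zone
      // (zonesub any); narrow the grant to the needed types if only address
      // updates are intended.
      include "/opt/secret/bind/dynamic.orbekk.com/update/named.conf.key";

      zone dynamic.orbekk.com {
        type master;
        file "/var/run/named/db.dynamic.orbekk.com.zone";
        // auto-dnssec maintain;
        dnssec-policy default;
        key-directory "/opt/secret/bind/dynamic.orbekk.com";
        allow-query { any; };
        allow-transfer {
          ::1;
          193.35.52.61; // trygve transfer
          2a00:1b60:1011::6def:e868; // ns1
          2001:67c:29f4::61; // ns2
          216.218.133.2; // slave.dns.he.net
          2001:470:600::2; // slave.dns.he.net
        };
        also-notify {
          193.35.52.61; // trygve transfer
          2a00:1b60:1011::6def:e868; // ns1
          2001:67c:29f4::61; // ns2
          216.218.133.2; // slave.dns.he.net
          2001:470:600::2; // slave.dns.he.net
        };
        notify-source-v6 2001:470:8e2e:20::d;
        notify explicit;
        update-policy {
          grant dynamic.orbekk.com.key zonesub any;
        };
      };
    '';
  };

  # Seed /var/run/named with the packaged zone files before named starts.
  # Journals (.jnl/.jbk) belonging to a zone file that is about to be replaced
  # are removed first, so named does not apply a journal that no longer
  # matches the file. The dynamic zone is only copied when no copy exists
  # yet, so updates received at runtime survive restarts.
  systemd.services.bind = {
    preStart = lib.mkAfter ''
      #rm /var/run/named/*.jnl || true
      #rm /var/run/named/*.jbk || true
      echo "Copy zone files"
      for z in ${zone-files}/*; do
        name="$(basename "$z")"
        if [[ $z =~ .*dynamic.* && -e "/var/run/named/$name" ]]; then
          echo "Skip dynamic zone $z"
          continue
        fi
        echo "Copy zone $z"
        # -f: a missing journal is not an error.
        rm -f "/var/run/named/$name.jnl"
        rm -f "/var/run/named/$name.jbk"
        cp -f "$z" /var/run/named/
      done
      echo "Done copying zone files"
    '';
  };
}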