From 9799f1f60b09741f3c2902be15e1b26b7a5a0feb Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Mon, 21 Aug 2023 13:26:39 +0200
Subject: [PATCH] saving uncommitted changes in /etc prior to apt run
---
 bind/bind.keys | 48 ++-
 bind/named-acl.conf | 35 +-
 bind/named-sec.conf | 693 ----------------------------------
 bind/named.conf.default-zones | 2 +-
 bind/named.conf.options | 13 +-
 5 files changed, 36 insertions(+), 755 deletions(-)
diff --git a/bind/bind.keys b/bind/bind.keys
index 6d4217f..5e5a32b 100644
--- a/bind/bind.keys
+++ b/bind/bind.keys
@@ -4,30 +4,42 @@
 # be configured elsewhere; if they are configured here, they will not be
 # recognized or used by named.
 #
-# To use the built-in root key, set "dnssec-validation auto;" in the
-# named.conf options, or else leave "dnssec-validation" unset. If
-# "dnssec-validation" is set to "yes", then the keys in this file are
-# ignored; keys will need to be explicitly configured in named.conf for
-# validation to work. "auto" is the default setting, unless named is
-# built with "configure --disable-auto-validation", in which case the
-# default is "yes".
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in key, use "dnssec-validation auto;" in the
+# named.conf options. Without this option being set, the keys in this
+# file are ignored.
 #
 # This file is NOT expected to be user-configured.
 #
-# Servers being set up for the first time can use the contents of this file
-# as initializing keys; thereafter, the keys in the managed key database
-# will be trusted and maintained automatically.
+# These keys are current as of October 2017. If any key fails to
+# initialize correctly, it may have expired. In that event you should
+# replace this file with a current version. The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
 #
-# These keys are current as of Mar 2019. If any key fails to initialize
-# correctly, it may have expired. In that event you should replace this
-# file with a current version. The latest version of bind.keys can always
-# be obtained from ISC at https://www.isc.org/bind-keys.
-#
-# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
-# anchor information for the root zone.
+# See https://data.iana.org/root-anchors/root-anchors.xml
+# for current trust anchor information for the root zone.
+
+managed-keys {
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
-trust-anchors {
 # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
 . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
diff --git a/bind/named-acl.conf b/bind/named-acl.conf
index 4f643bb..28ffc70 100644
--- a/bind/named-acl.conf
+++ b/bind/named-acl.conf
@@ -11,14 +11,8 @@
 #----------------------------------------
 acl allow-dyn-update {
- 46.16.73.175;
- 2001:4dd0:ff00:cd3::2;
 188.34.187.246;
 2a01:4f8:c010:80ee::1;
- 144.76.221.169;
- 2a01:4f8:200:94a8::2;
- 138.201.28.135;
- 2a01:4f8:171:3006::2;
 185.48.118.128;
 162.254.24.33;
 185.102.95.107;
@@ -30,14 +24,8 @@ acl allow-dyn-update {
 #----------------------------------------
 acl allow-notify {
- 46.16.73.175;
- 2001:4dd0:ff00:cd3::2;
 188.34.187.246;
 2a01:4f8:c010:80ee::1;
- 144.76.221.169;
- 2a01:4f8:200:94a8::2;
- 138.201.28.135;
- 2a01:4f8:171:3006::2;
 185.48.118.128;
 162.254.24.33;
 185.102.95.107;
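Review bot: The new side of bind.keys re-adds the 19036 root key as an `initial-key` inside `managed-keys` and dates the file "October 2017", which reads like an older packaged copy replacing a newer one rather than an intended change. The file's own comments say 19036 is being phased out and that the file should be replaced with a current version when a key no longer initializes, so a retired trust anchor should not stay configured; `managed-keys` is also the deprecated spelling of `trust-anchors` in current BIND releases. I would restore the bind.keys shipped with the installed bind9 package and check named's startup log for trust-anchor initialization messages afterwards. The hunk ends inside the 20326 key string, so the rest of the block is not visible here.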
@@ -49,22 +37,13 @@ acl allow-notify {
 #----------------------------------------
 acl allow-recursion {
- 46.16.73.175;
- 2001:4dd0:ff00:cd3::2;
 188.34.187.246;
 2a01:4f8:c010:80ee::1;
- 144.76.221.169;
- 2a01:4f8:200:94a8::2;
 185.48.118.128;
 162.254.24.33;
 185.102.95.107;
 2a06:2380:0:1::3a;
 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
- 138.201.28.135;
- 138.201.28.184;
- 138.201.28.185;
- 138.201.28.186;
- 2a01:4f8:171:3006::/64;
 127.0.0.0/8;
 ::1/128;
 fe80::/10;
@@ -72,11 +51,7 @@ acl allow-recursion {
 #----------------------------------------
 acl also-notify-acwain {
- 144.76.221.169;
- 2a01:4f8:200:94a8::2;
 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
- 138.201.28.135;
- 2a01:4f8:171:3006::2;
 };
 #----------------------------------------
@@ -97,14 +72,8 @@ acl common-allow-transfer {
 195.50.185.7;
 46.189.56.7;
 85.199.64.7;
- 46.16.73.175;
- 2001:4dd0:ff00:cd3::2;
 188.34.187.246;
 2a01:4f8:c010:80ee::1;
- 144.76.221.169;
- 2a01:4f8:200:94a8::2;
- 138.201.28.135;
- 2a01:4f8:171:3006::2;
 185.48.118.128;
 162.254.24.33;
 185.102.95.107;
@@ -116,7 +85,7 @@ acl common-allow-transfer {
 #----------------------------------------
 acl local-host-ips {
- 127.0.0.0/8;
+ 127.0.0.1/8;
 ::1/128;
 };
@@ -133,8 +102,6 @@ acl local-net-ips {
 #----------------------------------------
 acl private-net-ips {
 10.12.11.0/24;
- 46.16.73.175;
- 2001:4dd0:ff00:cd3::2;
 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9;
 188.34.187.246;
 2a01:4f8:c010:80ee::1;
diff --git a/bind/named-sec.conf b/bind/named-sec.conf
index dc59d73..5e71ab9 100644
--- a/bind/named-sec.conf
+++ b/bind/named-sec.conf
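Review bot: `127.0.0.1/8` in `acl local-host-ips` sets host bits under an 8-bit prefix, so it is not a well-formed network entry; BIND checks that an address agrees with its prefix length, and named-checkconf is likely to flag this line as a mismatch. An ACL named for local hosts is the kind that gates local-only access, so a rejected or differently matched entry is worth avoiding. Keep the network form, `127.0.0.0/8;`. The remaining hunks in this file only remove addresses from the ACLs, so it is worth confirming that no zone or notify statement still relies on the removed hosts.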
@@ -10,28 +10,6 @@
 //# Slave-Zonen (Secondary)
-zone "0.0.0.1.6.0.0.3.1.7.1.0.8.f.4.0.1.0.a.2.ip6.arpa" {
- type slave;
- file "rev.2a01-4f8-171-3006-1000.zone";
- masters {
- 138.201.28.135;
- };
- allow-transfer {
- common-allow-transfer;
- };
-};
-
-zone "0.0.0.2.6.0.0.3.1.7.1.0.8.f.4.0.1.0.a.2.ip6.arpa" {
- type slave;
- file "rev.2a01-4f8-171-3006-2000.zone";
- masters {
- 138.201.28.135;
- };
- allow-transfer {
- common-allow-transfer;
- };
-};
-
 zone "0.29.172.in-addr.arpa" {
 type slave;
 file "rev.172.29.0.zone";
@@ -43,676 +21,5 @@ zone "0.29.172.in-addr.arpa" { }; }; -zone "0.31.172.in-addr.arpa" { - type slave; - file "rev.172.31.0.zone"; - masters { - 138.201.28.135; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "0.32.172.in-addr.arpa" { - type slave; - file "rev.172.32.0.zone"; - masters { - 138.201.28.135; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "acwain.com" { - type slave; - file "acwain.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "acwain.de" { - type slave; - file "acwain.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "acwain.net" { - type slave; - file "acwain.net.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "acwain.org" { - type slave; - file "acwain.org.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "dkn-die-zahnaerzte.de" { - type slave; - file "dkn-die-zahnaerzte.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "domaniecki.com" { - type slave; - file "domaniecki.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "dyn.acwain.net" { - type slave; - file "dyn.acwain.net.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "e-nergieplus.de" { - type slave; - file "e-nergieplus.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "ereda.de" { - type slave; - file "ereda.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "gl-versicherungsmakler.de" { - type slave; - file "gl-versicherungsmakler.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone 
"haemato-onkologie-hamburg.de" { - type slave; - file "haemato-onkologie-hamburg.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "haemato-onkologie-hh.de" { - type slave; - file "haemato-onkologie-hh.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "hausarztpraxis-hoheluft.de" { - type slave; - file "hausarztpraxis-hoheluft.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "ihrezahnaerzte.com" { - type slave; - file "ihrezahnaerzte.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "irtk.de" { - type slave; - file "irtk.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "kleinanzeigen-mv.de" { - type slave; - file "kleinanzeigen-mv.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "krebszentrum-hoheluft.de" { - type slave; - file "krebszentrum-hoheluft.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "krebszentrum-laack.de" { - type slave; - file "krebszentrum-laack.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "krebszentrum-suederelbe.de" { - type slave; - file "krebszentrum-suederelbe.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "mexico-language-school.com" { - type slave; - file "mexico-language-school.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "mexico-travel-and-tours.com" { - type slave; - file "mexico-travel-and-tours.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "mexventure.com" { - type slave; - file "mexventure.com.zone"; - 
masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "mexventure.de" { - type slave; - file "mexventure.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "mexventures.com" { - type slave; - file "mexventures.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "mexventures.de" { - type slave; - file "mexventures.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "mypettown.com" { - type slave; - file "mypettown.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "mypettown.de" { - type slave; - file "mypettown.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "nexunus.com" { - type slave; - file "nexunus.com.zone"; - masters { - 138.201.28.135; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "nexunus.de" { - type slave; - file "nexunus.de.zone"; - masters { - 138.201.28.135; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "nexunus.net" { - type slave; - file "nexunus.net.zone"; - masters { - 138.201.28.135; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "onkologie-hoheluft.de" { - type slave; - file "onkologie-hoheluft.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "onkologie-laack.de" { - type slave; - file "onkologie-laack.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "onkologie-suederelbe.de" { - type slave; - file "onkologie-suederelbe.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "planetec.de" { - type slave; - file "planetec.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; 
-}; - -zone "pontilus.com" { - type slave; - file "pontilus.com.zone"; - masters { - 138.201.28.135; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "pontilus.de" { - type slave; - file "pontilus.de.zone"; - masters { - 138.201.28.135; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "saeger.cc" { - type slave; - file "saeger.cc.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "saeger.net" { - type slave; - file "saeger.net.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "sg-hohh.de" { - type slave; - file "sg-hohh.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "shop-yoo.com" { - type slave; - file "shop-yoo.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "shop-yoo.de" { - type slave; - file "shop-yoo.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "shop-you.de" { - type slave; - file "shop-you.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "shopyoo.com" { - type slave; - file "shopyoo.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "shopyoo.de" { - type slave; - file "shopyoo.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "shopyou.com" { - type slave; - file "shopyou.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "shopyou.de" { - type slave; - file "shopyou.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "spanish-school-mexico.com" { - type slave; - file "spanish-school-mexico.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - 
common-allow-transfer; - }; -}; - -zone "sprachreisen-mexiko.com" { - type slave; - file "sprachreisen-mexiko.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "sprachschule-mexiko.com" { - type slave; - file "sprachschule-mexiko.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "spridget-register.com" { - type slave; - file "spridget-register.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "spridgets.net" { - type slave; - file "spridgets.net.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "timo-adam.de" { - type slave; - file "timo-adam.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "timoadam.de" { - type slave; - file "timoadam.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "vital-beauty.net" { - type slave; - file "vital-beauty.net.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "vitalbeauty.net" { - type slave; - file "vitalbeauty.net.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "xn--hmato-onkologie-hamburg-v7b.de" { - type slave; - file "xn--hmato-onkologie-hamburg-v7b.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "xn--hmato-onkologie-hh-ltb.de" { - type slave; - file "xn--hmato-onkologie-hh-ltb.de.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "zahnpiraten-hamburg.com" { - type slave; - file "zahnpiraten-hamburg.com.zone"; - masters { - 144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - -zone "zahnpiraten.com" { - type slave; - file "zahnpiraten.com.zone"; - masters { - 
144.76.221.169; - }; - allow-transfer { - common-allow-transfer; - }; -}; - # vim: ts=4 filetype=named noai diff --git a/bind/named.conf.default-zones b/bind/named.conf.default-zones index 71b56c8..952ae71 100644 --- a/bind/named.conf.default-zones +++ b/bind/named.conf.default-zones @@ -9,7 +9,7 @@ // prime the server with knowledge of the root servers zone "." { type hint; - file "/usr/share/dns/root.hints"; + file "/etc/bind/db.root"; }; // be authoritative for the localhost forward and reverse zones, and for diff --git a/bind/named.conf.options b/bind/named.conf.options index 0b08785..44af16c 100644 --- a/bind/named.conf.options +++ b/bind/named.conf.options @@ -18,9 +18,9 @@ options { // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 - // If your ISP provided one or more IP addresses for stable - // nameservers, you probably want to use them as forwarders. - // Uncomment the following block, and insert the addresses replacing + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { @@ -47,7 +47,7 @@ options { //======================================================================== //dnssec-enable yes; dnssec-validation auto; - # dnssec-lookaside auto; + dnssec-lookaside auto; /* * As of bind 9.8.0: @@ -73,11 +73,6 @@ key "dyn-dns-updater" { secret "gi69Yjzo1OSPVQ/oTTgw+Q=="; }; -key "uhu-banane.de" { - algorithm hmac-sha256; - secret "Fp7S3LW+bSZZi2hFZUwFje47xW4cYTR6O4QfCUPoAGM="; -}; - //############################################################### //# Kontrollkanäle für RNDC -- 2.39.5
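Review bot: The hint zone in named.conf.default-zones now reads `/etc/bind/db.root`, a file that nothing in this commit adds or updates, where it previously read the packaged `/usr/share/dns/root.hints`. A root hints file kept by hand under /etc goes stale unless someone refreshes it, and if the file is missing the hint zone will presumably fail to load. Unless there is a reason to pin a local copy, keep `file "/usr/share/dns/root.hints";` so the hints follow package updates.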
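Review bot: `dnssec-lookaside auto;` is switched back on in named.conf.options, but lookaside validation depended on the ISC DLV registry, which has been retired, and recent BIND releases mark the option obsolete. At best the line has no effect; at worst it produces a configuration warning or error after the package upgrade this commit precedes. Leave it disabled, `# dnssec-lookaside auto;`, ideally with a comment such as `// DLV is retired; validation relies on the root trust anchor only`. The options block starts and ends outside the hunk, so the rest of the DNSSEC settings could not be checked.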
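Review bot: The `secret` of `key "dyn-dns-updater"` (still present as context) and the `secret` of the removed `key "uhu-banane.de"` are TSIG shared secrets stored in clear text in a version-controlled file. Deleting the `uhu-banane.de` block does not remove its secret from the repository history, so that key should be treated as disclosed and rotated wherever a peer still accepts it. For the remaining key, a separate file pulled in with `include`, readable only by the named user and kept out of the repository, would limit exposure. The `algorithm` line of `dyn-dns-updater` lies outside the hunk, so its strength cannot be checked here.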