zdns -- DNS zones creator helper
This is a very simple set of Tcl-based helper functions for creating DNS
zones. Many things are hardcoded. Basically you just write an ordinary
Tcl script that sources rc.tcl, which contains the various helper
functions. It expects the DOMAIN variable to be set.
Initially this utility was written in zsh, but later it was replaced
* fqdn(domain) -- prints the fully-qualified domain name, accepting
  either "domain.", "@", or "subdomain" names
* shorten(domain) -- prints the $DOMAIN-relative shortened name: only
  the subdomain part, or "@"
* zone(serial) -- prints the SOA record with two predefined (hardcoded)
  nameservers and a "none" DMARC policy
* mx(domain) -- adds predefined MX records for the given domain, with a
  predefined redirect-based SPF policy
* dane(domain, [port=443]) -- adds DANE records for the given domain.
  You have to have a tls/ subdirectory containing zeasypki's state
  (http://www.git.stargrave.org/?p=zeasypki.git;a=blob;f=README).
  It looks in each CA's subdirectory for a keypair for the domain and,
  if one exists, prints the necessary CAA and TLSA records
* ssh(domain) -- searches for the corresponding public key in the ssh/
  subdirectory and (if it exists) prints the corresponding SSHFP record
* subdomain(domain, addrs, [y mailable dane:PORT]) -- adds the specified
  domain with the provided space-separated addresses. It automatically
  calls the dane and ssh helpers. The third argument is a list containing
  three optional elements. Unless "mailable" is specified, it prints a
  "-all" SPF policy and sets a null MX. If "y" is specified, it adds a
  "y.domain" address with the predefined $Y6 address, a "-all" SPF policy
  and a null MX
* pgp(keyid, uid) -- prints the _openpgpkey DANE record for the given
  OpenPGP key with the desired UID. "uid" is optional and useful only if
  your key has multiple UIDs and you need to add only the single
  specified one
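As an added example (not the project's Tcl code), here is a Python re-implementation of what the helpers above compute, so that records in a generated zone can be checked against the key material in ssh/ and tls/: fqdn/shorten naming, the "-all" SPF plus null MX default of subdomain, CAA and TLSA 3 1 1 (DANE-EE, SPKI selector, SHA-256 matching) per CA, SSHFP 4 2 from an ssh-ed25519 key line, and the RFC 7929 owner name of the _openpgpkey record. It assumes nncpgo.org as $DOMAIN, an Ed25519 key so that the SPKI DER can be built with the standard library (zeasypki's ECDSA/GOST certificates would supply their own SPKI), the null MX form "MX 0 ." from RFC 7505, and constructed key bytes and CA names that are placeholders, not real ones.

```python
# Added example: a Python re-implementation of the record logic the zdns Tcl
# helpers perform. It is not the project's code. DOMAIN mirrors $DOMAIN;
# the key bytes and CA names below are constructed placeholders.
import base64
import hashlib
import struct

DOMAIN = "nncpgo.org"


def fqdn(name, domain=DOMAIN):
    """Fully-qualified, dot-terminated form of "@", "host.example." or "sub"."""
    if name == "@":
        return domain + "."
    if name.endswith("."):
        return name
    return f"{name}.{domain}."


def shorten(name, domain=DOMAIN):
    """$DOMAIN-relative form: "@" for the apex, else the subdomain part only."""
    full = fqdn(name, domain)
    if full == domain + ".":
        return "@"
    suffix = "." + domain + "."
    return full[:-len(suffix)] if full.endswith(suffix) else full


def sshfp_record(owner, openssh_line_text):
    """SSHFP 4 2 (Ed25519, SHA-256) from an "ssh-ed25519 AAAA..." key line.

    The digest covers the base64-decoded key blob, the same bytes that
    ssh-keygen -r hashes, so the record can be checked against ssh/ files.
    """
    algo, b64 = openssh_line_text.split()[:2]
    if algo != "ssh-ed25519":
        raise ValueError("only ssh-ed25519 (SSHFP algorithm 4) is handled here")
    blob = base64.b64decode(b64)
    return f"{shorten(owner)} SSHFP 4 2 {hashlib.sha256(blob).hexdigest()}"


def ed25519_spki_der(raw_pubkey):
    """SubjectPublicKeyInfo DER for a raw 32-byte Ed25519 key (RFC 8410 prefix)."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return bytes.fromhex("302a300506032b6570032100") + raw_pubkey


def dane_records(owner, ca_keys, port=443):
    """CAA plus TLSA 3 1 1 (DANE-EE, SPKI, SHA-256) per CA, as zdns emits.

    ca_keys maps CA name -> SPKI DER of the end-entity key issued under that
    CA; it stands in for the lookup in tls/ee/<algo>/<ca>/<domain>.
    """
    rel = shorten(owner)
    out = []
    for ca, spki in ca_keys.items():
        out.append(f'{rel} CAA 0 issue "{ca}"')
        out.append(f"_{port}._tcp.{rel} TLSA 3 1 1 {hashlib.sha256(spki).hexdigest()}")
    return out


def subdomain_records(name, addrs, mailable=False):
    """A/AAAA records plus, unless mailable, a "-all" SPF and a null MX (RFC 7505)."""
    rel = shorten(name)
    out = [f"{rel} {'AAAA' if ':' in a else 'A'} {a}" for a in addrs.split()]
    if not mailable:
        out += [f'{rel} TXT "v=spf1 -all"', f"{rel} MX 0 ."]
    return out


def openpgpkey_record(local_part, key_packet):
    """OPENPGPKEY (TYPE61) record in RFC 3597 generic syntax.

    RFC 7929 owner name: SHA-256 of the local part, truncated to 28 octets, hex.
    """
    owner = hashlib.sha256(local_part.encode()).hexdigest()[:56]
    return f"{owner}._openpgpkey TYPE61 \\# {len(key_packet)} {key_packet.hex()}"


def openssh_line(raw_pubkey):
    """Encode a raw Ed25519 key as the "ssh-ed25519 <base64>" line kept in ssh/."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw_pubkey
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed placeholders, not real keys or CAs.
SAMPLE_KEY = bytes(range(32))
SAMPLE_CAS = {"ca.example": ed25519_spki_der(SAMPLE_KEY),
              "cagost.example": ed25519_spki_der(SAMPLE_KEY[::-1])}


def www_fragment():
    """Zone fragment for the www subdomain built from the helpers above."""
    lines = subdomain_records("www", "91.211.5.21 2a03:e2c0:2663:1::1")
    lines += dane_records("www", SAMPLE_CAS)
    lines.append(sshfp_record("www", openssh_line(SAMPLE_KEY)))
    return lines


if __name__ == "__main__":
    print("\n".join(www_fragment()))
    print(openpgpkey_record("releases", b"\x99\x00" + SAMPLE_KEY))
```

Running it prints a www fragment in the same record shapes as the example output further down. The practical use is recomputing the TLSA and SSHFP digests from the deployed keys and diffing them against the zone before it is published: a stale TLSA 3 1 1 record after a key rotation makes DANE-validating clients reject the new certificate, and a stale SSHFP makes VerifyHostKeyDNS clients refuse the host.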
To avoid the burden of sourcing rc.tcl, setting $DOMAIN and rebuilding
zones after a change, there is a default.zone.do redo
(http://cr.yp.to/redo.html) target, which expects your script in a
$domain.tcl file.
For example, the zone for the nncpgo.org domain with mail capabilities,
a WWW subdomain (available via the Yggdrasil network), an OpenPGP DANE
key, an openpgpkey subdomain for WKD and the necessary DANE/SSH records
could be created the following way:
$ ln -fs /path/to/zeasypki/state tls
$ [[ -d tls/ee/ecdsa/ca.cypherpunks.ru/openpgpkey.nncpgo.org ]]
$ [[ -d tls/ee/gost/cagost.cypherpunks.ru/openpgpkey.nncpgo.org ]]
$ [[ -d tls/ee/ecdsa/ca.cypherpunks.ru/www.nncpgo.org ]]
$ [[ -d tls/ee/gost/cagost.cypherpunks.ru/www.nncpgo.org ]]
$ print ssh-ed25519 AAAA... > ssh/www.nncpgo.org
$ cat > nncpgo.org.tcl <<EOF
subdomain www "$GW4 $GW6 $VPS4 $VPS6" y
subdomain openpgpkey "$GW4 $GW6" y
pgp releases@nncpgo.org
$ redo nncpgo.org.zone
nncpgo.org. 21600 IN SOA uz5....ns7.stargrave.org. admin.nncpgo.org. (
@ NS uz5....ns7.stargrave.org.
@ NS uz5....ns5.stargrave.org.
_dmarc TXT "v=DMARC1; p=none"
@ MX 10 mailfake0.stargrave.org.
@ MX 20 mail2.stargrave.org.
@ MX 30 mailfake1.stargrave.org.
@ TXT "v=spf1 redirect=_spf.stargrave.org"
www AAAA 2a03:e2c0:2663:1::1
www AAAA 2a04:ac00:a:146::25
www CAA 0 issue "ca.cypherpunks.ru"
_443._tcp.www TLSA 3 1 1 0a77...d187
www CAA 0 issue "cagost.cypherpunks.ru"
_443._tcp.www TLSA 3 1 1 9b98...7b3a
www SSHFP 4 2 e72b...c53f
y.www AAAA 21a:af91:8d0e:b05:9645:e4e9:12be:3c39
y.www TXT "v=spf1 -all"
openpgpkey A 91.211.5.21
openpgpkey AAAA 2a03:e2c0:2663:1::1
openpgpkey CAA 0 issue "ca.cypherpunks.ru"
_443._tcp.openpgpkey TLSA 3 1 1 ddf4...e89c
openpgpkey CAA 0 issue "cagost.cypherpunks.ru"
_443._tcp.openpgpkey TLSA 3 1 1 2075...7c3d
openpgpkey TXT "v=spf1 -all"
y.openpgpkey AAAA 21a:af91:8d0e:b05:9645:e4e9:12be:3c39
y.openpgpkey TXT "v=spf1 -all"
; NNCP releases <releases@nncpgo.org>
2019...15ac._openpgpkey TYPE61 \# 655 (...)