zdns -- DNS zones creator helper

These are very simple zsh-based helper functions for creating DNS zones.
Many things are hardcoded. Basically you just write an ordinary zsh script
that sources rc.zsh, which contains the various helper functions. It
expects the DOMAIN variable to be set.
* fqdn(domain) -- prints the fully-qualified domain name, taking either
  "domain.", "@", or "subdomain" as input
* shortened(domain) -- prints the $DOMAIN-relative shortened name: only
  the subdomain part, or "@" for the apex
* zone_start(serial) -- prints the SOA record with two predefined (hardcoded)
  nameservers and a "p=none" DMARC policy
* add_mx(domain) -- adds predefined MX records for the given domain, with a
  predefined redirect-based SPF policy
* add_dane(domain) -- adds DANE records for the given domain. You have to
  have a tls/ subdirectory containing zeasypki's state
  (http://www.git.stargrave.org/?p=zeasypki.git;a=blob;f=README).
  It looks in each CA's subdirectory for a keypair for the domain and, if
  one exists, prints the necessary CAA and TLSA records
* add_ssh(domain) -- searches for the corresponding public key in the ssh/
  subdirectory and (if it exists) prints the corresponding SSHFP record
* add_subdomain(domain, addresses) -- adds the specified domain with the
  provided space-separated addresses. It automatically calls the add_dane
  and add_ssh helpers. Unless $NOSPF=1 is specified, it prints a "-all"
  SPF policy. If $Y=1 is specified, it also adds a "y.domain" address with
  the predefined $Y6 address and a "-all" SPF policy
* add_pgp(keyid, uid) -- prints the _openpgpkey DANE record for the given
  OpenPGP key and desired UID. "uid" is optional and useful only if your
  key has multiple UIDs and you need to add only a single one of them
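The fqdn, shortened, add_ssh and add_subdomain helpers described above, reimplemented as an added bash example (this is not zdns's own rc.zsh, which is zsh): it assumes $DOMAIN is set and that ssh/ holds OpenSSH public keys named after the host, and it leaves out add_dane because that needs zeasypki's state.

```shell
#!/usr/bin/env bash
# Added example, not zdns's rc.zsh: bash sketch of fqdn, shortened, add_ssh and
# add_subdomain as the README describes them. Assumes $DOMAIN is set and ssh/
# holds OpenSSH public keys named after the host (both assumptions).
DOMAIN="${DOMAIN:-nncpgo.org}"
# fqdn: "@" -> DOMAIN., "name." is kept as-is, "name" -> name.DOMAIN.
fqdn() {
    case "$1" in
        @)  printf '%s.\n' "$DOMAIN" ;;
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.%s.\n' "$1" "$DOMAIN" ;;
    esac
}
# shortened: the DOMAIN-relative owner name, or "@" for the apex.
shortened() {
    local name="${1%.}"                 # drop a trailing dot, if any
    if [ "$name" = "$DOMAIN" ] || [ "$name" = "@" ]; then
        printf '@\n'
    else
        printf '%s\n' "${name%.$DOMAIN}"
    fi
}
# add_ssh: SSHFP record (ed25519 = algorithm 4, SHA-256 = fingerprint type 2)
# for ssh/<host>, printed only when that key file exists.
add_ssh() {
    local host fp; host="$(fqdn "$1")"; host="${host%.}"
    [ -f "ssh/$host" ] || return 0
    set -- $(cat "ssh/$host")             # key type, base64 blob, comment
    [ "$1" = ssh-ed25519 ] || return 0    # only ed25519 handled in this sketch
    fp="$(printf '%s' "$2" | base64 -d | sha256sum | cut -d' ' -f1)"
    printf '%s SSHFP 4 2 %s\n' "$(shortened "$host")" "$fp"
}
# add_subdomain: A/AAAA per address, SSHFP, "-all" SPF unless NOSPF=1;
# with Y=1 also y.<name> on the $Y6 address with its own "-all" SPF.
add_subdomain() {
    local name addr; name="$(shortened "$1")"
    for addr in $2; do
        case "$addr" in
            *:*) printf '%s AAAA %s\n' "$name" "$addr" ;;
            *)   printf '%s A %s\n' "$name" "$addr" ;;
        esac
    done
    add_ssh "$1"
    [ "${NOSPF:-0}" = 1 ] || printf '%s TXT "v=spf1 -all"\n' "$name"
    if [ "${Y:-0}" = 1 ]; then
        printf 'y.%s AAAA %s\n' "$name" "$Y6"
        printf 'y.%s TXT "v=spf1 -all"\n' "$name"
    fi
}
```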
To avoid the burden of sourcing rc.zsh, setting $DOMAIN and rebuilding zones
after each change, there is a default.zone.do redo (http://cr.yp.to/redo.html)
target, which expects your script in a $domain.zsh file.
For example, the zone for the nncpgo.org domain with mail capabilities, a WWW
subdomain (also available via the Yggdrasil network), an OpenPGP DANE key, an
openpgpkey subdomain for WKD and the necessary DANE/SSH records could be
created the following way:
$ ln -fs /path/to/zeasypki/state tls
$ [[ -d tls/ee/ecdsa/ca.cypherpunks.ru/openpgpkey.nncpgo.org ]]
$ [[ -d tls/ee/gost/cagost.cypherpunks.ru/openpgpkey.nncpgo.org ]]
$ [[ -d tls/ee/ecdsa/ca.cypherpunks.ru/www.nncpgo.org ]]
$ [[ -d tls/ee/gost/cagost.cypherpunks.ru/www.nncpgo.org ]]

$ print ssh-ed25519 AAAA... > ssh/www.nncpgo.org

$ cat > nncpgo.org.zsh <<EOF
Y=1 add_subdomain www "$GW4 $GW6 $VPS4 $VPS6"
Y=1 add_subdomain openpgpkey "$GW4 $GW6"
add_pgp releases@nncpgo.org
EOF

$ redo nncpgo.org.zone
nncpgo.org. 21600 IN SOA uz5....ns7.stargrave.org. admin.nncpgo.org. (
@ NS uz5....ns7.stargrave.org.
@ NS uz5....ns5.stargrave.org.
_dmarc TXT "v=DMARC1; p=none"
@ MX 10 mailfake0.stargrave.org.
@ MX 20 mail2.stargrave.org.
@ MX 30 mailfake1.stargrave.org.
@ TXT "v=spf1 redirect=_spf.stargrave.org"
www AAAA 2a03:e2c0:2663:1::1
www AAAA 2a04:ac00:a:146::25
www CAA 0 issue "ca.cypherpunks.ru"
_443._tcp.www TLSA 3 1 1 0a77...d187
www CAA 0 issue "cagost.cypherpunks.ru"
_443._tcp.www TLSA 3 1 1 9b98...7b3a
y.www AAAA 21a:af91:8d0e:b05:9645:e4e9:12be:3c39
y.www TXT "v=spf1 -all"
openpgpkey A 91.211.5.21
openpgpkey AAAA 2a03:e2c0:2663:1::1
openpgpkey CAA 0 issue "ca.cypherpunks.ru"
_443._tcp.openpgpkey TLSA 3 1 1 ddf4...e89c
openpgpkey CAA 0 issue "cagost.cypherpunks.ru"
_443._tcp.openpgpkey TLSA 3 1 1 2075...7c3d
openpgpkey TXT "v=spf1 -all"
y.openpgpkey AAAA 21a:af91:8d0e:b05:9645:e4e9:12be:3c39
y.openpgpkey TXT "v=spf1 -all"
; NNCP releases <releases@nncpgo.org>
2019...15ac._openpgpkey TYPE61 \# 655 (...)