From: Sergey Matveev
Date: Sun, 21 Aug 2022 11:15:16 +0000 (+0300)
Subject: README
X-Git-Url: http://www.git.stargrave.org/?p=zdns.git;a=commitdiff_plain;h=74a9ba010f72c9f220d50d184804b5c5ac234be3

README
---

diff --git a/README b/README
new file mode 100644
index 0000000..065a8e4
--- /dev/null
+++ b/README
@@ -0,0 +1,100 @@ +zdns -- DNS zones creator helper + +This is very simple zsh-based helper functions to create DNS zones. +Many things are hardcoded there. Basically you just write ordinary +zsh script, sourcing the rc.zsh, containing various helper functions. +It expects DOMAIN variable to be set. + +* fqdn(domain) -- prints fully-qualified domain name, taking either + "domain.", or "@", or "subdomain" names +* shortened(domain) -- prints $DOMAIN-relative shortened name, printing + only subdomain parts or "@" +* zone_start(serial) -- prints SOA record with two predefined (hardcoded) + nameservers and none DMARC policy +* add_mx(domain) -- add predefined MX records for given domain, with + predefined redirect-based SPF policy +* add_dane(domain) -- add DANE records for given domain. You have to + have tls/ subdirectory, containing zeasypki's state + (http://www.git.stargrave.org/?p=zeasypki.git;a=blob;f=README) + It looks in each CA's subdirectory if keypair exists for the domain, + printing necessary CAA and TLSA records +* add_ssh(domain) -- searches for corresponding public key in ssh/ + subdirectory and (if it exists) prints corresponding SSHFP record +* add_subdomain(domain, addresses) -- adds specified domain with + provided space-separated addresses. It automatically calls add_dane + and add_ssh helpers. Unless $NOSPF=1 is specified, it prints "-all" + SPF policy. If $Y=1 is specified, then it adds "y.domain" address with + predefined $Y6 address and "-all" SPF policy +* add_pgp(keyid, uid) -- prints _openpgpkey DANE record for given + OpenPGP key of desired UID. "uid" is optional and useful only if your + key have got multiple UIDs and you need to add only the single + specified one + +To omit burden of sourcing rc.zsh, setting $DOMAIN and rebuilding zones +after its change, there is default.zone.do redo (http://cr.yp.to/redo.html) +target, expecting your script in $domain.zsh file. 
+ +For example the zone for nncpgo.org domain with mail-capabilities, WWW +subdomain (available via Yggdrasil network), OpenPGP DANE key, +openpgp-subdomain for WKD and necessary DANE/SSH records could be +created the following way: + + $ ln -fs /path/to/zeasypki/state tls + $ [[ -d tls/ee/ecdsa/ca.cypherpunks.ru/openpgpkey.nncpgo.org ]] + $ [[ -d tls/ee/gost/cagost.cypherpunks.ru/openpgpkey.nncpgo.org ]] + $ [[ -d tls/ee/ecdsa/ca.cypherpunks.ru/www.nncpgo.org ]] + $ [[ -d tls/ee/gost/cagost.cypherpunks.ru/www.nncpgo.org ]] + + $ mkdir -p ssh + $ print ssh-ed25519 AAAA... > ssh/www.nncpgo.org + + $ cat > nncpgo.org.zsh < + 2019...15ac._openpgpkey TYPE61 \# 655 (...) diff --git a/rc.zsh b/rc.zsh index 31a6113..b3e32a6 100644 --- a/rc.zsh +++ b/rc.zsh @@ -46,6 +46,16 @@ shortened() { esac } +add_mx() { + local shorten=`shortened $1` + cat <
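Review bot: missing documentation in the README hunk: it lists emitters for TLSA (add_dane), SSHFP (add_ssh) and OPENPGPKEY (add_pgp) records but never says that these records only give a client any assurance when the zone is DNSSEC-signed, and none of the listed helpers does signing (zone_start emits the SOA only). Add a sentence to the introduction stating that the generated zone must still be signed, and that the "predefined (hardcoded)" values it mentions (the two nameservers and the DMARC policy in zone_start, the MX targets and the SPF redirect in add_mx) live in rc.zsh and need editing before use. In the example session the `[[ -d tls/ee/... ]]` lines are shown as commands whose results are not printed; say explicitly that they are expected to succeed, i.e. that the zeasypki state must already contain keypairs for those names, otherwise add_dane emits nothing for them.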
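Review bot: style point in add_mx in the rc.zsh hunk: `local shorten=\`shortened $1\`` uses backtick command substitution; the surrounding code is zsh, so `local shorten=$(shortened "$1")` is the clearer form and nests without escaping. The function also assumes $1 is present, while the README describes add_mx(domain) as taking a required domain; a guard such as `[[ -n $1 ]] || { print -u2 "add_mx: domain required"; return 1 }` at the top would stop it emitting records for an empty owner name. The remainder of the hunk (the here-document after `cat <`) is cut off in this view, so the hardcoded MX targets and SPF redirect it writes could not be reviewed here.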