My VMs (thanks openbsd.amsterdam) will play the master and slave roles, as authoritative servers for the following zone (thanks eu.org):
Their IPv4 and IPv6 addresses are:
I asked both of my hosting contacts to create PTR records for those addresses.
Both of my machines use acme-client (/etc/acme-client.conf); ns0 also handles “w00t.eu.org” as an alternative name:
authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
domain ns1.w00t.eu.org {
    domain key "/etc/ssl/private/ns1.w00t.eu.org.key"
    domain certificate "/etc/ssl/ns1.w00t.eu.org.crt"
    domain full chain certificate "/etc/ssl/ns1.w00t.eu.org.pem"
    sign with letsencrypt
}
Zone configuration on ns0 (/var/nsd/etc/nsd.conf). MYKEY is the name of a TSIG key: block that must exist, with the same secret, in the nsd.conf of both servers; NSD wants literal addresses in these ACLs, not hostnames, so ns1 is written as its IPv4 address:
zone:
    name: "w00t.eu.org"
    zonefile: "master/w00t.eu.org"
    notify: 46.23.93.121 MYKEY
    provide-xfr: 46.23.93.121 MYKEY
The zone file (/var/nsd/zones/master/w00t.eu.org):
$ORIGIN w00t.eu.org. ; default zone domain
$TTL 3600 ; default time to live
; SOA fields: serial (YYYYMMDDnn, bump it on every change), refresh, retry, expire, negative-cache TTL
@ IN SOA ns0.w00t.eu.org. hostmaster.w00t.eu.org. (
2019040208 ; Serial
14400 ; Refresh
1800 ; Retry
1209600 ; Expire
1800 ; Min TTL (negative caching)
)
@ NS ns0.w00t.eu.org.
@ NS ns1.w00t.eu.org.
@ MX 10 ns0.w00t.eu.org.
@ MX 50 ns1.w00t.eu.org.
@ IN A 217.163.29.223
@ IN AAAA 2a05:f480:1800:33:5400:2ff:fe29:deaa
ns0 IN A 217.163.29.223
ns0 IN AAAA 2a05:f480:1800:33:5400:2ff:fe29:deaa
ns1 IN A 46.23.93.121
ns1 IN AAAA 2a03:6000:6f64:621::121
Don’t forget, after each change to the zone file, to bump the SOA serial (a slave only transfers the zone when the serial increases) and then to:
nsd-control reload w00t.eu.org
nsd-control notify w00t.eu.org
A full “rcctl restart nsd” is only needed when nsd.conf itself changed; zone file edits are picked up by the reload.
As we did for the master NS, now let’s do the same on the slave (its nsd.conf, again with the master written as its IPv4 address):
zone:
    name: "w00t.eu.org"
    zonefile: "slave/w00t.eu.org"
    allow-notify: 217.163.29.223 MYKEY
    request-xfr: 217.163.29.223 MYKEY
The zone file (/var/nsd/zones/slave/w00t.eu.org) ends up identical to the master’s. Note that you don’t need to copy / scp / rsync the flat zone files between master and slaves: once a change is made on the master and (A)XFR’d to the slaves, “nsd-control write” on a slave writes the transferred zone to its zonefile on disk.
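The two nsd.conf fragments above reference MYKEY without showing the key: block, and the reload/notify steps only work if the SOA serial was bumped first. The following helper script is an added example, not part of the original post or of NSD: it generates the key: block to paste into both nsd.conf files, bumps the serial of a zone file in YYYYMMDDnn style, and, once both servers are up, compares their SOA serials and checks that an AXFR is accepted with the TSIG key and refused without it. It reuses the zone and addresses from the page; the hmac-sha256 algorithm, the dependency on openssl and dig, and the command names (key, bump, check, axfr) are this example's own choices.

```bash
#!/bin/sh
# Added example (not from the original post): helpers around the NSD
# master/slave setup above. Zone and addresses are the page's; the
# algorithm (hmac-sha256) and the openssl/dig dependencies are assumptions.
ZONE="w00t.eu.org"
MASTER="217.163.29.223"   # ns0
SLAVE="46.23.93.121"      # ns1
KEYNAME="MYKEY"

# Print the key: block that both nsd.conf files must carry so that "MYKEY"
# in notify/provide-xfr (master) and allow-notify/request-xfr (slave)
# resolves to a shared TSIG secret.
# Usage: tsig_key_block NAME [BASE64SECRET]   (secret generated when omitted)
tsig_key_block() {
    name=$1
    secret=${2:-$(openssl rand -base64 32)}
    cat <<EOF
key:
    name: "$name"
    algorithm: hmac-sha256
    secret: "$secret"
EOF
}

# Next SOA serial in YYYYMMDDnn style. A slave only pulls the zone when the
# serial increases, so every edit must bump it before "nsd-control reload".
# Usage: next_serial CURRENT [YYYYMMDD]   (date defaults to today, UTC)
next_serial() {
    current=$1
    today=${2:-$(date -u +%Y%m%d)}
    if [ "$current" -lt "$((today * 100))" ]; then
        echo "$((today * 100))"   # first change of the day: YYYYMMDD00
    else
        echo "$((current + 1))"   # same day (or serial already ahead): +1
    fi
}

# Rewrite the SOA serial of a zone file in place. Only the first all-digit
# token after "SOA" is touched, so refresh/retry/expire stay untouched.
# Usage: bump_zone_serial FILE [YYYYMMDD]   (prints the new serial)
bump_zone_serial() {
    file=$1
    today=${2:-$(date -u +%Y%m%d)}
    old=$(awk '/SOA/ {insoa=1} insoa && $1 ~ /^[0-9]+$/ {print $1; exit}' "$file")
    [ -n "$old" ] || { echo "no SOA serial found in $file" >&2; return 1; }
    new=$(next_serial "$old" "$today")
    tmp=$(mktemp) || return 1
    awk -v old="$old" -v new="$new" '
        /SOA/ {insoa=1}
        insoa && !done && $1 == old { sub(old, new); done=1 }
        {print}' "$file" > "$tmp" && mv "$tmp" "$file"
    echo "$new"
}

# Ask master and slave for the SOA and compare serials; after reload+notify
# the slave should catch up within seconds. Needs dig.
check_serials() {
    m=$(dig +short @"$MASTER" "$ZONE" SOA | awk '{print $3}')
    s=$(dig +short @"$SLAVE" "$ZONE" SOA | awk '{print $3}')
    echo "master=$m slave=$s"
    [ -n "$m" ] && [ "$m" = "$s" ]
}

# Verify provide-xfr: the AXFR must succeed with the TSIG key and be refused
# without it (otherwise anyone can dump the zone). Usage: test_axfr BASE64SECRET
test_axfr() {
    echo "--- with key (expect the full zone):"
    dig @"$MASTER" "$ZONE" AXFR -y "hmac-sha256:$KEYNAME:$1"
    echo "--- without key (expect a refusal):"
    dig @"$MASTER" "$ZONE" AXFR
}

# Command dispatch; with no argument only the functions are defined,
# so the file can also be sourced.
case ${1:-} in
    key)   tsig_key_block "$KEYNAME" ;;
    bump)  bump_zone_serial "$2" ;;
    check) check_serials ;;
    axfr)  test_axfr "$2" ;;
    *)     ;;
esac
```

Typical flow on the master: `sh nsdhelper.sh key >> /var/nsd/etc/nsd.conf` (then copy the same block to the slave), `sh nsdhelper.sh bump /var/nsd/zones/master/w00t.eu.org`, the reload/notify pair from above, and `sh nsdhelper.sh check` from anywhere to confirm both servers serve the same serial.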
Use whatever registrar you’re familiar with, but keep in mind that you will need to edit your zone’s delegation there later: some registrars’ “panels” or interfaces don’t allow DS records to be added or changed (you’ve been warned before the next steps ;-)). Also make sure that both your TLD and your registrar are DNSSEC-ready.
I used a free registrar (eu.org) for “w00t.eu.org” in this example, with a deliberately simple zone file. Yours may be more complex, but the idea is the same even if you need to add some or many CNAME, A, AAAA, MX, TXT and even NS records. The configuration above is for a single master and a single slave name server; additional slaves are added the same way, with one more notify/provide-xfr pair on the master and the same slave block on each new server.
I only used the unicast IPv4 addresses in the notify/xfr ACLs above; add the IPv6 ones as well if you want notifies and transfers over v6 (each address gets its own notify/provide-xfr or allow-notify/request-xfr line).
Once the domain registration is done and both of your name servers answer correctly, you can move on to DNSSEC zone signing and adding DANE entries (TLSA records) to the zone.
© 2019 _st0m_ and the puffy sisters