├── .coveragerc ├── .github └── workflows │ └── codeql-analysis.yml ├── .gitignore ├── .travis.yml ├── CHANGES ├── HOWTO.md ├── LICENSE ├── MANIFEST.in ├── README.md ├── TODO ├── all-unittests.sh ├── bind9_parser ├── __init__.py ├── isc_acl.py ├── isc_aml.py ├── isc_clause_acl.py ├── isc_clause_controls.py ├── isc_clause_dlz.py ├── isc_clause_dnssec_policy.py ├── isc_clause_dyndb.py ├── isc_clause_http.py ├── isc_clause_key.py ├── isc_clause_logging.py ├── isc_clause_managed_keys.py ├── isc_clause_options.py ├── isc_clause_parental_agents.py ├── isc_clause_plugin.py ├── isc_clause_primaries.py ├── isc_clause_server.py ├── isc_clause_statistics_channels.py ├── isc_clause_tls.py ├── isc_clause_trust_anchors.py ├── isc_clause_trusted_keys.py ├── isc_clause_view.py ├── isc_clause_zone.py ├── isc_clauses.py ├── isc_domain.py ├── isc_inet.py ├── isc_managed_keys.py ├── isc_options.py ├── isc_optview.py ├── isc_optviewserver.py ├── isc_optviewzone.py ├── isc_optviewzoneserver.py ├── isc_optzone.py ├── isc_primaries.py ├── isc_rr.py ├── isc_server.py ├── isc_trusted_keys.py ├── isc_utils.py ├── isc_view.py ├── isc_viewzone.py ├── isc_zone.py └── pyproject.toml ├── docs ├── Bv8ARM-8.4.0.html │ ├── acl.html │ ├── address_list.html │ ├── comments.html │ ├── config.html │ ├── controls.html │ ├── docdef.html │ ├── example.html │ ├── include.html │ ├── index.html │ ├── key.html │ ├── logging.html │ ├── master.html │ ├── options.html │ ├── server.html │ ├── trusted-keys.html │ └── zone.html ├── Bv8ARM-8.4.6.html │ ├── acl.html │ ├── address_list.html │ ├── comments.html │ ├── config.html │ ├── controls.html │ ├── docdef.html │ ├── example.html │ ├── include.html │ ├── index.html │ ├── key.html │ ├── logging.html │ ├── master.html │ ├── options.html │ ├── server.html │ ├── trusted-keys.html │ └── zone.html ├── Bv9ARM-v9.0.0.txt ├── Bv9ARM-v9.10.pdf ├── Bv9ARM-v9.12.0.pdf ├── Bv9ARM-v9.12.0a1.pdf ├── Bv9ARM-v9.13.0.pdf ├── Bv9ARM-v9.14.0.pdf ├── Bv9ARM-v9.15.0.pdf ├── 
Bv9ARM-v9.16.pdf ├── Bv9ARM-v9.4.0.pdf ├── Bv9ARM-v9.5.0.pdf ├── Bv9ARM-v9.6.0.pdf ├── Bv9ARM-v9.7.0.pdf ├── Bv9ARM-v9.8.0.pdf ├── Bv9ARM-v9.9.0.pdf ├── Bv9ARM-v9.9.7.pdf ├── CIS_BIND_9.0-9.5_Benchmark_v2.0.01.pdf ├── DESIGN-work-in-progress.md ├── README ├── bind-9.2.0.tar.gz ├── bind-9.3.0.tar.gz ├── bind-doc-8.1.tar.gz ├── bind-doc.tar-8.4.7.gz ├── bind-doc.tar-v8.1.gz ├── bind-doc.tar-v8.3.0.gz ├── bind-doc.tar-v8.4.0.gz ├── bind10-1.0.0.tar.gz ├── bind10-1.1.0.tar.gz ├── bind10-1.2.0.tar.gz ├── options.9.0.0 ├── options.9.1.0 ├── options.9.10.0 ├── options.9.11.0 ├── options.9.12.0 ├── options.9.13.0 ├── options.9.14.0 ├── options.9.15.0 ├── options.9.16.0 ├── options.9.17.0 ├── options.9.18.0 ├── options.9.19.0 ├── options.9.2.0 ├── options.9.3.0 ├── options.9.4.0 ├── options.9.5.0 ├── options.9.5.0.orig ├── options.9.6.0 ├── options.9.7.0 ├── options.9.8.0 └── options.9.9.0 ├── dump-named-conf-json.py ├── dump-named-conf.py ├── examples ├── README ├── bugs │ ├── P000 │ │ ├── README.md │ │ └── p000.py │ ├── bug-bind9_parser-001.txt │ └── t1.py ├── exclamation.py ├── flatten_namedconf.py ├── isc_boolean.py ├── named-conf │ ├── basic │ │ └── named.conf │ ├── debian-HOWTO │ │ └── etc │ │ │ └── bind │ │ │ ├── named.conf │ │ │ ├── named.conf.default-zones │ │ │ ├── named.conf.local │ │ │ ├── named.conf.options │ │ │ ├── ns-example-com_rndc-key │ │ │ └── zones.rfc1918 │ ├── hidden-master │ │ └── public │ │ │ └── etc │ │ │ └── bind │ │ │ ├── .orig │ │ │ ├── bind.keys │ │ │ ├── db.0 │ │ │ ├── db.127 │ │ │ ├── db.255 │ │ │ ├── db.empty │ │ │ ├── db.local │ │ │ ├── db.root │ │ │ ├── named.conf │ │ │ ├── named.conf.default-zones │ │ │ ├── named.conf.local │ │ │ ├── named.conf.options │ │ │ ├── rndc.key │ │ │ └── zones.rfc1918 │ │ │ ├── KEY_LOCATIONS.txt │ │ │ ├── acl-named.conf │ │ │ ├── bind.keys │ │ │ ├── controls-named.conf │ │ │ ├── db.0 │ │ │ ├── db.127 │ │ │ ├── db.255 │ │ │ ├── db.empty │ │ │ ├── db.local │ │ │ ├── db.root │ │ │ ├── default-zones-named.conf │ │ │ 
├── generate-keys.sh │ │ │ ├── keys │ │ │ ├── ddns.md5.master-to-slave.key │ │ │ ├── ddns.sha512.master-to-slave.key │ │ │ ├── ddns.sha512.public-master-to-public-secondary.key │ │ │ ├── named.conf.key │ │ │ └── rndc.sha512.key │ │ │ ├── local-named.conf │ │ │ ├── logging-named.conf │ │ │ ├── managed-keys-named.conf │ │ │ ├── masters-named.conf │ │ │ ├── named.conf │ │ │ ├── named.iscdlv.key │ │ │ ├── options-named.conf │ │ │ ├── rndc.conf │ │ │ ├── servers-named.conf │ │ │ ├── statistics-named.conf │ │ │ ├── trusted-keys-named.conf │ │ │ ├── view.chaos │ │ │ ├── view.local │ │ │ ├── view.red │ │ │ ├── views-named.conf │ │ │ ├── zones-named.conf │ │ │ ├── zones.rfc1918 │ │ │ └── zones │ │ │ ├── db.0 │ │ │ ├── db.127 │ │ │ ├── db.255 │ │ │ ├── db.bind │ │ │ ├── db.empty │ │ │ ├── db.empty.10 │ │ │ ├── db.empty.16.172 │ │ │ ├── db.empty.168.192 │ │ │ ├── db.empty.17.172 │ │ │ ├── db.empty.18.172 │ │ │ ├── db.empty.19.172 │ │ │ ├── db.empty.20.172 │ │ │ ├── db.empty.21.172 │ │ │ ├── db.empty.22.172 │ │ │ ├── db.empty.23.172 │ │ │ ├── db.empty.24.172 │ │ │ ├── db.empty.25.172 │ │ │ ├── db.empty.26.172 │ │ │ ├── db.empty.27.172 │ │ │ ├── db.empty.28.172 │ │ │ ├── db.empty.29.172 │ │ │ ├── db.empty.30.172 │ │ │ ├── db.empty.31.172 │ │ │ ├── db.local │ │ │ └── db.root │ ├── linuxjournal │ │ ├── named.conf │ │ └── x.key │ ├── linuxquestions │ │ └── named.conf │ ├── mmacleod.ca │ │ ├── dnsadmin.key │ │ └── named.conf │ ├── named-oracle.conf │ ├── named-tldp.conf │ ├── named-zytrax.conf │ ├── redhat-9.3 │ │ └── etc │ │ │ ├── named.conf │ │ │ ├── named.rfc1912.zones │ │ │ └── named.root.hints │ ├── sbarjatiya.com │ │ ├── etc │ │ │ ├── named.rfc1912.zones │ │ │ └── named.root.hints │ │ └── named.conf │ ├── split-horizon-2-bind9-servers │ │ └── etc │ │ │ ├── bind │ │ │ ├── README │ │ │ ├── README.otherfiles │ │ │ ├── README.setup │ │ │ ├── internal │ │ │ │ ├── README │ │ │ │ ├── acl-named.conf │ │ │ │ ├── channels-named.conf │ │ │ │ ├── controls-named.conf │ │ │ │ ├── 
hz.cache.home │ │ │ │ ├── hz.cache.lab │ │ │ │ ├── keys │ │ │ │ │ ├── README.bind.keys │ │ │ │ │ ├── ddns.md5.dhcp-updater.key │ │ │ │ │ ├── ddns.md5.master-to-slave.key │ │ │ │ │ ├── ddns.sha256.dns-arca-a.key │ │ │ │ │ ├── keys-named.conf │ │ │ │ │ ├── red-named.conf.keys │ │ │ │ │ ├── rndc.md5.key │ │ │ │ │ ├── tlsa-privkey.pem │ │ │ │ │ └── tlsa-pubkey.pem │ │ │ │ ├── local-named.conf │ │ │ │ ├── masters-named.conf │ │ │ │ ├── mz.home │ │ │ │ ├── mz.ip4.1.168.192 │ │ │ │ ├── mz.ip4.127 │ │ │ │ ├── mz.ip4.4.168.192 │ │ │ │ ├── mz.ip4.5.168.192 │ │ │ │ ├── mz.ip4.6.168.192 │ │ │ │ ├── mz.ip4.7.168.192 │ │ │ │ ├── mz.lab │ │ │ │ ├── mz.localhost │ │ │ │ ├── options-named.conf │ │ │ │ ├── servers-named.conf │ │ │ │ ├── statistics-named.conf │ │ │ │ ├── sz.example.com │ │ │ │ ├── trusted-keys-named.conf │ │ │ │ ├── view.cable │ │ │ │ ├── view.chaos │ │ │ │ ├── view.green │ │ │ │ └── x-named.conf │ │ │ ├── keys │ │ │ │ ├── README.bind.keys │ │ │ │ ├── ddns.md5.dhcp-updater.key │ │ │ │ ├── ddns.md5.master-to-slave.key │ │ │ │ ├── ddns.sha256.dns-arca-a.key │ │ │ │ ├── keys-named.conf │ │ │ │ ├── red-named.conf.keys │ │ │ │ ├── rndc.md5.key │ │ │ │ ├── tlsa-privkey.pem │ │ │ │ └── tlsa-pubkey.pem │ │ │ ├── named-internal.conf │ │ │ ├── named-public.conf │ │ │ ├── public │ │ │ │ ├── acl-named.conf │ │ │ │ ├── channels-named.conf │ │ │ │ ├── controls-named.conf │ │ │ │ ├── keys │ │ │ │ │ ├── README.bind.keys │ │ │ │ │ ├── ddns.md5.dhcp-updater.key │ │ │ │ │ ├── ddns.md5.master-to-slave.key │ │ │ │ │ ├── ddns.sha256.dns-arca-a.key │ │ │ │ │ ├── keys-named.conf │ │ │ │ │ ├── red-named.conf.keys │ │ │ │ │ ├── rndc.md5.key │ │ │ │ │ ├── tlsa-privkey.pem │ │ │ │ │ └── tlsa-pubkey.pem │ │ │ │ ├── local-named.conf │ │ │ │ ├── masters-named.conf │ │ │ │ ├── mz.example.net │ │ │ │ ├── options-named.conf │ │ │ │ ├── servers-named.conf │ │ │ │ ├── statistics-named.conf │ │ │ │ ├── trusted-keys-named.conf │ │ │ │ ├── view.chaos │ │ │ │ └── view.red │ │ │ └── rndc.conf │ │ │ └── 
systemd │ │ │ └── system │ │ │ ├── README │ │ │ ├── bind9-internal.service │ │ │ ├── bind9-public.service │ │ │ └── bind9.service.d │ │ │ └── unit-conflicts.conf │ └── wellho │ │ └── etc │ │ ├── named.conf │ │ └── named.conf.include ├── patterns │ ├── opt-forwarders-named.conf │ ├── opt-response-policies-named.conf │ ├── options-ipv4only-contact-named.conf │ ├── trusted-keys-named.conf │ ├── zone-multiple-slave-masters-named.conf │ └── zone-slave-masters-named.conf ├── rough-draft │ ├── namedconf.py │ ├── namedconfglobal.py │ └── requirements.txt └── try-me.sh ├── pyproject.toml ├── requirements-test.txt ├── requirements.txt ├── setup.cfg ├── setup.py ├── tests ├── __init__.py ├── all-test.sh ├── all-unittests.sh ├── bug-reports │ ├── etc │ │ ├── named.rfc1912.zones │ │ └── named.root.hints │ ├── github-issue-10.named.conf │ ├── github-issue-12.named.conf │ ├── github-issue-13.named.conf │ ├── github-issue-34.named-variant1.conf │ ├── github-issue-34.named.conf │ ├── github-issue-35-variant1.named.conf │ ├── github-issue-35.named.conf │ ├── github-issue-4.named.conf │ ├── github-issue-5.named.conf │ ├── github-issue-8.named.conf │ ├── github-issue-9.view │ ├── ml-bind-users.named.conf │ ├── post-parser.named.conf │ └── x.named.conf ├── github-issues ├── runner_tests.py ├── split-horizon-2-bind9-servers │ └── etc │ │ ├── bind │ │ ├── README │ │ ├── README.otherfiles │ │ ├── README.setup │ │ ├── internal │ │ │ ├── README │ │ │ ├── acl-named.conf │ │ │ ├── channels-named.conf │ │ │ ├── controls-named.conf │ │ │ ├── hz.cache.home │ │ │ ├── hz.cache.lab │ │ │ ├── keys │ │ │ │ ├── README.bind.keys │ │ │ │ ├── ddns.md5.dhcp-updater.key │ │ │ │ ├── ddns.md5.master-to-slave.key │ │ │ │ ├── ddns.sha256.dns-arca-a.key │ │ │ │ ├── keys-named.conf │ │ │ │ ├── red-named.conf.keys │ │ │ │ ├── rndc.md5.key │ │ │ │ ├── tlsa-privkey.pem │ │ │ │ └── tlsa-pubkey.pem │ │ │ ├── local-named.conf │ │ │ ├── masters-named.conf │ │ │ ├── mz.home │ │ │ ├── mz.ip4.1.168.192 │ │ │ ├── 
mz.ip4.127 │ │ │ ├── mz.ip4.4.168.192 │ │ │ ├── mz.ip4.5.168.192 │ │ │ ├── mz.ip4.6.168.192 │ │ │ ├── mz.ip4.7.168.192 │ │ │ ├── mz.lab │ │ │ ├── mz.localhost │ │ │ ├── options-named.conf │ │ │ ├── servers-named.conf │ │ │ ├── statistics-named.conf │ │ │ ├── sz.example.com │ │ │ ├── trusted-keys-named.conf │ │ │ ├── view.cable │ │ │ ├── view.chaos │ │ │ └── view.green │ │ ├── keys │ │ │ ├── README.bind.keys │ │ │ ├── ddns.md5.dhcp-updater.key │ │ │ ├── ddns.md5.master-to-slave.key │ │ │ ├── ddns.sha256.dns-arca-a.key │ │ │ ├── keys-named.conf │ │ │ ├── red-named.conf.keys │ │ │ ├── rndc.md5.key │ │ │ ├── tlsa-privkey.pem │ │ │ └── tlsa-pubkey.pem │ │ ├── named-internal.conf │ │ ├── named-public.conf │ │ ├── public │ │ │ ├── acl-named.conf │ │ │ ├── channels-named.conf │ │ │ ├── controls-named.conf │ │ │ ├── keys │ │ │ │ ├── README.bind.keys │ │ │ │ ├── ddns.md5.dhcp-updater.key │ │ │ │ ├── ddns.md5.master-to-slave.key │ │ │ │ ├── ddns.sha256.dns-arca-a.key │ │ │ │ ├── keys-named.conf │ │ │ │ ├── red-named.conf.keys │ │ │ │ ├── rndc.md5.key │ │ │ │ ├── tlsa-privkey.pem │ │ │ │ └── tlsa-pubkey.pem │ │ │ ├── local-named.conf │ │ │ ├── masters-named.conf │ │ │ ├── mz.example.net │ │ │ ├── options-named.conf │ │ │ ├── servers-named.conf │ │ │ ├── statistics-named.conf │ │ │ ├── trusted-keys-named.conf │ │ │ ├── view.chaos │ │ │ └── view.red │ │ └── rndc.conf │ │ └── systemd │ │ └── system │ │ ├── README │ │ ├── bind9-internal.service │ │ ├── bind9-public.service │ │ └── bind9.service.d │ │ └── unit-conflicts.conf ├── test_acl.py ├── test_aml.py ├── test_clause_acl.py ├── test_clause_controls.py ├── test_clause_dlz.py ├── test_clause_dnssec_policy.py ├── test_clause_dyndb.py ├── test_clause_http.py ├── test_clause_key.py ├── test_clause_logging.py ├── test_clause_managed_keys.py ├── test_clause_options.py ├── test_clause_parental_agents.py ├── test_clause_plugin.py ├── test_clause_primaries.py ├── test_clause_server.py ├── test_clause_statistics_channels.py ├── 
test_clause_tls.py ├── test_clause_trust_anchors.py ├── test_clause_trusted_keys.py ├── test_clause_view.py ├── test_clause_zone.py ├── test_clauses.py ├── test_domain.py ├── test_inet.py ├── test_managed_keys.py ├── test_options.py ├── test_optview.py ├── test_optviewserver.py ├── test_optviewzone.py ├── test_optviewzoneserver.py ├── test_optzone.py ├── test_primaries.py ├── test_rr.py ├── test_server.py ├── test_trusted_keys.py ├── test_utils.py ├── test_view.py ├── test_viewzone.py └── test_zone.py └── tox.ini /.coveragerc: -------------------------------------------------------------------------------- 1 | # .coveragerc to control coverage.py 2 | [run] 3 | branch = True 4 | omit = pyparsing.py 5 | __init__.py 6 | 7 | 8 | [report] 9 | # Regexes for lines to exclude from consideration 10 | exclude_lines = 11 | # Have to re-enable the standard pragma 12 | pragma: no cover 13 | 14 | # Don't complain about missing debug-only code: 15 | def __repr__ 16 | if self\.debug: 17 | if settings\.DEBUG 18 | 19 | # Don't complain if tests don't hit defensive assertion code: 20 | raise AssertionError 21 | raise NotImplementedError 22 | 23 | import pyparsing 24 | 25 | # Don't complain if non-runnable code isn't run: 26 | if 0: 27 | if __name__ == .__main__.: 28 | 29 | 30 | ignore_errors = True 31 | 32 | [html] 33 | ###directory = coverage_html_report 34 | #directory = htmlcov # default 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | share/python-wheels/ 28 | 29 | 30 | # 
PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | .hypothesis/ 50 | .pytest_cache/ 51 | .nox/ 52 | *.py,cover 53 | cover/ 54 | 55 | 56 | # Translations 57 | *.mo 58 | *.pot 59 | 60 | # Django stuff: 61 | *.log 62 | local_settings.py 63 | db.sqlite3 64 | db.sqlite3-journal 65 | 66 | # Flask stuff: 67 | instance/ 68 | .webassets-cache 69 | 70 | # Scrapy stuff: 71 | .scrapy 72 | 73 | # Sphinx documentation 74 | docs/_build/ 75 | 76 | # PyBuilder 77 | target/ 78 | .pybuilder/ 79 | 80 | 81 | # Jupyter Notebook 82 | .ipynb_checkpoints 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # celery beat schedule file 88 | celerybeat-schedule 89 | 90 | # SageMath parsed files 91 | *.sage.py 92 | 93 | # Environments 94 | .env 95 | .venv 96 | env/ 97 | venv/ 98 | ENV/ 99 | env.bak/ 100 | venv.bak/ 101 | 102 | # Spyder project settings 103 | .spyderproject 104 | .spyproject 105 | 106 | # Rope project settings 107 | .ropeproject 108 | 109 | # mkdocs documentation 110 | /site 111 | 112 | # mypy 113 | .mypy_cache/ 114 | /.idea/bind9_parser.iml 115 | /tests/coverage/bind9_parser___init___py.html 116 | /tests/coverage/ 117 | 118 | # IPython 119 | profile_default/ 120 | ipython_config.py 121 | 122 | # pyenv 123 | # For a library or package, you might want to ignore these files since the code is 124 | # intended to run in multiple environments; otherwise, check them in: 125 | # .python-version 126 | 127 | /.idea -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: 
python 2 | 3 | matrix: 4 | include: 5 | - python: 3.8 6 | env: TOXENV=black 7 | - python: 3.5 8 | env: TOXENV=py35 9 | - python: 3.6 10 | env: TOXENV=py36 11 | - python: 3.7 12 | env: TOXENV=py37 13 | - python: 3.8 14 | env: TOXENV=py38 15 | - python: pypy3 16 | env: TOXENV=pypy3 17 | fast_finish: true 18 | 19 | install: 20 | - pip install tox codecov 21 | 22 | script: 23 | - tox 24 | 25 | after_success: 26 | - codecov 27 | -------------------------------------------------------------------------------- /CHANGES: -------------------------------------------------------------------------------- 1 | File: CHANGELOG.md 2 | Package: bind9\_parser 3 | 4 | 5 | 6 | # Release 0.9.10.1 7 | 8 | 2022-05-21 9 | 10 | Renamed following clauses: 11 | 'masters' -> 'primaries' 12 | 13 | Added following clauses: 14 | 'http' 15 | 'dnssec-policy' 16 | 'parental-agents' 17 | 'plugin' 18 | 'statistics-channels' 19 | 'trust_anchors' 20 | 'tls' 21 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Egbert Networks, LLC 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include bind9_parser/*.py 2 | include README.md CHANGES LICENSE ARCHITECTURE.txt DESIGN.txt TODO 3 | include examples/*.py examples/*.conf examples/README examples/try-me.sh 4 | include docs/README 5 | recursive-include tests tests/split-horizon-2-bind9-servers 6 | include setup.py setup.cfg requirements.txt tox.ini 7 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | 2 | No pressure there but the following needs to be implemented. 3 | 4 | It is just a low priority. 5 | 6 | - Convert parse_bind9 into a Python class module 7 | - Need to incorporate ParseElement action functions into a class-based one 8 | - How to deal with func(--> self <--, ...) 
9 | 10 | -------------------------------------------------------------------------------- /all-unittests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Cannot make this 'python3 -m unittest -q tests.test_*' work 4 | # But we can do filepath here 5 | python3 -m unittest -q tests/test_*.py 6 | # 7 | # or could do instead: 8 | # py.test-3 -q -s tests/test_*.py 9 | # nosetest3 -q tests/test_*.py 10 | 11 | # Specific unit testing: 12 | 13 | # python3 -m unittest -q tests.test_acl 14 | # python3 -m unittest -q tests.test_acl.TestACL 15 | # python3 -m unittest tests.test_acl.TestACL.test_isc_acl_geoip_inet_group_failing 16 | 17 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_dlz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_dlz 4 | 5 | Clause: dlz 6 | 7 | Title: Clause statement for the DLZ 8 | 9 | Description: 10 | """ 11 | 12 | from pyparsing import Group, CaselessKeyword, ZeroOrMore, OneOrMore 13 | from bind9_parser.isc_utils import semicolon, isc_boolean, \ 14 | lbrack, rbrack, dlz_name_type, \ 15 | dequoted_path_name 16 | 17 | 18 | # database ""; 19 | dlz_database_element = ( 20 | CaselessKeyword('database').suppress() 21 | - dequoted_path_name('db_args') 22 | + semicolon 23 | ) 24 | 25 | # search ; 26 | dlz_search_element = ( 27 | CaselessKeyword('search').suppress() 28 | - isc_boolean('search') 29 | + semicolon 30 | ) 31 | 32 | # At the moment, orderings matter: 'database' first, then 'search' 33 | dlz_element_group = ( 34 | ( 35 | dlz_search_element 36 | + dlz_database_element 37 | ) 38 | | ( 39 | dlz_database_element 40 | + dlz_search_element 41 | ) 42 | ) 43 | 44 | # dlz { database ; search ; }; [ DLZ ] 45 | clause_stmt_dlz_standalone = ( 46 | CaselessKeyword('dlz').suppress() 47 | - Group( 48 | dlz_name_type('dlz_name') 49 | - lbrack 50 | - OneOrMore( 
51 | dlz_element_group('') 52 | ) 53 | + rbrack 54 | ) 55 | + semicolon 56 | )('dlz') 57 | 58 | clause_stmt_dlz_series = ( 59 | ZeroOrMore( 60 | clause_stmt_dlz_standalone 61 | ) 62 | )('dlz') 63 | 64 | # See isc_viewzone.dlz for a simplified version of 'dlz ;' option 65 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_dyndb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_dyndb.py 4 | 5 | Clause: dyndb 6 | 7 | Title: Clause statement for Dynamic Database 8 | 9 | Description: 10 | """ 11 | from pyparsing import Group, Keyword, Word, OneOrMore 12 | from bind9_parser.isc_utils import lbrack, rbrack, semicolon, \ 13 | isc_file_name, dequoted_path_name, charset_filename_base 14 | 15 | # TODO For dyndb_driver_content, haven't figured out how to allow curly braces inside quotes yet 16 | dyndb_custom_driver_configuration = ( 17 | lbrack 18 | + Word(charset_filename_base + ' \t\r\n/;"\"\'')('driver_parameters') # no '{}' characters 19 | + rbrack 20 | # no semicolon here 21 | )(None) 22 | 23 | dyndb_database_name = ( 24 | isc_file_name 25 | )('db_name') 26 | 27 | dyndb_dynamic_module_name = ( 28 | dequoted_path_name 29 | )('module_filename') 30 | 31 | clause_stmt_dyndb_standalone = ( 32 | Keyword('dyndb').suppress() 33 | + Group( 34 | dyndb_database_name 35 | - dyndb_dynamic_module_name 36 | - dyndb_custom_driver_configuration 37 | ) 38 | + semicolon 39 | )('dyndb') 40 | 41 | clause_stmt_dyndb_series = ( 42 | OneOrMore( 43 | clause_stmt_dyndb_standalone 44 | ) 45 | )('dyndb') 46 | 47 | # if __name__ == '__main__': 48 | # unittest.main() 49 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_http.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_http.py 4 | 5 | Clause: http 6 | 7 | 
Title: Clause statement for HTTP of DNS-over-HTTP connections 8 | 9 | Description: 10 | 11 | Statement Grammar: 12 | 13 | http { 14 | endpoints { ; ... }; 15 | listener-clients ; 16 | streams-per-connection ; 17 | }; 18 | """ 19 | from pyparsing import Word, Group, Keyword, ZeroOrMore, OneOrMore, nums 20 | from bind9_parser.isc_utils import semicolon, \ 21 | quotable_name, \ 22 | lbrack, rbrack, quoted_name 23 | 24 | # NOTE: If any declaration here is to be used OUTSIDE of 25 | # the 'http' clause, it should instead be defined within isc_utils.py 26 | 27 | http_endpoints_element = ( 28 | Keyword('endpoints').suppress() 29 | + lbrack 30 | + OneOrMore( 31 | Group( 32 | quoted_name('endpoint_name') 33 | + semicolon 34 | ) 35 | ) 36 | + rbrack 37 | + semicolon 38 | )('endpoints') 39 | 40 | http_listener_clients_element = ( 41 | Keyword('listener-clients').suppress() 42 | + Word(nums, min=1, max=9)('listener_clients') 43 | + semicolon 44 | ) 45 | 46 | http_streams_per_conns_element = ( 47 | Keyword('streams-per-connections').suppress() 48 | + Word(nums, min=1, max=9)('streams_per_connections') 49 | + semicolon 50 | ) 51 | 52 | clause_stmt_http_standalone = ( 53 | Keyword('http').suppress() 54 | - Group( 55 | quotable_name('http_name') 56 | + lbrack 57 | + http_endpoints_element 58 | + http_listener_clients_element 59 | + http_streams_per_conns_element 60 | + rbrack 61 | )('http*') 62 | + semicolon 63 | ).setName('http { endpoints { ; ... };' 64 | + 'listener-clients ; streams-per-connections ; };') 65 | 66 | clause_stmt_http_set = clause_stmt_http_standalone.setName( 67 | 'http { endpoints { ; ... };' 68 | + 'listener-clients ; streams-per-connections ; };') 69 | 70 | # {0-*} statement 71 | clause_stmt_http_series = ZeroOrMore(clause_stmt_http_set) 72 | clause_stmt_http_series.setName('http { ... 
}; ...') 73 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_key.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_key.py 4 | 5 | Clause: keys 6 | 7 | Title: Clause statement for key 8 | 9 | Description: Provides key-related grammar in PyParsing engine 10 | for ISC-configuration style 11 | """ 12 | from pyparsing import Word, alphanums, Group, Keyword, ZeroOrMore 13 | from bind9_parser.isc_utils import semicolon, lbrack, rbrack, key_id, key_secret_dequotable 14 | 15 | # NOTE: If any declaration here is to be used OUTSIDE of the 'keys' clause, 16 | # it should instead be defined in isc_utils.py 17 | 18 | key_algorithm_name = Word(alphanums + '-')('algorithm') 19 | key_algorithm_name.setName('') 20 | 21 | # algorithm ; 22 | key_algorithm_element = ( 23 | Keyword('algorithm').suppress() 24 | - key_algorithm_name('algorithm') 25 | + semicolon 26 | ) 27 | key_algorithm_element.setName('algorithm ;') 28 | 29 | # secret ; 30 | key_secret_element = ( 31 | Keyword('secret').suppress() 32 | - key_secret_dequotable('secret') 33 | + semicolon 34 | ) 35 | key_secret_element.setName('secret ;') 36 | 37 | # key { algorithm ; secret ; }; 38 | # key key_id { 39 | # algorithm algorithm_id; 40 | # secret secret_string; 41 | # }; 42 | clause_stmt_key_standalone = ( 43 | Group( 44 | Keyword('key').suppress() 45 | - key_id('key_id') 46 | + lbrack 47 | - key_algorithm_element 48 | - key_secret_element 49 | + rbrack 50 | + semicolon 51 | ) 52 | )('key*') 53 | 54 | # {0-*} statement 55 | clause_stmt_key_series = ( 56 | ZeroOrMore( 57 | clause_stmt_key_standalone 58 | ) 59 | ) 60 | clause_stmt_key_series.setName('key { algorithm ; secret ; };') 61 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_managed_keys.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_managed_keys.py 4 | 5 | Clause: managed-keys 6 | 7 | Title: Clause statement for managed keys 8 | 9 | Description: Provides managed-key-related grammar in 10 | PyParsing engine for ISC-configuration style 11 | """ 12 | 13 | from pyparsing import ZeroOrMore 14 | from bind9_parser.isc_managed_keys import managed_keys_statement_standalone 15 | 16 | 17 | # Due to cyclic Python import, 'clause'-based managed-keys are 18 | # kept separate from 'view'-based managed-keys statement 19 | # 20 | # Fortunately, they are identical use of syntax so we merely assign its 21 | # managed-keys syntax to clause as well. 22 | 23 | clause_stmt_managed_keys_standalone = managed_keys_statement_standalone 24 | 25 | clause_stmt_managed_keys_series = ( 26 | ZeroOrMore( 27 | managed_keys_statement_standalone 28 | ) 29 | )('managed_keys') 30 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_plugin.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_plugin.py 4 | 5 | Clause: plugin 6 | 7 | Title: Clause statement for 'plugin' 8 | 9 | Description: 10 | 11 | Statement Grammar: 12 | 13 | plugin ( query ) string 14 | [ { unspecified-text } ] 15 | ; 16 | """ 17 | from pyparsing import Keyword, ZeroOrMore, OneOrMore, Optional 18 | from bind9_parser.isc_utils import semicolon, \ 19 | lbrack, rbrack, dequoted_path_name, config_base 20 | 21 | # NOTE: If any declaration here is to be used outside 22 | # the 'plugin' clause, it should instead be defined within isc_utils.py 23 | 24 | plugin_config_line_element = ( 25 | config_base 26 | + OneOrMore(semicolon) 27 | ) 28 | 29 | plugin_config_element = ( 30 | lbrack 31 | + OneOrMore(plugin_config_line_element)('config*') 32 | + rbrack 33 | ) 34 | 35 | clause_stmt_plugin_standalone 
= ( 36 | Keyword('plugin').suppress() 37 | + Optional(Keyword('query')('flag')) 38 | + dequoted_path_name 39 | + plugin_config_element 40 | + semicolon 41 | ).setName('plugin [ query ] { text ; ... };') 42 | 43 | clause_stmt_plugin_set = clause_stmt_plugin_standalone.setName('plugin [ query ] { text ; ... };') 44 | 45 | # {0-*} statement 46 | clause_stmt_plugin_series = ZeroOrMore(clause_stmt_plugin_set) 47 | clause_stmt_plugin_series.setName('plugin [ query ] { ... }; ...') 48 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_server.py 4 | 5 | Clause: server 6 | 7 | Title: Clause Statement for Server Definitions 8 | 9 | Description: 10 | """ 11 | from pyparsing import Keyword, ZeroOrMore, Group 12 | from bind9_parser.isc_utils import lbrack, rbrack, semicolon 13 | from bind9_parser.isc_inet import ip46_addr_or_prefix 14 | from bind9_parser.isc_server import server_statement_set 15 | from bind9_parser.isc_optviewserver import optviewserver_statements_set 16 | from bind9_parser.isc_optviewzoneserver import optviewzoneserver_statements_set 17 | 18 | 19 | # BUG: 'edns' and 'edns-udp-size' are reversed and needs unreversing 20 | server_all_statements_set = ( 21 | optviewserver_statements_set # make optviewserver_statements_set firstly due to 'edns-udp-size' pattern 22 | ^ optviewzoneserver_statements_set 23 | ^ server_statement_set # make server_statement_set last due to 'edns' pattern 24 | ) 25 | 26 | server_all_statements_series = ( 27 | ZeroOrMore( 28 | server_all_statements_set 29 | ) 30 | ) 31 | 32 | clause_stmt_server_standalone = ( 33 | Keyword('server').suppress() 34 | - Group( 35 | ip46_addr_or_prefix('ip_addr') 36 | - lbrack 37 | - Group( 38 | server_all_statements_series 39 | )('configs') 40 | - rbrack 41 | )('') 42 | - semicolon 43 | )('server') 44 | 
clause_stmt_server_standalone.setName('server { ... };') 45 | 46 | clause_stmt_server_series = ( 47 | ZeroOrMore( 48 | clause_stmt_server_standalone 49 | ) 50 | )('server') 51 | clause_stmt_server_series.setName('server { ... }; ...;') 52 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_statistics_channels.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_statistics_channels.py 4 | 5 | Clause: statistics_channels 6 | 7 | Title: Clause statement for 'statistics-channels' 8 | 9 | Description: 10 | 11 | Statement Grammar: 12 | 13 | statistics-channels { 14 | inet ( ipv4_address | 15 | ipv6_address | 16 | * ) 17 | [ port ( integer | * ) ] 18 | [ allow { address_match_element; ... } ]; 19 | }; 20 | """ 21 | from pyparsing import Group, Keyword, ZeroOrMore, OneOrMore, Optional 22 | from bind9_parser.isc_utils import semicolon, \ 23 | lbrack, rbrack 24 | from bind9_parser.isc_inet import ip46_addr_or_wildcard, inet_ip_port_keyword_and_wildcard_element 25 | 26 | # NOTE: If any declaration here is to be used OUTSIDE of 27 | # the 'statistics_channels' clause, it should instead be defined within isc_utils.py 28 | 29 | clause_stmt_statistics_channels_standalone = ( 30 | Keyword('statistics-channels').suppress() 31 | + lbrack 32 | + OneOrMore( 33 | Keyword('inet').suppress() 34 | + Group( 35 | Optional(ip46_addr_or_wildcard('ip_addr')) 36 | - Optional(inet_ip_port_keyword_and_wildcard_element('ip_port_w')) 37 | + OneOrMore(semicolon) 38 | )('statistics_channels*') 39 | ) 40 | + rbrack 41 | + semicolon 42 | ) 43 | clause_stmt_statistics_channels_standalone.setName( 44 | 'statistics_channels { endpoints { ; ... 
};' 45 | + 'listener-clients ; streams-per-connections ; };') 46 | 47 | clause_stmt_statistics_channels_set = clause_stmt_statistics_channels_standalone 48 | 49 | # {0-*} statement 50 | clause_stmt_statistics_channels_series = ZeroOrMore(clause_stmt_statistics_channels_set) 51 | clause_stmt_statistics_channels_series.setName('statistics_channels { ... }; ...') 52 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_trusted_keys.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_trusted_keys.py 4 | 5 | Clause: trusted_keys 6 | 7 | Title: Clause statement for 'trusted-keys' 8 | 9 | Description: 10 | 11 | Statement Grammar: 12 | 13 | trusted-keys { 14 | string ( 15 | static-key | 16 | initial-key | 17 | static-ds | 18 | initial-ds ) 19 | integer integer integer 20 | quoted_string; 21 | ... 22 | }; 23 | 24 | References: 25 | 26 | * https://egbert.net/blog/articles/dns-rr-key.html 27 | 28 | """ 29 | from bind9_parser.isc_trusted_keys import trusted_keys_stmt_set, \ 30 | trusted_keys_stmt_series 31 | 32 | clause_stmt_trusted_keys_standalone = trusted_keys_stmt_set 33 | 34 | clause_stmt_trusted_keys_set = trusted_keys_stmt_set 35 | clause_stmt_trusted_keys_set.setName( 36 | """trusted-keys { 37 | string ( 38 | static-key | 39 | initial-key | 40 | static-ds | 41 | initial-ds ) 42 | 43 | ; 44 | ... };""") 45 | 46 | # {0-*} statement 47 | clause_stmt_trusted_keys_series = trusted_keys_stmt_series 48 | clause_stmt_trusted_keys_series.setName( 49 | """trusted-keys { ... }; [ trusted-keys { ... }; ... 
]""" 50 | ) 51 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_view.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_view.py 4 | 5 | Clause: view 6 | 7 | Title: Clause Statement for View Group 8 | 9 | Description: 10 | """ 11 | from pyparsing import Keyword, Optional, ZeroOrMore, Group 12 | from bind9_parser.isc_utils import lbrack, rbrack, semicolon, view_name 13 | from bind9_parser.isc_rr import rr_class_set 14 | from bind9_parser.isc_view import view_statements_set 15 | from bind9_parser.isc_managed_keys import managed_keys_statement_standalone 16 | from bind9_parser.isc_optview import optview_statements_set 17 | from bind9_parser.isc_optviewserver import optviewserver_statements_set 18 | from bind9_parser.isc_optviewzone import optviewzone_statements_set 19 | from bind9_parser.isc_optviewzoneserver import optviewzoneserver_statements_set 20 | from bind9_parser.isc_viewzone import viewzone_statements_set 21 | from bind9_parser.isc_clause_zone import clause_stmt_zone_standalone 22 | from bind9_parser.isc_clause_trusted_keys import clause_stmt_trusted_keys_standalone 23 | 24 | 25 | view_all_statements_set = ( 26 | view_statements_set 27 | | optview_statements_set 28 | | optviewserver_statements_set 29 | | optviewzone_statements_set 30 | | optviewzoneserver_statements_set 31 | | viewzone_statements_set 32 | | clause_stmt_zone_standalone 33 | | clause_stmt_trusted_keys_standalone 34 | | managed_keys_statement_standalone # Amazing copy 35 | ) 36 | 37 | view_all_statements_series = ZeroOrMore(view_all_statements_set) 38 | 39 | clause_stmt_view_standalone = ( 40 | Keyword('view').suppress() 41 | - Group( 42 | view_name('view_name') 43 | - Optional(rr_class_set('class')) 44 | - lbrack 45 | - ( 46 | view_all_statements_series 47 | ) 48 | + rbrack 49 | )('views*') 50 | + semicolon 51 | ) 52 | 53 | clause_stmt_view_series = 
( 54 | ZeroOrMore( 55 | clause_stmt_view_standalone 56 | ) 57 | ) 58 | -------------------------------------------------------------------------------- /bind9_parser/isc_clause_zone.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_clause_zone.py 4 | 5 | Clause: zone 6 | 7 | Title: Clause Statement for Zone Group 8 | 9 | Description: 10 | """ 11 | from pyparsing import Keyword, Optional, Group, OneOrMore 12 | from bind9_parser.isc_utils import lbrack, rbrack, semicolon 13 | from bind9_parser.isc_rr import rr_domain_name 14 | from bind9_parser.isc_utils import dequotable_zone_name 15 | from bind9_parser.isc_zone import zone_statements_set 16 | from bind9_parser.isc_optviewzone import optviewzone_statements_set 17 | from bind9_parser.isc_optviewzoneserver import optviewzoneserver_statements_set 18 | from bind9_parser.isc_optzone import optzone_statements_set 19 | from bind9_parser.isc_viewzone import viewzone_statements_set 20 | 21 | 22 | # Note: There is no validation method applied here to ensure that 23 | # ordering of Keywords are in longest listed, firstly. 
24 | zone_all_stmts_set = ( 25 | zone_statements_set 26 | | optzone_statements_set 27 | | optviewzone_statements_set 28 | | optviewzoneserver_statements_set 29 | | viewzone_statements_set 30 | ) 31 | 32 | zone_all_stmts_series = OneOrMore( 33 | zone_all_stmts_set 34 | ) 35 | 36 | clause_stmt_zone_standalone = ( 37 | Keyword('zone').suppress() 38 | - Group( 39 | dequotable_zone_name('zone_name') 40 | - Optional(rr_domain_name('class')) 41 | - lbrack 42 | - ( 43 | zone_all_stmts_series 44 | ) # no dictionary available if ('zones9*') appended here 45 | + rbrack 46 | )('zones*') 47 | + semicolon 48 | ) 49 | 50 | clause_stmt_zone_series = ( 51 | OneOrMore( 52 | clause_stmt_zone_standalone 53 | ) 54 | ) 55 | -------------------------------------------------------------------------------- /bind9_parser/isc_optzone.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_optzone.py 4 | 5 | Clause: options, zone 6 | 7 | Title: Statements Used Only By options And zone Clauses. 
8 | 9 | Description: isc_optzone contains all parse elements pertaining 10 | to both options and zone (but not view) 11 | """ 12 | from pyparsing import Keyword, OneOrMore 13 | from bind9_parser.isc_utils import isc_boolean, semicolon 14 | 15 | 16 | optzone_stmt_notify_to_soa = ( 17 | Keyword('notify-to-soa') 18 | - isc_boolean('notify_to_soa') 19 | + semicolon 20 | ) 21 | 22 | # Keywords are in dictionary-order, but with longest pattern as 23 | # having been listed firstly 24 | optzone_statements_set = ( 25 | optzone_stmt_notify_to_soa 26 | ) 27 | 28 | optzone_statements_series = ( 29 | OneOrMore(optzone_statements_set) 30 | ) 31 | -------------------------------------------------------------------------------- /bind9_parser/isc_viewzone.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | File: isc_viewzone.py 4 | 5 | Clause: view, zone 6 | 7 | Title: Statements Used Only By view And zone Clauses 8 | 9 | Description: isc_viewzone contains all parse elements pertaining 10 | to both view and zone (but not options) 11 | """ 12 | from pyparsing import CaselessKeyword, OneOrMore, Keyword 13 | from bind9_parser.isc_utils import semicolon, database_name_type 14 | from bind9_parser.isc_clause_dlz import dlz_name_type 15 | 16 | 17 | viewzone_stmt_database = ( 18 | Keyword('database').suppress() 19 | - database_name_type('database') 20 | + semicolon 21 | ) 22 | 23 | # dlz ; [ View Zone ] 24 | # See isc_clause_dlz.clause_stmt_dlz_series for the full DLZ-clause syntax 25 | # that a view's or zone's 'dlz' statement refers to. 
26 | viewzone_stmt_dlz = ( 27 | CaselessKeyword('dlz').suppress() 28 | - dlz_name_type('dlz') 29 | + semicolon 30 | ) 31 | 32 | # Keywords are in dictionary-order, but with longest pattern as 33 | # having been listed firstly 34 | # 35 | # This statement set is to be used by either 'view' or 'zone' clause 36 | viewzone_statements_set = ( 37 | viewzone_stmt_database 38 | | viewzone_stmt_dlz 39 | ) 40 | 41 | viewzone_statements_series = OneOrMore(viewzone_statements_set) 42 | -------------------------------------------------------------------------------- /bind9_parser/pyproject.toml: -------------------------------------------------------------------------------- 1 | # TODO(review): 'requires' under [build-system] names a runtime library rather than a build backend and no 'build-backend' is declared; 'line_profiler' is a profiling tool and should not be a runtime dependency; the 'test' extra lists "unittest", which pip resolves from the package index rather than the standard library (a dependency-confusion risk) and should be removed; and 'description' is given both statically and in 'dynamic', which PEP 621 does not allow. 2 | [build-system] 3 | requires = ["pyparsing >=2.4.5"] 4 | backend-path = ["."] 5 | 6 | [project] 7 | name = "bind9_parser" 8 | authors = [ 9 | { name = "Egberts", email = "egberts@github.com"}, 10 | ] 11 | description = "Parser for named.conf used by ISC Bind9 DNS daemon" 12 | dependencies = [ 13 | "pyparsing >=2.4.5", 14 | "line_profiler", 15 | ] 16 | requires-python = ">=3.7" 17 | 18 | classifiers = [ 19 | "Intended Audience :: Web Developers", 20 | "Intended Audience :: Developers", 21 | "License :: OSI Approved :: MIT License", 22 | "Programming Language :: Python :: 3", 23 | "Topic :: Software Development :: Libraries :: Python Modules", 24 | ] 25 | dynamic = ['version', 'description'] 26 | 27 | [project.optional-dependencies] 28 | test = [ 29 | "unittest", 30 | ] 31 | doc = [ ] 32 | 33 | [project.urls] 34 | Documentation = "https://github.com/egberts/bind9_parser" 35 | Source = "https://github.com/egberts/bind9_parser" 36 | Changelog = "https://github.com/egberts/bind9_parser/ChangeLog" 37 | 38 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.0.html/acl.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND acl Statement 5 | 6 | 7 | 8 |

BIND Configuration File Guide--acl Statement

9 | 10 |
11 | 12 |

Syntax

13 | 14 |
15 | acl name {
16 |   address_match_list
17 | };
18 | 
19 | 20 |
21 | 22 |

Definition and Usage

23 | 24 |

The acl statement creates a named address match list. 25 | It gets its name from a primary use of address match lists: Access 26 | Control Lists (ACLs).

27 | 28 |

Note that an address match list's name must be defined with 29 | acl before it can be used elsewhere; no forward 30 | references are allowed.

31 | 32 | The following ACLs are built-in: 33 | 34 |
35 |
any 36 |
37 | Allows all hosts. 38 | 39 |
none 40 |
41 | Denies all hosts. 42 | 43 |
localhost 44 |
45 | Allows the IP addresses of all interfaces on the system. 46 | 47 |
localnets 48 |
49 | Allows any host on a network for which the system has an interface. 50 |
51 | 52 |
53 | 54 |

[ BIND Config. File 55 | | BIND Home 56 | | ISC ]

57 | 58 |
59 |
60 | Last Updated: $Id: acl.html,v 1.5 1999/09/15 20:28:00 cyarnell Exp $ 61 |
62 | 63 | 64 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.0.html/example.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND Configuration File Guide -- Example Config File 5 | 6 | 7 | 8 |

BIND Configuration File Guide -- Example Config File

9 | 10 |
11 | 12 |
13 | 
14 | /*
15 |  * A simple BIND 8 configuration
16 |  */
17 | 
18 | logging {
19 | 	category lame-servers { null; };
20 | 	category cname { null; };
21 | };
22 | 
23 | options {
24 | 	directory "/var/named";
25 | };
26 | 
27 | controls {
28 | 	inet * port 52 allow { localnets; };		// a BAD idea
29 | 	unix "/var/run/ndc" perm 0600 owner 0 group 0;	// the default
30 | };
31 | 
32 | zone "isc.org" in {
33 | 	type master;
34 | 	file "master/isc.org";
35 | };
36 | 
37 | zone "vix.com" in {
38 | 	type slave;
39 | 	file "slave/vix.com";
40 | 	masters { 10.0.0.53; };
41 | };
42 | 
43 | zone "." in {
44 | 	type hint;
45 | 	file "named.cache";
46 | };
47 | 
48 | zone "0.0.127.in-addr.arpa" in {
49 | 	type master;
50 | 	notify no;
51 | 	file "master/127.0.0";
52 | };
53 | 
54 | 55 |
56 | 57 |

[ BIND Home 58 | | ISC ]

59 | 60 |
61 |
62 | Last Updated: $Id: example.html,v 1.5 1999/09/15 20:28:01 cyarnell Exp $ 63 |
64 | 65 | 66 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.0.html/include.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND include Statement 5 | 6 | 7 | 8 |

BIND Configuration File Guide--include Statement

9 | 10 |
11 | 12 |

Syntax

13 | 14 |
15 | include path_name;
16 | 
17 | 18 |
19 | 20 |

Definition and Usage

21 | 22 |

The include statement inserts the specified file at 23 | the point that the include statement is encountered. It 24 | cannot be used within another statement, though, so a line such as 25 |

26 | acl internal_hosts { include "internal_hosts.acl"; };
27 | 
28 | is not allowed.

29 | 30 |

Use include to break the configuration up into 31 | easily-managed chunks. For example: 32 | 33 |

34 | include "/etc/security/keys.bind";
35 | include "/etc/acls.bind";
36 | 
37 | 38 |

could be used at the top of a BIND configuration file in order to 39 | include any ACL or key information.

40 | 41 |

Be careful not to type 42 | "#include", like you would in a C 43 | program, because "#" is used to start a 44 | comment.

45 | 46 |
47 | 48 |

[ BIND Config. File 49 | | BIND Home 50 | | ISC ]

51 | 52 |
53 |
54 | Last Updated: $Id: include.html,v 1.7 1999/09/15 20:28:01 cyarnell Exp $ 55 |
56 | 57 | 58 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.0.html/key.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND key Statement 5 | 6 | 7 | 8 |

BIND Configuration File Guide--key Statement

9 | 10 |
11 | 12 |

Syntax

13 | 14 |
15 | key key_id {
16 |   algorithm algorithm_id;
17 |   secret secret_string;
18 | };
19 | 
20 | 21 |
22 | 23 |

Definition and Usage

24 | 25 |

The key statement defines a key ID which can be used 26 | in a server statement to 27 | associate an authentication method with a particular name server. 28 | 29 |

A key ID must be created with the key 30 | statement before it can be used in a server 31 | definition or an address match list.

32 | 33 |

The algorithm_id is a string that specifies a 34 | security/authentication algorithm. The only supported 35 | algorithm is "hmac-md5". (Note: this reflects BIND 8. Later BIND versions keep HMAC-MD5 only for interoperability; RFC 8945 recommends HMAC-SHA256, which should be preferred for any new key whenever both peers support it.) 36 | 37 |

secret_string is the secret to be used by the algorithm, 38 | and is treated as a base-64 encoded string. This may be generated 39 | using dnskeygen or another utility or created manually. Anyone who can read this string can sign requests as the key, so keep key statements in a separately included file that is readable only by the name server's user (see the include statement). 40 | 41 |

The key statement is intended for use in transaction 42 | security. Unless included in a server 43 | statement, it is not used to sign any requests. It is used to verify 44 | requests matching the key_id and algorithm_id, 45 | and sign replies to those requests. 46 |


47 | 48 |

[ BIND Config. File 49 | | BIND Home 50 | | ISC ]

51 | 52 |
53 |
54 | Last Updated: $Id: key.html,v 1.10 1999/09/15 20:28:02 cyarnell Exp $ 55 |
56 | 57 | 58 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.0.html/trusted-keys.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND trusted-keys Statement 5 | 6 | 7 | 8 |

BIND Configuration File Guide--trusted-keys Statement

9 | 10 |
11 | 12 |

Syntax

13 | 14 |
15 | trusted-keys { 
16 |   [ domain_name number number number string; ]
17 | };
18 | 
19 | 
20 | 21 |
22 | 23 |

Definition and Usage

24 | 25 | The trusted-keys 26 | statement is for use with DNSSEC-style security, originally specified 27 | in RFC 2065. DNSSEC is meant to 28 | provide three distinct services: key distribution, data origin 29 | authentication, and transaction and request authentication. A 30 | complete description of DNSSEC and its use is beyond the scope of this 31 | document, and readers interested in more information should start with 32 | 33 | RFC 2065 and then continue with the 34 | 35 | Internet Drafts. (Note: RFC 2065 has since been obsoleted, first by RFC 2535 and then by RFCs 4033-4035, which define the DNSSEC that current validators implement.)

36 | 37 |

Each trusted key is associated with a domain name. Its attributes are 38 | the non-negative integral flags, protocol, and 39 | algorithm, as well as a base-64 encoded string representing 40 | the key.

41 | 42 | A trusted key is added when a public key for a non-authoritative zone is 43 | known, but cannot be securely obtained through DNS. This occurs when 44 | a signed zone is a child of an unsigned zone. Adding the trusted 45 | key here allows data signed by that zone to be considered secure. Such a statically configured trust anchor is only as trustworthy as the out-of-band channel it was obtained through, and it must be replaced by hand whenever the zone rolls its key; a stale anchor makes every signed answer from that zone fail validation.

46 | 47 |
48 | 49 |

[ BIND Config. File 50 | | BIND Home 51 | | ISC ]

52 | 53 |
54 |
55 | Last Updated: $Id: trusted-keys.html,v 1.4 1999/09/15 20:28:02 cyarnell Exp $ 56 |
57 | 58 | 59 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.6.html/acl.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND acl Statement 5 | 6 | 7 | 8 |

BIND Configuration File Guide--acl Statement

9 | 10 |
11 | 12 |

Syntax

13 | 14 |
15 | acl name {
16 |   address_match_list
17 | };
18 | 
19 | 20 |
21 | 22 |

Definition and Usage

23 | 24 |

The acl statement creates a named address match list. 25 | It gets its name from a primary use of address match lists: Access 26 | Control Lists (ACLs).

27 | 28 |

Note that an address match list's name must be defined with 29 | acl before it can be used elsewhere; no forward 30 | references are allowed.

31 | 32 | The following ACLs are built-in: 33 | 34 |
35 |
any 36 |
37 | Allows all hosts. 38 | 39 |
none 40 |
41 | Denies all hosts. 42 | 43 |
localhost 44 |
45 | Allows the IP addresses of all interfaces on the system. 46 | 47 |
localnets 48 |
49 | Allows any host on a network for which the system has an interface. 50 |
51 | 52 |
53 | 54 |

[ BIND Config. File 55 | | BIND Home 56 | | ISC ]

57 | 58 |
59 |
60 | Last Updated: $Id: acl.html,v 1.5 1999/09/15 20:28:00 cyarnell Exp $ 61 |
62 | 63 | 64 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.6.html/example.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND Configuration File Guide -- Example Config File 5 | 6 | 7 | 8 |

BIND Configuration File Guide -- Example Config File

9 | 10 |
11 | 12 |
13 | 
14 | /*
15 |  * A simple BIND 8 configuration
16 |  */
17 | 
18 | logging {
19 | 	category lame-servers { null; };
20 | 	category cname { null; };
21 | };
22 | 
23 | options {
24 | 	directory "/var/named";
25 | };
26 | 
27 | controls {
28 | 	inet * port 52 allow { localnets; };		// a BAD idea
29 | 	unix "/var/run/ndc" perm 0600 owner 0 group 0;	// the default
30 | };
31 | 
32 | zone "isc.org" in {
33 | 	type master;
34 | 	file "master/isc.org";
35 | };
36 | 
37 | zone "vix.com" in {
38 | 	type slave;
39 | 	file "slave/vix.com";
40 | 	masters { 10.0.0.53; };
41 | };
42 | 
43 | zone "." in {
44 | 	type hint;
45 | 	file "named.cache";
46 | };
47 | 
48 | zone "0.0.127.in-addr.arpa" in {
49 | 	type master;
50 | 	notify no;
51 | 	file "master/127.0.0";
52 | };
53 | 
54 | 55 |
56 | 57 |

[ BIND Home 58 | | ISC ]

59 | 60 |
61 |
62 | Last Updated: $Id: example.html,v 1.5 1999/09/15 20:28:01 cyarnell Exp $ 63 |
64 | 65 | 66 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.6.html/include.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND include Statement 5 | 6 | 7 | 8 |

BIND Configuration File Guide--include Statement

9 | 10 |
11 | 12 |

Syntax

13 | 14 |
15 | include path_name;
16 | 
17 | 18 |
19 | 20 |

Definition and Usage

21 | 22 |

The include statement inserts the specified file at 23 | the point that the include statement is encountered. It 24 | cannot be used within another statement, though, so a line such as 25 |

26 | acl internal_hosts { include "internal_hosts.acl"; };
27 | 
28 | is not allowed.

29 | 30 |

Use include to break the configuration up into 31 | easily-managed chunks. For example: 32 | 33 |

34 | include "/etc/security/keys.bind";
35 | include "/etc/acls.bind";
36 | 
37 | 38 |

could be used at the top of a BIND configuration file in order to 39 | include any ACL or key information.

40 | 41 |

Be careful not to type 42 | "#include", like you would in a C 43 | program, because "#" is used to start a 44 | comment.

45 | 46 |
47 | 48 |

[ BIND Config. File 49 | | BIND Home 50 | | ISC ]

51 | 52 |
53 |
54 | Last Updated: $Id: include.html,v 1.7 1999/09/15 20:28:01 cyarnell Exp $ 55 |
56 | 57 | 58 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.6.html/key.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND key Statement 5 | 6 | 7 | 8 |

BIND Configuration File Guide--key Statement

9 | 10 |
11 | 12 |

Syntax

13 | 14 |
15 | key key_id {
16 |   algorithm algorithm_id;
17 |   secret secret_string;
18 | };
19 | 
20 | 21 |
22 | 23 |

Definition and Usage

24 | 25 |

The key statement defines a key ID which can be used 26 | in a server statement to 27 | associate an authentication method with a particular name server. 28 | 29 |

A key ID must be created with the key 30 | statement before it can be used in a server 31 | definition or an address match list.

32 | 33 |

The algorithm_id is a string that specifies a 34 | security/authentication algorithm. The only supported 35 | algorithm is "hmac-md5". (Note: this reflects BIND 8. Later BIND versions keep HMAC-MD5 only for interoperability; RFC 8945 recommends HMAC-SHA256, which should be preferred for any new key whenever both peers support it.) 36 | 37 |

secret_string is the secret to be used by the algorithm, 38 | and is treated as a base-64 encoded string. This may be generated 39 | using dnskeygen or another utility or created manually. Anyone who can read this string can sign requests as the key, so keep key statements in a separately included file that is readable only by the name server's user (see the include statement). 40 | 41 |

The key statement is intended for use in transaction 42 | security. Unless included in a server 43 | statement, it is not used to sign any requests. It is used to verify 44 | requests matching the key_id and algorithm_id, 45 | and sign replies to those requests. 46 |


47 | 48 |

[ BIND Config. File 49 | | BIND Home 50 | | ISC ]

51 | 52 |
53 |
54 | Last Updated: $Id: key.html,v 1.10 1999/09/15 20:28:02 cyarnell Exp $ 55 |
56 | 57 | 58 | -------------------------------------------------------------------------------- /docs/Bv8ARM-8.4.6.html/trusted-keys.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | BIND trusted-keys Statement 5 | 6 | 7 | 8 |

BIND Configuration File Guide--trusted-keys Statement

9 | 10 |
11 | 12 |

Syntax

13 | 14 |
15 | trusted-keys { 
16 |   [ domain_name number number number string; ]
17 | };
18 | 
19 | 
20 | 21 |
22 | 23 |

Definition and Usage

24 | 25 | The trusted-keys 26 | statement is for use with DNSSEC-style security, originally specified 27 | in RFC 2065. DNSSEC is meant to 28 | provide three distinct services: key distribution, data origin 29 | authentication, and transaction and request authentication. A 30 | complete description of DNSSEC and its use is beyond the scope of this 31 | document, and readers interested in more information should start with 32 | 33 | RFC 2065 and then continue with the 34 | 35 | Internet Drafts. (Note: RFC 2065 has since been obsoleted, first by RFC 2535 and then by RFCs 4033-4035, which define the DNSSEC that current validators implement.)

36 | 37 |

Each trusted key is associated with a domain name. Its attributes are 38 | the non-negative integral flags, protocol, and 39 | algorithm, as well as a base-64 encoded string representing 40 | the key.

41 | 42 | A trusted key is added when a public key for a non-authoritative zone is 43 | known, but cannot be securely obtained through DNS. This occurs when 44 | a signed zone is a child of an unsigned zone. Adding the trusted 45 | key here allows data signed by that zone to be considered secure. Such a statically configured trust anchor is only as trustworthy as the out-of-band channel it was obtained through, and it must be replaced by hand whenever the zone rolls its key; a stale anchor makes every signed answer from that zone fail validation.

46 | 47 |
48 | 49 |

[ BIND Config. File 50 | | BIND Home 51 | | ISC ]

52 | 53 |
54 |
55 | Last Updated: $Id: trusted-keys.html,v 1.4 1999/09/15 20:28:02 cyarnell Exp $ 56 |
57 | 58 | 59 | -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.10.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.10.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.12.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.12.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.12.0a1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.12.0a1.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.13.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.13.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.14.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.14.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.15.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.15.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.16.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.16.pdf -------------------------------------------------------------------------------- 
/docs/Bv9ARM-v9.4.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.4.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.5.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.5.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.6.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.6.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.7.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.7.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.8.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.8.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.9.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.9.0.pdf -------------------------------------------------------------------------------- /docs/Bv9ARM-v9.9.7.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/Bv9ARM-v9.9.7.pdf -------------------------------------------------------------------------------- /docs/CIS_BIND_9.0-9.5_Benchmark_v2.0.01.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/CIS_BIND_9.0-9.5_Benchmark_v2.0.01.pdf -------------------------------------------------------------------------------- /docs/README: -------------------------------------------------------------------------------- 1 | Bind9 Administration Reference Manuals 2 | 3 | Source: https://ftp.ripe.net/mirrors/sites/ftp.isc.org/isc/bind9/ 4 | 5 | Maintainer keeps the original PDF copies in GitHub, but not in PyPi/pip 6 | -------------------------------------------------------------------------------- /docs/bind-9.2.0.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind-9.2.0.tar.gz -------------------------------------------------------------------------------- /docs/bind-9.3.0.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind-9.3.0.tar.gz -------------------------------------------------------------------------------- /docs/bind-doc-8.1.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind-doc-8.1.tar.gz -------------------------------------------------------------------------------- /docs/bind-doc.tar-8.4.7.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind-doc.tar-8.4.7.gz -------------------------------------------------------------------------------- /docs/bind-doc.tar-v8.1.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind-doc.tar-v8.1.gz 
-------------------------------------------------------------------------------- /docs/bind-doc.tar-v8.3.0.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind-doc.tar-v8.3.0.gz -------------------------------------------------------------------------------- /docs/bind-doc.tar-v8.4.0.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind-doc.tar-v8.4.0.gz -------------------------------------------------------------------------------- /docs/bind10-1.0.0.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind10-1.0.0.tar.gz -------------------------------------------------------------------------------- /docs/bind10-1.1.0.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind10-1.1.0.tar.gz -------------------------------------------------------------------------------- /docs/bind10-1.2.0.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egberts/bind9_parser/HEAD/docs/bind10-1.2.0.tar.gz -------------------------------------------------------------------------------- /examples/README: -------------------------------------------------------------------------------- 1 | The examples that are practical at the moment are: 2 | 3 | parse-bind9 - Most practical of all, actually 4 | parses ISC Bind into Python Dict structure 5 | 6 | flatten_namedconf - Reads in all include files and creates a single file. 7 | 8 | isc_boolean - ISC Bind9 boolean syntax (it's complex) 9 | 10 | exclamation - Exercise the use of 'exclamation' mark. 
11 | 12 | namedconfglobal.py - Is a Pythonized database that contains all things 13 | related to ISC Bind syntax handling, except for 14 | its BNF (that's what bind9-parser is for).. 15 | -------------------------------------------------------------------------------- /examples/bugs/P000/README.md: -------------------------------------------------------------------------------- 1 | This python prototype of pyparsing 2 | properly handles 3 | 4 | multiple Views and its multiple Zones. 5 | 6 | Also ensures ordered dictionary (by virtue of Python 3.7+) 7 | 8 | Now, I just need to deploy these changes 9 | throughout the bind9\_parser 10 | 11 | NOTE: 'views' is mandatory in order to ensure the 12 | proper ordering of 'view' record, given that they 13 | may have differing `match-clients`, `allow-query`, 14 | and `allow-query-on`. 15 | 16 | Fixes: [Issue 7](https://github.com/egberts/bind9_parser/issues) 17 | -------------------------------------------------------------------------------- /examples/bugs/bug-bind9_parser-001.txt: -------------------------------------------------------------------------------- 1 | options 2 | { 3 | directory "/var/named"; // the default 4 | }; 5 | view "localhost_resolver" 6 | { 7 | match-clients { localhost; }; 8 | }; 9 | view "internal" 10 | { 11 | match-clients { localnets; }; 12 | zone "my.internal.zone" { 13 | type master; 14 | }; 15 | zone "my.slave.internal.zone" { 16 | type slave; 17 | }; 18 | zone "my.ddns.internal.zone" { 19 | type master; 20 | }; 21 | }; 22 | key ddns_key 23 | { 24 | algorithm hmac-md5; 25 | secret "togenerateTSIGkeys"; 26 | }; 27 | view "external" 28 | { 29 | match-clients { !localnets; !localhost; }; 30 | zone "my.external.zone" { 31 | type master; 32 | }; 33 | }; 34 | -------------------------------------------------------------------------------- /examples/exclamation.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pyparsing import 
Char, Group, Optional, Word, alphanums 4 | 5 | def parse_me(parse_element, pattern, expected_pass): 6 | result = parse_element.parseString(pattern, parseAll=True) 7 | print('result:', result.asDict()) 8 | return result.asDict() 9 | 10 | def convertExclamation(s, l, toks): 11 | if len(toks[0]): 12 | for what in toks[0]: 13 | if '!' == what: 14 | return True 15 | else: 16 | return False 17 | else: 18 | return False 19 | 20 | exclamation = Char('!') 21 | 22 | find_pattern = Group( 23 | Group( 24 | Optional(exclamation) 25 | )('not').setParseAction(convertExclamation) 26 | + Word(alphanums + '_-/:.')('addr') 27 | )('find_pattern') 28 | 29 | parse_me(find_pattern, 'a', True) 30 | parse_me(find_pattern, '! a', True) 31 | -------------------------------------------------------------------------------- /examples/isc_boolean.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pyparsing import Char, Group, Optional, Word, alphanums,\ 4 | CaselessLiteral, Literal 5 | 6 | def parse_me(parse_element, pattern): 7 | result = parse_element.parseString(pattern, parseAll=True) 8 | print('result:', result.asDict()) 9 | return result.asDict() 10 | 11 | def convertBoolean(s, l, toks): 12 | print('toks:', toks) 13 | if len(toks[0]): 14 | if (toks[0].lower() == 'true') or (toks[0].lower() == 'yes'): 15 | return True 16 | elif (toks[0].lower() == 'false') or (toks[0].lower() == 'no'): 17 | return False 18 | if toks[0].isnumeric(): 19 | if int(toks[0]) == 1: 20 | return True 21 | elif int(toks[0]) == 0: 22 | return False 23 | else: 24 | return False 25 | 26 | isc_boolean = ( 27 | CaselessLiteral('true') 28 | | CaselessLiteral('false') 29 | | CaselessLiteral('yes') 30 | | CaselessLiteral('no') 31 | | Literal('1') 32 | | Literal('0') 33 | ) 34 | 35 | find_pattern = Group( 36 | Word(alphanums + '_-/:.')('isc_boolean').setParseAction(convertBoolean) 37 | )('find_pattern') 38 | 39 | parse_me(find_pattern, 'TRUE') 40 | 
parse_me(find_pattern, 'True') 41 | parse_me(find_pattern, 'true') 42 | parse_me(find_pattern, 'yes') 43 | parse_me(find_pattern, 'Yes') 44 | parse_me(find_pattern, 'YES') 45 | parse_me(find_pattern, '1') 46 | 47 | parse_me(find_pattern, 'FALSE') 48 | parse_me(find_pattern, 'False') 49 | parse_me(find_pattern, 'false') 50 | parse_me(find_pattern, 'no') 51 | parse_me(find_pattern, 'No') 52 | parse_me(find_pattern, 'NO') 53 | parse_me(find_pattern, '0') 54 | 55 | parse_me(find_pattern, 'bogus') 56 | parse_me(find_pattern, 'wrong') 57 | parse_me(find_pattern, 'righto') 58 | parse_me(find_pattern, 'yeah') 59 | parse_me(find_pattern, 'nope') 60 | parse_me(find_pattern, 'nah') 61 | parse_me(find_pattern, '12345') 62 | -------------------------------------------------------------------------------- /examples/named-conf/basic/named.conf: -------------------------------------------------------------------------------- 1 | 2 | options { 3 | directory "/tmp"; 4 | forwarders { 10.0.0.1; }; 5 | notify no; 6 | }; 7 | 8 | zone "localhost" in { 9 | type master; 10 | file "localhost.zone"; 11 | }; 12 | 13 | zone "0.0.127.in-addr.arpa" in { 14 | type master; 15 | file "127.0.0.zone"; 16 | }; 17 | 18 | zone "." 
in { 19 | type hint; 20 | file "root.hint"; 21 | }; 22 | -------------------------------------------------------------------------------- /examples/named-conf/debian-HOWTO/etc/bind/named.conf: -------------------------------------------------------------------------------- 1 | // Managing acls 2 | // source: https://wiki.debian.org/Bind9#File_.2Fetc.2Fbind.2Fnamed.conf 3 | 4 | acl internals { 127.0.0.0/8; 192.168.0.0/24; }; 5 | 6 | // Load options 7 | include "/etc/bind/named.conf.options"; 8 | 9 | // TSIG key used for the dynamic update 10 | include "/etc/bind/ns-example-com_rndc-key"; 11 | 12 | // Configure the communication channel for Administrative BIND9 with rndc 13 | // By default, they key is in the rndc.key file and is used by rndc and bind9 14 | // on the localhost 15 | controls { 16 | inet 127.0.0.1 port 953 allow { 127.0.0.1; }; 17 | }; 18 | 19 | // prime the server with knowledge of the root servers 20 | zone "." { 21 | type hint; 22 | file "/etc/bind/db.root"; 23 | }; 24 | 25 | include "/etc/bind/named.conf.default-zones"; 26 | include "/etc/bind/named.conf.local"; 27 | -------------------------------------------------------------------------------- /examples/named-conf/debian-HOWTO/etc/bind/named.conf.default-zones: -------------------------------------------------------------------------------- 1 | // be authoritative for the localhost forward and reverse zones, and for 2 | // broadcast zones as per RFC 1912 3 | zone "localhost" { 4 | type master; 5 | file "/etc/bind/db.local"; 6 | }; 7 | zone "127.in-addr.arpa" { 8 | type master; 9 | file "/etc/bind/db.127"; 10 | }; 11 | zone "0.in-addr.arpa" { 12 | type master; 13 | file "/etc/bind/db.0"; 14 | }; 15 | zone "255.in-addr.arpa" { 16 | type master; 17 | file "/etc/bind/db.255"; 18 | }; 19 | -------------------------------------------------------------------------------- /examples/named-conf/debian-HOWTO/etc/bind/named.conf.local: 
-------------------------------------------------------------------------------- 1 | // Manage the file logs 2 | include "/etc/bind/named.conf.log"; 3 | 4 | // Domain Management example.com 5 | // ------------------------------ 6 | // - The server is defined as the master on the domain. 7 | // - There are no forwarders for this domain. 8 | // - Entries in the domain can be added dynamically 9 | // with the key ns-example-com_rndc-key 10 | zone "example.com" { 11 | type master; 12 | file "/var/lib/bind/db.example.com"; 13 | //forwarders {}; 14 | // If the empty ''forwarders'' clause is left uncommented, do clients on the local subnet (as in my case) lose access to the upstream DNS? 15 | //allow-update { key ns-example-com_rndc-key; }; 16 | allow-update { key rndc-key; }; 17 | // Possible confusion between the included file name (ns-example-com_rndc-key) and the key label (rndc-key)? 18 | }; 19 | zone "0.168.192.in-addr.arpa" { 20 | type master; 21 | file "/var/lib/bind/db.example.com.inv"; 22 | //see comment above (zone "example.com") 23 | //forwarders {}; 24 | //allow-update { key ns-example-com_rndc-key; }; 25 | allow-update { key rndc-key; }; 26 | }; 27 | 28 | // Consider adding the 1918 zones here, if they are not used in your 29 | // organization 30 | include "/etc/bind/zones.rfc1918"; 31 | -------------------------------------------------------------------------------- /examples/named-conf/debian-HOWTO/etc/bind/named.conf.options: -------------------------------------------------------------------------------- 1 | options { 2 | directory "/var/cache/bind"; 3 | 4 | // Exchange port between DNS servers 5 | query-source address * port *; 6 | 7 | // Forward requests to 192.168.1.1 if 8 | // this server does not know how to resolve them 9 | forward only; 10 | forwarders { 192.168.1.1; }; 11 | 12 | auth-nxdomain no; # conform to RFC1035 13 | 14 | // Per the 9.9.5 ARM, disables interface scanning so the server does not unexpectedly stop listening 15 | interface-interval 0; 16 | // Listen on local 
interfaces only(IPV4) 17 | listen-on-v6 { none; }; 18 | listen-on { 127.0.0.1; 192.168.0.1; }; 19 | 20 | // Do not transfer the zone information to the secondary DNS 21 | allow-transfer { none; }; 22 | 23 | // Accept requests for internal network only 24 | allow-query { internals; }; 25 | 26 | // Allow recursive queries to the local hosts 27 | allow-recursion { internals; }; 28 | 29 | // Do not make public version of BIND 30 | version none; 31 | }; 32 | -------------------------------------------------------------------------------- /examples/named-conf/debian-HOWTO/etc/bind/ns-example-com_rndc-key: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/named-conf/debian-HOWTO/etc/bind/zones.rfc1918: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/db.0: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for broadcast zone 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 1 ; Serial 7 | 604800 ; Refresh 8 | 86400 ; Retry 9 | 2419200 ; Expire 10 | 604800 ) ; Negative Cache TTL 11 | ; 12 | @ IN NS localhost. 13 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/db.127: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for local loopback interface 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 1 ; Serial 7 | 604800 ; Refresh 8 | 86400 ; Retry 9 | 2419200 ; Expire 10 | 604800 ) ; Negative Cache TTL 11 | ; 12 | @ IN NS localhost. 13 | 1.0.0 IN PTR localhost. 
14 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/db.255: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for broadcast zone 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 1 ; Serial 7 | 604800 ; Refresh 8 | 86400 ; Retry 9 | 2419200 ; Expire 10 | 604800 ) ; Negative Cache TTL 11 | ; 12 | @ IN NS localhost. 13 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/db.empty: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/db.local: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND data file for local loopback interface 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 2 ; Serial 7 | 604800 ; Refresh 8 | 86400 ; Retry 9 | 2419200 ; Expire 10 | 604800 ) ; Negative Cache TTL 11 | ; 12 | @ IN NS localhost. 13 | @ IN A 127.0.0.1 14 | @ IN AAAA ::1 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/named.conf: -------------------------------------------------------------------------------- 1 | // This is the primary configuration file for the BIND DNS server named. 
2 | // 3 | // Please read /usr/share/doc/bind9/README.Debian.gz for information on the 4 | // structure of BIND configuration files in Debian, *BEFORE* you customize 5 | // this configuration file. 6 | // 7 | // If you are just adding zones, please do that in /etc/bind/named.conf.local 8 | 9 | include "/etc/bind/named.conf.options"; 10 | include "/etc/bind/named.conf.local"; 11 | include "/etc/bind/named.conf.default-zones"; 12 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/named.conf.default-zones: -------------------------------------------------------------------------------- 1 | // prime the server with knowledge of the root servers 2 | zone "." { 3 | type hint; 4 | file "/etc/bind/db.root"; 5 | }; 6 | 7 | // be authoritative for the localhost forward and reverse zones, and for 8 | // broadcast zones as per RFC 1912 9 | 10 | zone "localhost" { 11 | type master; 12 | file "/etc/bind/db.local"; 13 | }; 14 | 15 | zone "127.in-addr.arpa" { 16 | type master; 17 | file "/etc/bind/db.127"; 18 | }; 19 | 20 | zone "0.in-addr.arpa" { 21 | type master; 22 | file "/etc/bind/db.0"; 23 | }; 24 | 25 | zone "255.in-addr.arpa" { 26 | type master; 27 | file "/etc/bind/db.255"; 28 | }; 29 | 30 | 31 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/named.conf.local: -------------------------------------------------------------------------------- 1 | // 2 | // Do any local configuration here 3 | // 4 | 5 | // Consider adding the 1918 zones here, if they are not used in your 6 | // organization 7 | //include "/etc/bind/zones.rfc1918"; 8 | 9 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/named.conf.options: -------------------------------------------------------------------------------- 1 | options { 2 | 
directory "/var/cache/bind"; 3 | 4 | // If there is a firewall between you and nameservers you want 5 | // to talk to, you may need to fix the firewall to allow multiple 6 | // ports to talk. See http://www.kb.cert.org/vuls/id/800113 7 | 8 | // If your ISP provided one or more IP addresses for stable 9 | // nameservers, you probably want to use them as forwarders. 10 | // Uncomment the following block, and insert the addresses replacing 11 | // the all-0's placeholder. 12 | 13 | // forwarders { 14 | // 0.0.0.0; 15 | // }; 16 | 17 | //======================================================================== 18 | // If BIND logs error messages about the root key being expired, 19 | // you will need to update your keys. See https://www.isc.org/bind-keys 20 | //======================================================================== 21 | dnssec-validation auto; 22 | 23 | auth-nxdomain no; # conform to RFC1035 24 | listen-on-v6 { any; }; 25 | }; 26 | 27 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/rndc.key: -------------------------------------------------------------------------------- 1 | key "rndc-key" { 2 | algorithm hmac-md5; 3 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 4 | }; 5 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/.orig/zones.rfc1918: -------------------------------------------------------------------------------- 1 | zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 2 | 3 | zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 4 | zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 5 | zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 6 | zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 7 | zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 8 | zone 
"21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 9 | zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 10 | zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 11 | zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 12 | zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 13 | zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 14 | zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 15 | zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 16 | zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 17 | zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 18 | zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 19 | 20 | zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 21 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/KEY_LOCATIONS.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | /etc/bind/rndc.conf 4 | /etc/bind/keys 5 | /etc/bind/trusted-keys-named.conf 6 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/bind.keys: -------------------------------------------------------------------------------- 1 | # The bind.keys file is used to override the built-in DNSSEC trust anchors 2 | # which are included as part of BIND 9. The only trust anchors it contains 3 | # are for the DNS root zone ("."). Trust anchors for any other zones MUST 4 | # be configured elsewhere; if they are configured here, they will not be 5 | # recognized or used by named. 6 | # 7 | # To use the built-in root key, set "dnssec-validation auto;" in the 8 | # named.conf options, or else leave "dnssec-validation" unset. 
If 9 | # "dnssec-validation" is set to "yes", then the keys in this file are 10 | # ignored; keys will need to be explicitly configured in named.conf for 11 | # validation to work. "auto" is the default setting, unless named is 12 | # built with "configure --disable-auto-validation", in which case the 13 | # default is "yes". 14 | # 15 | # This file is NOT expected to be user-configured. 16 | # 17 | # Servers being set up for the first time can use the contents of this file 18 | # as initializing keys; thereafter, the keys in the managed key database 19 | # will be trusted and maintained automatically. 20 | # 21 | # These keys are current as of Mar 2019. If any key fails to initialize 22 | # correctly, it may have expired. In that event you should replace this 23 | # file with a current version. The latest version of bind.keys can always 24 | # be obtained from ISC at https://www.isc.org/bind-keys. 25 | # 26 | # See https://data.iana.org/root-anchors/root-anchors.xml for current trust 27 | # anchor information for the root zone. 28 | 29 | trust-anchors { 30 | # This key (20326) was published in the root zone in 2017. 31 | . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 32 | +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv 33 | ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 34 | 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e 35 | oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd 36 | RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN 37 | R1AkUTV74bU="; 38 | }; 39 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/db.0: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for broadcast zone 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. 
( 6 | 1 ; Serial 7 | 604800 ; Refresh 8 | 86400 ; Retry 9 | 2419200 ; Expire 10 | 604800 ) ; Negative Cache TTL 11 | ; 12 | @ IN NS localhost. 13 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/db.127: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for local loopback interface 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 1 ; Serial 7 | 604800 ; Refresh 8 | 86400 ; Retry 9 | 2419200 ; Expire 10 | 604800 ) ; Negative Cache TTL 11 | ; 12 | @ IN NS localhost. 13 | 1.0.0 IN PTR localhost. 14 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/db.255: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for broadcast zone 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 1 ; Serial 7 | 604800 ; Refresh 8 | 86400 ; Retry 9 | 2419200 ; Expire 10 | 604800 ) ; Negative Cache TTL 11 | ; 12 | @ IN NS localhost. 13 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/db.empty: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 
15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/db.local: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND data file for local loopback interface 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 2 ; Serial 7 | 604800 ; Refresh 8 | 86400 ; Retry 9 | 2419200 ; Expire 10 | 604800 ) ; Negative Cache TTL 11 | ; 12 | @ IN NS localhost. 13 | @ IN A 127.0.0.1 14 | @ IN AAAA ::1 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/generate-keys.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # File: generate-key.sh 3 | # Title: Generate keys for use with IXFR/AXFR secured (TSIG) session 4 | 5 | echo -n "Enter in hostname (ending with a period): " 6 | read -r MYHOST 7 | if [ -z "$MYHOST" ]; then 8 | exit 1 9 | fi 10 | 11 | KEYGEN=$(which dnssec-keygen) 12 | if [ ! -x "$KEYGEN" ]; then 13 | echo "Keygen binary is missing; missing package?" 
14 | exit 2 15 | fi 16 | dnssec-keygen -a HMAC-SHA512 -b 512 -n USER $1 17 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/keys/ddns.md5.master-to-slave.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.master-to-slave.key 2 | // 3 | // Used to update downstream nameservers from a master NS 4 | 5 | key "master-to-slave-key" { 6 | algorithm hmac-md5; 7 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 8 | }; 9 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/keys/ddns.sha512.master-to-slave.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.sha512.master-to-slave.key 2 | // 3 | // Used to update this downstream nameserver from a remote master NS 4 | // 5 | // Used to accept changes from hidden-master 6 | // 7 | // MUST Synchronize key with hidden master 8 | // 9 | // Created with: 'rndc-confgen -A HMAC-SHA512 -k Xy4jLa01' 10 | 11 | 12 | key "Xy4jLa01" { 13 | algorithm hmac-sha512; 14 | secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="; 15 | }; 16 | 17 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/keys/ddns.sha512.public-master-to-public-secondary.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.sha512.public-master-to-public-secondary.key 2 | // 3 | // Used to update this downstream secondary nameserver from the 4 | // public master nameserver (but not hidden master nameserver) 5 | // 6 | // Created with: 'ddns-confgen -a HMAC-SHA512 -k public-master-to-public-secondary -z egbert.net' 7 | 8 | 9 | key "public-master-to-public-secondary" { 10 | algorithm hmac-sha512; 11 | 
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="; 12 | }; 13 | 14 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/keys/named.conf.key: -------------------------------------------------------------------------------- 1 | //// named.conf.key 2 | //// 3 | //// key clause 4 | //// 5 | //// Defines shared keys used to control and authenticate operations 6 | //// such as Dynamic DNS (DDNS) and the remote control channel (the 7 | //// controls clause). May be nested in a view clause. 8 | 9 | //// The most common ones are given below as examples: 10 | //// 11 | //// DDNS_UPDATER key 12 | //// used with isc-dhcpd or DHCP server for dynamic DNS updating 13 | //// 14 | //// key DDNS_UPDATER { 15 | //// algorithm hmac-md5; 16 | //// secret "abcdefghijklmnopqrstuv=="; 17 | //// }; 18 | 19 | //// NOTE: not recommended (hmac-md5 is a legacy algorithm; the key files included below use hmac-sha512); use "rndc-confgen -a" and the rndc.key file instead. 20 | //// 21 | //// // counterpart key is frequently stored in rndc.conf (e.g., webmin) 22 | //// key "rndc-key" { 23 | //// algorithm hmac-md5; 24 | //// secret "abcdefghijklmnopqrstuv=="; 25 | //// }; 26 | 27 | //// rndc-remote key 28 | //// used by remote rndc UNIX command 29 | //// Note: do not forget to add additional remote access to controls clause 30 | //// controls clause is in named.conf.controls 31 | //// 32 | //// key "rndc-remote" { 33 | //// algorithm hmac-md5; 34 | //// secret "OmItW1lOyLVUEuvv+Fme+Q=="; 35 | //// }; 36 | //// 37 | //// Note: The key clauses above would normally be placed in a 38 | //// separate secure file and included from one of the files in the named.conf group. 
39 | 40 | 41 | //// To use the "local-ddns" key (the default for session-based updates such as 42 | //// sftdyn), declare: 43 | //// 44 | //// session-keyname "local-ddns"; 45 | //// session-keyfile "/var/cache/bind/session.key"; 46 | //// 47 | //// in the options clause within /etc/bind/options.named.conf instead 48 | 49 | //// The rndc-key key is defined in /etc/bind/rndc.key 50 | //// The rndc.key file is auto-generated by the "rndc-confgen -a" command 51 | //// The rndc.key file gets included in both named's named.conf 52 | //// and rndc's rndc.conf files. 53 | include "/etc/bind/keys/rndc.sha512.key"; 54 | 55 | include "/etc/bind/keys/ddns.sha512.master-to-slave.key"; 56 | include "/etc/bind/keys/ddns.sha512.public-master-to-public-secondary.key"; 57 | 58 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/keys/rndc.sha512.key: -------------------------------------------------------------------------------- 1 | # Use with the following in named.conf, adjusting the allow list as needed. The secret below is a published example value; generate a fresh one with "rndc-confgen -a" before deploying this file. 2 | key "rndc-key" { 3 | algorithm hmac-sha512; 4 | secret "2k2vfDGvjMj5Ts+N9OKC63G/U3qDQSAejReGY8px6rVN2SQWuu0K22bT1JnLyH6DYMsbOu1F8aqfho4OF0NPYA=="; 5 | }; 6 | 7 | # End of named.conf 8 | 9 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/local-named.conf: -------------------------------------------------------------------------------- 1 | // 2 | // Do any local configuration here 3 | // 4 | 5 | // Consider adding the 1918 zones here, if they are not used in your 6 | // organization 7 | //include "/etc/bind/zones.rfc1918"; 8 | 9 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/managed-keys-named.conf: -------------------------------------------------------------------------------- 1 | //// 2 | //// File: managed-keys-named.conf 3 | //// 4 | //// 
Defines DNSSEC trusted-anchors that are dynamically managed by 5 | //// RFC 5011 compliant procedures. 6 | //// 7 | //// deprecated 8 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/rndc.conf: -------------------------------------------------------------------------------- 1 | # 2 | # File: /etc/bind/rndc.conf 3 | # Title: Start of rndc.conf 4 | key "rndc-key" { 5 | algorithm hmac-sha512; 6 | secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="; 7 | }; 8 | 9 | options { 10 | default-key "rndc-key"; 11 | default-server 127.0.0.1; 12 | default-port 953; 13 | }; 14 | # End of rndc.conf 15 | 16 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/statistics-named.conf: -------------------------------------------------------------------------------- 1 | //// 2 | //// File: statistics-named.conf 3 | //// 4 | //// Title: statistics-channels 5 | //// 6 | //// Defines access to XML (browser) statistics. 7 | 8 | //// CIS says do not use 'statistics-channel' 9 | // statistics-channels { 10 | // inet 127.0.0.1 port 8053; 11 | // }; 12 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/trusted-keys-named.conf: -------------------------------------------------------------------------------- 1 | //// 2 | //// File: trusted-keys-named.conf 3 | //// 4 | //// Title: Statically managed trusted-anchors for DNSSEC. 5 | //// 6 | //// The trusted-keys statement defines DNSSEC security roots. 7 | //// DNSSEC is described in the section called DNSSEC. 8 | //// A security root is defined when the public key for a 9 | //// non-authoritative zone is known, but cannot be securely 10 | //// obtained through DNS, either because it is the DNS root zone 11 | //// or because its parent zone is unsigned. 
Once a key has been 12 | //// configured as a trusted key, it is treated as if it had been 13 | //// validated and proven secure. The resolver attempts DNSSEC 14 | //// validation on all DNS data in subdomains of a security root. 15 | 16 | //// All keys (and corresponding zones) listed in trusted-keys 17 | //// are deemed to exist regardless of what parent zones say. 18 | //// Similarly for all keys listed in trusted-keys only those 19 | //// keys are used to validate the DNSKEY RRset. The parent's 20 | //// DS RRset will not be used. 21 | 22 | //// The trusted-keys statement can contain multiple key entries, 23 | //// each consisting of the key's domain name, flags, protocol, 24 | //// algorithm, and the Base64 representation of the key data. 25 | //// Spaces, tabs, newlines and carriage returns are ignored in 26 | //// the key data, so the configuration may be split up into 27 | //// multiple lines. 28 | 29 | //// trusted-keys may be set at the top level of named.conf or 30 | //// within a view. If it is set in both places, they are 31 | //// additive: keys defined at the top level are inherited by 32 | //// all views, but keys defined in a view are only used within 33 | //// that view. 34 | 35 | 36 | trusted-keys { 37 | 38 | egbert.net. 
257 3 8 "AwEAAaXyFLs22Rg8n062hwxEzhxzfb1XZL5fL9ctaY9gqV5L//1s6sH+iO25YoX4k8+nLVHh/9U8DpsTIx7lGYzEhYaEuoYoqKmOmYuUohgZi9Fv8zpUoL9umoGOGhvPQg/AYEG9YSWWCyAeGcJSH3n7TR6/H8jJHHdLEiNcl3SP7F8J3Al7JmAqm8oQ8/YhLgalP0abq8twNhzWEQAirmXeJMZaNP3ThMSTiZR7oIB/SQxHhsjRqpFvehLMM/tjkZSj7FiKjrtyiOmJ0B5AzS7WwpTUE1YBa6YGlFkUSSBvt5/npfdhdrOCPORh/3IabYj2gLj4qji3babkjw78k2gTPoU="; 39 | }; 40 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/view.chaos: -------------------------------------------------------------------------------- 1 | //// 2 | //// File: view.chaos 3 | //// Title: View for CHAOS zones 4 | view "chaos" CH { 5 | match-clients { any; }; 6 | zone "bind" CH { 7 | type master; 8 | file "/etc/bind/zones/db.bind"; 9 | allow-update { none; }; 10 | allow-transfer { none; }; 11 | }; 12 | }; 13 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones-named.conf: -------------------------------------------------------------------------------- 1 | // zones-named.conf 2 | //// 3 | //// Holds all the zones clauses here that are outside of a view. 
4 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones.rfc1918: -------------------------------------------------------------------------------- 1 | zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 2 | 3 | zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 4 | zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 5 | zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 6 | zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 7 | zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 8 | zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 9 | zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 10 | zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 11 | zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 12 | zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 13 | zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 14 | zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 15 | zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 16 | zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 17 | zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 18 | zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 19 | 20 | zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; 21 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.0: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for broadcast zone 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. 
( 6 | 17 7 | 604800 8 | 86400 9 | 2419200 10 | 604800 ) 11 | ; 12 | @ IN NS localhost. 13 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.127: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for local loopback interface 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 4 7 | 604800 8 | 86400 9 | 2419200 10 | 604800 ) 11 | ; 12 | @ IN NS localhost. 13 | 1.0.0 IN PTR localhost. 14 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.255: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND reverse data file for broadcast zone 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 17 7 | 604800 8 | 86400 9 | 2419200 10 | 604800 ) 11 | ; 12 | @ IN NS localhost. 13 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.bind: -------------------------------------------------------------------------------- 1 | $TTL 3600 2 | @ 86400 CH SOA localhost. root.localhost. ( 3 | 2013050801 ; serial 4 | 3600 ; refresh 5 | 3600 ; retry 6 | 604800 ; expiry 7 | 86400 ) ; minimum 8 | ; 9 | @ CH NS localhost. 10 | 11 | version CH TXT "Microsoft DNS 6.0.6100 (2AEF76E)" 12 | authors CH TXT "Microsoft" 13 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. 
( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.10: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.16.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.168.192: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. 
( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.17.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.18.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.19.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. 
( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.20.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.21.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.22.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. 
( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.23.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.24.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.25.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. 
( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.26.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.27.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.28.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. 
( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.29.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.30.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. ( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.empty.31.172: -------------------------------------------------------------------------------- 1 | ; BIND reverse data file for empty rfc1918 zone 2 | ; 3 | ; DO NOT EDIT THIS FILE - it is used for multiple zones. 4 | ; Instead, copy it, edit named.conf, and use that copy. 5 | ; 6 | $TTL 86400 7 | @ IN SOA localhost. root.localhost. 
( 8 | 1 ; Serial 9 | 604800 ; Refresh 10 | 86400 ; Retry 11 | 2419200 ; Expire 12 | 86400 ) ; Negative Cache TTL 13 | ; 14 | @ IN NS localhost. 15 | -------------------------------------------------------------------------------- /examples/named-conf/hidden-master/public/etc/bind/zones/db.local: -------------------------------------------------------------------------------- 1 | ; 2 | ; BIND data file for local loopback interface 3 | ; 4 | $TTL 604800 5 | @ IN SOA localhost. root.localhost. ( 6 | 9 7 | 604800 8 | 86400 9 | 2419200 10 | 604800 ) 11 | ; 12 | @ IN NS localhost. 13 | @ IN A 127.0.0.1 14 | @ IN AAAA ::1 15 | -------------------------------------------------------------------------------- /examples/named-conf/linuxjournal/named.conf: -------------------------------------------------------------------------------- 1 | // https://www.linuxjournal.com/article/6541 2 | 3 | options { 4 | directory "./"; 5 | }; 6 | 7 | // a caching only nameserver config 8 | zone "." IN { 9 | type hint; 10 | file "named.ca"; 11 | }; 12 | 13 | // this defines the loopback name lookup 14 | zone "localhost" IN { 15 | type master; 16 | file "master/localhost.zone"; 17 | allow-update { none; }; 18 | }; 19 | 20 | // this defines the loopback reverse name lookup 21 | zone "0.0.127.in-addr.arpa" IN { 22 | type master; 23 | file "master/localhost.rev"; 24 | allow-update { none; }; 25 | }; 26 | 27 | // This defines the secv6 domain name lookup 28 | // Secure (signed) zone file is 29 | // secv6.your.domain.signed 30 | // Regular zone file is secv6.your.domain 31 | zone "secv6.your.domain" IN { 32 | type master; 33 | file "master/secv6.your.domain.signed"; 34 | // file "master/secv6.your.domain"; 35 | }; 36 | 37 | // this defines the secv6 domain reverse 38 | // name lookup (AAAA) 39 | zone "secv6.int" IN { 40 | type master; 41 | file "master/secv6.int"; 42 | }; 43 | 44 | // this defines the secv6 domain reverse 45 | // name lookup (A6) 46 | zone "secv6.arpa" IN { 47 | type master; 48 | 
file "master/secv6.rev"; 49 | }; 50 | 51 | // secret key truncated to fit 52 | key "key" { 53 | algorithm hmac-md5; 54 | secret "iIJ32X/HQvbw93VDGElN3g=="; 55 | }; 56 | -------------------------------------------------------------------------------- /examples/named-conf/linuxjournal/x.key: -------------------------------------------------------------------------------- 1 | key "key" { 2 | algorithm hmac-md5; 3 | secret "iIJ32X/HQvbw93VDGElN3g=="; 4 | }; 5 | -------------------------------------------------------------------------------- /examples/named-conf/linuxquestions/named.conf: -------------------------------------------------------------------------------- 1 | // https://www.linuxquestions.org/questions/linux-server-73/bind-ipv6-dns-server-configuration-738562/ 2 | # File : /etc/named.conf 3 | options { 4 | directory "./"; 5 | dump-file "/tmp/named_dump.db"; 6 | statistics-file "/tmp/named.stats"; 7 | listen-on-v6 { any; }; 8 | notify no; 9 | // include "/tmp/forwarders.conf"; 10 | }; 11 | 12 | zone "." 
in { 13 | type hint; 14 | file "root.hint"; 15 | }; 16 | 17 | zone "localhost" in { 18 | type master; 19 | file "localhost.zone"; 20 | }; 21 | 22 | zone "0.0.127.in-addr.arpa" in { 23 | type master; 24 | file "127.0.0.zone"; 25 | }; 26 | 27 | // include "/etc/named.conf.include"; 28 | logging { 29 | category default { log_syslog; }; 30 | channel log_syslog { syslog; }; 31 | }; 32 | zone "ashish.com" in { 33 | allow-transfer { any; }; 34 | file "master/ashish.com"; 35 | type master; 36 | }; 37 | -------------------------------------------------------------------------------- /examples/named-conf/mmacleod.ca/dnsadmin.key: -------------------------------------------------------------------------------- 1 | key "dnsadmin" { 2 | algorithm hmac-sha256; 3 | secret "ojlCVDN3lVMxGIGiB31x9DbhqHxxgx84NSZw0c4CRgw="; 4 | }; 5 | -------------------------------------------------------------------------------- /examples/named-conf/mmacleod.ca/named.conf: -------------------------------------------------------------------------------- 1 | // https://mmacleod.ca/2011/08/ipv6-part-9-configuring-a-domain-for-ipv6-with-bind/ 2 | 3 | options { 4 | directory "./"; 5 | pid-file "/tmp/tmp"; 6 | dump-file "/tmp/tmp"; 7 | statistics-file "/tmp/named.stats"; 8 | 9 | recursion no; 10 | allow-query { any; }; 11 | version "0"; 12 | 13 | listen-on { 203.0.113.238; }; 14 | listen-on-v6 { 2001:0DB8:1000:8b00::2; }; 15 | listen-on-v6 { G001:0DB8:1000:8b00::2; }; 16 | }; 17 | 18 | include "./dnsadmin.key"; 19 | 20 | controls { 21 | inet 127.0.0.1 allow { 127.0.0.1; } keys { "dnsadmin";}; 22 | inet ::1 allow { ::1; } keys { "dnsadmin"; }; 23 | 24 | }; 25 | 26 | zone "example.com" { 27 | type master; 28 | file "/tmp/tmp"; 29 | }; 30 | -------------------------------------------------------------------------------- /examples/named-conf/named-oracle.conf: -------------------------------------------------------------------------------- 1 | // Source: 
https://docs.oracle.com/cd/E19683-01/816-7511/6mdgu0h00/index.html 2 | options { 3 | directory "/var/named"; 4 | datasize 2098; 5 | forward only; 6 | forwarders { 7 | 99.11.33.44; 8 | }; 9 | recursion no; 10 | transfers-in 10; 11 | transfers-per-ns 2; 12 | allow-transfer { 13 | 127.0.1.1/24; 14 | }; 15 | }; 16 | 17 | logging { 18 | category queries { default_syslog; }; 19 | }; 20 | 21 | ##include "/var/named/abcZones.conf" 22 | 23 | 24 | // here are the names of the master files 25 | zone "cities.zn" { 26 | type master; 27 | file "db.cities.zn"; 28 | }; 29 | 30 | zone "0.0.127.in-addr.arpa" { 31 | type master; 32 | file "db.127.cities.zn"; 33 | }; 34 | 35 | zone "168.192.in-addr.arpa" { 36 | type master; 37 | file "db.cities.zn.rev"; 38 | }; 39 | 40 | zone "sales.doc.com" { 41 | type slave; 42 | file "slave/db.sales.doc"; 43 | masters { 44 | 192.168.1.151; 45 | }; 46 | }; 47 | 48 | 49 | zone "168.192.in-addr.arpa" { 50 | type slave; 51 | file "slave/db.sales.doc.rev"; 52 | masters { 53 | 192.168.1.151; 54 | }; 55 | }; 56 | -------------------------------------------------------------------------------- /examples/named-conf/named-tldp.conf: -------------------------------------------------------------------------------- 1 | // Boot file for LAND-5 name server 2 | // https://www.tldp.org/HOWTO/DNS-HOWTO-7.html 3 | 4 | options { 5 | directory "/var/named"; 6 | }; 7 | 8 | controls { 9 | inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; 10 | }; 11 | 12 | key "rndc_key" { 13 | algorithm hmac-md5; 14 | secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; 15 | }; 16 | 17 | zone "." 
{ 18 | type hint; 19 | file "root.hints"; 20 | }; 21 | 22 | zone "0.0.127.in-addr.arpa" { 23 | type master; 24 | file "zone/127.0.0"; 25 | }; 26 | 27 | zone "land-5.com" { 28 | type master; 29 | file "zone/land-5.com"; 30 | }; 31 | 32 | zone "177.6.206.in-addr.arpa" { 33 | type master; 34 | file "zone/206.6.177"; 35 | }; 36 | 37 | -------------------------------------------------------------------------------- /examples/named-conf/named-zytrax.conf: -------------------------------------------------------------------------------- 1 | // MASTER & CACHING NAME SERVER for EXAMPLE, INC. 2 | // maintained by: me myself alone 3 | // CHANGELOG: 4 | // 1. 9 july 2003 - did something 5 | // 2. 16 july 2003 - did something else 6 | // 3. 23 july 2003 - did something more 7 | // 8 | options { 9 | directory "/var/named"; 10 | // version statement - inhibited for security 11 | // (avoids hacking any known weaknesses) 12 | version "get lost"; 13 | // optional - disables all transfers 14 | // slaves allowed in zone clauses 15 | allow-transfer {"none";}; 16 | // Closed DNS - permits only local IPs to issue recursive queries 17 | // remove if an Open DNS required to support all users 18 | // or add additional ranges 19 | allow-recursion {192.168.3.0/24;}; 20 | }; 21 | // 22 | // log to /var/log/named/example.log all events from 23 | // info UP in severity (no debug) 24 | // defaults to use 3 files in rotation 25 | // BIND 8.x logging MUST COME FIRST in this file 26 | // BIND 9.x parses the whole file before using the log 27 | // failure messages up to this point are in (syslog) 28 | // typically /var/log/messages 29 | // 30 | logging{ 31 | channel example_log{ 32 | file "/var/log/named/example.log" versions 3 size 2m; 33 | severity info; 34 | print-severity yes; 35 | print-time yes; 36 | print-category yes; 37 | }; 38 | category default{ 39 | example_log; 40 | }; 41 | }; 42 | // required zone for recursive queries 43 | zone "." 
{ 44 | type hint; 45 | file "root.servers"; 46 | }; 47 | zone "example.com" in{ 48 | type master; 49 | file "master/master.example.com"; 50 | // enable slaves only 51 | allow-transfer {192.168.23.1;192.168.23.2;}; 52 | }; 53 | // required local host domain 54 | zone "localhost" in{ 55 | type master; 56 | file "master.localhost"; 57 | allow-update{none;}; 58 | }; 59 | // localhost reverse map 60 | zone "0.0.127.in-addr.arpa" in{ 61 | type master; 62 | file "localhost.rev"; 63 | allow-update{none;}; 64 | }; 65 | // reverse map for class C 192.168.0.0 66 | zone "0.168.192.IN-ADDR.ARPA" in{ 67 | type master; 68 | file "192.168.0.rev"; 69 | }; 70 | -------------------------------------------------------------------------------- /examples/named-conf/redhat-9.3/etc/named.rfc1912.zones: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/named-conf/redhat-9.3/etc/named.root.hints: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/named-conf/sbarjatiya.com/etc/named.rfc1912.zones: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/named-conf/sbarjatiya.com/etc/named.root.hints: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/README: -------------------------------------------------------------------------------- 1 | Default NAMED configuration files are: 2 | 3 | named.conf 4 | acl-named.conf 5 | channels-named.conf 6 | controls-named.conf 7 | local-named.conf 8 | masters-named.conf 9 | options-named.conf 10 | servers-named.conf 11 
| statistics-named.conf 12 | trusted-keys-named.conf 13 | 14 | For multiple instances of bind daemons, prefix each named.conf-class filename 15 | with a tag such as 'dmz-', 'int-', 'public-', 'red-', or 'white-'. 16 | 17 | Zone filenames begin with 'zone.' 18 | 19 | View filenames begin with 'view.' 20 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/README.otherfiles: -------------------------------------------------------------------------------- 1 | Other files that the named daemon tries to open are: 2 | 3 | 4 | dmz2.tsigkeys ; dmz2 is a BIND view 5 | gateway.tsigkeys ; gateway is a BIND view 6 | white.tsigkeys ; white is a BIND view 7 | dmz.tsigkeys ; dmz is a BIND view 8 | green.tsigkeys ; green is a BIND view 9 | blue.tsigkeys ; blue is a BIND view 10 | virtualnet.tsigkeys ; virtualnet is a BIND view 11 | chaos.tsigkeys ; chaos is a BIND view 12 | _bind.tsigkeys ; _bind is an unknown BIND view 13 | 14 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/README.setup: -------------------------------------------------------------------------------- 1 | Setting up a hidden DNS server 2 | 3 | 4 | cd /var/lib/bind 5 | dnssec-keygen -a HMAC-SHA512 -b 512 -n USER in-a-box.example.com 6 | 7 | On hidden-master, use general option 'notify-on-soa yes;' 8 | 9 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/README: -------------------------------------------------------------------------------- 1 | 2 | = ROOT SERVERS = 3 | The root-server hints file used to be called 'root.hint', 'named.root', or 'named.cache', but 4 | is now called 'db.cache' and no longer resides in /etc/bind 5 | but in /var/lib/bind, as /etc/bind is no longer writeable 6 | in accordance with the Linux File System Standard.
7 | 8 | Also, DNSSEC now signs (and thus rewrites) all zone files, so 9 | writeable zone files must live under the /var/lib/bind directory. 10 | 11 | Pick up the latest root-server hints here, at least monthly: 12 | 13 | https://www.internic.net/domain/ 14 | 15 | Optionally, use a cron job to fetch and update 16 | this '/var/lib/bind/db.cache' file, but fetching it unattended is a security risk. 17 | 18 | Or you can let bind9 fetch the db.cache contents over the network at 19 | bind9 startup and keep them memory-resident only. 20 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/acl-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/acl-named.conf 2 | // 3 | //// Bind9 Access Control List 'acl' clause 4 | //// 5 | //// Defines one or more access control lists, groups of hosts 6 | //// or users identified by keys, that may be referenced in 7 | //// view and other clauses or statements. 8 | // 9 | // Customized for residential internal network 10 | // 11 | // DNS xfer 12 | // Allow no transfers. If we have other 13 | // name servers, place them here.
14 | acl xfer_acl { 15 | none; 16 | }; 17 | 18 | // Dynamically updated by /etc/dhcp/dhclient-enter-hooks.d/0-bind-update-ip 19 | include "/var/lib/bind/internal/named.conf.acl_intf_ext"; 20 | 21 | // support for cable network 22 | acl trusted_cablesupport_acl { 23 | 192.168.1.1/24; 24 | }; 25 | 26 | # dmz 27 | acl trusted_real_dmz_acl { 28 | 192.168.4.0/24; 29 | }; 30 | # dmz2 31 | acl trusted_residential_network_dmz_acl { 32 | 192.168.4.0/24; 33 | }; 34 | # blue 35 | acl trusted_residential_network_blue_acl { 36 | 192.168.5.0/24; 37 | }; 38 | # special, single-host, GATEWAY 39 | acl trusted_residential_gateway_acl { 40 | 192.168.6.1; 41 | }; 42 | # green 43 | acl trusted_residential_network_green_acl { 44 | 192.168.6.0/24; 45 | }; 46 | # white 47 | acl trusted_residential_network_white_acl { 48 | 192.168.7.0/24; 49 | }; 50 | # vmnet 51 | acl trusted_residential_network_vmnet_acl { 52 | 192.168.122.0/24; 53 | }; 54 | 55 | 56 | acl trusted_residential_network_acl { 57 | trusted_residential_network_dmz_acl; 58 | trusted_residential_network_blue_acl; 59 | trusted_residential_network_green_acl; 60 | trusted_residential_network_white_acl; 61 | trusted_residential_network_vmnet_acl; 62 | }; 63 | 64 | acl trusted_all_acl { 65 | trusted_real_dmz_acl; 66 | trusted_residential_network_dmz_acl; 67 | trusted_residential_network_blue_acl; 68 | trusted_residential_network_green_acl; 69 | trusted_residential_network_white_acl; 70 | trusted_residential_network_vmnet_acl; 71 | trusted_cablesupport_acl; 72 | localnet_acl; 73 | }; 74 | 75 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/controls-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/controls-named.conf 2 | // 3 | //// Bind9 daemon controls 4 | //// 5 | //// Controls access to stopping/starting Bind9 daemon (named) 6 | //// 7 | //// Describes and 
controls access to the control channel used 8 | //// by the remote administrator when using the rndc utility. 9 | //// 10 | //// The controls clause is used to define access information 11 | //// and controls when using remote administration services, 12 | //// for example, the rndc utility. The controls clause takes 13 | //// a single inet statement type, though more than one inet 14 | //// statement may be defined. 15 | //// 16 | //// Customized for residential internal network 17 | // 18 | // 19 | // This file was generated by, then pasted from, rndc-confgen 20 | // 21 | // Drop file permissions to 0640 root:bind on all RNDC-related files: 22 | // /etc/bind/rndc.key (if any) 23 | // /etc/bind/rndc.conf 24 | // Drop file permissions to 0750 root:bind on all RNDC-related executables: 25 | // /usr/sbin/rndc 26 | // 27 | // For each instance of bind9.service (or bind9@.service), use a distinct port number 28 | 29 | controls { 30 | inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; 31 | }; 32 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/hz.cache.home: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/hz.cache.home 2 | // 3 | // bind9 has the root hints built in, but it gives mice and men the willies 4 | // not to see them in the configuration file, so we include one here. 5 | 6 | zone "." 
IN { 7 | type hint; 8 | delegation-only yes; 9 | file "/var/lib/bind/internal/master/db.cache.home"; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/hz.cache.lab: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/hz.cache.lab 2 | // 3 | // bind9 has the root hints built in, but it gives mice and men the willies 4 | // not to see them in the configuration file, so we include one here. 5 | 6 | zone "." IN { 7 | type hint; 8 | delegation-only yes; 9 | file "/var/lib/bind/internal/master/db.cache.lab"; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/README.bind.keys: -------------------------------------------------------------------------------- 1 | Key filenames are made up of 2 | - Zone name 3 | - Key type 4 | - Random number 5 | 6 | 7 | Key types are: 8 | 9 | 5 - 10 | 8 - 11 | 157 - HMAC-MD5, only used for (ISC DHCP) dhcpd <--> named (ISC Bind9) 12 | 163 - HMAC-SHA256 (used for local-ddns) 13 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/ddns.md5.dhcp-updater.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.dhcp-updater.key 2 | // 3 | // Used to accept hostname changes via ISC DHCP dynamic update 4 | // 5 | // Referenced by /etc/dhcp/dhcpd.conf.options DDNS_UPDATER 6 | 7 | key DDNS_UPDATER { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/ddns.md5.master-to-slave.key: 
-------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.master-to-slave.key 2 | // 3 | // Used to update downstream nameservers from a master NS 4 | 5 | key "master-to-slave-key" { 6 | algorithm hmac-md5; 7 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 8 | }; 9 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/ddns.sha256.dns-arca-a.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.sha256.dns-arca-a.key 2 | // 3 | // ddns-confgen -s in-a-box.example.com 4 | 5 | key "ddns-sha256-arca-a-key" { 6 | algorithm hmac-sha256; 7 | secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="; 8 | }; 9 | 10 | /* vim: set filetype=bind-named */ 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/keys-named.conf: -------------------------------------------------------------------------------- 1 | 2 | // receives updated IP/hostname from DHCPD for BIND9 3 | // Only updates the 192.168.4.0/22 (green,blue,white views/zone) 4 | include "/etc/bind/keys/ddns.md5.dhcp-updater.key"; 5 | 6 | // Allows nsupdate to update zone database. 7 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 8 | 9 | // Allows rndc tool to control BIND9 server daemon from command line. 10 | include "/etc/bind/keys/rndc.md5.key"; 11 | 12 | // Allows master NS to update slave NS(es). 13 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 14 | 15 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/red-named.conf.keys: -------------------------------------------------------------------------------- 1 | 2 | // Allows nsupdate to update zone database. 
3 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 4 | 5 | // Allows rndc tool to control BIND9 server daemon from command line. 6 | include "/etc/bind/keys/rndc.md5.key"; 7 | 8 | // Allows master NS to update slave NS(es). 9 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 10 | 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/rndc.md5.key: -------------------------------------------------------------------------------- 1 | # File: /etc/bind/keys/rndc.key 2 | # 3 | # Used by 'rndc' utility to control ISC BIND9 name daemon. 4 | # 5 | # Created using 'rndc-confgen -A HMAC-MD5 -k rndc-key' 6 | # and manually inserted here. 7 | key rndc-key { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/tlsa-privkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 6 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 8 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 9 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 10 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 11 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 12 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 13 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 14 | 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/keys/tlsa-pubkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXX 6 | -----END PUBLIC KEY----- 7 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/local-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/local-named.conf 2 | // 3 | // Bind9 Local configuration 4 | // 5 | // Provides additional config files for bind9 configuration. 6 | // 7 | // Customized for residential internal network 8 | // 9 | //// 'include' is neither a statement nor a clause. Included here 10 | //// for no particularly good reason. include can appear anywhere 11 | //// in a named.conf file either inside or outside a clause. 12 | //// Allows inclusion of external files into named.conf for 13 | //// administrative convenience or security reasons. 14 | // 15 | 16 | include "/etc/bind/internal/view.cable"; 17 | include "/etc/bind/internal/view.green"; 18 | include "/etc/bind/internal/view.chaos"; 19 | 20 | // We don't do view-red here because we are an internal DNS server, 21 | // for that we do DNS-XFSR from another DNS server called 'bastion' 22 | // host and that is the 'public' counterpart to this 'internal' here, 23 | // and is ALSO within the same host as well (hence two DNS servers). 
24 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.home: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/mz.home 2 | // 3 | // ISP-provided 'home' TLD 4 | // 5 | // Required by cablemodem and set-top box(s) 6 | 7 | zone "home" IN { 8 | type master; 9 | file "/var/lib/bind/internal/master/db.home"; 10 | allow-update { none; }; 11 | }; 12 | 13 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.1.168.192: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/zone.ip4.1.168.192 2 | // 3 | // No need to append "." to zone name (done automatically in zone data file) 4 | // 5 | zone "1.168.192.in-addr.arpa." IN { 6 | type master; 7 | file "/var/lib/bind/internal/master/db.ip4.1.168.192"; 8 | 9 | // Provides dynamic update to DNS from ISC DHCP 10 | allow-update { 11 | key DDNS_UPDATER; 12 | }; 13 | forwarders { }; 14 | notify no; 15 | }; 16 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.127: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/zone.127 2 | 3 | 4 | zone "0.0.127.in-addr.arpa" IN { 5 | type master; 6 | file "/var/lib/bind/internal/master/db.ip4.127"; 7 | allow-update { none; }; 8 | forwarders { }; 9 | notify no; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.4.168.192: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/mz.ip4.8.168.192 2 | // 3 | // zone clause for 
the 4.168.192.in-addr.arpa zone 4 | // 5 | // Updatable by ISC DHCP via DDNS_UPDATER key 6 | // 7 | zone "4.168.192.in-addr.arpa" IN { 8 | type master; 9 | file "/var/lib/bind/internal/master/db.ip4.4.168.192"; 10 | allow-update { 11 | key DDNS_UPDATER; 12 | }; 13 | forwarders { }; 14 | notify no; 15 | }; 16 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.5.168.192: -------------------------------------------------------------------------------- 1 | 2 | zone "5.168.192.in-addr.arpa" IN { 3 | type master; 4 | file "/var/lib/bind/internal/master/db.ip4.5.168.192"; 5 | allow-update { 6 | key DDNS_UPDATER; 7 | }; 8 | forwarders { }; 9 | notify no; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.6.168.192: -------------------------------------------------------------------------------- 1 | 2 | zone "6.168.192.in-addr.arpa" IN { 3 | type master; 4 | file "/var/lib/bind/internal/master/db.ip4.6.168.192"; 5 | allow-update { 6 | key DDNS_UPDATER; 7 | }; 8 | forwarders { }; 9 | notify no; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.7.168.192: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/mz.ip4.7.168.192 2 | // 3 | zone "7.168.192.in-addr.arpa" { 4 | type master; 5 | file "/var/lib/bind/internal/master/db.ip4.6.168.192"; 6 | allow-update { 7 | key DDNS_UPDATER; 8 | }; 9 | forwarders { }; 10 | notify no; 11 | }; 12 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.lab: -------------------------------------------------------------------------------- 1 | // 
File: /etc/bind/internal/mz.lab 2 | // 3 | zone "lab" { 4 | type master; 5 | file "/var/lib/bind/internal/master/db.lab"; 6 | allow-transfer { none; }; 7 | 8 | // Absolutely no forwarding if .lab zone is touched, it stops here 9 | forwarders { }; 10 | 11 | allow-update { 12 | !{ !localhost; any; }; 13 | // only localhost got past this point here 14 | // no one can update except localhost RNDC 15 | key "rndc-key"; // only RNDC on localhost 16 | 17 | // 'allow-update' on a "locally" view is essential for 18 | // communication between ISC-DHCP and BIND9 19 | key "DDNS_UPDATER"; // only isc-dhcpd on localhost 20 | }; 21 | }; 22 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/mz.localhost: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/mz.localhost 2 | // 3 | 4 | zone "localhost" IN { 5 | type master; 6 | file "/var/lib/bind/internal/master/db.localhost"; 7 | 8 | //// option clause should have none for allow-update, forwarders, notify 9 | allow-update { none; }; 10 | forwarders { }; 11 | notify no; 12 | }; 13 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/servers-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/servers-named.conf 2 | // 3 | //// Bind9 'server' clause 4 | //// 5 | //// Defines the properties or behavior this server will use when 6 | //// accessing or responding to a defined remote server. 7 | //// May be nested in a view clause. 8 | // 9 | // Customized for residential internal network 10 | // 11 | //// The server statement defines characteristics to be associated 12 | //// with a remote name server. If a prefix length is specified, 13 | //// then a range of servers is covered. 
Only the most specific 14 | //// server clause applies regardless of the order in named.conf. 15 | 16 | 17 | //// The server statement can occur at the top level of the 18 | //// configuration file or inside a view statement. If a view 19 | //// statement contains one or more server statements, only those 20 | //// apply to the view and any top-level ones are ignored. If a 21 | //// view contains no server statements, any top-level server 22 | //// statements are used as defaults. 23 | 24 | //// in-a-box.example.com 25 | //// TODO: How to dynamically update its IP to point to in-a-box.example.com 26 | 27 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/statistics-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/statistics-named.conf 2 | // 3 | // Bind9 statistics channel 4 | // 5 | // Customized for residential internal network 6 | // 7 | //// CISecurity.Org says do not use 'statistics-channel' 8 | //// 9 | //// statistics-channels { 10 | //// inet 127.0.0.1 port 8053; 11 | //// }; 12 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/trusted-keys-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/trusted-keys-named.conf 2 | // 3 | // Bind9 trusted key 4 | // 5 | // Customized for residential internal network 6 | // 7 | trusted-keys { 8 | }; 9 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/view.cable: -------------------------------------------------------------------------------- 1 | view cable 2 | { 3 | match-clients { 4 | trusted_cablesupport_acl; 5 | }; 6 | allow-query { 7 | trusted_cablesupport_acl; 8 | }; 9 | 
recursion yes; 10 | allow-recursion { 11 | trusted_cablesupport_acl; 12 | }; 13 | allow-query-cache { 14 | trusted_cablesupport_acl; 15 | }; 16 | allow-transfer { none; }; 17 | allow-update { none; }; 18 | empty-zones-enable no; 19 | disable-empty-zone yes; 20 | 21 | // ISP-provided cable-modem must use their OWN DNS servers 22 | forwarders { 23 | 123.123.123.123; 24 | 123.123.123.124; 25 | }; 26 | 27 | // Zone files 28 | // Master zones 29 | 30 | // ".home" TLD for ISP-provided cablemodem and set-top box(es). 31 | include "/etc/bind/internal/mz.home"; 32 | include "/etc/bind/internal/mz.ip4.1.168.192"; 33 | include "/etc/bind/internal/mz.localhost"; 34 | include "/etc/bind/internal/mz.ip4.127"; 35 | 36 | // Yes, ordering matters but only at daemon reload-time 37 | include "/etc/bind/internal/hz.cache.home"; 38 | }; 39 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/internal/view.chaos: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/view.chaos 2 | // 3 | view "chaos" CH { 4 | match-clients { any; }; 5 | zone "bind" CH { 6 | type master; 7 | file "/var/lib/bind/internal/master/db.bind"; 8 | allow-update { none; }; 9 | allow-transfer { none; }; 10 | }; 11 | }; 12 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/README.bind.keys: -------------------------------------------------------------------------------- 1 | Key files are denoted by 2 | - Zone name 3 | - Key type 4 | - Random number 5 | 6 | 7 | Key types are: 8 | 9 | 5 - 10 | 8 - 11 | 157 - HMAC-MD5, only used for (ISC DHCP) dhcpd <--> named (ISC Bind9) 12 | 163 - HMAC-SHA256 (used for local-ddns) 13 | -------------------------------------------------------------------------------- 
/examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/ddns.md5.dhcp-updater.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.dhcp-updater.key 2 | // 3 | // Used to accept hostname changes via ISC DHCP dynamic update 4 | // 5 | // Referenced by /etc/dhcp/dhcpd.conf.options DDNS_UPDATER 6 | 7 | key DDNS_UPDATER { 8 | algorithm hmac-md5; 9 | secret "+XXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | 12 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/ddns.md5.master-to-slave.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.master-to-slave.key 2 | // 3 | // Used to update downstream nameservers from a master NS 4 | 5 | key "master-to-slave-key" { 6 | algorithm hmac-md5; 7 | secret "AAAAAAAAAAAAAAAAAAAAAA=="; 8 | }; 9 | 10 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/ddns.sha256.dns-arca-a.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.sha256.dns-arca-a.key 2 | // 3 | // ddns-confgen -s in-a-box.example.com. 
4 | 5 | key "ddns-sha256-arca-a-key" { 6 | algorithm hmac-sha256; 7 | secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="; 8 | }; 9 | 10 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/keys-named.conf: -------------------------------------------------------------------------------- 1 | 2 | // receives updated IP/hostname from DHCPD for BIND9 3 | // Only updates the 192.168.220/22 (green,blue,white views/zone) 4 | include "split-horizon-2-bind9-servers/etc/bind/keys/ddns.md5.dhcp-updater.key"; 5 | 6 | // Allows nsupdate to update zone database. 7 | include "split-horizon-2-bind9-servers/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 8 | 9 | // Allows rndc tool to control BIND9 server daemon from command line. 10 | include "split-horizon-2-bind9-servers/etc/bind/keys/rndc.md5.key"; 11 | 12 | // Allows master NS to update slave NS(es). 13 | include "split-horizon-2-bind9-servers/etc/bind/keys/ddns.md5.master-to-slave.key"; 14 | 15 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/red-named.conf.keys: -------------------------------------------------------------------------------- 1 | 2 | // Allows nsupdate to update zone database. 3 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 4 | 5 | // Allows rndc tool to control BIND9 server daemon from command line. 6 | include "/etc/bind/keys/rndc.md5.key"; 7 | 8 | // Allows master NS to update slave NS(es). 
9 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 10 | 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/rndc.md5.key: -------------------------------------------------------------------------------- 1 | # File: /etc/bind/keys/rndc.key 2 | # 3 | # Used by 'rndc' utility to control ISC BIND9 name daemon. 4 | # 5 | # Created using 'rndc-confgen -A HMAC-MD5 -k rndc-key' 6 | # and manually inserted here. 7 | key rndc-key { 8 | algorithm hmac-md5; 9 | secret "HHHHHHHHHHHHHHHHHHHHHH=="; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/tlsa-privkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 6 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 8 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 9 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 10 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 11 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 12 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 13 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 14 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/keys/tlsa-pubkey.pem: 
-------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXX 6 | -----END PUBLIC KEY----- 7 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/named-internal.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/named.conf 2 | // 3 | // Bind9 configuration 4 | // 5 | // Custom settings for internal network 6 | // 7 | // This is the primary configuration file for the BIND DNS server named. 8 | // 9 | 10 | // 'include' statement must have an absolute filespec or 11 | // it will read from current directory ($CWD). You 12 | // can defy this for unit testing purposes. 13 | 14 | // Please read /usr/share/doc/bind9/README.Debian.gz for 15 | // information on the structure of BIND configuration 16 | // files in Debian, *BEFORE* you customize this 17 | // configuration file. 18 | // 19 | // If you are just adding zones, please do that 20 | // inside the /etc/bind/named.conf.local file. 21 | 22 | // We can share the ACL amongst private/public zones because 23 | // it is a consistent thing to do. 
24 | 25 | include "/etc/bind/internal/acl-named.conf"; 26 | // 27 | include "/etc/bind/internal/options-named.conf"; 28 | include "/etc/bind/internal/statistics-named.conf"; 29 | include "/etc/bind/internal/channels-named.conf"; 30 | include "/etc/bind/internal/masters-named.conf"; 31 | include "/etc/bind/internal/local-named.conf"; 32 | 33 | // If you used views in local-named.conf/named.conf.local, 34 | // then no default_zones is needed 35 | ////include "/etc/bind/internal/default_zones-named.conf"; 36 | 37 | 38 | include "/etc/bind/internal/keys/keys-named.conf"; 39 | 40 | include "/etc/bind/internal/controls-named.conf"; 41 | include "/etc/bind/internal/servers-named.conf"; 42 | 43 | include "/etc/bind/internal/trusted-keys-named.conf"; 44 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/controls-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/controls-named.conf 2 | // 3 | //// Bind9 daemon controls 4 | //// 5 | //// Controls access to stopping/starting Bind9 daemon (named) 6 | //// 7 | //// Describes and controls access to the control channel used 8 | //// by the remote administrator when using the rndc utility. 9 | //// 10 | //// The controls clause is used to define access information 11 | //// and controls when using remote administration services, 12 | //// for example, the rndc utility. The controls clause takes 13 | //// a single inet statement type, though more than one inet 14 | //// statement may be defined. 
15 | //// 16 | //// Customized for public network 17 | // 18 | // 19 | // This file was generated by then pasted from rndc-confgen 20 | // 21 | // Drop file permission to 0640 root:bind on all RNDC-related files: 22 | // /etc/bind/rndc.key (if any) 23 | // /etc/bind/rndc.conf 24 | // Drop file permission to 0750 root:bind on all RNDC-related executable: 25 | // /usr/sbin/rndc 26 | // 27 | // For each instance of bind9.service (or bind9@.service), make a new port # 28 | 29 | controls { 30 | inet 127.0.0.1 port 954 allow { 127.0.0.1; } keys { rndc-key; }; 31 | }; 32 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/README.bind.keys: -------------------------------------------------------------------------------- 1 | Key files are denoted by 2 | - Zone name 3 | - Key type 4 | - Random number 5 | 6 | 7 | Key types are: 8 | 9 | 5 - 10 | 8 - 11 | 157 - HMAC-MD5, only used for (ISC DHCP) dhcpd <--> named (ISC Bind9) 12 | 163 - HMAC-SHA256 (used for local-ddns) 13 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/ddns.md5.dhcp-updater.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.dhcp-updater.key 2 | // 3 | // Used to accept hostname changes via ISC DHCP dynamic update 4 | // 5 | // Referenced by /etc/dhcp/dhcpd.conf.options DDNS_UPDATER 6 | 7 | key DDNS_UPDATER { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/ddns.md5.master-to-slave.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.master-to-slave.key 2 | // 3 | // Used to update 
downstream nameservers from a master NS 4 | 5 | key "master-to-slave-key" { 6 | algorithm hmac-md5; 7 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 8 | }; 9 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/ddns.sha256.dns-arca-a.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.sha256.dns-arca-a.key 2 | // 3 | // ddns-confgen -s in-a-box.example.com 4 | 5 | key "ddns-sha256-arca-a-key" { 6 | algorithm hmac-sha256; 7 | secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="; 8 | }; 9 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/keys-named.conf: -------------------------------------------------------------------------------- 1 | 2 | // receives updated IP/hostname from DHCPD for BIND9 3 | // Only updates the 192.168.4.0/22 (green,blue,white views/zone) 4 | include "/etc/bind/keys/ddns.md5.dhcp-updater.key"; 5 | 6 | // Allows nsupdate to update zone database. 7 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 8 | 9 | // Allows rndc tool to control BIND9 server daemon from command line. 10 | include "/etc/bind/keys/rndc.md5.key"; 11 | 12 | // Allows master NS to update slave NS(es). 13 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 14 | 15 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/red-named.conf.keys: -------------------------------------------------------------------------------- 1 | 2 | // Allows nsupdate to update zone database. 3 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 4 | 5 | // Allows rndc tool to control BIND9 server daemon from command line. 6 | include "/etc/bind/keys/rndc.md5.key"; 7 | 8 | // Allows master NS to update slave NS(es). 
9 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 10 | 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/rndc.md5.key: -------------------------------------------------------------------------------- 1 | # File: /etc/bind/keys/rndc.key 2 | # 3 | # Used by 'rndc' utility to control ISC BIND9 name daemon. 4 | # 5 | # Created using 'rndc-confgen -A HMAC-MD5 -k rndc-key' 6 | # and manually inserted here. 7 | key rndc-key { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/tlsa-privkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 6 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 8 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 9 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 10 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 11 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 12 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 13 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 14 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/keys/tlsa-pubkey.pem: 
-------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXX 6 | -----END PUBLIC KEY----- 7 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/local-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/local-named.conf 2 | // 3 | // Bind9 Local configuration 4 | // 5 | // Provides additional config files for bind9 configuration. 6 | // 7 | // Customized for public network 8 | // 9 | //// 'include' is neither a statement nor a clause. Included here 10 | //// for no particularly good reason. include can appear anywhere 11 | //// in a named.conf file either inside or outside a clause. 12 | //// Allows inclusion of external files into named.conf for 13 | //// administrative convenience or security reasons. 
14 | // 15 | 16 | include "/etc/bind/public/view.chaos"; 17 | include "/etc/bind/public/view.red"; 18 | 19 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/mz.example.net: -------------------------------------------------------------------------------- 1 | zone "example.com" IN 2 | { 3 | type master; 4 | allow-query { 5 | external_bastion_ip_acl; 6 | trusted_residential_network_all_acl; 7 | }; 8 | file "/var/lib/bind/public/master/db.example.com"; 9 | // journal "/var/cache/bind/public/example.com-master.jnl"; 10 | update-policy { 11 | grant ddns-sha256-arca-a-key self arca.example.com A; 12 | grant ddns-sha256-arca-a-key self example.com SOA; 13 | grant ddns-sha256-arca-a-key self arca.example.com PTR; 14 | }; 15 | allow-transfer { 16 | trusted_residential_network_acl; 17 | external_downstream_nameservers_acl; 18 | // key ddns-sha256-arca-a-key; 19 | !{ !localhost; any; }; 20 | // key master-to-slave-key; 21 | localhost; 22 | }; 23 | notify explicit; 24 | also-notify { masters_list_secondary_nameservers; }; 25 | auto-dnssec maintain; 26 | dnssec-loadkeys-interval 60; 27 | inline-signing yes; 28 | }; 29 | 30 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/statistics-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/statistics-named.conf 2 | // 3 | // Bind9 statistics channel 4 | // 5 | // Customized for public network 6 | // 7 | //// CIS says do not use 'statistics-channel' 8 | //// 9 | //// statistics-channels { 10 | //// inet 127.0.0.1 port 8053; 11 | //// }; 12 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/trusted-keys-named.conf: 
-------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/trusted-keys-named.conf 2 | // 3 | // Bind9 trusted key 4 | // 5 | // Customized for public network 6 | // 7 | trusted-keys { 8 | }; 9 | 10 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/public/view.chaos: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/mz.bind 2 | 3 | view "chaos" CH { 4 | match-clients { any; }; 5 | zone "bind" CH { 6 | type master; 7 | file "split-horizon-2-bind9-servers/var/lib/bind/public/master/db.bind"; 8 | allow-update { none; }; 9 | allow-transfer { none; }; 10 | }; 11 | }; 12 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/bind/rndc.conf: -------------------------------------------------------------------------------- 1 | # Start of rndc.conf 2 | 3 | include "split-horizon-2-bind9-servers/keys/rndc.md5.key"; 4 | 5 | options { 6 | default-key "rndc-key"; 7 | default-server 127.0.0.1; 8 | default-port 953; 9 | }; 10 | # End of rndc.conf 11 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/systemd/system/README: -------------------------------------------------------------------------------- 1 | The following systemd files provide support for 2 | split-horizon name server topology in 3 | running two Bind9 daemons which are: 4 | 5 | 1. Public-facing named daemon 6 | 2. Internal-facing named daemon 7 | 8 | Copy the files into their respective /etc/systemd directory. 
9 | 10 | Then execute: 11 | 12 | systemctl stop bind9 13 | systemctl disable bind9 14 | 15 | systemctl enable bind9-internal 16 | systemctl enable bind9-public 17 | systemctl start bind9-public 18 | systemctl start bind9-internal 19 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/systemd/system/bind9-internal.service: -------------------------------------------------------------------------------- 1 | # File: /etc/systemd/system/bind9-public.service 2 | # 3 | # Public-facing web server 4 | # 5 | # Not to be confused with default bind9.service 6 | # 7 | [Unit] 8 | Description=BIND Domain Name Server (Public) 9 | Documentation=man:named(8) 10 | 11 | # DHCLIENT SCRIPT will be activating this systemd unit service 12 | # No dependencies nor startup 13 | # After=network.target 14 | # Wants=nss-lookup.target 15 | # Before=nss-lookup.target 16 | 17 | # If a unit has a Conflicts= setting on another unit, starting 18 | # the former will stop the latter and vice versa. 
19 | Conflicts=bind9.service 20 | 21 | [Service] 22 | EnvironmentFile=/etc/default/bind9-internal 23 | ExecStart=/usr/sbin/named -f $OPTIONS 24 | ExecReload=/usr/sbin/rndc -p 953 reload 25 | ExecStop=/usr/sbin/rndc -p 953 stop 26 | 27 | [Install] 28 | # WantedBy=multi-user.target 29 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/systemd/system/bind9-public.service: -------------------------------------------------------------------------------- 1 | # File: /etc/systemd/system/bind9-public.service 2 | # 3 | # Public-facing web server 4 | # 5 | # Not to be confused with default bind9.service 6 | # 7 | [Unit] 8 | Description=BIND Domain Name Server (Public) 9 | Documentation=man:named(8) 10 | 11 | # DHCLIENT SCRIPT will be activating this systemd unit service 12 | # No dependencies nor startup 13 | # After=network.target 14 | # Wants=nss-lookup.target 15 | # Before=nss-lookup.target 16 | 17 | # If a unit has a Conflicts= setting on another unit, starting 18 | # the former will stop the latter and vice versa. 19 | Conflicts=bind9.service 20 | 21 | [Service] 22 | EnvironmentFile=/etc/default/bind9-public 23 | ExecStart=/usr/sbin/named -c /etc/bind/named-public.conf -f $OPTIONS 24 | ExecReload=/usr/sbin/rndc -p 954 reload 25 | ExecStop=/usr/sbin/rndc -p 954 stop 26 | 27 | [Install] 28 | # WantedBy=multi-user.target 29 | -------------------------------------------------------------------------------- /examples/named-conf/split-horizon-2-bind9-servers/etc/systemd/system/bind9.service.d/unit-conflicts.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | # If a unit has a Conflicts= setting on another unit, 4 | # starting the former will stop the latter and vice versa. 
5 | 6 | Conflicts=bind9-public.service bind9-internal.service 7 | -------------------------------------------------------------------------------- /examples/named-conf/wellho/etc/named.conf: -------------------------------------------------------------------------------- 1 | // source: http://www.wellho.net/resources/ex.php4?item=a193/named.conf 2 | 3 | options { 4 | 5 | directory "/var/lib/named"; 6 | dump-file "/var/log/named_dump.db"; 7 | statistics-file "/var/log/named.stats"; 8 | 9 | # The forwarders record contains a list of servers to which queries 10 | # should be forwarded. Up to three servers may be listed. 11 | 12 | forwarders { 62.31.176.39 ; 193.38.113.3; }; 13 | 14 | # Enable the next entry to prefer usage of the name server declared in 15 | # the forwarders section. 16 | 17 | #forward first; 18 | 19 | listen-on-v6 { any; }; 20 | 21 | # If notify is set to yes (default), notify messages are sent to other 22 | # name servers when the zone data is changed. Instead of setting 23 | # a global 'notify' statement in the 'options' section, a separate 24 | # 'notify' can be added to each zone definition. 25 | 26 | notify no; 27 | }; 28 | 29 | # The following zone definitions don't need any modification. The first one 30 | # is the definition of the root name servers. The second one defines 31 | # localhost while the third defines the reverse lookup for localhost. 32 | 33 | zone "." in { 34 | type hint; 35 | file "root.hint"; 36 | }; 37 | 38 | zone "localhost" in { 39 | type master; 40 | file "localhost.zone"; 41 | }; 42 | 43 | zone "0.0.127.in-addr.arpa" in { 44 | type master; 45 | file "127.0.0.zone"; 46 | }; 47 | 48 | # This is where you put in the link to the zone you 49 | # want to serve 50 | 51 | zone "spring.wellho.net" in { 52 | type master; 53 | file "/var/lib/named/wellho.zone"; 54 | }; 55 | 56 | # Include the meta include file generated by createNamedConfInclude. 
This 57 | # includes all files as configured in NAMED_CONF_INCLUDE_FILES from 58 | # /etc/sysconfig/named 59 | 60 | include "/etc/named.conf.include"; 61 | 62 | -------------------------------------------------------------------------------- /examples/named-conf/wellho/etc/named.conf.include: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/patterns/opt-forwarders-named.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | options { 4 | 5 | forwarders { 1.1.1.1; }; 6 | forwarders { 2.2.2.2; }; 7 | }; 8 | -------------------------------------------------------------------------------- /examples/patterns/options-ipv4only-contact-named.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | options { 4 | ipv4only-contact "a.b.com"; 5 | }; 6 | -------------------------------------------------------------------------------- /examples/patterns/trusted-keys-named.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | trusted-keys { 4 | }; 5 | -------------------------------------------------------------------------------- /examples/patterns/zone-multiple-slave-masters-named.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | zone "example.test" { 4 | type slave; 5 | masters { 192.168.1.1; }; 6 | }; 7 | zone "second-example.test" { 8 | type slave; 9 | masters { 172.16.1.1; }; 10 | }; 11 | zone "third-example" { 12 | type slave; 13 | masters { 10.0.0.1; }; 14 | }; 15 | -------------------------------------------------------------------------------- /examples/patterns/zone-slave-masters-named.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | zone "example.test" { 4 | type slave; 5 | masters { 192.168.1.1; }; 6 | }; 7 | 
-------------------------------------------------------------------------------- /examples/rough-draft/requirements.txt: -------------------------------------------------------------------------------- 1 | pyparsing>=2.4.5 2 | line_profiler 3 | re 4 | typing 5 | pprint 6 | -------------------------------------------------------------------------------- /examples/try-me.sh: -------------------------------------------------------------------------------- 1 | 2 | 3 | # cd bind9_parser 4 | # python3 ./setup.py install --user 5 | 6 | cd tests/split-horizon-2-bind9-servers 7 | ../../examples/parse_bind9.py etc/bind/named-internal.conf 8 | 9 | cd ../../examples 10 | ./parse_bind9.py named-zytrax.conf 11 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | 2 | [build-system] 3 | requires = ["pyparsing >=2.4.5"] 4 | 5 | [project] 6 | name = "bind9_parser" 7 | authors = [ 8 | { name = "Stephen Egbert", email = "egberts@yahoo.com"}, 9 | ] 10 | dependencies = [ 11 | "pyparsing >=2.4.5", 12 | "line_profiler", 13 | ] 14 | requires-python = ">=3.7" 15 | readme = "README.md" 16 | 17 | classifiers = [ 18 | 19 | 'Development Status :: 4 - Beta', 20 | 'Environment :: Web Environment', 21 | 'Intended Audience :: Developers', 22 | 'Intended Audience :: Information Technology', 23 | 'Intended Audience :: System Administrators', 24 | 'Intended Audience :: Web Developers', 25 | 'License :: OSI Approved :: MIT License', 26 | 'Operating System :: OS Independent', 27 | 'Programming Language :: Python', 28 | 'Programming Language :: Python :: 3', 29 | 'Programming Language :: Python :: 3.7', 30 | 'Programming Language :: Python :: 3.8', 31 | 'Programming Language :: Python :: 3.9', 32 | 'Programming Language :: Python :: 3.10', 33 | 'Programming Language :: Python :: 3 :: Only', 34 | 'Programming Language :: Python :: Implementation :: CPython', 35 | 'Programming 
Language :: Python :: Implementation :: PyPy', 36 | 'Topic :: Internet :: Name Service (DNS)', 37 | 'Topic :: Security', 38 | 'Topic :: Software Development :: Libraries :: Python Modules', 39 | 'Topic :: System :: Installation/Setup', 40 | 'Topic :: System :: Networking', 41 | 'Topic :: Text Processing', 42 | 'Topic :: Utilities', 43 | ] 44 | dynamic = ['license', 'keywords', 'version', 'description'] 45 | 46 | [project.optional-dependencies] 47 | test = [ 48 | "unittest", 49 | ] 50 | doc = [ ] 51 | 52 | [project.urls] 53 | Documentation = "https://github.com/egberts/bind9_parser" 54 | Source = "https://github.com/egberts/bind9_parser" 55 | Changelog = "https://github.com/egberts/bind9_parser/CHANGES" 56 | 57 | -------------------------------------------------------------------------------- /requirements-test.txt: -------------------------------------------------------------------------------- 1 | pytest-runner 2 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | pyparsing>=2.4.5 2 | line_profiler 3 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 1 | 2 | [aliases] 3 | test=pytest 4 | 5 | [tool:pytest] 6 | addopts = --verbose 7 | python_files = tests/test_acl.py \ 8 | tests/test_aml.py \ 9 | tests/test_clause_acl.py \ 10 | tests/test_clause_controls.py \ 11 | tests/test_clause_dlz.py \ 12 | tests/test_clause_dnssec_policy.py \ 13 | tests/test_clause_dyndb.py \ 14 | tests/test_clause_http.py \ 15 | tests/test_clause_key.py \ 16 | tests/test_clause_logging.py \ 17 | tests/test_clause_managed_keys.py \ 18 | tests/test_clause_options.py \ 19 | tests/test_clause_parental_agents.py \ 20 | tests/test_clause_plugin.py \ 21 | tests/test_clause_primaries.py \ 22 | tests/test_clause_server.py \ 23 | 
tests/test_clause_statistics_channels.py \ 24 | tests/test_clause_tls.py \ 25 | tests/test_clause_trust_anchors.py \ 26 | tests/test_clause_trusted_keys.py \ 27 | tests/test_clause_view.py \ 28 | tests/test_clause_zone.py \ 29 | tests/test_clauses.py \ 30 | tests/test_domain.py \ 31 | tests/test_inet.py \ 32 | tests/test_managed_keys.py \ 33 | tests/test_options.py \ 34 | tests/test_optview.py \ 35 | tests/test_optviewserver.py \ 36 | tests/test_optviewzone.py \ 37 | tests/test_optviewzoneserver.py \ 38 | tests/test_optzone.py \ 39 | tests/test_primaries.py \ 40 | tests/test_rr.py \ 41 | tests/test_server.py \ 42 | tests/test_trusted_keys.py \ 43 | tests/test_utils.py \ 44 | tests/test_view.py \ 45 | tests/test_viewzone.py \ 46 | tests/test_zone.py 47 | -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/all-test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # test if already in tests subdirectory 4 | # if not, then go to tests subdirectory in this shell session 5 | echo "TEST_DIR: $TEST_DIR" 6 | PN="$(basename "$0")" 7 | CURDIR=${PWD} 8 | THISDIR="$(pwd -P)" 9 | THIS_DIRNAME="$(dirname $CURDIR)" 10 | SCRIPTREALPATH="$(realpath "$0")" 11 | SCRIPTFULLPATH="$(readlink -e "$SCRIPTREALPATH")" 12 | SCRIPTPATH="$(dirname $SCRIPTFULLPATH)" 13 | TEST_DIR=$SCRIPTPATH 14 | TEST_DIRNAME=$(basename "$TEST_DIR") 15 | if [ "$THIS_DIRNAME" == "$TEST_DIRNAME" ]; then 16 | THIS_DIRNAME="../" 17 | fi 18 | 19 | echo "CURDIR, where current directory is at: $CURDIR" 20 | echo "THISDIR, where execution is at: $THISDIR" 21 | echo "SCRIPTREALPATH, where script is : $SCRIPTREALPATH" 22 | echo "SCRIPTFULLPATH, where script is : $SCRIPTFULLPATH" 23 | echo "SCRIPTPATH, where script is : $SCRIPTPATH" 24 | echo 
"TEST_DIR, where full-path test directory is : $TEST_DIR" 25 | echo "TEST_DIRNAME, where test directory is : $TEST_DIRNAME" 26 | echo "THIS_DIRNAME, the project dir to include this module for testing: $THIS_DIRNAME" 27 | 28 | cd "$THIS_DIRNAME" 29 | LIST_TESTS="$(ls $TEST_DIR/test_*.py)" 30 | FAILED_MODULES='' 31 | ERR_COUNT=0 32 | echo "LIST_TESTS: $LIST_TESTS" 33 | 34 | for THIS_TEST in $LIST_TESTS; do 35 | ALT_THIS_TEST=$(basename $THIS_TEST) 36 | THIS_TEST=$(echo "$ALT_THIS_TEST" | cut -f 1 -d '.') 37 | python3 -m unittest "${TEST_DIRNAME}"."${THIS_TEST}" 38 | RETSTS=$? 39 | if [ $RETSTS -ne 0 ]; then 40 | ((ERR_COUNT++)) 41 | FAILED_MODULES="$FAILED_MODULES, $THIS_TEST" 42 | fi 43 | done 44 | echo "ERR_COUNT: $ERR_COUNT" 45 | echo "FAILED_MODULES: $FAILED_MODULES" 46 | -------------------------------------------------------------------------------- /tests/all-unittests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cd .. 
# go up to project directory 4 | python3 -m unittest tests/test_*.py 5 | -------------------------------------------------------------------------------- /tests/bug-reports/etc/named.rfc1912.zones: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/bug-reports/etc/named.root.hints: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-10.named.conf: -------------------------------------------------------------------------------- 1 | view "trusted" { 2 | 3 | match-clients { 192.168.23.0/24; }; 4 | recursion yes; 5 | zone "example.com" { 6 | type master; 7 | file "internal/master.example.com"; 8 | }; 9 | zone "example22.com" { 10 | type master; 11 | file "internal/master.example22.com"; 12 | }; 13 | }; 14 | view "badguys" { 15 | match-clients {"any"; }; 16 | recursion no; 17 | zone "exampleaa.com" { 18 | type master; 19 | file "external/master.exampleaa.com"; 20 | }; 21 | }; 22 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-12.named.conf: -------------------------------------------------------------------------------- 1 | 2 | options { 3 | 4 | disable-algorithms "." { 5 | RSAMD5; 6 | DSA; 7 | }; 8 | disable-ds-digests "." 
{ 9 | GOST; 10 | }; 11 | 12 | }; 13 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-13.named.conf: -------------------------------------------------------------------------------- 1 | 2 | masters junk_name { 3 | 192.168.2.7; 4 | }; 5 | zone "example.com" in { 6 | type slave; 7 | file "slave/example.com"; 8 | // masters {192.168.2.7;}; 9 | masters junk_name; 10 | }; 11 | 12 | zone "second-example.com" in { 13 | type slave; 14 | file "slave/second-example.com"; 15 | masters port 1127 { 16 | 192.168.2.7; 17 | 10.2.3.15 key zt-key; 18 | 2001:db8:0:1::15 port 1128; 19 | }; 20 | }; 21 | 22 | 23 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-34.named-variant1.conf: -------------------------------------------------------------------------------- 1 | logging { 2 | channel "general_file" { 3 | file "/var/log/named/general.log" versions 10 size 104857600; 4 | severity dynamic; 5 | print-time yes; 6 | print-severity yes; 7 | print-category yes; 8 | }; 9 | category "general" { 10 | "general_file"; 11 | "notice-alert_file"; 12 | }; 13 | }; 14 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-34.named.conf: -------------------------------------------------------------------------------- 1 | logging { 2 | channel "general_file" { 3 | file "/var/log/named/general.log" versions 10 size 104857600; 4 | severity dynamic; 5 | print-time yes; 6 | print-severity yes; 7 | print-category yes; 8 | }; 9 | category "general" { 10 | "general_file"; 11 | "notice-alert_file"; 12 | }; 13 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-35-variant1.named.conf: -------------------------------------------------------------------------------- 1 | zone "umichtest.net" { 2 | type slave; 3 | file "oncampus/net.umichtest"; 4 | masters { 5 | 
"DNS123" ; 6 | }; 7 | }; 8 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-35.named.conf: -------------------------------------------------------------------------------- 1 | zone "umichtest.net" { 2 | type slave; 3 | file "oncampus/net.umichtest"; 4 | masters { 5 | "DNS123" ; 6 | }; 7 | }; 8 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-5.named.conf: -------------------------------------------------------------------------------- 1 | key "rndc-key" { algorithm hmac-sha256; secret "iQxBKDHuO62ECsjuWkrKzfC1FFmYF3C/5Wb8sR/MSZU="; }; 2 | controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };}; 3 | logging { channel query_log { file "/etc/namedb/log/named.log" versions 12 size 100m; print-time yes; }; 4 | category default { query_log; default_syslog; default_debug;}; 5 | category lame-servers { query_log; default_syslog; default_debug;}; 6 | category config { query_log; default_syslog; default_debug;}; 7 | category update { query_log; default_syslog; default_debug;}; 8 | category update-security { query_log; default_syslog; default_debug;}; 9 | category notify { query_log; default_syslog; default_debug;}; 10 | category queries { query_log; }; 11 | }; 12 | 13 | 14 | 15 | acl "ok" { any; }; 16 | acl "nok" { none; }; 17 | acl "auth-temp-pub" { 192.168.254.40; 192.168.254.41; }; 18 | acl "auth-temp-priv" { 192.168.3.171; 192.168.3.172; }; 19 | acl "ripe-hostcount" { 193.0.0.0/22; 91.121.158.151; 2001:610:240::/48; 20 | 2001:67c:2e8::/48; }; 21 | 22 | acl "bogon" { 23 | // Filter out the bogon networks. These are networks 24 | // listed by IANA as test, RFC1918, Multicast, experi- 25 | // mental, etc. If you see DNS queries or updates with 26 | // a source address within these networks, this is likely 27 | // of malicious origin. 
CAUTION: If you are using RFC1918 28 | // netblocks on your network, remove those netblocks from 29 | // this list of blackhole ACLs! 30 | 0.0.0.0/8; 31 | 169.254.0.0/16; 32 | 192.0.0.0/24; 33 | 192.0.2.0/24; 34 | 198.18.0.0/15; 35 | 198.51.100.0/24; 36 | 203.0.113.0/24; 37 | 240.0.0.0/4; 38 | //10.0.0.0/8; 39 | //192.168.0.0/16; 40 | //172.16.0.0/12; 41 | }; 42 | 43 | options { 44 | // Relative to the chroot directory, if any 45 | #directory "/etc/namedb"; 46 | #pid-file "/var/run/named/pid"; 47 | #dump-file "/etc/namedb/log/named_dump.db"; 48 | #statistics-file "/etc/namedb/log/named.stats"; 49 | #memstatistics-file "/etc/namedb/log/named-mem.stats"; 50 | zone-statistics yes; 51 | listen-on { 127.0.0.1; 192.168.254.1; }; 52 | // listen-on-v6 { ::1; }; 53 | version "none"; 54 | interface-interval 0; 55 | transfers-in 15; 56 | transfers-out 15; 57 | transfers-per-ns 15; 58 | recursive-clients 20000; 59 | }; 60 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-8.named.conf: -------------------------------------------------------------------------------- 1 | key "rndc-key" { algorithm hmac-sha256; secret "iQxBKDHuO62ECsjuWkrKzfC1FFmYF3C/5Wb8sR/MSZU="; };controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };}; logging { channel query_log { file "/etc/namedb/log/named.log" versions 12 size 100m; print-time yes; }; 2 | category default { query_log; default_syslog; default_debug;}; 3 | category lame-servers { query_log; default_syslog; default_debug;}; 4 | category config { query_log; default_syslog; default_debug;}; 5 | category update { query_log; default_syslog; default_debug;}; 6 | category update-security { query_log; default_syslog; default_debug;}; 7 | category notify { query_log; default_syslog; default_debug;}; 8 | category queries { query_log; }; 9 | }; 10 | 11 | 12 | 13 | acl "ok" { any; }; 14 | acl "nok" { none; }; 15 | acl "auth-temp-pub" { 192.168.254.40; 192.168.254.41; 
}; 16 | acl "auth-temp-priv" { 192.168.3.171; 192.168.3.172; }; 17 | acl "ripe-hostcount" { 193.0.0.0/22; 91.121.158.151; 2001:610:240::/48; 18 | 2001:67c:2e8::/48; }; 19 | 20 | acl "bogon" { 21 | // Filter out the bogon networks. These are networks 22 | // listed by IANA as test, RFC1918, Multicast, experi- 23 | // mental, etc. If you see DNS queries or updates with 24 | // a source address within these networks, this is likely 25 | // of malicious origin. CAUTION: If you are using RFC1918 26 | // netblocks on your network, remove those netblocks from 27 | // this list of blackhole ACLs! 28 | 0.0.0.0/8; 29 | 169.254.0.0/16; 30 | 192.0.0.0/24; 31 | 192.0.2.0/24; 32 | 198.18.0.0/15; 33 | 198.51.100.0/24; 34 | 203.0.113.0/24; 35 | 240.0.0.0/4; 36 | //10.0.0.0/8; 37 | //192.168.0.0/16; 38 | //172.16.0.0/12; 39 | }; 40 | 41 | options { 42 | // Relative to the chroot directory, if any 43 | directory "/etc/namedb"; 44 | pid-file "/var/run/named/pid"; 45 | dump-file "/etc/namedb/log/named_dump.db"; 46 | statistics-file "/etc/namedb/log/named.stats"; 47 | memstatistics-file "/etc/namedb/log/named-mem.stats"; 48 | zone-statistics yes; 49 | listen-on { 127.0.0.1; 192.168.254.1; }; 50 | // listen-on-v6 { ::1; }; 51 | version "none"; 52 | interface-interval 0; 53 | transfers-in 15; 54 | transfers-out 15; 55 | transfers-per-ns 15; 56 | recursive-clients 20000; 57 | }; 58 | -------------------------------------------------------------------------------- /tests/bug-reports/github-issue-9.view: -------------------------------------------------------------------------------- 1 | fccagou commented May 13, 2020 2 | 3 | Hello, 4 | 5 | First of all, thanks a lot for your work ! 6 | 7 | I'm looking a way to make a network graph representation of the bind configuration. 8 | I began to make it using python regex it's not good enough. 9 | Searching for existing bind9 parser, I've found yours and I'm testing it now. 10 | 11 | I know the code is beta, I've found something looking like a bug. 
12 | 13 | $ cat test_view.conf 14 | 15 | view "red" { 16 | zone "z1.com" { }; 17 | zone "z2.com" { }; 18 | }; 19 | 20 | view "green" { 21 | zone "z3.com" { }; 22 | zone "z4.com" { }; 23 | }; 24 | 25 | Running parser $ ~/src/bind9_parser/examples/parse_bind9.py test_view.conf 26 | 27 | Start: Is the library quiet? 28 | End: Is the library quiet? 29 | len(result): 2 30 | 31 | Plain print(result): 32 | [['"red"', [['"z1.com"'], ['"z2.com"']]], 33 | ['"green"', [['"z3.com"'], ['"z4.com"']]]] 34 | result: {'view': [{'view_name': '"green"', 'configs': {'zone': {'zone_name': '"z4.com"'}}}]} 35 | 36 | print(result.asDict()): 37 | { 'view': [ { 'configs': { 'zone': { 'zone_name': '"z4.com"'}}, 38 | 'view_name': '"green"'}]} 39 | end of result. 40 | 41 | The red view is present in result but absent in the dict format. 42 | 43 | Thanks in advance for informations. 44 | 45 | -- François 46 | 47 | 48 | SUMMARY 49 | ======= 50 | So, I goofed on the multiple view support as dict() type can only handle one 51 | unique view. 52 | 53 | A couple ways to fix this would be: 54 | 55 | 1. Support namedconf['view']['red'] dictionary. Bind9 does not support 56 | reuse of view names within each of its view and zone, so that'll work. 57 | 58 | 2. Support namedconf['view'][0] dictionary. This is easiest on pyparsing 59 | module. We would prefer option 1 above. 60 | 61 | 3. 
62 | -------------------------------------------------------------------------------- /tests/bug-reports/ml-bind-users.named.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | options { 4 | deny-answer-addresses { any; }; 5 | deny-answer-aliases { any; }; 6 | deny-answer-addresses { 192.0.2.0/24; }; 7 | deny-answer-aliases { "example.net"; }; 8 | 9 | deny-answer-addresses { any; } except-from { "string"; }; 10 | deny-answer-aliases { any; } except-from { "string"; }; 11 | deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; }; 12 | deny-answer-aliases { "example.net"; }; 13 | }; 14 | -------------------------------------------------------------------------------- /tests/bug-reports/x.named.conf: -------------------------------------------------------------------------------- 1 | options 2 | { 3 | query-source port 53; 4 | query-source-v6 port 53; 5 | directory "/var/named"; // the default 6 | dump-file "data/cache_dump.db"; 7 | statistics-file "data/named_stats.txt"; 8 | memstatistics-file "data/named_mem_stats.txt"; 9 | }; 10 | logging 11 | { 12 | channel default_debug { 13 | file "data/named.run"; 14 | severity dynamic; 15 | }; 16 | }; 17 | view "localhost_resolver" 18 | { 19 | match-clients { localhost; }; 20 | match-destinations { localhost; }; 21 | recursion yes; 22 | include "/etc/named.root.hints"; 23 | 24 | include "/etc/named.rfc1912.zones"; 25 | }; 26 | view "internal" 27 | { 28 | match-clients { localnets; }; 29 | match-destinations { localnets; }; 30 | recursion yes; 31 | include "/etc/named.root.hints"; 32 | 33 | zone "my.internal.zone" { 34 | type master; 35 | file "my.internal.zone.db"; 36 | }; 37 | zone "my.slave.internal.zone" { 38 | type slave; 39 | file "slaves/my.slave.internal.zone.db"; 40 | masters { 127.0.0.1; } ; 41 | }; 42 | zone "my.ddns.internal.zone" { 43 | type master; 44 | allow-update { key ddns_key; }; 45 | file "slaves/my.ddns.internal.zone.db"; 46 | }; 47 | }; 48 | key 
ddns_key 49 | { 50 | algorithm hmac-md5; 51 | secret "YmFkIHNlY3JldCBzdHJpbmcK"; 52 | }; 53 | view "external" 54 | { 55 | match-clients { !localnets; !localhost; }; 56 | match-destinations { !localnets; !localhost; }; 57 | 58 | recursion no; 59 | include "/etc/named.root.hints"; 60 | zone "my.external.zone" { 61 | type master; 62 | file "my.external.zone.db"; 63 | }; 64 | }; 65 | 66 | -------------------------------------------------------------------------------- /tests/github-issues: -------------------------------------------------------------------------------- 1 | bug-reports/ -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/README: -------------------------------------------------------------------------------- 1 | Default NAMED configuration files are: 2 | 3 | named.conf 4 | acl-named.conf 5 | channels-named.conf 6 | controls-named.conf 7 | local-named.conf 8 | masters-named.conf 9 | options-named.conf 10 | servers-named.conf 11 | statistics-named.conf 12 | trusted-keys-named.conf 13 | 14 | For multiple instances of bind daemons, preface named.conf-class filename 15 | with something like 'dmz-', 'int-', 'public-', 'red-', or 'white-'. 16 | 17 | Zone filename begin with 'zone.' 18 | 19 | View filename begin with 'view.' 
20 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/README.otherfiles: -------------------------------------------------------------------------------- 1 | Other files that named daemon tries to open are: 2 | 3 | 4 | dmz2.tsigkeys ; dmz2 is a BIND view 5 | gateway.tsigkeys ; gateway is a BIND view 6 | white.tsigkeys ; white is a BIND view 7 | dmz.tsigkeys ; dmz is a BIND view 8 | green.tsigkeys ; green is a BIND view 9 | blue.tsigkeys ; blue is a BIND view 10 | virtualnet.tsigkeys ; virtualnet is a BIND view 11 | chaos.tsigkeys ; chaos is a BIND view 12 | _bind.tsigkeys ; _bind is an unknown BIND view 13 | 14 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/README.setup: -------------------------------------------------------------------------------- 1 | Setting up hidden DNS server 2 | 3 | 4 | cd /var/lib/bind 5 | dnssec-keygen -a HMAC-SHA512 -b 512 -n USER in-a-box.example.com 6 | 7 | On hidden-master, use general option 'notify-on-soa yes;' 8 | 9 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/README: -------------------------------------------------------------------------------- 1 | 2 | = ROOT SERVERS = 3 | Root Servers used to be called 'root.hint', 'named.root', 'named.cache', but 4 | is now called 'db.cache' and no longer resides in /etc/bind 5 | but resides in /var/lib/bind as /etc/bind are no longer writeable 6 | in accordance with the Linux File System Standard. 7 | 8 | Also, DNSSEC now signs (and thusly updates) all zone files so 9 | writeable files can only be done under /var/lib/bind directory. 10 | 11 | Pick up the latest root servers here, at least monthly: 12 | 13 | https://www.internic.net/domain/ 14 | 15 | Optionally, use a cron job to fetch and update 16 | this '/var/lib/bind/db.cache' file. 
But that'd be a poor security risk. 17 | 18 | Or you can let bind9 networkly fetch the db.cache file content at 19 | bind9 startup and leave it as memory-resident storage. 20 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/acl-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/acl-named.conf 2 | // 3 | //// Bind9 Access Control List 'acl' clause 4 | //// 5 | //// Defines one of more access control lists, groups of hosts 6 | //// or users identified by keys, that may be referenced in 7 | //// view and other clauses or statements. 8 | // 9 | // Customized for residential internal network 10 | // 11 | // DNS xfer 12 | // Allow no transfers. If we have other 13 | // name servers, place them here. 14 | acl xfer_acl { 15 | none; 16 | }; 17 | 18 | // Dynamically updated by /etc/dhcp/dhclient-enter-hooks.d/0-bind-update-ip 19 | include "/var/lib/bind/internal/named.conf.acl_intf_ext"; 20 | 21 | // support for cable network 22 | acl trusted_cablesupport_acl { 23 | 192.168.1.1/24; 24 | }; 25 | 26 | # dmz 27 | acl trusted_real_dmz_acl { 28 | 192.168.4.0/24; 29 | }; 30 | # dmz2 31 | acl trusted_residential_network_dmz_acl { 32 | 192.168.4.0/24; 33 | }; 34 | # blue 35 | acl trusted_residential_network_blue_acl { 36 | 192.168.5.0/24; 37 | }; 38 | # special, single-host, GATEWAY 39 | acl trusted_residential_gateway_acl { 40 | 192.168.6.1; 41 | }; 42 | # green 43 | acl trusted_residential_network_green_acl { 44 | 192.168.6.0/24; 45 | }; 46 | # white 47 | acl trusted_residential_network_white_acl { 48 | 192.168.7.0/24; 49 | }; 50 | # vmnet 51 | acl trusted_residential_network_vmnet_acl { 52 | 192.168.122.0/24; 53 | }; 54 | 55 | 56 | acl trusted_residential_network_acl { 57 | trusted_residential_network_dmz_acl; 58 | trusted_residential_network_blue_acl; 59 | trusted_residential_network_green_acl; 60 | 
trusted_residential_network_white_acl; 61 | trusted_residential_network_vmnet_acl; 62 | }; 63 | 64 | acl trusted_all_acl { 65 | trusted_real_dmz_acl; 66 | trusted_residential_network_dmz_acl; 67 | trusted_residential_network_blue_acl; 68 | trusted_residential_network_green_acl; 69 | trusted_residential_network_white_acl; 70 | trusted_residential_network_vmnet_acl; 71 | trusted_cablesupport_acl; 72 | localnet_acl; 73 | }; 74 | 75 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/controls-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/controls-named.conf 2 | // 3 | //// Bind9 daemon controls 4 | //// 5 | //// Controls access to stopping/starting Bind9 daemon (named) 6 | //// 7 | //// Describes and controls access to the control channel used 8 | //// by the remote administrator when using the rndc utility. 9 | //// 10 | //// The controls clause is used to define access information 11 | //// and controls when using remote administration services, 12 | //// for example, the rndc utility. The controls clause takes 13 | //// a single inet statement type, though more than one inet 14 | //// statement may be defined. 
15 | //// 16 | //// Customized for residential internal network 17 | // 18 | // 19 | // This file was generated by then pasted from rndc-confgen 20 | // 21 | // Drop file permission to 0640 root:bind on all RNDC-related files: 22 | // /etc/bind/rndc.key (if any) 23 | // /etc/bind/rndc.conf 24 | // Drop file permission to 0750 root:bind on all RNDC-related executable: 25 | // /usr/sbin/rndc 26 | // 27 | // For each instance of bind9.service (or bind9@.service), make a new port # 28 | 29 | controls { 30 | inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; 31 | }; 32 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/hz.cache.home: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/hz.cache.home 2 | // 3 | // bind9 has root hint built-in, but it give mice and men the willies 4 | // not to see one in the configuration file so we include it here. 5 | 6 | zone "." IN { 7 | type hint; 8 | delegation-only yes; 9 | file "/var/lib/bind/internal/master/db.cache.home"; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/hz.cache.lab: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/hz.cache.lab 2 | // 3 | // bind9 has root hint built-in, but it give mice and men the willies 4 | // not to see one in the configuration file so we include it here. 5 | 6 | zone "." 
IN { 7 | type hint; 8 | delegation-only yes; 9 | file "/var/lib/bind/internal/master/db.cache.lab"; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/README.bind.keys: -------------------------------------------------------------------------------- 1 | Key files are denoted by 2 | - Zone name 3 | - Key type 4 | - Random number 5 | 6 | 7 | Key types are: 8 | 9 | 5 - 10 | 8 - 11 | 157 - HMAC-MD5, only used for (ISC DHCP) dhcpd <--> named (ISC Bind9) 12 | 163 - HMAC-SHA256 (used for local-ddns) 13 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/ddns.md5.dhcp-updater.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.dhcp-updater.key 2 | // 3 | // Used to accept hostname changes via ISC DHCP dynamic update 4 | // 5 | // Referenced by /etc/dhcp/dhcpd.conf.options DDNS_UPDATER 6 | 7 | key DDNS_UPDATER { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/ddns.md5.master-to-slave.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.master-to-slave.key 2 | // 3 | // Used to update downstream nameservers from a master NS 4 | 5 | key "master-to-slave-key" { 6 | algorithm hmac-md5; 7 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 8 | }; 9 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/ddns.sha256.dns-arca-a.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.sha256.dns-arca-a.key 2 | // 3 | // ddns-confgen -s in-a-box.example.com 
4 | 5 | key "ddns-sha256-arca-a-key" { 6 | algorithm hmac-sha256; 7 | secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="; 8 | }; 9 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/keys-named.conf: -------------------------------------------------------------------------------- 1 | 2 | // receives updated IP/hostname from DHCPD for BIND9 3 | // Only updates the 192.168.4.0/22 (green,blue,white views/zone) 4 | include "/etc/bind/keys/ddns.md5.dhcp-updater.key"; 5 | 6 | // Allows nsupdate to update zone database. 7 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 8 | 9 | // Allows rndc tool to control BIND9 server daemon from command line. 10 | include "/etc/bind/keys/rndc.md5.key"; 11 | 12 | // Allows master NS to update slave NS(es). 13 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 14 | 15 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/red-named.conf.keys: -------------------------------------------------------------------------------- 1 | 2 | // Allows nsupdate to update zone database. 3 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 4 | 5 | // Allows rndc tool to control BIND9 server daemon from command line. 6 | include "/etc/bind/keys/rndc.md5.key"; 7 | 8 | // Allows master NS to update slave NS(es). 9 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 10 | 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/rndc.md5.key: -------------------------------------------------------------------------------- 1 | # File: /etc/bind/keys/rndc.key 2 | # 3 | # Used by 'rndc' utility to control ISC BIND9 name daemon. 4 | # 5 | # Created using 'rndc-confgen -A HMAC-MD5 -k rndc-key' 6 | # and manually inserted here. 
7 | key rndc-key { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/tlsa-privkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 6 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 8 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 9 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 10 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 11 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 12 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 13 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 14 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/keys/tlsa-pubkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXX 6 | -----END PUBLIC KEY----- 7 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/local-named.conf: 
-------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/local-named.conf 2 | // 3 | // Bind9 Local configuration 4 | // 5 | // Provides additional config files for bind9 configuration. 6 | // 7 | // Customized for residential internal network 8 | // 9 | //// 'include' is neither a statement nor a clause. Included here 10 | //// for no particularly good reason. include can appear anywhere 11 | //// in a named.conf file either inside or outside a clause. 12 | //// Allows inclusion of external files into named.conf for 13 | //// administrative convenience or security reasons. 14 | // 15 | 16 | include "/etc/bind/internal/view.cable"; 17 | include "/etc/bind/internal/view.green"; 18 | include "/etc/bind/internal/view.chaos"; 19 | 20 | // We don't do view-red here because we are an internal DNS server, 21 | // for that we do DNS-XFSR from another DNS server called 'bastion' 22 | // host and that is the 'public' counterpart to this 'internal' here, 23 | // and is ALSO within the same host as well (hence two DNS servers). 24 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.home: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/mz.home 2 | // 3 | // ISP-provided 'home' TLD 4 | // 5 | // Required by cablemodem and set-top box(s) 6 | 7 | zone "home" IN { 8 | type master; 9 | file "/var/lib/bind/internal/master/db.home"; 10 | allow-update { none; }; 11 | }; 12 | 13 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.1.168.192: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/zone.ip4.1.168.192 2 | // 3 | // No need to append "." 
to zone name (done automatically in zone data file) 4 | // 5 | zone "1.168.192.in-addr.arpa." IN { 6 | type master; 7 | file "/var/lib/bind/internal/master/db.ip4.1.168.192"; 8 | 9 | // Provides dynamic update to DNS from ISC DHCP 10 | allow-update { 11 | key DDNS_UPDATER; 12 | }; 13 | forwarders { }; 14 | notify no; 15 | }; 16 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.127: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/zone.127 2 | 3 | 4 | zone "0.0.127.in-addr.arpa" IN { 5 | type master; 6 | file "/var/lib/bind/internal/master/db.ip4.127"; 7 | allow-update { none; }; 8 | forwarders { }; 9 | notify no; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.4.168.192: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/mz.ip4.8.168.192 2 | // 3 | // zone clause for 8.168.192.in-addr.arpa zone 4 | // 5 | // Updateably by ISC DHCP via DDNS_UPDATER key 6 | // 7 | zone "4.168.192.in-addr.arpa" IN { 8 | type master; 9 | file "/var/lib/bind/internal/master/db.ip4.4.168.192"; 10 | allow-update { 11 | key DDNS_UPDATER; 12 | }; 13 | forwarders { }; 14 | notify no; 15 | }; 16 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.5.168.192: -------------------------------------------------------------------------------- 1 | 2 | zone "5.168.192.in-addr.arpa" IN { 3 | type master; 4 | file "/var/lib/bind/internal/master/db.ip4.5.168.192"; 5 | allow-update { 6 | key DDNS_UPDATER; 7 | }; 8 | forwarders { }; 9 | notify no; 10 | }; 11 | -------------------------------------------------------------------------------- 
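/tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.6.168.192: -------------------------------------------------------------------------------- 1 | 2 | zone "6.168.192.in-addr.arpa" IN { 3 | type master; 4 | file "/var/lib/bind/internal/master/db.ip4.6.168.192"; 5 | allow-update { 6 | key DDNS_UPDATER; 7 | }; 8 | forwarders { }; 9 | notify no; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.ip4.7.168.192: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/mz.ip4.7.168.192 2 | // 3 | zone "7.168.192.in-addr.arpa" { 4 | type master; 5 | file "/var/lib/bind/internal/master/db.ip4.7.168.192"; // was db.ip4.6.168.192: a dynamic (allow-update) zone needs its own file and journal, and named refuses two writable zones that share one file 6 | allow-update { 7 | key DDNS_UPDATER; 8 | }; 9 | forwarders { }; 10 | notify no; 11 | }; 12 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.lab: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/mz.lab 2 | // 3 | zone "lab" { 4 | type master; 5 | file "/var/lib/bind/internal/master/db.lab"; 6 | allow-transfer { none; }; 7 | 8 | // Absolutely no forwarding if .lab zone is touched, it stops here 9 | forwarders { }; 10 | 11 | allow-update { 12 | !{ !localhost; any; }; // admits only localhost: named treats a negative match inside a nested list as "no match", so localhost falls through to the key elements below, while every other client matches 'any' and is denied by the outer '!' 13 | // a client must therefore be on localhost AND sign the update with one of the TSIG keys below 14 | // NOTE(review): rndc-key is also the controls{} key; reusing it as an update key means whoever holds it can both drive rndc and edit this zone — prefer a dedicated update key 15 | key "rndc-key"; // nsupdate signed with rndc-key from localhost (rndc itself does not perform dynamic updates) 16 | 17 | // 'allow-update' on a "locally" view is essential for 18 | // communication between ISC-DHCP and BIND9 19 | key "DDNS_UPDATER"; // only isc-dhcpd on localhost 20 | }; 21 | }; 22 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/mz.localhost: -------------------------------------------------------------------------------- 1 | // File: 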
/etc/bind/internal/mz.localhost 2 | // 3 | 4 | zone "localhost" IN { 5 | type master; 6 | file "/var/lib/bind/internal/master/db.localhost"; 7 | 8 | //// option clause should have none for allow-update, forwarders, notify 9 | allow-update { none; }; 10 | forwarders { }; 11 | notify no; 12 | }; 13 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/servers-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/servers-named.conf 2 | // 3 | //// Bind9 'server' clause 4 | //// 5 | //// Defines the properties or behavior this server will use when 6 | //// accessing or responding to a defined remote server. 7 | //// May be nested in a view clause. 8 | // 9 | // Customized for residential internal network 10 | // 11 | //// The server statement defines characteristics to be associated 12 | //// with a remote name server. If a prefix length is specified, 13 | //// then a range of servers is covered. Only the most specific 14 | //// server clause applies regardless of the order in named.conf. 15 | 16 | 17 | //// The server statement can occur at the top level of the 18 | //// configuration file or inside a view statement. If a view 19 | //// statement contains one or more server statements, only those 20 | //// apply to the view and any top-level ones are ignored. If a 21 | //// view contains no server statements, any top-level server 22 | //// statements are used as defaults. 
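23 | 24 | //// in-a-box.example.com 25 | //// TODO: How to dynamically update its IP to point to in-a-box.example.com 26 | 27 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/statistics-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/statistics-named.conf 2 | // 3 | // Bind9 statistics channel 4 | // 5 | // Customized for residential internal network 6 | // 7 | //// CISecurity.Org (CIS BIND benchmark) says do not enable 'statistics-channels'; if one is ever needed, keep it on 127.0.0.1 and add an explicit 'allow { ... }' list 8 | //// 9 | //// statistics-channels { 10 | //// inet 127.0.0.1 port 8053; 11 | //// }; 12 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/trusted-keys-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/trusted-keys-named.conf 2 | // 3 | // Bind9 trusted key 4 | // 5 | // Customized for residential internal network 6 | // 7 | // 'trusted-keys' is deprecated in favour of 'trust-anchors' (BIND 9.15+); an empty clause pins no anchor, so validation, if enabled, relies on the built-in root anchor / bind.keys 8 | trusted-keys { 9 | }; 10 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/view.cable: -------------------------------------------------------------------------------- 1 | view cable 2 | { 3 | match-clients { 4 | trusted_cablesupport_acl; 5 | }; 6 | allow-query { 7 | trusted_cablesupport_acl; 8 | }; 9 | recursion yes; 10 | allow-recursion { 11 | trusted_cablesupport_acl; 12 | }; 13 | allow-query-cache { 14 | trusted_cablesupport_acl; 15 | }; 16 | allow-transfer { none; }; 17 | allow-update { none; }; 18 | empty-zones-enable no; 19 | // removed 'disable-empty-zone yes;': that statement takes a zone name (e.g. "10.in-addr.arpa"), not a boolean, and 'empty-zones-enable no' above already disables every built-in empty zone 20 | 21 | // ISP-provided cable-modem must use their OWN DNS servers (placeholder addresses: replace with the ISP's actual resolvers) 22 | forwarders { 23 | 123.123.123.123; 24 | 123.123.123.124; 25 | }; 26 | 27 | // Zone files 28 | // Master zones 29 | 30 | // ".home" TLD for ISP-provided cablemodem and set-top box(es). 
31 | include "/etc/bind/internal/mz.home"; 32 | include "/etc/bind/internal/mz.ip4.1.168.192"; 33 | include "/etc/bind/internal/mz.localhost"; 34 | include "/etc/bind/internal/mz.ip4.127"; 35 | 36 | // Yes, ordering matters but only at daemon reload-time 37 | include "/etc/bind/internal/hz.cache.home"; 38 | }; 39 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/internal/view.chaos: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/view.chaos 2 | // 3 | view "chaos" CH { 4 | match-clients { any; }; 5 | // this zone answers version.bind / hostname.bind for every client (match-clients any): keep db.bind sanitized so no real version string is exposed 6 | zone "bind" CH { 7 | type master; 8 | file "/var/lib/bind/internal/master/db.bind"; 9 | allow-update { none; }; 10 | allow-transfer { none; }; 11 | }; 12 | }; 13 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/keys/README.bind.keys: -------------------------------------------------------------------------------- 1 | Key files are denoted by 2 | - Zone name 3 | - Key type (algorithm number) 4 | - Key id (key tag) 5 | 6 | 7 | Key types are: 8 | 9 | 5 - RSASHA1 10 | 8 - RSASHA256 11 | 157 - HMAC-MD5, only used for (ISC DHCP) dhcpd <--> named (ISC Bind9); weak, prefer HMAC-SHA256 12 | 163 - HMAC-SHA256 (used for local-ddns) 13 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/keys/ddns.md5.dhcp-updater.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.dhcp-updater.key 2 | // 3 | // Used to accept hostname changes via ISC DHCP dynamic update 4 | // NOTE(review): the value previously committed here looked like a live secret; rotate it and never publish TSIG secrets (this copy now carries the same placeholder as the internal/ and public/ copies). hmac-md5 is weak; both ISC DHCP and BIND support hmac-sha256 — change the algorithm here and in dhcpd.conf together. 5 | // Referenced by /etc/dhcp/dhcpd.conf.options DDNS_UPDATER 6 | 7 | key DDNS_UPDATER { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | 12 | -------------------------------------------------------------------------------- 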
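/tests/split-horizon-2-bind9-servers/etc/bind/keys/ddns.md5.master-to-slave.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.master-to-slave.key 2 | // 3 | // Used to update downstream nameservers from a master NS 4 | // NOTE(review): the value previously committed here was identical to the rndc-key secret; one key must not serve both the control channel and zone updates — rotate both and use distinct secrets (placeholder below matches the internal/ and public/ copies) 5 | key "master-to-slave-key" { 6 | algorithm hmac-md5; 7 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 8 | }; 9 | 10 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/keys/ddns.sha256.dns-arca-a.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.sha256.dns-arca-a.key 2 | // 3 | // ddns-confgen -s in-a-box.example.com. 4 | // NOTE(review): the value previously committed here looked like a live secret; rotate it — TSIG secrets must never be published 5 | key "ddns-sha256-arca-a-key" { 6 | algorithm hmac-sha256; 7 | secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="; 8 | }; 9 | 10 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/keys/keys-named.conf: -------------------------------------------------------------------------------- 1 | // include paths are relative on purpose (unit-test fixture): named resolves them against its working directory, so a production copy must use absolute paths 2 | // receives updated IP/hostname from DHCPD for BIND9 3 | // Only updates the 192.168.4.0/22 (green,blue,white views/zone) 4 | include "split-horizon-2-bind9-servers/etc/bind/keys/ddns.md5.dhcp-updater.key"; 5 | 6 | // Allows nsupdate to update zone database. 7 | include "split-horizon-2-bind9-servers/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 8 | 9 | // Allows rndc tool to control BIND9 server daemon from command line. 10 | include "split-horizon-2-bind9-servers/etc/bind/keys/rndc.md5.key"; 11 | 12 | // Allows master NS to update slave NS(es). 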
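13 | include "split-horizon-2-bind9-servers/etc/bind/keys/ddns.md5.master-to-slave.key"; 14 | 15 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/keys/red-named.conf.keys: -------------------------------------------------------------------------------- 1 | 2 | // Allows nsupdate to update zone database. 3 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 4 | 5 | // Allows rndc tool to control BIND9 server daemon from command line. 6 | include "/etc/bind/keys/rndc.md5.key"; 7 | 8 | // Allows master NS to update slave NS(es). 9 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 10 | 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/keys/rndc.md5.key: -------------------------------------------------------------------------------- 1 | # File: /etc/bind/keys/rndc.md5.key 2 | # 3 | # Used by 'rndc' utility to control ISC BIND9 name daemon. 4 | # 5 | # Created using 'rndc-confgen -A HMAC-MD5 -k rndc-key' 6 | # and manually inserted here. NOTE(review): HMAC-MD5 is weak; current rndc-confgen defaults to hmac-sha256, use that. The value previously committed here was identical to the master-to-slave-key secret — rotate it and keep the control-channel key distinct from every update/transfer key. 
7 | key rndc-key { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/keys/tlsa-privkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 6 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 8 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 9 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 10 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 11 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 12 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 13 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 14 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/keys/tlsa-pubkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXX 6 | -----END PUBLIC KEY----- 7 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/named-internal.conf: 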
-------------------------------------------------------------------------------- 1 | // File: /etc/bind/internal/named.conf 2 | // 3 | // Bind9 configuration 4 | // 5 | // Custom settings for internal network 6 | // 7 | // This is the primary configuration file for the BIND DNS server named. 8 | // 9 | 10 | // 'include' statement must have an absolute filespec or 11 | // it will read from current directory ($CWD). You 12 | // can defy this for unit testing purposes. 13 | 14 | // Please read /usr/share/doc/bind9/README.Debian.gz for 15 | // information on the structure of BIND configuration 16 | // files in Debian, *BEFORE* you customize this 17 | // configuration file. 18 | // 19 | // If you are just adding zones, please do that 20 | // inside the /etc/bind/named.conf.local file. 21 | 22 | // We can share the ACL amongst private/public zones because 23 | // it is a consistent thing to do. 24 | 25 | include "/etc/bind/internal/acl-named.conf"; 26 | // 27 | include "/etc/bind/internal/options-named.conf"; 28 | include "/etc/bind/internal/statistics-named.conf"; 29 | include "/etc/bind/internal/channels-named.conf"; 30 | include "/etc/bind/internal/masters-named.conf"; 31 | include "/etc/bind/internal/local-named.conf"; 32 | 33 | // If you used views in local-named.conf/named.conf.local, 34 | // then no default_zones is needed 35 | ////include "/etc/bind/internal/default_zones-named.conf"; 36 | 37 | 38 | include "/etc/bind/internal/keys/keys-named.conf"; 39 | 40 | include "/etc/bind/internal/controls-named.conf"; 41 | include "/etc/bind/internal/servers-named.conf"; 42 | 43 | include "/etc/bind/internal/trusted-keys-named.conf"; 44 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/controls-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/controls-named.conf 2 | // 3 | //// Bind9 daemon controls 4 | //// 5 | 
//// Controls access to stopping/starting Bind9 daemon (named) 6 | //// 7 | //// Describes and controls access to the control channel used 8 | //// by the remote administrator when using the rndc utility. 9 | //// 10 | //// The controls clause is used to define access information 11 | //// and controls when using remote administration services, 12 | //// for example, the rndc utility. The controls clause takes 13 | //// a single inet statement type, though more than one inet 14 | //// statement may be defined. 15 | //// 16 | //// Customized for public network 17 | // 18 | // 19 | // This file was generated by then pasted from rndc-confgen 20 | // 21 | // Drop file permission to 0640 root:bind on all RNDC-related files: 22 | // /etc/bind/rndc.key (if any) 23 | // /etc/bind/rndc.conf 24 | // Drop file permission to 0750 root:bind on all RNDC-related executable: 25 | // /usr/sbin/rndc 26 | // 27 | // For each instance of bind9.service (or bind9@.service), make a new port # 28 | 29 | controls { 30 | inet 127.0.0.1 port 954 allow { 127.0.0.1; } keys { rndc-key; }; 31 | }; 32 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/README.bind.keys: -------------------------------------------------------------------------------- 1 | Key files are denoted by 2 | - Zone name 3 | - Key type 4 | - Random number 5 | 6 | 7 | Key types are: 8 | 9 | 5 - 10 | 8 - 11 | 157 - HMAC-MD5, only used for (ISC DHCP) dhcpd <--> named (ISC Bind9) 12 | 163 - HMAC-SHA256 (used for local-ddns) 13 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/ddns.md5.dhcp-updater.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.dhcp-updater.key 2 | // 3 | // Used to accept hostname changes via ISC DHCP dynamic update 4 | // 5 | // Referenced by 
/etc/dhcp/dhcpd.conf.options DDNS_UPDATER 6 | 7 | key DDNS_UPDATER { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/ddns.md5.master-to-slave.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.md5.master-to-slave.key 2 | // 3 | // Used to update downstream nameservers from a master NS 4 | 5 | key "master-to-slave-key" { 6 | algorithm hmac-md5; 7 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 8 | }; 9 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/ddns.sha256.dns-arca-a.key: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/keys/ddns.sha256.dns-arca-a.key 2 | // 3 | // ddns-confgen -s in-a-box.example.com 4 | 5 | key "ddns-sha256-arca-a-key" { 6 | algorithm hmac-sha256; 7 | secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="; 8 | }; 9 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/keys-named.conf: -------------------------------------------------------------------------------- 1 | 2 | // receives updated IP/hostname from DHCPD for BIND9 3 | // Only updates the 192.168.4.0/22 (green,blue,white views/zone) 4 | include "/etc/bind/keys/ddns.md5.dhcp-updater.key"; 5 | 6 | // Allows nsupdate to update zone database. 7 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 8 | 9 | // Allows rndc tool to control BIND9 server daemon from command line. 10 | include "/etc/bind/keys/rndc.md5.key"; 11 | 12 | // Allows master NS to update slave NS(es). 
13 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 14 | 15 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/red-named.conf.keys: -------------------------------------------------------------------------------- 1 | 2 | // Allows nsupdate to update zone database. 3 | include "/etc/bind/keys/ddns.sha256.dns-arca-a.key"; 4 | 5 | // Allows rndc tool to control BIND9 server daemon from command line. 6 | include "/etc/bind/keys/rndc.md5.key"; 7 | 8 | // Allows master NS to update slave NS(es). 9 | include "/etc/bind/keys/ddns.md5.master-to-slave.key"; 10 | 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/rndc.md5.key: -------------------------------------------------------------------------------- 1 | # File: /etc/bind/keys/rndc.key 2 | # 3 | # Used by 'rndc' utility to control ISC BIND9 name daemon. 4 | # 5 | # Created using 'rndc-confgen -A HMAC-MD5 -k rndc-key' 6 | # and manually inserted here. 
7 | key rndc-key { 8 | algorithm hmac-md5; 9 | secret "XXXXXXXXXXXXXXXXXXXXXX=="; 10 | }; 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/tlsa-privkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 6 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 8 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 9 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 10 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 11 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 12 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 13 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 14 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/keys/tlsa-pubkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 4 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 | XXXXXXXXXXXXXXXXXXXXXXXX 6 | -----END PUBLIC KEY----- 7 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/local-named.conf: 
-------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/local-named.conf 2 | // 3 | // Bind9 Local configuration 4 | // 5 | // Provides additional config files for bind9 configuration. 6 | // 7 | // Customized for public network 8 | // 9 | //// 'include' is neither a statement nor a clause. Included here 10 | //// for no particularly good reason. include can appear anywhere 11 | //// in a named.conf file either inside or outside a clause. 12 | //// Allows inclusion of external files into named.conf for 13 | //// administrative convenience or security reasons. 14 | // 15 | 16 | include "/etc/bind/public/view.chaos"; 17 | include "/etc/bind/public/view.red"; 18 | 19 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/mz.example.net: -------------------------------------------------------------------------------- 1 | zone "example.com" IN 2 | { 3 | type master; 4 | allow-query { 5 | external_bastion_ip_acl; 6 | trusted_residential_network_all_acl; 7 | }; 8 | file "/var/lib/bind/public/master/db.example.com"; 9 | // journal "/var/cache/bind/public/example.com-master.jnl"; 10 | update-policy { 11 | grant ddns-sha256-arca-a-key self arca.example.com A; 12 | grant ddns-sha256-arca-a-key self example.com SOA; 13 | grant ddns-sha256-arca-a-key self arca.example.com PTR; 14 | }; 15 | allow-transfer { 16 | trusted_residential_network_acl; 17 | external_downstream_nameservers_acl; 18 | // key ddns-sha256-arca-a-key; 19 | !{ !localhost; any; }; 20 | // key master-to-slave-key; 21 | localhost; 22 | }; 23 | notify explicit; 24 | also-notify { masters_list_secondary_nameservers; }; 25 | auto-dnssec maintain; 26 | dnssec-loadkeys-interval 60; 27 | inline-signing yes; 28 | }; 29 | 30 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/servers-named.conf: 
-------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/servers-named.conf 2 | // 3 | //// Bind9 'server' clause 4 | //// 5 | //// Defines the properties or behavior this server will use when 6 | //// accessing or responding to a defined remote server. 7 | //// May be nested in a view clause. 8 | // 9 | // Customized for public network 10 | // 11 | //// The server statement defines characteristics to be associated 12 | //// with a remote name server. If a prefix length is specified, 13 | //// then a range of servers is covered. Only the most specific 14 | //// server clause applies regardless of the order in named.conf. 15 | 16 | 17 | //// The server statement can occur at the top level of the 18 | //// configuration file or inside a view statement. If a view 19 | //// statement contains one or more server statements, only those 20 | //// apply to the view and any top-level ones are ignored. If a 21 | //// view contains no server statements, any top-level server 22 | //// statements are used as defaults. 
23 | 24 | //// in-a-box.example.com 25 | //// TODO: How to dynamically update its IP to point to in-a-box.example.com 26 | 27 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/statistics-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/statistics-named.conf 2 | // 3 | // Bind9 statistics channel 4 | // 5 | // Customized for public network 6 | // 7 | //// CIS says do not use 'statistics-channel' 8 | //// 9 | //// statistics-channels { 10 | //// inet 127.0.0.1 port 8053; 11 | //// }; 12 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/trusted-keys-named.conf: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/trusted-keys-named.conf 2 | // 3 | // Bind9 trusted key 4 | // 5 | // Customized for public network 6 | // 7 | trusted-keys { 8 | }; 9 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/public/view.chaos: -------------------------------------------------------------------------------- 1 | // File: /etc/bind/public/mz.bind 2 | 3 | view "chaos" CH { 4 | match-clients { any; }; 5 | zone "bind" CH { 6 | type master; 7 | file "split-horizon-2-bind9-servers/var/lib/bind/public/master/db.bind"; 8 | allow-update { none; }; 9 | allow-transfer { none; }; 10 | }; 11 | }; 12 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/bind/rndc.conf: -------------------------------------------------------------------------------- 1 | # Start of rndc.conf 2 | 3 | include "split-horizon-2-bind9-servers/keys/rndc.md5.key"; 4 | 5 | options { 6 | default-key "rndc-key"; 7 | default-server 127.0.0.1; 8 | default-port 953; 9 | }; 10 | # End 
of rndc.conf 11 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/systemd/system/README: -------------------------------------------------------------------------------- 1 | The following systemd files provide support for 2 | split-horizon name server topology in 3 | running two Bind9 daemons which are: 4 | 5 | 1. Public-facing named daemon 6 | 2. Internal-facing named daemon 7 | 8 | Copy the files into their respective /etc/systemd directory. 9 | 10 | Then execute: 11 | 12 | systemctl stop bind9 13 | systemctl disable bind9 14 | 15 | systemctl enable bind9-internal 16 | systemctl enable bind9-public 17 | systemctl start bind9-public 18 | systemctl start bind9-internal 19 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/systemd/system/bind9-internal.service: -------------------------------------------------------------------------------- 1 | # File: /etc/systemd/system/bind9-public.service 2 | # 3 | # Public-facing web server 4 | # 5 | # Not to be confused with default bind9.service 6 | # 7 | [Unit] 8 | Description=BIND Domain Name Server (Public) 9 | Documentation=man:named(8) 10 | 11 | # DHCLIENT SCRIPT will be activating this systemd unit service 12 | # No dependencies nor startup 13 | # After=network.target 14 | # Wants=nss-lookup.target 15 | # Before=nss-lookup.target 16 | 17 | # If a unit has a Conflicts= setting on another unit, starting 18 | # the former will stop the latter and vice versa. 
19 | Conflicts=bind9.service 20 | 21 | [Service] 22 | EnvironmentFile=/etc/default/bind9-internal 23 | ExecStart=/usr/sbin/named -f $OPTIONS 24 | ExecReload=/usr/sbin/rndc -p 953 reload 25 | ExecStop=/usr/sbin/rndc -p 953 stop 26 | 27 | [Install] 28 | # WantedBy=multi-user.target 29 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/systemd/system/bind9-public.service: -------------------------------------------------------------------------------- 1 | # File: /etc/systemd/system/bind9-public.service 2 | # 3 | # Public-facing web server 4 | # 5 | # Not to be confused with default bind9.service 6 | # 7 | [Unit] 8 | Description=BIND Domain Name Server (Public) 9 | Documentation=man:named(8) 10 | 11 | # DHCLIENT SCRIPT will be activating this systemd unit service 12 | # No dependencies nor startup 13 | # After=network.target 14 | # Wants=nss-lookup.target 15 | # Before=nss-lookup.target 16 | 17 | # If a unit has a Conflicts= setting on another unit, starting 18 | # the former will stop the latter and vice versa. 19 | Conflicts=bind9.service 20 | 21 | [Service] 22 | EnvironmentFile=/etc/default/bind9-public 23 | ExecStart=/usr/sbin/named -c /etc/bind/named-public.conf -f $OPTIONS 24 | ExecReload=/usr/sbin/rndc -p 954 reload 25 | ExecStop=/usr/sbin/rndc -p 954 stop 26 | 27 | [Install] 28 | # WantedBy=multi-user.target 29 | -------------------------------------------------------------------------------- /tests/split-horizon-2-bind9-servers/etc/systemd/system/bind9.service.d/unit-conflicts.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | # If a unit has a Conflicts= setting on another unit, 4 | # starting the former will stop the latter and vice versa. 
5 | 6 | Conflicts=bind9-public.service bind9-internal.service 7 | -------------------------------------------------------------------------------- /tox.ini: -------------------------------------------------------------------------------- 1 | [tox] 2 | envlist = 3 | black 4 | py{35,36,37,38,39,310,py3} 5 | 6 | [testenv] 7 | deps=coverage 8 | commands= 9 | coverage run --parallel --branch -m unittest 10 | 11 | [testenv:black] 12 | deps = black 13 | commands = {envbindir}/black --target-version py39 --check --diff . 14 | --------------------------------------------------------------------------------