#!/bin/bash # DNS # ----------------------------------------------- # This script installs packages, but the DNS zone files are only # created by the /dns/update API in the management server because # the set of zones (domains) hosted by the server depends on the # mail users & aliases created by the user later. source setup/functions.sh # load our functions source /etc/mailinabox.conf # load global vars # Prepare nsd's configuration. # We configure nsd before installation as we only want it to bind to some addresses # and it otherwise will have port / bind conflicts with bind9 used as the local resolver mkdir -p /var/run/nsd mkdir -p /etc/nsd mkdir -p /etc/nsd/zones touch /etc/nsd/zones.conf touch /etc/nsd/nsd.conf cat > /etc/nsd/nsd.conf << EOF; # Do not edit. Overwritten by Mail-in-a-Box setup. server: hide-version: yes logfile: "/var/log/nsd.log" # identify the server (CH TXT ID.SERVER entry). identity: "" # The directory for zonefile: files. zonesdir: "/etc/nsd/zones" # Allows NSD to bind to IP addresses that are not (yet) added to the # network interface. This allows nsd to start even if the network stack # isn't fully ready, which apparently happens in some cases. # See https://www.nlnetlabs.nl/projects/nsd/nsd.conf.5.html. ip-transparent: yes EOF # Since we have bind9 listening on localhost for locally-generated # DNS queries that require a recursive nameserver, and the system # might have other network interfaces for e.g. tunnelling, we have # to be specific about the network interfaces that nsd binds to. for ip in $PRIVATE_IP $PRIVATE_IPV6; do echo " ip-address: $ip" >> /etc/nsd/nsd.conf; done # Create a directory for additional configuration directives, including # the zones.conf file written out by our management daemon. echo "include: /etc/nsd/nsd.conf.d/*.conf" >> /etc/nsd/nsd.conf; # Remove the old location of zones.conf that we generate. It will # now be stored in /etc/nsd/nsd.conf.d. rm -f /etc/nsd/zones.conf # Add log rotation cat > /etc/logrotate.d/nsd < $STORAGE_ROOT/dns/dnssec/$algo.conf << EOF; KSK=$KSK ZSK=$ZSK EOF fi # And loop to do the next algorithm... done # Force the dns_update script to be run every day to re-sign zones for DNSSEC # before they expire. When we sign zones (in `dns_update.py`) we specify a # 30-day validation window, so we had better re-sign before then. cat > /etc/cron.daily/mailinabox-dnssec << EOF; #!/bin/bash # Mail-in-a-Box # Re-sign any DNS zones with DNSSEC because the signatures expire periodically. $(pwd)/tools/dns_update EOF chmod +x /etc/cron.daily/mailinabox-dnssec # Permit DNS queries on TCP/UDP in the firewall. ufw_allow domain