Differences

doc:dns:core [2013/12/26 13:32] Benjamin Colletdoc:dns:core [2023/08/25 16:38] (current) – external edit 127.0.0.1
Line 9: Line 9:
 ^  Usage                      Prefix                     ^ ^  Usage                      Prefix                     ^
 | Anycast DNS IPv4           | 192.168.248.53/32           | | Anycast DNS IPv4           | 192.168.248.53/32           |
-| Anycast DNS IPv6           | ''fd00:6b64:f3b0:53::/64''  |+| Anycast DNS IPv6           | ''fd00:6b64:f3b0::53/128''  |
 | Anycast recursive DNS IPv4 | 192.168.248.153/32          | | Anycast recursive DNS IPv4 | 192.168.248.153/32          |
-| Anycast recursive DNS IPv6 | ''fd00:6b64:f3b0:153::/64'' |+| Anycast recursive DNS IPv6 | ''fd00:6b64:f3b0::153/128'' |
  
 <note warning> <note warning>
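Review bot: the IPv6 rows should be checked against what the servers actually bind and what BGP actually advertises, because the old and new values are different kinds of thing. ''fd00:6b64:f3b0:53::/64'' and ''fd00:6b64:f3b0:153::/64'' were prefixes, not host addresses, and the configuration examples removed further down this page bound ''fd00:6b64:f3b0:53::1'' and ''fd00:6b64:f3b0:153::1'', which matched neither the old table nor the new one. The new ''fd00:6b64:f3b0::53/128'' and ''fd00:6b64:f3b0::153/128'' entries are consistent with the IPv4 /32 rows (one host route per anycast service), so every ''listen-on-v6'' / ''match-destinations'' statement and every BGP announcement for the IPv6 anycast service now has to carry exactly those two addresses; a server still listening on the old ''...:53::1'' address will simply never receive the anycast traffic.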
Line 17: Line 17:
 </note> </note>
  
-  * Core servers **MUST** be declared in //[[https://git.oxynux.org/glanet/dns/blob/master/acl.glanet_anycast_core|acl "glanet_anycast_core"]]//. 
-  * Core servers **MUST** allow zone transfer to any host querying the anycast DNS address. 
-  * Core servers **MUST NOT** allow zone transfer to an host querying the server's real IP address. 
   * Core recursive servers **MUST** allow recursion to any host querying the anycast recursive DNS address.   * Core recursive servers **MUST** allow recursion to any host querying the anycast recursive DNS address.
-  * Core recursive servers **MUST** allow recursion to any host defined in //[[https://git.oxynux.org/glanet/dns/blob/master/acl.glanet_mon|acl "glanet_mon"]]//.+  * Core recursive servers **MUST** allow recursion to supervision hosts querying the host's unicast address for supervision.
   * Core recursive servers **MAY** allow recursion to any other explicitly white listed host or network, at the administrator's discretion.   * Core recursive servers **MAY** allow recursion to any other explicitly white listed host or network, at the administrator's discretion.
   * Core recursive servers **MUST** deny recursion to any other host.   * Core recursive servers **MUST** deny recursion to any other host.
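Review bot: deleting the three "Core servers MUST" bullets removes the only statement of the zone-transfer policy for authoritative core servers (AXFR allowed when the client queries the anycast address, denied when it queries the server's real address), and nothing in the revised text replaces it, so the page no longer says what a core server may transfer and to whom. Either restore those two transfer bullets (the ACL link can be dropped separately) or state the replacement policy explicitly. The rewritten recursion bullet has the same problem in a smaller form: "supervision hosts querying the host's unicast address" replaces a concrete ACL with an unnamed set, and recursion on a unicast address is exactly the case the final bullet ("MUST deny recursion to any other host") is guarding against, so the page should say where the supervision hosts are enumerated (for example, mark them in the server list below, or name the ACL file) rather than leave each administrator to guess which addresses qualify.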
Line 28: Line 25:
 ===== List of anycast DNS servers ===== ===== List of anycast DNS servers =====
  
-^  Host            ^  IPv4              ^  IPv6                      ^  Recursive  ^  ASN               +^  Host                     ^  IPv4               ^  IPv6         ^  Function((Authoritative/Recursive/Both))   ASN   
-ns.fa0.org       | ''212.83.149.187'' | ''2001:bc8:3283:2000::15'' |  Yes        ^ [[as:64542|64542]] | +ns1.alt.tf                | ''212.83.149.187''  | ''2a06:e881:1101:2000::15''  |  Authoritative  ^ [[as:202945|202945]] | 
-ns2.fa0.org      | ''91.121.34.61''   | ''2001:470:1f15:872::1''   |  Yes        [[as:64542|64542]] | +ams-rdns.alt.tf           | ''192.168.42.10''   | ''2a06:e881:1101:2000::10''  |  Recursive      ^ :::                 | 
- +| tvl-services.alt.tf       | ''192.168.40.196''  ''2a06:e881:1102:2000::196''  Recursive      ^ :::                 | 
-===== BIND9 configuration examples ===== +anycast.lv0.in            | ''192.168.144.34''  | ''2a01:e35:2430:9492::2''     Recursive      ^ [[as:64544|64544]]  |
- +
-==== Common options ==== +
-<file text named.options> +
-masters "glanet"+
-  212.83.149.187; +
-  2001:bc8:3283:2000::15; +
-}; +
- +
-options { +
-  directory "/var/cache/bind"; +
- +
-  auth-nxdomain no;    # conform to RFC1035 +
- +
-  listen-on { +
-    127.0.0.1; +
-    <SERVER REAL IP>; +
-    192.168.248.53; +
-    192.168.248.153; +
-  }; +
- +
-  listen-on-v6 { any; }; +
- +
-  notify-source <SERVER REAL IP>; +
-  transfer-source <SERVER REAL IP>; +
-  notify-source-v6 <SERVER REAL IPv6>; +
-  transfer-source-v6 <SERVER REAL IPv6>; +
- +
-  version "0"; +
- +
-  notify yes; +
-  recursion no; +
- +
-  allow-query-cache { any; }; +
-  allow-transfer { none; }; +
-}; +
-</file> +
- +
-==== Core GLaNET domain name-server (without recursion) ==== +
- +
-<note important> +
-When adding a master server, don't forget that your DNS server must listen on 192.168.248.53 and/or ''fd00:6b64:f3b0:53::1'', that your BGP router must advertise it and your firewall must not bock it. +
-</note> +
- +
-<file text named.conf> +
-include named.options; +
- +
-view "glanet"+
-  match-destinations { 192.168.248.53; fd00:6b64:f3b0:53::1; }; +
-  allow-transfer { any; }; +
- +
-  # GLaNET address space PTR +
-  zone "168.192.in-addr.arpa"+
-    type slave; +
-    masters { glanet; }; +
-    file "/etc/bind/zones-slave/db.192.168"; +
-  }; +
- +
-  # GLaNET IPv6 services address space PTR +
-  zone "0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa"+
-    type slave; +
-    masters { glanet; }; +
-    file "/etc/bind/zones-slave/db.fd00:6b64:f3b0"; +
-  }; +
-}; +
- +
-view "default"+
-  # GLaNET address space PTR +
-  zone "168.192.in-addr.arpa"+
-    type slave; +
-    masters { glanet; }; +
-    file "/etc/bind/zones-slave/db.192.168"; +
-  }; +
- +
-  # GLaNET IPv6 services address space PTR +
-  zone "0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa"+
-    type slave; +
-    masters { glanet; }; +
-    file "/etc/bind/slave/db.fd00:6b64:f3b0"; +
-  }; +
- +
-  # Your own zones follow +
-  # ... +
-}; +
-</file> +
- +
-==== Core GLaNET domain name-server (with recursion) ==== +
-<note warning>Anycast recursive DNS server **must** resolve GLaNET internal zones (either locally or by forwarding the request to the anycast DNS service).</note> +
- +
-<file text named.conf> +
-include named.options; +
- +
-view "glanet_recursor"+
-  match-destinations { 192.168.248.153; fd00:6b64:f3b0:153::1; }; +
-  match-recursive-only yes; +
-  recursion yes; +
-  include "/etc/bind/named.dummy"; +
-  zone "168.192.in-addr.arpa" { type slave; masters { glanet; }; file "/etc/bind/zones-slave/db.192.168"; }; +
-  zone "d.f.ip6.arpa"         { type master; file "/etc/bind/zones-dummy/db.fd"; }; +
-}; +
- +
-view "glanet_recursor_sup"+
-  match-clients { 192.168.42.5/32; 2001:bc8:3283:2000::5/128; }; +
-  match-recursive-only yes; +
-  recursion yes; +
-  include "/etc/bind/named.dummy"; +
-  zone "168.192.in-addr.arpa" { type slave; masters { glanet; }; file "/etc/bind/zones-slave/db.192.168"; }; +
-  zone "d.f.ip6.arpa"         { type master; file "/etc/bind/zones-dummy/db.fd"; }; +
-}; +
- +
-view "glanet"+
-  match-destinations { 192.168.248.53; fd00:6b64:f3b0:53::1; }; +
-  allow-transfer { any; }; +
- +
-  # GLaNET address space PTR +
-  zone "168.192.in-addr.arpa"+
-    type slave; +
-    masters { glanet; }; +
-    file "/etc/bind/zones-slave/db.192.168"; +
-  }; +
- +
-  # GLaNET IPv6 services address space PTR +
-  zone "0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa"+
-    type slave; +
-    masters { glanet; }; +
-    file "/etc/bind/zones-slave/db.fd00:6b64:f3b0"; +
-  }; +
-}; +
- +
-view "default"+
-  # GLaNET address space PTR +
-  zone "168.192.in-addr.arpa"+
-    type slave; +
-    masters { glanet; }; +
-    file "/etc/bind/zones-slave/db.192.168"; +
-  }; +
- +
-  # GLaNET IPv6 services address space PTR +
-  zone "0.b.3.f.4.6.b.6.0.0.d.f.ip6.arpa"+
-    type slave; +
-    masters { glanet; }; +
-    file "/etc/bind/slave/db.fd00:6b64:f3b0"; +
-  }; +
- +
-  # Your own zones follow +
-  # ... +
-}; +
-</file> +
- +
-<file text db.fd> +
-$TTL 604800 +
-@ IN SOA localhost. root.localhost. ( +
-       2 ; Serial +
- 604800 ; Refresh +
-   86400 ; Retry +
- 2419200 ; Expire +
- 604800 ) ; Negative Cache TTL +
-+
-@ IN NS localhost. +
- +
-0.b.3.f.4.6.b.6.0.0 IN NS anycast-dns.glanet.org. +
-</file>+
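Review bot: dropping the whole "BIND9 configuration examples" section leaves the MUST / MUST NOT rules above without any reference implementation; the removed ''named.options'' and ''named.conf'' were where those rules were actually enforced (''recursion no'' and ''allow-transfer { none; }'' as defaults, ''allow-transfer { any; }'' only inside a view matched by ''match-destinations'' on the anycast address, ''recursion yes'' only inside the views matched by the anycast recursive address or the supervision client). The replacement server table records who runs what, but not how to avoid answering transfers or recursive queries on the unicast address, so a minimal ''named.conf'' showing the view layout (or a link to where it now lives) should stay on the page. If the old example is reinstated, fix it first: ''match-destinations'' uses ''fd00:6b64:f3b0:53::1'' and ''fd00:6b64:f3b0:153::1'', which do not match the ''fd00:6b64:f3b0::53/128'' and ''::153/128'' addresses in the new table; the ''glanet'' and ''default'' views slave the same zone ''168.192.in-addr.arpa'' into the same file ''/etc/bind/zones-slave/db.192.168'', which BIND rejects because a writable zone file cannot be shared between zones, so each view needs its own file (or the zone should be defined once and shared with ''in-view''); and the IPv6 PTR zone path differs between views (''/etc/bind/zones-slave/db.fd00:6b64:f3b0'' versus ''/etc/bind/slave/db.fd00:6b64:f3b0''), which looks like a typo rather than an intentional separation.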