dn42-router/host_vars/p2p-node.de/bind9.yml

---
# To update DNSSEC keys, see https://www.isc.org/bind-keys
bind:
  dnssec_policies:
    - name: standard
      ttl: 3600
      keys:
        - type: ksk
          lifetime: unlimited
          algorithm: ED25519
        - type: zsk
          lifetime: unlimited
          algorithm: ED25519
    - name: noed25519
      ttl: 3600
      keys:
        - type: ksk
          lifetime: unlimited
          algorithm: RSASHA256
        - type: ksk
          lifetime: unlimited
          algorithm: ECDSAP384SHA384
        - type: zsk
          lifetime: unlimited
          algorithm: RSASHA256
        - type: zsk
          lifetime: unlimited
          algorithm: ECDSAP384SHA384
  logging:
    channel:
      print_time: true
      print_category: true
      print_severity: true
      severity: info
      others:
        - syslog daemon
    categories:
      - resolver
      - default
      - client
      - config
      - unmatched
      - dispatch
      - database
      - security
      - rate-limit
      - dnssec
      - general
  options:
    directory: "/var/cache/bind"
    recursion: true
    allow_recursion:
      - 127.0.0.1
    allow_query:
      - 127.0.0.1
      - 172.31.0.5
      - 172.22.149.226
      - 172.22.149.227
      - 172.22.149.232
      - key transfer_key
    allow_transfer:
      - key transfer_key
      - 127.0.0.1
    also_notify:
      - 172.22.149.226 port 5353
      - 172.22.149.227 port 5353
      - 172.22.149.232 port 5353
    dnssec_validation: auto
    validate_except:
      - ff3l
      - fffd
      - fftr
      - ffhl
    port: 5353
    listen_on:
      - any
  servers:
    - server: 172.22.149.225
      keys:
        - transfer_key
    - server: 172.31.0.5
      keys:
        - mark22k_hack
  keys:
    - name: transfer_key
      algorithm: hmac-sha512
      secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          64643966386533336163363338663333643033633035663265393266333564323062313266363661
          6662313134613662623063623362626662346363623765620a643239396662333533383535613765
          34333631636338353139643163653261653461616165343761393364396462343733346465633463
          6666366535366631350a343232643764343433376261376239333439393931646566613934666533
          30393533356139396666356466643038656566613739666664633433656163303865396332616533
          66316636363931663335636661656365633939313065663632383665353661623764666563666565
          31653861316539326531396161323365333739633833363039663462313335316663376666373234
          63393764386661363837393432653361613666636239366433366562653963333966313563303939
          6630
    - name: mark22k_hack
      algorithm: hmac-sha256
      secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32383331393737623961373666396532376263636566333863393961386339666332313061303462
          3362323662323164616334383564373237626436383030390a616261313163396633383033653664
          65663232663464663232363866633961663332376534373835336465363638663365666236373366
          6134663938333264660a653433373866383332353735393663643437336632396465306531353962
          35346238336530336366353665633832326330653931666134353835316137356630643136336162
          6263383664623262323636313237663438313337313530353861

  zones:
    # Own zones
    ## Clearnet
    - zone: mk16.de.
      type: master
      file: "/var/cache/bind/zones/db.mk16.de"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: noed25519
    - zone: dn42-lab.de.
      type: master
      file: "/var/cache/bind/zones/db.dn42-lab.de"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: noed25519
    - zone: byeob.de.
      type: master
      file: "/var/cache/bind/zones/db.byeob.de"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: noed25519
    - zone: p2p-node.de.
      type: master
      file: "/var/cache/bind/zones/db.p2p-node.de"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: noed25519
    - zone: p2p-router.de.
      type: master
      file: "/var/cache/bind/zones/db.p2p-router.de"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: noed25519
    - zone: i2phides.me.
      type: master
      file: "/var/cache/bind/zones/db.i2phides.me"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: noed25519
    - zone: crxn.de.
      type: master
      file: "/var/cache/bind/zones/db.crxn.de"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: noed25519

    ## dn42
    - zone: bandura.dn42.
      type: master
      file: "/var/cache/bind/zones/db.bandura.dn42"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    - zone: 224/27.149.22.172.in-addr.arpa.
      type: master
      file: "/var/cache/bind/zones/db.172.22.149_27"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    - zone: 112/28.149.22.172.in-addr.arpa.
      type: master
      file: "/var/cache/bind/zones/db.172.22.149.112_28"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    - zone: 1.3.c.f.e.4.3.2.4.0.d.f.ip6.arpa.
      type: master
      file: "/var/cache/bind/zones/db.fd04:234e:fc31::"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
      
    ## NeoNetwork
    - zone: bandura.neo.
      type: master
      file: "/var/cache/bind/zones/db.bandura.neo"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    - zone: 149.127.10.in-addr.arpa.
      type: master
      file: "/var/cache/bind/zones/db.10.127.149"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    - zone: 1.3.c.f.7.2.1.0.0.1.d.f.ip6.arpa.
      type: master
      file: "/var/cache/bind/zones/db.fd10:127:fc31::"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    
    ## CRXN
    - zone: bandura.crxn.
      type: master
      file: "/var/cache/bind/zones/db.bandura.crxn"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    - zone: docs.crxn.
      type: master
      file: "/var/cache/bind/zones/db.docs.crxn"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    - zone: 2.b.2.0.6.b.8.5.2.9.d.f.ip6.arpa.
      type: master
      file: "/var/cache/bind/zones/db.fd92:58b6:2b2::_48"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard
    - zone: 6.6.6.2.7.3.e.3.c.5.d.f.ip6.arpa.
      type: master
      file: "/var/cache/bind/zones/db.fd5c:3e37:2666::_48"
      key_directory: "/var/cache/bind/keys/"
      dnssec: true
      dnssec_policy: standard

    # myip.dn42
    - zone: myip.dn42.
      type: master
      file: "/var/cache/bind/zones/db.myip.dn42"
    - zone: 81/32.0.20.172.in-addr.arpa.
      type: master
      file: "/var/cache/bind/zones/db.172.20.0.81_32"
    - zone: 1.8.0.0.2.4.d.0.2.4.d.0.2.4.d.f.ip6.arpa.
      type: master
      file: "/var/cache/bind/zones/db.fd42:d42:d42:81::"

    # CRXN root
    - zone: crxn.
      type: master
      file: "/var/cache/bind/zones/db.crxn-root"
      key_directory: "/var/cache/bind/keys/crxn/"
      dnssec: true
      dnssec_policy: standard

    # Hack root
    - zone: hack.
      type: slave
      file: "/var/cache/bind/zones/hack/hack-root"
      masters:
        - 172.31.0.5 port 53
    - zone: 31.172.in-addr.arpa.
      type: slave
      file: "/var/cache/bind/zones/hack/172.31-root"
      masters:
        - 172.31.0.5 port 53
    - zone: 100.10.in-addr.arpa.
      type: slave
      file: "/var/cache/bind/zones/hack/10.100-root"
      masters:
        - 172.31.0.5 port 53
    - zone: 101.10.in-addr.arpa.
      type: slave
      file: "/var/cache/bind/zones/hack/10.101-root"
      masters:
        - 172.31.0.5 port 53
    - zone: 102.10.in-addr.arpa.
      type: slave
      file: "/var/cache/bind/zones/hack/10.102-root"
      masters:
        - 172.31.0.5 port 53
    - zone: 103.10.in-addr.arpa.
      type: slave
      file: "/var/cache/bind/zones/hack/10.103-root"
      masters:
        - 172.31.0.5 port 53

    # NeoNetwork root
    - zone: neo.
      type: master
      file: "/var/cache/bind/zones/db.neo-root"
      key_directory: "/var/cache/bind/keys/nn/"
      dnssec: true
      dnssec_policy: standard
    - zone: 127.10.in-addr.arpa.
      type: master
      file: "/var/cache/bind/zones/db.10.127.0.0_16"
      key_directory: "/var/cache/bind/keys/nn/"
      dnssec: true
      dnssec_policy: standard
    - zone: 7.2.1.0.0.1.d.f.ip6.arpa.
      type: master
      file: "/var/cache/bind/zones/db.fd10:127::_32"
      key_directory: "/var/cache/bind/keys/nn/"
      dnssec: true
      dnssec_policy: standard

    # dn42 root
    - zone: dn42.
      type: stub
      masters:
        - fd42:180:3de0:30::1 port 53
        - fd42:180:3de0:10:5054:ff:fe87:ea39 port 53
    - zone: 20.172.in-addr.arpa.
      type: stub
      masters:
        - fd42:180:3de0:30::1 port 53
        - fd42:180:3de0:10:5054:ff:fe87:ea39 port 53
    - zone: 21.172.in-addr.arpa.
      type: stub
      masters:
        - fd42:180:3de0:30::1 port 53
        - fd42:180:3de0:10:5054:ff:fe87:ea39 port 53
    - zone: 22.172.in-addr.arpa.
      type: stub
      masters:
        - fd42:180:3de0:30::1 port 53
        - fd42:180:3de0:10:5054:ff:fe87:ea39 port 53
    - zone: 23.172.in-addr.arpa.
      type: stub
      masters:
        - fd42:180:3de0:30::1 port 53
        - fd42:180:3de0:10:5054:ff:fe87:ea39 port 53
    - zone: 10.in-addr.arpa.
      type: stub
      masters:
        - fd42:180:3de0:30::1 port 53
        - fd42:180:3de0:10:5054:ff:fe87:ea39 port 53
    - zone: d.f.ip6.arpa.
      type: stub
      masters:
        - fd42:180:3de0:30::1 port 53
        - fd42:180:3de0:10:5054:ff:fe87:ea39 port 53

    # Freifunk zones
    - zone: ff3l.
      type: stub
      masters:
        - 10.119.0.5 port 53
        - 10.119.0.4 port 53
        - 10.119.0.10 port 53
        - fdc7:3c9d:b889:a272::5 port 53
        - fdc7:3c9d:b889:a272::4 port 53
        - fdc7:3c9d:b889:a272::a port 53
    - zone: fffd.
      type: stub
      masters:
        - 10.185.0.1 port 53
        - 10.185.0.2 port 53
        - 10.185.0.4 port 53
        - fd00:65a8:93a4::1 port 53
        - fd00:65a8:93a4::2 port 53
        - fd00:65a8:93a4::4 port 53
    - zone: fftr.
      type: stub
      masters:
        - 10.172.0.14 port 53
        - 10.172.0.16 port 53
        - 2001:bf7:fc0f::14 port 53
        - 2001:bf7:fc0f::16 port 53
    - zone: ffhl.
      type: stub
      masters:
        - fdef:ffc0:3dd7::801 port 53
        - fdef:ffc0:3dd7::a01 port 53
        - fdef:ffc0:3dd7::c01 port 53
        - fdef:ffc0:3dd7::e01 port 53
        - 10.130.0.252 port 53
        - 10.130.0.253 port 53
        - 10.130.0.254 port 53
        - 10.130.0.255 port 53

  zone_files:
    settings:
      refresh: 3h
      retry: 1h
      expire: 1w
      negative_cache: 1h

    zones:
      - zone_file: db.mk16.de
        ttl: 3600
        soa:
          master: n1.mk16.de.
          mail: hostmaster.mk16.de.
        records:
          "@":
            ns:
              - n1
              - n2
              - n3
              - n4
              - n5
            a: 5.45.109.122
            aaaa: 2a03:4000:6:2784::1
            caa:
              - 1 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/502687250"
              - 1 iodef "mailto:caa@mk16.de"
            txt:
              - "v=spf1 mx a include:_spf.webhosting.systems ~all"
              - "openpgp4fpr:9aa28159fceb3cd83bc212017e869146699108c7"
            mx: 10 mxe87b.netcup.net.
          n1:
            a: 5.45.109.122
            aaaa: 2a03:4000:6:2784::1
          n2:
            a: 5.252.226.123
            aaaa: 2a03:4000:40:ad::1
          n3:
            a: 103.73.66.184
            aaaa: 2406:ef80:1:f8d5::1
          n4:
            a: 51.81.139.248
            aaaa: 2604:2dc0:200:1549:703:c28d:2240:1
          n5:
            a: 185.175.59.174
            aaaa: 2a0e:dc0:3:1552::1
          ddns:
            ns:
              - ns1.afraid.org.
              - ns2.afraid.org.
              - ns3.afraid.org.
              - ns4.afraid.org.
          autoconfig:
            cname: autoconfig.netcup.net.
          "key1._domainkey":
            cname: key1._domainkey.webhosting.systems.
          "key2._domainkey":
            cname: key2._domainkey.webhosting.systems.
          openpgpkey:
            cname: wkd.keys.openpgp.org.
          _dmarc:
            txt: "v=DMARC1; p=quarantine; rua=mailto:postmaster@mk16.de; ruf=mailto:m.k@mk16.de; adkim=s; aspf=s;"
          alive:
            txt: "yes"
          "do-not-trust":
            a: 127.0.0.1
            aaaa: ::1

          # VPN
          vpn-lu:
            a: 104.244.77.202
            aaaa: 2605:6400:30:f7dd::1

          # Nodes
          aurora:
            a: 74.208.212.195
            aaaa: 2607:f1c0:f03e:2d00::1
          "dn42.aurora":
            a: 172.22.149.228
            aaaa: fd04:234e:fc31::4
          
          herzstein:
            a: 103.73.66.184
            aaaa: 2406:ef80:1:f8d5::1
          "y.herzstein":
            aaaa: 218:d3dc:a358:dc47:ea62:2ac1:80b2:be47
          "dn42.herzstein":
            a: 172.22.149.227
            aaaa: fd04:234e:fc31::3
          
          laplace-v6:
            cname: laplace-v6.ddns
          laplace-v4:
            cname: laplace-v4.ddns
          laplace:
            cname: laplace-v6
          "y.laplace":
            aaaa: 21d:8210:3f70:a38c:e7a0:155e:955:5f54
          "dn42.laplace":
            a: 172.22.149.231
            aaaa: fd04:234e:fc31::7
          
          p2pnode:
            a: 5.45.109.122
            aaaa: 2a03:4000:6:2784::1
            caa:
              - 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/502687250"
              - 1 iodef "mailto:caa@mk16.de"
          "y.p2pnode":
            aaaa: 218:4feb:a509:9db2:2b34:6e7e:e071:5dee
          "dn42.p2pnode":
            a: 172.22.149.225
            aaaa: fd04:234e:fc31::1

          p2prouter:
            a: 5.252.226.123
            aaaa: 2a03:4000:40:ad::1
            caa:
              - 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/75989130"
              - 1 iodef "mailto:caa@mk16.de"
          "y.p2prouter":
            aaaa: 220:f022:cd6c:22a9:5285:79e2:2e19:b66a
          "dn42.p2prouter":
            a: 172.22.149.226
            aaaa: fd04:234e:fc31::2
          
          palerme:
            aaaa: 2a01:cb05:944a:b8ff:e4a6:adff:fe95:4e75
          "dn42.palerme":
            a: 172.22.149.229
            aaaa: fd04:234e:fc31::5
          
          stricker:
            a: 51.81.139.248
            aaaa: 2604:2dc0:200:1549:703:c28d:2240:1
          "dn42.stricker":
            a: 172.22.149.232
            aaaa: fd04:234e:fc31::8
          
          silvermoon:
            a: 185.175.59.174
            aaaa: 2a0e:dc0:3:1552::1
          "dn42.silvermoon":
            a: 172.22.149.230
            aaaa: fd04:234e:fc31::6
          
          trolljaeger:
            a: 165.140.142.42
            aaaa: 2602:fc23:18::46
          "dn42.trolljaeger":
            a: 172.22.149.233
            aaaa: fd04:234e:fc31::9
          "y.trolljaeger":
            aaaa: 213:b820:7255:e331:d52b:4e2b:4eb3:9f5b

          frostwood:
            a: 5.45.108.22
            aaaa: 2a03:4000:6:203a::1
            caa:
              - 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1798961947"
              - 1 iodef "mailto:caa@mk16.de"
          "dn42.frostwood":
            a: 172.22.149.234
            aaaa: fd04:234e:fc31::10
          
          beastwarden-v6:
            cname: beastwarden-v6.ddns
          beastwarden-v4:
            cname: beastwarden-v4.ddns
          beastwarden:
            cname: beastwarden-v6
          "dn42.beastwarden":
            a: 172.22.149.235
            aaaa: fd04:234e:fc31::11
          "y.beastwarden":
            aaaa: 200:bc59:d0d9:6d6c:d2f7:ee92:e681:51e7

          fourth:
            a: 37.120.162.41
            aaaa: 2a03:4000:6:3632:e40e:5cff:fe6c:b1a8
          "y.fourth":
            aaaa: 217:fb11:f68b:8d9c:e4f5:a304:916:b011
          
          sobinka:
            aaaa: 2a01:e0a:46a:2785:14e7:3cff:feed:3810

          third:
            aaaa: 2a02:180:6:1:0:0:0:1f24
          
          # CRXN nodes
          grisha:
            cname: grisha-v6.ddns
          "crxn.grisha":
            aaaa: fd5c:3e37:2666:c700::1
          
          gleb:
            cname: gleb-v6.ddns
          "crxn.gleb":
            aaaa: fd5c:3e37:2666:7081::1
          
          mikhail:
            cname: mikhail-v6.ddns
          "crxn.mikhail":
            aaaa: fd5c:3e37:2666:4b00::1
          
          "crxn.zwergenland":
            aaaa: fd5c:3e37:2666:1900::1
          
          reseau:
            aaaa: 2a01:cb05:944a:b8ff:1469:3dff:fee3:97e9
          "crxn.reseau":
            aaaa: fd5c:3e37:2666:ea00::1
          "lg.reseau":
            cname: reseau
          "babelweb2":
            cname: reseau

          # Websites
          "bandura-comm":
            cname: p2pnode
          "dn42-bgplookup":
            cname: p2pnode
          monkic:
            cname: p2pnode
          irc:
            cname: p2prouter
          auth:
            cname: frostwood

          nextcloud:
            a: 202.61.232.121
            aaaa: 2a03:4000:61:14f0::17:2237
            caa:
              - 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/501236320"
              - 1 iodef "mailto:caa@mk16.de"
          baikal:
            a: 202.61.232.121
            aaaa: 2a03:4000:61:14f0::17:2237
            caa:
              - 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/501236320"
              - 1 iodef "mailto:caa@mk16.de"

          # Yggdrasil nodes:
          ygg1:
            cname: p2prouter
          ygg2:
            cname: p2pnode
          ygg3:
            cname: stricker
          ygg4:
            cname: trolljaeger

          # I2P reseed service
          www2:
            cname: p2prouter

          # Status pages
          monitor:
            a: 89.58.43.186
            aaaa: 2a03:4000:66:d57::1
            caa:
              - 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1110453857"
              - 1 iodef "mailto:caa@mk16.de"
          "y.monitor":
            aaaa: 219:c95b:8447:2c7a:ce08:fe5:a67b:7f17
          "dn42.monitor":
            a: 172.22.149.248
            aaaa: fd04:234e:fc31:fd1e:ceac:f1c0::1

          status:
            cname: monitor
          status2:
            cname: reports.hetrixtools.com.
          status3:
            cname: marek22k.github.io.
          
          # Search engine verification
          qhj5wdt2ojuc:
            cname: gv-rsjf5emwwkg3zw.dv.googlehosted.com.
          fa0c40ad9b6493a9b0e19b5ca7bc2b8c:
            cname: verify.bing.com.