From c6c854aabf9cc085ab06f59da9b958452c535361 Mon Sep 17 00:00:00 2001
From: h <9pfs@amcforum.wiki>
Date: Tue, 28 Jan 2025 22:46:35 -0800
Subject: [PATCH] expand anycast DNS deployment to all routers
---
 dns.yml | 74 ++++++++++++++++++
 dns/igp-dummy-dns.netdev | 3 +
 dns/igp-dummy-dns.network | 6 ++
 dns/named-debian.conf | 1 +
 dns/named.conf.j2 | 72 +++++++++++++++++
 dns/notify-list.j2 | 11 +++
 dns/resolv.conf | 5 ++
 dns/us1-named.conf.j2 | 161 ++++++++++++++++++++++++++++++++++++++
 ext-peer.network.j2 | 1 +
 inventory.yml | 9 ++-
 lg.yml | 2 +-
 ztwfugvwdo.network.j2 | 1 +
 12 files changed, 344 insertions(+), 2 deletions(-)
 create mode 100644 dns.yml
 create mode 100644 dns/igp-dummy-dns.netdev
 create mode 100644 dns/igp-dummy-dns.network
 create mode 100644 dns/named-debian.conf
 create mode 100644 dns/named.conf.j2
 create mode 100644 dns/notify-list.j2
 create mode 100644 dns/resolv.conf
 create mode 100644 dns/us1-named.conf.j2
diff --git a/dns.yml b/dns.yml
new file mode 100644
index 0000000..db9435b
--- /dev/null
+++ b/dns.yml
@@ -0,0 +1,74 @@ +- name: Configure DNS servers + hosts: routers + remote_user: root + tasks: + - name: Install bind on Arch + ansible.builtin.package: + name: bind + state: present + when: ansible_distribution == 'Archlinux' + - name: Install bind on Debian + ansible.builtin.package: + name: bind9 + state: present + when: ansible_distribution == 'Debian' + - name: Configure DNS server named.conf files + ansible.builtin.template: + src: dns/named.conf.j2 + dest: /etc/named.conf + mode: '0644' + - name: Use our config file on Debian + ansible.builtin.copy: + src: dns/named-debian.conf + dest: /etc/bind/named.conf + mode: '0644' + when: ansible_distribution == 'Debian' + - name: Ensure /var/named exists on Arch + ansible.builtin.file: + path: /var/named + state: directory + mode: '0770' + owner: root + group: named + when: ansible_distribution == 'Archlinux' + - name: Ensure /var/named exists on Debian + ansible.builtin.file: + path: /var/named + state: directory + mode: '0770' + owner: root + group: bind + when: ansible_distribution == 'Debian' + - name: Add DNS dummy interface netdev + ansible.builtin.copy: + src: dns/igp-dummy-dns.netdev + dest: /etc/systemd/network/igp-dummy-dns.netdev + mode: '0644' + - name: Add DNS dummy interface network + ansible.builtin.copy: + src: dns/igp-dummy-dns.network + dest: /etc/systemd/network/igp-dummy-dns.network + mode: '0644' + - name: Reload named + ansible.builtin.systemd: + name: named + state: reloaded + enabled: true + - name: Reload systemd-networkd + ansible.builtin.command: networkctl reload + - name: Turn off systemd-resolved + ansible.builtin.systemd: + name: systemd-resolved + state: stopped + enabled: false + ignore_errors: true + - name: Push resolv.conf + ansible.builtin.copy: + src: dns/resolv.conf + dest: /etc/resolv.conf + mode: '0644' + - name: Suppress proxmox resolv.conf meddling + ansible.builtin.file: + path: /etc/.pve-ignore-resolv.conf + state: touch + mode: '0644' \ No newline at end of file 
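Review bot: The `Configure DNS server named.conf files` template task has no `validate:`, and the play then reloads named unconditionally, so a rendering mistake only surfaces as a failed reload after the broken file is already in /etc/named.conf. Add `validate: 'named-checkconf %s'` to that task so the rendered file is checked before it replaces the live config (the `include` paths in the template are absolute, so checking the temp file should work; `-z` would also need the zone files and is better left to a separate task). `Reload named` also runs before `networkctl reload` creates the dummy interface; with `listen-on-v6 { any; }` BIND normally picks up new addresses on its interface rescan, but confirm the anycast listener is not lagging the address, or simply reorder the two tasks. The reload uses the unit's ExecReload (rndc), so on hosts without a `controls` statement or rndc key this task presumably fails — worth a check on the non-us1 routers.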
diff --git a/dns/igp-dummy-dns.netdev b/dns/igp-dummy-dns.netdev
new file mode 100644
index 0000000..a8abc64
--- /dev/null
+++ b/dns/igp-dummy-dns.netdev
@@ -0,0 +1,3 @@
+[NetDev]
+Name=igp-dummy-dns
+Kind=dummy
\ No newline at end of file
diff --git a/dns/igp-dummy-dns.network b/dns/igp-dummy-dns.network
new file mode 100644
index 0000000..23854e5
--- /dev/null
+++ b/dns/igp-dummy-dns.network
@@ -0,0 +1,6 @@
+[Match]
+Name=igp-dummy-dns
+
+[Network]
+Address=172.22.161.21/32
+Address=fd32:6b0:70a6:53::53/128
\ No newline at end of file
diff --git a/dns/named-debian.conf b/dns/named-debian.conf
new file mode 100644
index 0000000..c94561e
--- /dev/null
+++ b/dns/named-debian.conf
@@ -0,0 +1 @@
+include "/etc/named.conf";
\ No newline at end of file
diff --git a/dns/named.conf.j2 b/dns/named.conf.j2
new file mode 100644
index 0000000..8e1fa46
--- /dev/null
+++ b/dns/named.conf.j2
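Review bot: The anycast addresses are configured statically on the dummy interface with nothing in this change tying them to named's health; if the IGP redistributes this interface (the `igp-` prefix suggests it does, but that config is not in the diff), a router whose named is stopped or wedged keeps attracting anycast DNS traffic for 172.22.161.21 / fd32:6b0:70a6:53::53 and blackholes it. Pair the address with a liveness check that removes it when named is not answering — e.g. a systemd timer that runs `dig +time=2 @172.22.161.21 localhost` and on failure `networkctl down igp-dummy-dns`, or the equivalent route withdrawal in the routing daemon. Because `/etc/resolv.conf` on every router is also pointed at these addresses and the /32 and /128 are locally attached, a router with a dead named resolves nothing locally even while the other anycast instances are healthy, so the check matters for the host itself too.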
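Review bot: Replacing Debian's `/etc/bind/named.conf` with a bare `include "/etc/named.conf";` drops the stock `named.conf.options` / `named.conf.local` / `named.conf.default-zones` includes (intended, I assume), but the shared template then sets `directory "/var/named"`, which is outside the paths Debian's AppArmor profile for named (`usr.sbin.named`) allows writes to (`/var/cache/bind`, `/var/lib/bind`). On a Debian host or container where that profile is enforcing, secondary zone transfers, the catalog zone file and inline-signing state will fail to write even though the play creates `/var/named` with group `bind`. Either ship a local override in `/etc/apparmor.d/local/usr.sbin.named` with `/var/named/** rw,`, or set `directory` to `/var/cache/bind` on Debian via the template; whether AppArmor is actually active inside these containers is not visible here, so confirm before choosing.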
@@ -0,0 +1,72 @@
+// vim:set ts=4 sw=4 et:
+
+options {
+ directory "/var/named";
+ pid-file "/run/named/named.pid";
+
+ // Uncomment these to enable IPv6 connections support
+ // IPv4 will still work:
+ listen-on-v6 { any; };
+ // Add this for no IPv4:
+ // listen-on { none; };
+
+ allow-recursion { 127.0.0.1; ::1; 172.22.161.0/27; fd32:6b0:70a6::/48; {% if inventory_hostname == 'us1.routers.9pfs.dn42' %} 192.168.19.0/24; {% endif %} };
+ allow-transfer { fd32:6b0:70a6:53::/64; 127.0.0.1; ::1; 172.22.161.10; fd32:6b0:70a6:3000::1; fd32:6b0:70a6:179::/64; };
+ allow-update { none; };
+ version none;
+ hostname none;
+ server-id none;
+ validate-except {
+ "3.10.in-addr.arpa";
+ "ts.net";
+ "dn42";
+ "20.172.in-addr.arpa";
+ "21.172.in-addr.arpa";
+ "22.172.in-addr.arpa";
+ "23.172.in-addr.arpa";
+ "d.f.ip6.arpa";
+ };
+ empty-zones-enable no;
+{% if inventory_hostname == 'us1.routers.9pfs.dn42' %}
+ notify-source-v6 fd32:6b0:70a6:53::ffff;
+{% else %}
+ catalog-zones {
+ zone "catalog.9pfs.dn42" default-primaries { fd32:6b0:70a6:53::ffff; };
+ };
+{% endif %}
+};
+
+{% if inventory_hostname == 'us1.routers.9pfs.dn42' %}
+{% include 'us1-named.conf.j2' %}
+{% else %}
+zone "catalog.9pfs.dn42" {
+ file "catalog.9pfs.dn42.zone";
+ type secondary;
+ primaries {
+ fd32:6b0:70a6:53::ffff;
+ };
+};
+
+{% endif %}
+
+//zone "example.org" IN {
+// type secondary;
+// file "example.zone";
+// primaries {
+// 192.168.1.100;
+// };
+// allow-query { any; };
+// allow-transfer { any; };
+//};
+
+//logging {
+// channel xfer-log {
+// file "/var/log/named.log";
+// print-category yes;
+// print-severity yes;
+// severity info;
+// };
+// category xfer-in { xfer-log; };
+// category xfer-out { xfer-log; };
+// category notify { xfer-log; };
+//};
diff --git a/dns/notify-list.j2 b/dns/notify-list.j2
new file mode 100644
index 0000000..5819c8f
--- /dev/null
+++ b/dns/notify-list.j2
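Review bot: Zone transfers and catalog-zone provisioning are authenticated by source address only — `allow-transfer` is a plain address ACL and both `primaries { fd32:6b0:70a6:53::ffff; }` and `default-primaries` carry no key — and that transfer source sits inside the same fd32:6b0:70a6:53::/64 as the anycast address every router now holds. On dn42, where routes come from peers, anyone who can attract traffic for that address can hand every secondary a forged catalog and, through it, forged copies of every zone it provisions. Sign transfers with TSIG: add a `key "xfer-key" { algorithm hmac-sha256; secret "{{ dns_xfer_key }}"; };` statement with the secret coming from Ansible vault rather than this template, reference it as `primaries { fd32:6b0:70a6:53::ffff key "xfer-key"; };` (and in `default-primaries`), and on us1 tighten `allow-transfer` for the router addresses to `key "xfer-key";`. The hosts listed in `allow-transfer` that are not routers (172.22.161.10, fd32:6b0:70a6:3000::1) would need the same key or stay address-based knowingly.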
@@ -0,0 +1,11 @@
+also-notify {
+{% for host in ansible_play_hosts %}
+{% if host != inventory_hostname %}
+{{ hostvars[host].unicastv6 }};
+{% endif %}
+{% endfor %}
+{# TODO: remove these #}
+fd32:6b0:70a6:53::1;
+fd32:6b0:70a6:53::2;
+fd32:6b0:70a6:53::3;
+};
\ No newline at end of file
diff --git a/dns/resolv.conf b/dns/resolv.conf
new file mode 100644
index 0000000..f5c7a82
--- /dev/null
+++ b/dns/resolv.conf
@@ -0,0 +1,5 @@
+# Resolver configuration file.
+# See resolv.conf(5) for details.
+
+nameserver 172.22.161.21
+nameserver fd32:6b0:70a6:53::53
\ No newline at end of file
diff --git a/dns/us1-named.conf.j2 b/dns/us1-named.conf.j2
new file mode 100644
index 0000000..36dd383
--- /dev/null
+++ b/dns/us1-named.conf.j2
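Review bot: `also-notify` is rendered from `ansible_play_hosts`, which only holds the hosts selected for the current run, so a `--limit us1.routers.9pfs.dn42` push rewrites us1's notify list down to the hard-coded TODO entries and the other routers silently stop receiving NOTIFYs until a full run (they still catch up at the SOA refresh interval, which hides the problem). Iterate over the inventory group instead: `{% for host in groups['routers'] %}`. The loop also assumes every router defines `unicastv6`; a host without it aborts the template render, so either guard the line with `{% if hostvars[host].unicastv6 is defined %}` or keep the variable mandatory in inventory and say so in a comment.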
@@ -0,0 +1,161 @@
+include "/etc/named.conf.d/rndc.conf";
+
+controls {
+ inet 127.0.0.1 port 953
+ allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+
+// We can't reach IPv6 internet hosts, but *CAN* reach some IPv6 non-internet hosts.
+server 2000::/3 {
+ bogus yes;
+};
+
+zone "9pfs.dn42" IN {
+ type primary;
+ file "9pfs.dn42.zone";
+{% include 'notify-list.j2' %}
+ dnssec-policy default;
+ inline-signing yes;
+};
+
+zone "myip.dn42" IN {
+ type secondary;
+ file "myip.dn42.zone";
+ primaries { fd63:5d40:47e5::1111; };
+{% include 'notify-list.j2' %}
+ allow-notify { fd63:5d40:47e5::/64; };
+};
+zone "81/32.0.20.172.in-addr.arpa" IN {
+ type secondary;
+ file "myip-dn42-v4-rdns.zone";
+ primaries { fd63:5d40:47e5::1111; };
+{% include 'notify-list.j2' %}
+ allow-notify { fd63:5d40:47e5::/64; };
+};
+zone "1.8.0.0.2.4.d.0.2.4.d.0.2.4.d.f.ip6.arpa" IN {
+ type secondary;
+ file "myip-dn42-v6-rdns.zone";
+ primaries { fd63:5d40:47e5::1111; };
+{% include 'notify-list.j2' %}
+ allow-notify { fd63:5d40:47e5::/64; };
+};
+
+zone "6.a.0.7.0.b.6.0.2.3.d.f.ip6.arpa" IN {
+ type primary;
+ file "9pfs-personal-primary-v6-rdns.zone";
+{% include 'notify-list.j2' %}
+ dnssec-policy default;
+ inline-signing yes;
+};
+
+zone "0/27.161.22.172.in-addr.arpa" IN {
+ type primary;
+ file "9pfs-personal-primary-v4-rdns.zone";
+{% include 'notify-list.j2' %}
+ dnssec-policy default;
+ inline-signing yes;
+};
+
+zone "catalog.9pfs.dn42" IN {
+ type primary;
+ file "catalog.9pfs.dn42.zone";
+{% include 'notify-list.j2' %}
+ dnssec-policy default;
+ inline-signing yes;
+};
+
+zone "." IN {
+ type hint;
+ file "named.root";
+};
+
+zone "dn42" IN {
+ type secondary;
+
+ primaries {
+ fd42:180:3de0:30::1;
+# fd42:180:3de0:10:5054:ff:fe87:ea39;
+ };
+};
+
+zone "20.172.in-addr.arpa" {
+ type secondary;
+ file "20.172.in-addr.arpa.zone";
+ primaries {
+ fd42:180:3de0:30::1;
+# fd42:180:3de0:10:5054:ff:fe87:ea39;
+ };
+};
+
+zone "21.172.in-addr.arpa" {
+ type secondary;
+ file "21.172.in-addr.arpa.zone";
+ primaries {
+ fd42:180:3de0:30::1;
+# fd42:180:3de0:10:5054:ff:fe87:ea39;
+ };
+};
+
+zone "22.172.in-addr.arpa" {
+ type secondary;
+ file "22.172.in-addr.arpa.zone";
+ primaries {
+ fd42:180:3de0:30::1;
+# fd42:180:3de0:10:5054:ff:fe87:ea39;
+ };
+};
+
+zone "23.172.in-addr.arpa" {
+ type secondary;
+ file "23.172.in-addr.arpa.zone";
+ primaries {
+ fd42:180:3de0:30::1;
+# fd42:180:3de0:10:5054:ff:fe87:ea39;
+ };
+};
+
+zone "d.f.ip6.arpa" {
+ type secondary;
+ file "d.f.ip6.arpa.zone";
+ primaries {
+ fd42:180:3de0:30::1;
+# fd42:180:3de0:10:5054:ff:fe87:ea39;
+ };
+};
+
+
+zone "lan" {
+ type forward;
+ forwarders {
+ 10.3.0.2;
+ };
+};
+
+zone "ts.net" {
+ type forward;
+ forwarders {
+ 100.100.100.100;
+ };
+};
+
+zone "3.10.in-addr.arpa" {
+ type forward;
+ forwarders {
+ 10.3.0.2;
+ };
+};
+
+zone "localhost" IN {
+ type primary;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" IN {
+ type primary;
+ file "127.0.0.zone";
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
+ type primary;
+ file "localhost.ip6.zone";
+};
\ No newline at end of file
diff --git a/ext-peer.network.j2 b/ext-peer.network.j2
index 86464ad..cb80ca5 100644
--- a/ext-peer.network.j2
+++ b/ext-peer.network.j2
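Review bot: The `zone "dn42"` secondary has no `file` statement (there is an empty line where the other dn42 secondaries carry `file "..."`), so the transferred zone lives only in memory: after every restart this resolver SERVFAILs all of `.dn42` until the AXFR from fd42:180:3de0:30::1 completes, and it cannot serve the zone at all if that single primary is unreachable at start. Add `file "dn42.zone";` next to `type secondary;` to match the other secondaries. The `zone "."` hint points at `named.root`, which this play never installs and which, as far as I know, neither the Arch nor the Debian bind package ships under that name in `/var/named` — confirm the file exists on us1 or `named-checkconf -z` will flag it. As with the other secondaries, these dn42 transfers are trusted on source address alone; if the upstream offers TSIG, a `key` clause in `primaries` is the cheap fix.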
@@ -12,6 +12,7 @@ IPv4ReversePathFilter=no Description=DN42 peering with AS{{ item.asn }}{% if item.wireguard|default(true) %} @ {% if item.remotehost is defined %}{{ item.remotehost }}[{{ item.remoteip }}]:{{ item.remoteport }}{% else %}[{{ item.remoteip }}]:{{ item.remoteport }}{% endif %} {% endif %} LinkLocalAddressing=false +IPv4AcceptLocal=true [Address] {% if item['llv6'] is defined %} diff --git a/inventory.yml b/inventory.yml index 23cf629..33346d6 100644 --- a/inventory.yml +++ b/inventory.yml @@ -12,9 +12,11 @@ routers: machine_type: vm pop_loc: us1 solanum_sid: '9R1' + ansible_host: fd32:6b0:70a6:179::1 us2.routers.9pfs.dn42: ansible_python_interpreter: "/usr/bin/python3" machine_type: container + ansible_host: fd32:6b0:70a6:179::2 unicastv4: 172.22.161.2 unicastv6: fd32:6b0:70a6:179::2 llv6: fe80::2002:2 @@ -28,6 +30,7 @@ routers: llv6: fe80::2002:4 pop_loc: us3 solanum_sid: '9R4' + ansible_host: fd32:6b0:70a6:179::4 uk1.routers.9pfs.dn42: ansible_python_interpreter: "/usr/bin/python3" machine_type: container @@ -36,6 +39,7 @@ routers: llv6: fe80::2002:3 pop_loc: uk1 solanum_sid: '9R3' + ansible_host: fd32:6b0:70a6:179::3 kix.routers.9pfs.dn42: ansible_python_interpreter: "/usr/bin/python3" machine_type: container @@ -45,6 +49,7 @@ routers: pop_loc: kix solanum_sid: '9R5' shared_net: true + ansible_host: fd32:6b0:70a6:179::5 genesis.routers.9pfs.dn42: ansible_python_interpreter: "/usr/bin/python3" machine_type: container @@ -54,6 +59,7 @@ routers: pop_loc: genesis solanum_sid: '9R6' ibgp_passive: true + ansible_host: fd32:6b0:70a6:179::6 fr1.routers.9pfs.dn42: machine_type: vm unicastv4: 172.22.161.7 @@ -61,8 +67,8 @@ routers: llv6: fe80::2002:7 pop_loc: fr1 solanum_sid: '9R7' - ansible_host: 84.235.232.147 ansible_python_interpreter: "/usr/bin/python3" + ansible_host: fd32:6b0:70a6:179::7 ca1.routers.9pfs.dn42: machine_type: vm unicastv4: 172.22.161.8 
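Review bot: `IPv4AcceptLocal=true` on top of the existing `IPv4ReversePathFilter=no` makes this peering link accept packets whose source address is one of this router's own IPv4 addresses — including the anycast 172.22.161.21 that every router now holds — and the hunk does not say why; presumably it is so DNS traffic sourced from the anycast address on another router is not dropped as a martian when it transits here, but that is inferred. Record the reason next to the setting, e.g. `# accept_local: 172.22.161.21 (anycast DNS) is local on every router, so packets from it arriving via peers must not be rejected as martians`. Keep in mind that the address-based ACLs added in named.conf (`allow-transfer`, `allow-recursion`) can now be satisfied by a peer spoofing this router's own source over UDP, so they should not be the only control on those paths.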
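Review bot: Every router's `ansible_host` now points at its fd32:6b0:70a6:179::N overlay address and fr1 loses its public `84.235.232.147`, so Ansible reachability depends entirely on the dn42 tunnels, the IGP and this very playbook's `networkctl reload`; a bad push to any network template locks the control plane out with no in-band way back. Keep a break-glass path — for example a `mgmt_host` variable holding the public or console-side address per host and a documented `-e ansible_host={{ mgmt_host }}` override — rather than dropping the public address outright. Note that `fd32:6b0:70a6:179::/64` is also in named's global `allow-transfer`, so that prefix now carries both management and zone-transfer trust.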
@@ -72,6 +78,7 @@ routers: solanum_sid: '9R8' ansible_python_interpreter: "/usr/bin/python3" shared_net: true + ansible_host: fd32:6b0:70a6:179::8 services: hosts: mail.9pfs.dn42: diff --git a/lg.yml b/lg.yml index 8c3870f..1e0aace 100644 --- a/lg.yml +++ b/lg.yml @@ -3,7 +3,7 @@ remote_user: root tasks: - name: Build looking glass destinations list - ansible.builtin.shell: echo {% for host in ansible_play_hosts %}{{ hostvars[host]['unicastv6'] }},{% endfor %}|sed 's/,$//' + ansible.builtin.shell: echo {% for host in ansible_play_hosts %}{{ hostvars[host].inventory_hostname }},{% endfor %}|sed 's/,$//' register: lg_dests run_once: true delegate_to: 127.0.0.1 diff --git a/ztwfugvwdo.network.j2 b/ztwfugvwdo.network.j2 index 1186b98..a0d23bf 100644 --- a/ztwfugvwdo.network.j2 +++ b/ztwfugvwdo.network.j2 @@ -10,6 +10,7 @@ LLDP=true EmitLLDP=customer-bridge LinkLocalAddressing=false IPv4ReversePathFilter=no +IPv4AcceptLocal=true [Address] Address={{ llv6 }}/64
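Review bot: `Build looking glass destinations list` still shells out to `echo ... | sed` just to join a list, and it now iterates `ansible_play_hosts`, so a `--limit` run registers a partial destination list for the looking glass. Replace the shell task with `ansible.builtin.set_fact: lg_dests: "{{ groups['routers'] | join(',') }}"` and have the consumer read `lg_dests` instead of `lg_dests.stdout` (that consumer is outside the hunk). This also removes the `delegate_to: 127.0.0.1` shell execution of templated inventory names altogether.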