Diffstat (limited to 'bind/builder/zones.yaml')
-rw-r--r--bind/builder/zones.yaml256
1 files changed, 256 insertions, 0 deletions
diff --git a/bind/builder/zones.yaml b/bind/builder/zones.yaml
new file mode 100644
index 0000000..85fc863
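--- /dev/null
+++ b/bind/builder/zones.yaml
@@ -0,0 +1,256 @@
+dynamic-acls:
+ all-masters:
+ generator: servers
+
+ internal-keys:
+ generator: keys
+ filter: "*-internal"
+
+ external-keys:
+ generator: keys
+ filter: "*-external"
+
+static-acls:
+ internal-nets:
+ - 172.16.0.0/16 # SEA1 (and AWS)
+ - 172.17.0.0/16 # SEA2
+ - 172.18.0.0/16 # FKL1
+ - 172.19.0.0/16 # SEA4
+ - 172.20.0.0/16 # ORD1
+ - 172.21.0.0/16 # Mobile Network
+ - 23.149.16.0/24 # Pomona ARIN Delegation
+ - 192.168.255.0/24 # Local Docker Bridge
+ - 2602:0803:4000::/40 # Pomona ARIN Delegation
+ - 2600:1f14:f39:e000::/56 # PDX1
+ - 2600:1f16:33:500::/56 # CMH1
+ - 2a05:d01c:7ba:b800::/56 # LHR1
+
+servers:
+ 172.16.18.52: # PDX1 Legacy Primary
+ type: primary
+ ips:
+ - 50.112.45.116 # PDX1 Gateway External Legacy
+ - 54.148.70.70 # PDX1 Gateway External
+ - 172.16.18.73 # PDX1 Gateway Internal Legacy
+ - 2600:1f14:f39:e000:9fb5:8745:4eec:28b8 # PDX1 Gateway
+ forwarders:
+ amazonaws.com:
+ - 172.16.16.2
+ internal:
+ - 172.16.16.2
+
+ 172.20.0.53: # ORD1 Secondary
+ type: secondary
+ key: ord1-transfer
+
+ 172.16.35.10: # CMH1 Legacy Secondary
+ type: secondary
+ key: us-east-2-transfer
+ forwarders:
+ amazonaws.com:
+ - 172.16.32.2
+ internal:
+ - 172.16.32.2
+
+ 172.16.66.181: # LHR1 Legacy Secondary
+ type: secondary
+ key: eu-west-2-transfer
+
+views:
+ external:
+ match-clients:
+ - external-keys
+ - "!internal-keys"
+ - "!internal-nets"
+ - any
+
+ raw-include: |
+ rate-limit {
+ responses-per-second 15;
+ exempt-clients {
+ internal-nets;
+ };
+ };
+
+ internal:
+ match-clients:
+ - "!external-keys"
+ - internal-nets
+ - internal-keys
+ - localhost
+
+ raw-include: |
+ response-policy {
+ zone "dns-policy.crute.me" log true;
+ };
+
+ # https://www.mail-archive.com/bind-users@lists.isc.org/msg25350.html
+ server 63.150.72.5 { send-cookie no; }; # sauthns1.qwest.net
+ server 208.44.130.121 { send-cookie no; }; # sauthns2.qwest.net.
+
+zones:
+ - name: amazonaws.com
+ type: forward-only
+ master-views:
+ - internal
+ in-views:
+ - internal
+
+ - name: internal
+ type: forward-only
+ master-views:
+ - internal
+ in-views:
+ - internal
+
+ # 2602:0803:4000::/40
+ - name: 0.4.3.0.8.0.2.0.6.2.ip6.arpa
+ master-views:
+ - external
+ allow-update-keys:
+ - as398223-net
+ - crute-me
+
+ # 24.149.16.0/24
+ - name: 16.149.23.in-addr.arpa
+ master-views:
+ - external
+ allow-update-keys:
+ - as398223-net
+
+ # Global IPv4 Reverse Zone
+ # 172.16.0.0/16
+ - name: 16.172.in-addr.arpa
+ master-views:
+ - internal
+ in-views:
+ - internal
+ allow-update-keys:
+ - crute-me
+ - sea1-dhcpd-key
+
+ # FKL1 IPv4 Reverse Zone
+ # 172.18.0.0/16
+ - name: 18.172.in-addr.arpa
+ master-views:
+ - internal
+ in-views:
+ - internal
+ allow-update-keys:
+ - fkl1-crute-me
+ - fkl1-dhcpd-key
+
+ # SEA4 IPv4 Reverse Zone
+ # 172.19.0.0/16
+ - name: 19.172.in-addr.arpa
+ master-views:
+ - internal
+ in-views:
+ - internal
+ allow-update-keys:
+ - crute-me
+
+ - name: dns-policy.crute.me
+ master-views:
+ - internal
+ in-views:
+ - internal
+
+ # This is an RPZ policy zone, nothing should be querying it
+ # except BIND internals. Also the zone most be manually
+ # updated and reloaded to allow leaving comments and
+ # preventing errors.
+ allow-query:
+ - none
+
+ - name: crute.us
+ master-views:
+ - external
+ allow-update-keys:
+ - crute-us
+
+ - name: crute.me
+ master-views:
+ - external
+ - internal
+ allow-update-keys:
+ - crute-me
+
+ - name: sea1.crute.me
+ master-views:
+ - internal
+ in-views:
+ - internal
+ allow-update-keys:
+ - sea1-crute-me
+ - crute-me
+ - sea1-dhcpd-key
+
+ - name: fkl1.crute.me
+ master-views:
+ - internal
+ in-views:
+ - internal
+ allow-update-keys:
+ - fkl1-crute-me
+ - fkl1-dhcpd-key
+
+ - name: crute.org
+ master-views:
+ - external
+ allow-update-keys:
+ - crute-org
+
+ - name: crute.dev
+ master-views:
+ - external
+ allow-update-keys:
+ - crute-dev
+
+ - name: softgroupcorp.com
+ master-views:
+ - external
+ allow-update-keys:
+ - softgroupcorp-com
+
+ - name: pomonaconsulting.com
+ master-views:
+ - external
+ allow-update-keys:
+ - pomonaconsulting-com
+
+ - name: pomonaconsulting.net
+ master-views:
+ - external
+ allow-update-keys:
+ - pomonaconsulting-net
+
+ - name: as398223.net
+ master-views:
+ - external
+ allow-update-keys:
+ - as398223-net
+
+ - name: 59erdiner.com
+ master-views:
+ - external
+ allow-update-keys:
+ - 59erdiner-com
+
+ - name: leavenworthsnowmobilerentals.com
+ master-views:
+ - external
+ allow-update-keys:
+ - leavenworthsnowmobilerentals-com
+
+ - name: lakewenatcheecabins.net
+ master-views:
+ - external
+ allow-update-keys:
+ - lakewenatcheecabins-net
+
+ - name: frompythonimportpodcast.com
+ master-views:
+ - external
+ allow-update-keys:
+ - frompythonimportpodcast-com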
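Review bot: The `crute-me` key appears under `allow-update-keys` for five zones (`0.4.3.0.8.0.2.0.6.2.ip6.arpa`, `16.172.in-addr.arpa`, `19.172.in-addr.arpa`, `crute.me`, `sea1.crute.me`) and `as398223-net` for three, so disclosure of one TSIG secret permits dynamic updates to every zone that names it, including zones served in the external view. Scoping keys per site or per zone, as the FKL1 zones already do with `fkl1-crute-me`, would narrow that. How the builder renders this list (a plain `allow-update` or a narrower `update-policy`) is not visible in this file, so the real reach of each key should be confirmed in the generator. Separately, the comment above `16.149.23.in-addr.arpa` reads `# 24.149.16.0/24` while the zone name and the `internal-nets` entry both give `23.149.16.0/24`, so it should be `# 23.149.16.0/24`; in the `dns-policy.crute.me` comment, "most be manually" should read "must be manually".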