d68254915067dac7ea021d84bf87f2c7248603d5
services/dns/Configuration.md
| ... | ... | @@ -255,3 +255,124 @@ system { |
| 255 | 255 | |
| 256 | 256 | ## MS DNS |
| 257 | 257 | Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative. |
| 258 | + |
|
| 259 | +# Resolver setup |
|
| 260 | + |
|
| 261 | +Configuration of common resolver softwares to do full recursion DNS queries for `.dn42` (and reverse DNS) IPv4 and IPv6 anycast services. |
|
| 262 | + |
|
| 263 | +You can use any *.delegation-servers.dn42 (where * is a letter) as an authoritative server for .dn42 TLD. The current list is available at the [DN42 registry](https://git.dn42.dev/dn42/registry/src/master/data/dns/delegation-servers.dn42) or through querying NS records of dn42.: |
|
| 264 | + |
|
| 265 | +```sh |
|
| 266 | +dig dn42. NS @172.20.0.53 |
|
| 267 | +``` |
|
| 268 | + |
|
| 269 | +Current list of delegation servers (as of 03/04/2022): |
|
| 270 | + |
|
| 271 | +| Name | IPv4 | IPv6 | |
|
| 272 | +|---|---|---| |
|
| 273 | +| b.delegation-servers.dn42 | 172.20.129.1 | fd42:4242:2601:ac53::1 | |
|
| 274 | +| j.delegation-servers.dn42 | 172.20.1.254 | fd42:5d71:219:0:216:3eff:fe1e:22d6 | |
|
| 275 | +| k.delegation-servers.dn42 | 172.20.14.34 | fdcf:8538:9ad5:1111::2 | |
|
| 276 | + |
|
| 277 | +All the examples here list 172.20.129.1/fd42:4242:2601:ac53::1, but users are encouraged to configure |
|
| 278 | +multiple services from *.delegation-servers.dn42 for redundancy. |
|
| 279 | + |
|
| 280 | +## Dnssec |
|
| 281 | +All delegation servers have DNSSEC support and all record are signed, for more information about DNSSEC visit [New-DNS#dnssec](/services/New-DNS#dnssec). |
|
| 282 | + |
|
| 283 | +Following is a list of links to the DS record for TLD and reverse zone, to configure the key file, extract the value of ds-rdata and format it as follows, you must add all ds-rdata to the key file for dnssec to work. P.S. each ds-rdata or DS record should contain 4 numbers. |
|
| 284 | + |
|
| 285 | +This is an example for dn42. and (fake) ds-rdata of 1 2 3 456 |
|
| 286 | +``` |
|
| 287 | +dn42. 86400 IN DS 1 2 3 456 |
|
| 288 | +``` |
|
| 289 | + |
|
| 290 | +This is an example for 172.20.0.0/16 and (fake) ds-rdata of 1 2 3 456 |
|
| 291 | +``` |
|
| 292 | +20.172.in-addr.arpa. 86400 IN DS 1 2 3 456 |
|
| 293 | +``` |
|
| 294 | + |
|
| 295 | +This is an example for fd00::/8 and (fake) ds-rdata of 1 2 3 456 |
|
| 296 | +``` |
|
| 297 | +d.f.ip6.arpa. 86400 IN DS 1 2 3 456 |
|
| 298 | +``` |
|
| 299 | + |
|
| 300 | +### DN42 DS record |
|
| 301 | +[dn42. TLD](https://git.dn42.dev/dn42/registry/src/branch/master/data/dns/dn42) |
|
| 302 | + |
|
| 303 | +[172.20.0.0/16 range](https://git.dn42.dev/dn42/registry/src/branch/master/data/inetnum/172.20.0.0_16) |
|
| 304 | + |
|
| 305 | +[172.20.0.0/16 range](https://git.dn42.dev/dn42/registry/src/branch/master/data/inetnum/172.21.0.0_16) |
|
| 306 | + |
|
| 307 | +[172.20.0.0/16 range](https://git.dn42.dev/dn42/registry/src/branch/master/data/inetnum/172.22.0.0_16) |
|
| 308 | + |
|
| 309 | +[172.20.0.0/16 range](https://git.dn42.dev/dn42/registry/src/branch/master/data/inetnum/172.23.0.0_16) |
|
| 310 | + |
|
| 311 | +[fd00::/8 range](https://git.dn42.dev/dn42/registry/src/branch/master/data/inet6num/fd00::_8) |
|
| 312 | + |
|
| 313 | +### Non DN42 DS record |
|
| 314 | +[172.31.0.0/16 (chaosvpn) range](https://git.dn42.dev/dn42/registry/src/branch/master/data/inetnum/172.31.0.0_16) |
|
| 315 | + |
|
| 316 | +[10.0.0.0/8 (Freifunk) range](https://git.dn42.dev/dn42/registry/src/branch/master/data/inetnum/10.0.0.0_8) |
|
| 317 | + |
|
| 318 | + |
|
| 319 | +## Unbound |
|
| 320 | +``` |
|
| 321 | +trust-anchor-file: <path to key file> |
|
| 322 | + |
|
| 323 | +server: |
|
| 324 | +local-zone: "dn42" typetransparent |
|
| 325 | +local-zone: "20.172.in-addr.arpa" typetransparent |
|
| 326 | +local-zone: "21.172.in-addr.arpa" typetransparent |
|
| 327 | +local-zone: "22.172.in-addr.arpa" typetransparent |
|
| 328 | +local-zone: "23.172.in-addr.arpa" typetransparent |
|
| 329 | +local-zone: "d.f.ip6.arpa" typetransparent |
|
| 330 | + |
|
| 331 | +private-domain: "dn42" |
|
| 332 | +private-domain: "20.172.in-addr.arpa" |
|
| 333 | +private-domain: "21.172.in-addr.arpa" |
|
| 334 | +private-domain: "22.172.in-addr.arpa" |
|
| 335 | +private-domain: "23.172.in-addr.arpa" |
|
| 336 | +private-domain: "d.f.ip6.arpa" |
|
| 337 | + |
|
| 338 | +stub-zone: |
|
| 339 | + name: "dn42" |
|
| 340 | + stub-addr: fd42:4242:2601:ac53::1 |
|
| 341 | + stub-addr: 172.20.129.1 |
|
| 342 | +stub-zone: |
|
| 343 | + name: "20.172.in-addr.arpa" |
|
| 344 | + stub-addr: fd42:4242:2601:ac53::1 |
|
| 345 | + stub-addr: 172.20.129.1 |
|
| 346 | + |
|
| 347 | +stub-zone: |
|
| 348 | + name: "21.172.in-addr.arpa" |
|
| 349 | + stub-addr: fd42:4242:2601:ac53::1 |
|
| 350 | + stub-addr: 172.20.129.1 |
|
| 351 | + |
|
| 352 | +stub-zone: |
|
| 353 | + name: "22.172.in-addr.arpa" |
|
| 354 | + stub-addr: fd42:4242:2601:ac53::1 |
|
| 355 | + stub-addr: 172.20.129.1 |
|
| 356 | + |
|
| 357 | +stub-zone: |
|
| 358 | + name: "23.172.in-addr.arpa" |
|
| 359 | + stub-addr: fd42:4242:2601:ac53::1 |
|
| 360 | + stub-addr: 172.20.129.1 |
|
| 361 | + |
|
| 362 | +stub-zone: |
|
| 363 | + name: "23.172.in-addr.arpa" |
|
| 364 | + stub-addr: fd42:4242:2601:ac53::1 |
|
| 365 | + stub-addr: 172.20.129.1 |
|
| 366 | + |
|
| 367 | +stub-zone: |
|
| 368 | + name: "10.in-addr.arpa" |
|
| 369 | + stub-addr: fd42:4242:2601:ac53::1 |
|
| 370 | + stub-addr: 172.20.129.1 |
|
| 371 | + |
|
| 372 | +stub-zone: |
|
| 373 | + name: "d.f.ip6.arpa" |
|
| 374 | + stub-addr: fd42:4242:2601:ac53::1 |
|
| 375 | + stub-addr: 172.20.129.1 |
|
| 376 | + |
|
| 377 | +``` |
|
| 378 | + |
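Review bot: In the Unbound block, `trust-anchor-file: <path to key file>` sits above `server:` (new line 321), but it is a server-clause option and Unbound does not accept attributes outside a clause, so it should move under `server:`. The same block repeats the `stub-zone` for "23.172.in-addr.arpa" (new lines 357-360 and 362-365); one copy should go. The `stub-zone` for "10.in-addr.arpa" has no matching `local-zone: "10.in-addr.arpa" typetransparent` line, unlike every other zone in the list, so Unbound's built-in default zone for that RFC 1918 reverse range will keep answering locally and the stub is never consulted. In "DN42 DS record", the links that point at 172.21.0.0_16, 172.22.0.0_16 and 172.23.0.0_16 are all labelled "172.20.0.0/16 range"; since readers must collect every ds-rdata for validation to work, the labels should name the range each link actually targets. Minor: "03/04/2022" is ambiguous between day-first and month-first, an ISO date would be clearer, and "all record are signed" needs a plural.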