Felix Albrigtsen 13ab2afd4c
hosts: add ambidextrous
2026-02-11 16:46:54 +01:00

PVV-DNS

This repository contains both the code and the data needed to generate PVV's DNS configuration. The configuration is generated from this repository and deployed to smask (https://wiki.pvv.ntnu.no/wiki/Maskiner/smask).

Normal PVV "hosts" (servers, mostly) should be defined in ./hosts.nix. Additional configuration and records for pvv.ntnu.no and pvv.org live in ./pvv-domain.nix, and configuration for all other domains is found in their respective files in ./zones/.

The code in this repository is basically a whole heap of pre-processing to turn the hosts file and zone-specific options into the format used by nix-community/dns.nix, which in turn generates the zone files.

Examples

A host configuration like

  drolsum = {
    ipv4 = pvvv4 217;
    ipv6 = pvvv6 217;
    aliases = [ "login2" ];
  };

  roundrobin = {
    ipv4 = [ (pvvv4 201) (pvvv4 202) ];
    ipv6 = [ (pvvv6 201) (pvvv6 202) ];
  };

... will generate zone files like

drolsum.pvv.ntnu.no. IN A 129.241.210.217
drolsum.pvv.ntnu.no. IN AAAA 2001:700:300:1900::217
login2.pvv.ntnu.no. IN CNAME drolsum

roundrobin.pvv.ntnu.no. IN A 129.241.210.201
roundrobin.pvv.ntnu.no. IN A 129.241.210.202
roundrobin.pvv.ntnu.no. IN AAAA 2001:700:300:1900::201
roundrobin.pvv.ntnu.no. IN AAAA 2001:700:300:1900::202

201.128-255.210.241.129.in-addr.arpa. PTR roundrobin.pvv.ntnu.no
202.128-255.210.241.129.in-addr.arpa. PTR roundrobin.pvv.ntnu.no
217.128-255.210.241.129.in-addr.arpa. PTR drolsum.pvv.ntnu.no

1.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa PTR roundrobin.pvv.ntnu.no
2.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa PTR roundrobin.pvv.ntnu.no
7.1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa PTR drolsum.pvv.ntnu.no
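
The forward and reverse records above are meant to agree. As an added example (not code from this repository), the following Python check reads records in the format shown and reports every A/AAAA record whose PTR is missing or names a different host. The sample zone text, the name oldhost, and the assumption that only 129.241.210.128/25 carries the 128-255 label are constructed for illustration; lines with a TTL and other record types are ignored.

```python
import ipaddress

# Assumption from the page's output: 129.241.210.128-255 PTR owners carry a "128-255" label.
CLASSLESS_NET = ipaddress.ip_network("129.241.210.128/25")
CLASSLESS_LABEL = "128-255"

# Constructed sample in the page's record format. The PTR for .202 is wrong on
# purpose and the ip6.arpa PTR is left out, so the check has findings to report.
SAMPLE_ZONE = """\
drolsum.pvv.ntnu.no. IN A 129.241.210.217
drolsum.pvv.ntnu.no. IN AAAA 2001:700:300:1900::217
roundrobin.pvv.ntnu.no. IN A 129.241.210.201
roundrobin.pvv.ntnu.no. IN A 129.241.210.202
201.128-255.210.241.129.in-addr.arpa. PTR roundrobin.pvv.ntnu.no
202.128-255.210.241.129.in-addr.arpa. PTR oldhost.pvv.ntnu.no
217.128-255.210.241.129.in-addr.arpa. PTR drolsum.pvv.ntnu.no
"""

def ptr_owner(address):
    """Reverse-zone owner name for an address, in the form the page shows."""
    ip = ipaddress.ip_address(address)
    if ip in CLASSLESS_NET:
        host, rest = ip.reverse_pointer.split(".", 1)
        return f"{host}.{CLASSLESS_LABEL}.{rest}"
    return ip.reverse_pointer  # plain in-addr.arpa, or 32 nibbles + ip6.arpa

def check_reverse(zone_text):
    """Return (name, address, problem) for each A/AAAA lacking a matching PTR."""
    forward, ptrs = [], {}
    for line in zone_text.splitlines():
        fields = [f.rstrip(".").lower() for f in line.split() if f != "IN"]
        if len(fields) != 3:
            continue
        owner, rtype, rdata = fields
        if rtype in ("a", "aaaa"):
            forward.append((owner, rdata))
        elif rtype == "ptr":
            ptrs[owner] = rdata
    findings = []
    for name, address in forward:
        target = ptrs.get(ptr_owner(address))
        if target is None:
            findings.append((name, address, "missing PTR"))
        elif target != name:
            findings.append((name, address, f"PTR points to {target}"))
    return findings

if __name__ == "__main__":
    print(check_reverse(SAMPLE_ZONE))
```

Run against the concatenated contents of ./result/zones, an empty list means every forward record has a PTR pointing back at the same name.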

Building zone files

Provided you have nix on your system, you should be able to run nix build .#zoneFiles, and the resulting zone files are placed in ./result.

Deployment

Automatic deployment through CI/CD is not yet implemented. See the subsections below for manual installation.

nsd on OpenBSD

nsd, the high-performance authoritative-only DNS server developed by NLnet Labs, is included in the base OpenBSD system.

The default output, built with nix build .#, includes configuration for nsd:

result
├── etc
│   └── nsd
│       └── nsd.conf
└── zones
    ├── 9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa.zone
    ├── 128-255.210.241.129.in-addr.arpa.zone
    ├── 210.241.129.in-addr.arpa.zone
    ├── nuccc.org.zone
    ├── pvv.no.zone
    ├── pvv.ntnu.no.zone
    └── pvv.org.zone

First time setup

  • Enable nsd
    • rcctl enable nsd
  • Start nsd
    • rcctl start nsd
  • Follow the steps below for updating zones and configuration

Updating zones and configuration

(TL;DR: files go in /var/nsd, then run nsd-control reload)

  • If applicable, make changes to ./hosts.nix or the appropriate file in ./zones/
  • Build this project (anywhere, on any host with nix)
    • nix build .#
  • Install the contents of ./result into /var/nsd
    • ./result/etc/nsd/nsd.conf becomes /var/nsd/etc/nsd.conf
    • ./result/zones/ becomes /var/nsd/zones
  • Verify the configuration
    • nsd-checkconf /var/nsd/etc/nsd.conf
  • Reload the config file
    • nsd-control reconfig
  • Reload the zonefiles
    • nsd-control reload
  • Verify operation
    • dig @smask.pvv.ntnu.no SOA pvv.ntnu.no.
    • If something is not working, see /var/log/nsd.log

Future plans

  • Build and verify with CI/CD
  • Automatically push updated configurations to the DNS server
    • Also generate DNS server configuration files
      • NSD, included in OpenBSD
      • Bind9, common alternative
  • Per-record or per-host customizable TTL (e.g. for moving a CNAME around when replacing a service/server)
  • Improve dns.nix or replace it with a homemade zonefile generator to make the output more human-readable
  • Also generate DHCP server configurations
Description
PVVs (future) host network configuration