Paste P474

SSL CNAME vs DNS/automatic DNS zone creation

Authored by Reception123 on Dec 15 2022, 11:56.
#!/usr/bin/python3 -u
# Generate a DNS zone
import argparse
import os
import re
import string
import subprocess
from datetime import datetime

from dns import resolver
# construct the argument parse and parse the arguments
ap = argparse.ArgumentParser(description="Script to generate a DNS zone.")
ap.add_argument("-d", "--domain", required=True, help="name of the domain")
ap.add_argument(
"-g",
"--generate",
required=False,
action="store_true",
default=False,
help="generates DNS zone",
)
args = vars(ap.parse_args())
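class DnsZone:
    """Check how a custom domain is pointed at Miraheze and, when it is
    delegated to Miraheze's nameservers, add a zone file for it to the
    ``miraheze/dns`` repository.

    Reads ``args["domain"]`` and ``args["generate"]`` from the module-level
    argparse result.  Nothing is cloned, written, committed or pushed unless
    ``--generate`` was given; without it the script only reports what it found.

    Notes
    -----
    * The CNAME check only sees a real CNAME record.  Providers that flatten
      an apex CNAME answer with address records instead, so such a domain is
      not recognised here and falls through to the NS check.
    * The resolver is reached at an IPv6 address only, so the host running
      this needs working IPv6.
    """

    # Where the dns checkout lives and where zone files go inside it.
    CHECKOUT_PARENT = "/srv/dns/"
    REPO_DIR = "/srv/dns/dns"
    ZONES_SUBDIR = "zones"
    CLONE_URL = "git@github.com:miraheze/dns.git"
    LB_CNAME = "mw-lb.miraheze.org."
    NAMESERVERS = frozenset({"ns1.miraheze.org.", "ns2.miraheze.org."})
    # Push goes through the bastion with the monitoring host's key; the single
    # quotes are part of the configured value, exactly as the shell form had it.
    SSH_COMMAND = (
        "ssh -i /var/lib/nagios/id_ed25519 -F /dev/null "
        "-o ProxyCommand='nc -6 -X connect -x bast.miraheze.org:8080 %h %p'"
    )
    # Hostname: two or more dot-separated labels of [a-z0-9-], 1-63 chars each,
    # no leading/trailing hyphen, no trailing dot.  The domain is used as a file
    # name and as a git argument, so anything else is rejected up front.
    _DOMAIN_RE = re.compile(
        r"(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+(?!-)[a-z0-9-]{1,63}(?<!-)",
        re.IGNORECASE,
    )

    def __init__(self):
        """Validate the requested domain and set up the serial and resolver.

        Raises:
            ValueError: if ``args["domain"]`` is not a plain hostname.
        """
        self.domain = args["domain"]
        if not self._DOMAIN_RE.fullmatch(self.domain):
            raise ValueError(f"not a valid domain name: {self.domain!r}")
        # SOA serial in YYYYMMDDnnnnnn form, from the local date (as before; the
        # old now()->timestamp()->fromtimestamp() round trip was a no-op).
        self.date = datetime.now().strftime("%Y%m%d000001")
        # Ignore /etc/resolv.conf and ask Cloudflare's resolver directly so the
        # answer does not depend on the local caching resolver.
        self.dns_resolver = resolver.Resolver(configure=False)
        self.dns_resolver.nameservers = ["2606:4700:4700::1111"]

    def on_init(self):
        """Run the CNAME/NS check and, if delegated and ``--generate`` is set,
        add the zone file to the repository.

        Raises:
            subprocess.CalledProcessError: if any git step fails.
        """
        cname = self._lookup_cname()
        if cname == self.LB_CNAME:
            print("CNAME is pointed at mw-lb.miraheze.org. No further action required")
            return
        if cname is not None:
            # Previously this case fell through without any output.
            print(f"CNAME is pointed at {cname}, not mw-lb.miraheze.org. No action taken")
            return
        print("No CNAME is pointed. Trying NS...")
        nameservers = self._lookup_nameservers()
        # Both ns1 and ns2 must be present (the old check only ever tested ns1:
        # `ns == "ns1..." and "ns2..."` is always true on the right-hand side).
        if not self.NAMESERVERS <= nameservers:
            print("No NS is pointed. Domain is not pointed to Miraheze")
            return
        if not args.get("generate"):
            print(
                "Nameservers are pointed to ns1 and ns2. "
                "Re-run with --generate to create the zone file"
            )
            return
        print("Nameservers are pointed to ns1 and ns2. Generating zone file")
        self._prepare_repo()
        if self._write_zone():
            self._commit_and_push()

    def _lookup_cname(self):
        """Return the domain's CNAME target (with trailing dot) or None if it has none."""
        try:
            return str(self.dns_resolver.resolve(self.domain, "CNAME")[0])
        except (resolver.NoAnswer, resolver.NXDOMAIN, resolver.NoNameservers):
            return None

    def _lookup_nameservers(self):
        """Return the frozenset of NS targets for the domain (empty if none)."""
        try:
            answer = self.dns_resolver.resolve(self.domain, "NS")
        except (resolver.NoAnswer, resolver.NXDOMAIN, resolver.NoNameservers):
            return frozenset()
        return frozenset(str(rdata) for rdata in answer)

    def _git(self, *argv):
        """Run ``git -C REPO_DIR argv...``; raise CalledProcessError on failure."""
        # Argument list, not a shell string: the domain never reaches a shell.
        subprocess.run(["git", "-C", self.REPO_DIR, *argv], check=True)

    def _prepare_repo(self):
        """Clone the dns repo if it is missing and bring it level with origin/master."""
        subprocess.run(
            ["git", "config", "--global", "core.sshCommand", self.SSH_COMMAND],
            check=True,
        )
        # Only clone on first use; an existing checkout is reset and pulled below.
        if not os.path.isdir(os.path.join(self.REPO_DIR, ".git")):
            subprocess.run(
                ["git", "clone", self.CLONE_URL],
                cwd=self.CHECKOUT_PARENT,
                check=True,
            )
        self._git("config", "user.name", "MirahezeSSLBot")
        self._git("config", "user.email", "noreply@miraheze.org")
        self._git("reset", "--hard", "origin/master")
        self._git("pull")

    def _write_zone(self):
        """Write the zone file for the domain.

        Returns:
            True if the file was created, False if one already existed (in
            which case it is left untouched rather than appended to).
        """
        path = os.path.join(self.REPO_DIR, self.ZONES_SUBDIR, self.domain)
        lines = [
            "$TTL 300",
            f"$ORIGIN {self.domain}",
            "",
            "@\t\tSOA ns1.miraheze.org. hostmaster.miraheze.org. (",
            f"\t\t{self.date} ; serial",
            "\t\t7200 ; refresh",
            "\t\t30M ; retry",
            "\t\t3D ; expire",
            "\t\t900 ; ncache",
            ")",
            "",
            "; Wildcard services",
            "@\t\tDYNA geoip!cp",
            "",
            "; Name servers",
            "@\t\tNS\tns1.miraheze.org.",
            "@\t\tNS\tns2.miraheze.org.",
            "",
            # CAA in generic (RFC 3597) form.  The hex decodes to
            # "issue letsencrypt.org" and "iodef mailto:operations@miraheze.org",
            # so the comment says .org (it used to say .com).  "\\#" yields the
            # literal "\#" the format needs without an invalid escape.
            "; CAA (issue: letsencrypt.org, iodef: operations)",
            "@\t\tTYPE257 \\# 22 000569737375656C657473656E63727970742E6F7267",
            "@\t\tTYPE257 \\# 37 0005696F6465666D61696C746F3A6F7065726174696F6E73406D69726168657A652E6F7267",
            "",
            "; Mail exchangers",
            "",
            "; Servers",
            "",
            "; Services",
            "www DYNA geoip!cp",
            "",
            "; load balancers",
            "",
            "; Other",
        ]
        try:
            # Exclusive create: never append to or clobber a zone already in the repo.
            with open(path, "x") as zone:
                zone.write("\n".join(lines) + "\n")
        except FileExistsError:
            print(f"Zone file for {self.domain} already exists. Not overwriting it")
            return False
        return True

    def _commit_and_push(self):
        """Stage the new zone file, commit it as the bot and push to master."""
        try:
            operator = os.getlogin()
        except OSError:
            # No controlling terminal (cron/monitoring): fall back to the environment.
            operator = os.environ.get("USER", "unknown")
        # Repo-relative path; the old code added /srv/dns/<domain>, which is not
        # where the file was written.
        self._git("add", os.path.join(self.ZONES_SUBDIR, self.domain))
        self._git(
            "commit",
            "-m", f"Bot: Add DNS zone for {self.domain}",
            "-m", f"DNS zone committed by {operator}",
        )
        self._git("push", "origin", "master")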
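if __name__ == "__main__":
    # Entry point: one domain check (and, with --generate, one zone) per run.
    # Guarded so importing the module does not trigger DNS lookups or git work.
    zone = DnsZone()
    zone.on_init()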

Does this account for CNAME flattening? Because that will be the case with many DNS providers, since you can’t set a CNAME for a root domain. Also it looks like for domains pointed via NS you would have to go back and manually edit the zone if the user had requested a non-www subdomain.