-rw-r--r--README.md8
-rwxr-xr-xbuild.sh22
-rw-r--r--config/obr/named/etc/named.conf134
-rw-r--r--config/obr/nsd-external/etc/nsd.conf43
-rw-r--r--config/obr/nsd-external/run/xfr/.gitkeep (renamed from config/obr/nsd/db/.gitkeep)0
-rw-r--r--config/obr/nsd-external/zones/andreasbaumann.cc (renamed from config/obr/nsd/zones/andreasbaumann.cc-external)0
-rw-r--r--config/obr/nsd-external/zones/bikecentum.com (renamed from config/obr/nsd/zones/bikecentum.com-external)0
-rw-r--r--config/obr/nsd-external/zones/maschezuoz.ch (renamed from config/obr/nsd/zones/maschezuoz.ch-external)0
-rw-r--r--config/obr/nsd-internal/db/.gitkeep (renamed from config/obr/nsd/run/.gitkeep)0
-rw-r--r--config/obr/nsd-internal/etc/nsd.conf45
-rw-r--r--config/obr/nsd-internal/run/xfr/.gitkeep (renamed from config/obr/nsd/run/xfr/.gitkeep)0
-rw-r--r--config/obr/nsd-internal/zones/1.168.192.in-addr (renamed from config/obr/nsd/zones/1.168.192.in-addr)0
-rw-r--r--config/obr/nsd-internal/zones/andreasbaumann.cc (renamed from config/obr/nsd/zones/andreasbaumann.cc-internal)0
-rw-r--r--config/obr/nsd-internal/zones/bikecentum.com (renamed from config/obr/nsd/zones/bikecentum.com-internal)0
-rw-r--r--config/obr/nsd-internal/zones/lan (renamed from config/obr/nsd/zones/lan)0
-rw-r--r--config/obr/nsd-internal/zones/maschezuoz.ch (renamed from config/obr/nsd/zones/maschezuoz.ch-internal)0
-rw-r--r--config/obr/nsd-internal/zones/project-strus.net (renamed from config/obr/nsd/zones/project-strus.net-internal)0
-rw-r--r--config/obr/nsd/etc/nsd.conf33
-rw-r--r--config/obr/nsd/zones/.gitkeep0
-rw-r--r--config/obr/pf.conf9
-rw-r--r--config/obr/rc.services11
-rwxr-xr-xtemplate/usr/sbin/restart_dns15
22 files changed, 131 insertions, 189 deletions
diff --git a/README.md b/README.md
index 1274200..f1bd460 100644
--- a/README.md
+++ b/README.md
@@ -46,10 +46,14 @@ dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c"
- config: machine-specific configuration (e.g. pf.conf)
- hardware: flash disk geometry for specific machines
+## News
+
+- updated to OpenBSD 5.8
+- example shows how to use two nsd's and one unbound to replace a split horizon
+ configuration formerly done with bind views
+
## Roadmap
-- update to OpenBSD 5.8
- - this mainly means moving away from `bind` to `nsd` and `unbound`
- improve update process, preferably an in-situ update via TFTP
- deal with logging
- sensord
diff --git a/build.sh b/build.sh
index 38273bf..381dc06 100755
--- a/build.sh
+++ b/build.sh
@@ -321,12 +321,24 @@ if test -d config/$HOSTNAME/joe/; then
cp -R /usr/local/bin/joe $MOUNTPOINT/usr/bin/jstar
fi
-# when we run an authorative name server
-if test -d config/$HOSTNAME/nsd/; then
- cp -R config/$HOSTNAME/nsd $MOUNTPOINT/etc/.
+# when we run an authorative name server for local DNS spoofing,
+# split horizon entries and we don't like to stuff data from
+# zone files into unbound's configuration as local data
+if test -d config/$HOSTNAME/nsd-internal/; then
+ cp -R config/$HOSTNAME/nsd-internal $MOUNTPOINT/etc/.
cp -R /usr/sbin/nsd $MOUNTPOINT/usr/sbin/.
cp -R /usr/sbin/nsd-{checkconf,checkzone,control,control-setup} $MOUNTPOINT/usr/sbin/.
- nsd-control-setup -d $MOUNTPOINT/etc/nsd/etc
+ nsd-control-setup -d $MOUNTPOINT/etc/nsd-internal/etc
+ cp -R template/usr/sbin/restart_dns $MOUNTPOINT/usr/sbin/.
+fi
+
+# when we run an authorative name server for public zones (in this
+# case one DNS master and buddyns as public slaves)
+if test -d config/$HOSTNAME/nsd-external/; then
+ cp -R config/$HOSTNAME/nsd-external $MOUNTPOINT/etc/.
+ cp -R /usr/sbin/nsd $MOUNTPOINT/usr/sbin/.
+ cp -R /usr/sbin/nsd-{checkconf,checkzone,control,control-setup} $MOUNTPOINT/usr/sbin/.
+ nsd-control-setup -d $MOUNTPOINT/etc/nsd-external/etc
cp -R template/usr/sbin/restart_dns $MOUNTPOINT/usr/sbin/.
fi
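Review bot: The new nsd-external block (L72-L78) is a verbatim copy of the nsd-internal block above it — the same four `cp -R` lines and the `nsd-control-setup -d` call differ only in the view name — so any later fix (a changed binary list, a quoted `$MOUNTPOINT`) has to be made twice and the two will drift. A single loop over the view names keeps one copy of the install steps and still tolerates a host that ships only one of the two directories, since the `test -d` guard stays inside the loop. The `restart_dns` template is then copied once per installed view, which is harmless but worth knowing when reading the build log.
```shell
# when we run an authoritative name server: nsd-internal serves the local
# DNS spoofing / split horizon entries, nsd-external serves the public
# zones (one DNS master and buddyns as public slaves)
for view in internal external; do
  if test -d config/$HOSTNAME/nsd-$view/; then
    cp -R config/$HOSTNAME/nsd-$view $MOUNTPOINT/etc/.
    cp -R /usr/sbin/nsd $MOUNTPOINT/usr/sbin/.
    cp -R /usr/sbin/nsd-{checkconf,checkzone,control,control-setup} $MOUNTPOINT/usr/sbin/.
    nsd-control-setup -d $MOUNTPOINT/etc/nsd-$view/etc
    cp -R template/usr/sbin/restart_dns $MOUNTPOINT/usr/sbin/.
  fi
done
```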
@@ -362,6 +374,8 @@ chmod 400 $MOUNTPOINT/etc/ssh/ssh_host_rsa_key
echo "Cleaning up."
+find $MOUNTPOINT -name .gitkeep -exec rm {} \;
+
sync
sleep 2
umount $MOUNTPOINT
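Review bot: The added `find` on L81 walks the whole mounted image with an unquoted `$MOUNTPOINT` and no `-type` filter, so an unset variable makes `find` search nothing or the wrong tree, and a directory that happens to be named `.gitkeep` would be handed to `rm` and fail. Restricting to regular files and batching the removals is enough: `find "$MOUNTPOINT" -type f -name .gitkeep -exec rm -f -- {} +`. The surrounding cleanup sequence starts before this hunk.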
diff --git a/config/obr/named/etc/named.conf b/config/obr/named/etc/named.conf
deleted file mode 100644
index 24b6a65..0000000
--- a/config/obr/named/etc/named.conf
+++ /dev/null
@@ -1,134 +0,0 @@
-include "/etc/rndc.key";
-
-controls {
- inet 127.0.0.1 port 953
- allow { 127.0.0.1; }
- keys { "rndc-key"; };
-};
-
-acl "BuddyNsTransferDns" {
- 173.244.206.25;
- 173.244.206.26;
- 88.198.106.11;
-};
-
-acl "BuddyNsQueryDns" {
- 173.244.206.25;
- 173.244.206.26;
- 88.198.106.11;
-};
-
-acl "MyClients" {
- 192.168.1.0/24;
- 127.0.0.1;
- ::1;
-};
-
-options {
- version "";
-
- directory "/";
-
- interface-interval 0;
-
- listen-on { any; };
- listen-on-v6 { none; };
-
- empty-zones-enable yes;
-
- allow-query {
- MyClients;
- BuddyNsQueryDns;
- };
-
- allow-transfer {
- BuddyNsTransferDns;
- };
-
- allow-recursion { MyClients; };
-
- forwarders { 194.246.118.118; 212.25.28.55; };
-};
-
-logging {
- category lame-servers { null; };
-};
-
-view "internal" {
- match-clients { MyClients; };
-
- zone "." {
- type hint;
- file "etc/root.hint";
- };
-
- zone "localhost" {
- type master;
- file "standard/localhost";
- allow-transfer { localhost; };
- };
-
- zone "127.in-addr.arpa" {
- type master;
- file "standard/loopback";
- allow-transfer { localhost; };
- };
-
- zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
- type master;
- file "standard/loopback6.arpa";
- allow-transfer { localhost; };
- };
-
- # TODO: Don't use!! TLDs can be anything nowadays..
- zone "lan" {
- type master;
- file "master/lan";
- };
-
- zone "1.168.192.in-addr.arpa" {
- type master;
- file "master/1.168.192.in-addr";
- };
-
- zone "andreasbaumann.cc" {
- type master;
- file "master/andreasbaumann.cc-internal";
- };
-
- zone "bikecentum.com" {
- type master;
- file "master/bikecentum.com-internal";
- };
-
- zone "maschezuoz.ch" {
- type master;
- file "master/maschezuoz.ch-internal";
- };
-
- zone "project-strus.net" {
- type master;
- file "master/project-strus.net-internal";
- };
-
-};
-
-view "external" {
- match-clients { BuddyNsQueryDns; };
-
- zone "andreasbaumann.cc" {
- type master;
- file "master/andreasbaumann.cc-external";
- };
-
- zone "bikecentum.com" {
- type master;
- file "master/bikecentum.com-external";
- };
-
- zone "maschezuoz.ch" {
- type master;
- file "master/maschezuoz.ch-external";
- };
-
-};
diff --git a/config/obr/nsd-external/etc/nsd.conf b/config/obr/nsd-external/etc/nsd.conf
new file mode 100644
index 0000000..e0c65cb
--- /dev/null
+++ b/config/obr/nsd-external/etc/nsd.conf
@@ -0,0 +1,43 @@
+# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
+
+server:
+ hide-version: yes
+ verbosity: 1
+ ip-address: 83.150.2.48@53
+ chroot: "/var/nsd-external"
+ zonesdir: "/var/nsd-external/zones"
+ pidfile: "/var/nsd-external/run/nsd.pid"
+ xfrdfile: "/var/nsd-external/run/xfrd.state"
+ xfrdir: "/var/nsd-external/run/xfr"
+ zonelistfile: "/var/nsd-external/db/zone.list"
+ database: ""
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ control-port: 8954
+ server-cert-file: "/var/nsd-external/etc/nsd_server.pem"
+ server-key-file: "/var/nsd-external/etc/nsd_server.key"
+ control-cert-file: "/var/nsd-external/etc/nsd_control.pem"
+ control-key-file: "/var/nsd/etc/nsd_control.key"
+
+zone:
+ name: "andreasbaumann.cc"
+ zonefile: "andreasbaumann.cc"
+ provide-xfr: 173.244.206.25 NOKEY
+ provide-xfr: 173.244.206.26 NOKEY
+ provide-xfr: 88.198.106.11 NOKEY
+
+zone:
+ name: "maschezuoz.ch"
+ zonefile: "maschezuoz.ch"
+ provide-xfr: 173.244.206.25 NOKEY
+ provide-xfr: 173.244.206.26 NOKEY
+ provide-xfr: 88.198.106.11 NOKEY
+
+zone:
+ name: "bikecentum.com"
+ zonefile: "bikecentum.com"
+ provide-xfr: 173.244.206.25 NOKEY
+ provide-xfr: 173.244.206.26 NOKEY
+ provide-xfr: 88.198.106.11 NOKEY
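Review bot: `control-key-file` on L253 still points at `/var/nsd/etc/nsd_control.key`, the directory this commit removes, while the server cert/key and control cert on L250-L252 and the `nsd-control-setup -d` call in build.sh all use `nsd-external/etc`; nsd-control will therefore not find its client key for this instance. It should read `control-key-file: "/var/nsd-external/etc/nsd_control.key"`. The same slip is in config/obr/nsd-internal/etc/nsd.conf, where the line should point at `/var/nsd-internal/etc/nsd_control.key`. Separately, the three `provide-xfr: ... NOKEY` entries per zone authorize AXFR by source address only, as the deleted named.conf ACLs did; if the secondaries support TSIG, a shared key (`key:` block plus the key name in place of `NOKEY`) would tie transfers to a credential rather than to a spoofable address.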
diff --git a/config/obr/nsd/db/.gitkeep b/config/obr/nsd-external/run/xfr/.gitkeep
index e69de29..e69de29 100644
--- a/config/obr/nsd/db/.gitkeep
+++ b/config/obr/nsd-external/run/xfr/.gitkeep
diff --git a/config/obr/nsd/zones/andreasbaumann.cc-external b/config/obr/nsd-external/zones/andreasbaumann.cc
index 5bc48db..5bc48db 100644
--- a/config/obr/nsd/zones/andreasbaumann.cc-external
+++ b/config/obr/nsd-external/zones/andreasbaumann.cc
diff --git a/config/obr/nsd/zones/bikecentum.com-external b/config/obr/nsd-external/zones/bikecentum.com
index 50175f3..50175f3 100644
--- a/config/obr/nsd/zones/bikecentum.com-external
+++ b/config/obr/nsd-external/zones/bikecentum.com
diff --git a/config/obr/nsd/zones/maschezuoz.ch-external b/config/obr/nsd-external/zones/maschezuoz.ch
index 3efa1a3..3efa1a3 100644
--- a/config/obr/nsd/zones/maschezuoz.ch-external
+++ b/config/obr/nsd-external/zones/maschezuoz.ch
diff --git a/config/obr/nsd/run/.gitkeep b/config/obr/nsd-internal/db/.gitkeep
index e69de29..e69de29 100644
--- a/config/obr/nsd/run/.gitkeep
+++ b/config/obr/nsd-internal/db/.gitkeep
diff --git a/config/obr/nsd-internal/etc/nsd.conf b/config/obr/nsd-internal/etc/nsd.conf
new file mode 100644
index 0000000..87d4add
--- /dev/null
+++ b/config/obr/nsd-internal/etc/nsd.conf
@@ -0,0 +1,45 @@
+# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
+
+server:
+ hide-version: yes
+ verbosity: 1
+ ip-address: 127.0.0.1@8053
+ chroot: "/var/nsd-internal"
+ zonesdir: "/var/nsd-internal/zones"
+ pidfile: "/var/nsd-internal/run/nsd.pid"
+ xfrdfile: "/var/nsd-internal/run/xfrd.state"
+ xfrdir: "/var/nsd-internal/run/xfr"
+ zonelistfile: "/var/nsd-internal/db/zone.list"
+ database: ""
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ server-cert-file: "/var/nsd-internal/etc/nsd_server.pem"
+ server-key-file: "/var/nsd-internal/etc/nsd_server.key"
+ control-cert-file: "/var/nsd-internal/etc/nsd_control.pem"
+ control-key-file: "/var/nsd/etc/nsd_control.key"
+
+zone:
+ name: "lan"
+ zonefile: "lan"
+
+zone:
+ name: "1.168.192.in-addr.arpa"
+ zonefile: "1.168.192.in-addr"
+
+zone:
+ name: "andreasbaumann.cc"
+ zonefile: "andreasbaumann.cc"
+
+zone:
+ name: "maschezuoz.ch"
+ zonefile: "maschezuoz.ch"
+
+zone:
+ name: "bikecentum.com"
+ zonefile: "bikecentum.com"
+
+zone:
+ name: "project-strus.net"
+ zonefile: "project-strus.net"
diff --git a/config/obr/nsd/run/xfr/.gitkeep b/config/obr/nsd-internal/run/xfr/.gitkeep
index e69de29..e69de29 100644
--- a/config/obr/nsd/run/xfr/.gitkeep
+++ b/config/obr/nsd-internal/run/xfr/.gitkeep
diff --git a/config/obr/nsd/zones/1.168.192.in-addr b/config/obr/nsd-internal/zones/1.168.192.in-addr
index b70945c..b70945c 100644
--- a/config/obr/nsd/zones/1.168.192.in-addr
+++ b/config/obr/nsd-internal/zones/1.168.192.in-addr
diff --git a/config/obr/nsd/zones/andreasbaumann.cc-internal b/config/obr/nsd-internal/zones/andreasbaumann.cc
index d76a5af..d76a5af 100644
--- a/config/obr/nsd/zones/andreasbaumann.cc-internal
+++ b/config/obr/nsd-internal/zones/andreasbaumann.cc
diff --git a/config/obr/nsd/zones/bikecentum.com-internal b/config/obr/nsd-internal/zones/bikecentum.com
index f954b63..f954b63 100644
--- a/config/obr/nsd/zones/bikecentum.com-internal
+++ b/config/obr/nsd-internal/zones/bikecentum.com
diff --git a/config/obr/nsd/zones/lan b/config/obr/nsd-internal/zones/lan
index b0d12b6..b0d12b6 100644
--- a/config/obr/nsd/zones/lan
+++ b/config/obr/nsd-internal/zones/lan
diff --git a/config/obr/nsd/zones/maschezuoz.ch-internal b/config/obr/nsd-internal/zones/maschezuoz.ch
index cc10a70..cc10a70 100644
--- a/config/obr/nsd/zones/maschezuoz.ch-internal
+++ b/config/obr/nsd-internal/zones/maschezuoz.ch
diff --git a/config/obr/nsd/zones/project-strus.net-internal b/config/obr/nsd-internal/zones/project-strus.net
index edce576..edce576 100644
--- a/config/obr/nsd/zones/project-strus.net-internal
+++ b/config/obr/nsd-internal/zones/project-strus.net
diff --git a/config/obr/nsd/etc/nsd.conf b/config/obr/nsd/etc/nsd.conf
deleted file mode 100644
index c16a481..0000000
--- a/config/obr/nsd/etc/nsd.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
-
-server:
- hide-version: yes
- verbosity: 1
- ip-address: 127.0.0.1@8053
-
-remote-control:
- control-enable: yes
-
-zone:
- name: "lan"
- zonefile: "lan"
-
-zone:
- name: "1.168.192.in-addr.arpa"
- zonefile: "1.168.192.in-addr"
-
-zone:
- name: "andreasbaumann.cc"
- zonefile: "andreasbaumann.cc-internal"
-
-zone:
- name: "maschezuoz.ch"
- zonefile: "maschezuoz.ch-internal"
-
-zone:
- name: "bikecentum.com"
- zonefile: "bikecentum.com-internal"
-
-zone:
- name: "project-strus.net"
- zonefile: "project-strus.net-internal"
diff --git a/config/obr/nsd/zones/.gitkeep b/config/obr/nsd/zones/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/config/obr/nsd/zones/.gitkeep
+++ /dev/null
diff --git a/config/obr/pf.conf b/config/obr/pf.conf
index 3882898..60d7075 100644
--- a/config/obr/pf.conf
+++ b/config/obr/pf.conf
@@ -20,9 +20,6 @@ euroweb = 192.168.1.15
# our own networks
table <intNetworks> const { 192.168.1.0/24 }
-# buddyns.org external public DNS servers
-BuddyNsDns = "{ 173.244.206.26, 88.198.106.11 }"
-
# default rule, block all
block all
@@ -59,9 +56,9 @@ pass in inet proto icmp all icmp-type echoreq
# allow DHCP from IWay
pass in quick on $ext_if proto udp from port 67 to port 68
-# allow DNS requests from buddyns.org
-pass in quick on $ext_if proto tcp from $BuddyNsDns to port 53
-pass in quick on $ext_if proto udp from $BuddyNsDns to port 53
+# allow DNS requests
+pass in quick on $ext_if proto tcp from any to port 53
+pass in quick on $ext_if proto udp from any to port 53
# sanitize traffic from unknown or illegal sources on the external interface
#block in quick on $ext_if from no-route to any
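Review bot: The replacement rules on L437-L438 have no destination address, so `pass in quick on $ext_if ... from any to port 53` admits inbound port-53 traffic to any destination the router would forward, not only to the nsd-external listener on the external address; the old rules were at least confined to the BuddyNs source table. Pinning the destination keeps the public authoritative service reachable while leaving the resolver and the internal network out of it: `pass in quick on $ext_if proto tcp from any to ($ext_if) port 53` and `pass in quick on $ext_if proto udp from any to ($ext_if) port 53`. If unbound is bound to the external interface as well (not visible here), it would now be reachable from the internet under these rules and should be checked.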
diff --git a/config/obr/rc.services b/config/obr/rc.services
index 20b08ef..f65c1b5 100644
--- a/config/obr/rc.services
+++ b/config/obr/rc.services
@@ -1,8 +1,11 @@
echo nsd: starting authorative name server..
-cp -R /etc/nsd /tmp/var/nsd
-chown -R root:_nsd /tmp/var/nsd/{db,etc,run}
-chmod 0770 /tmp/var/nsd/{db,run,run/xfr}
-/usr/sbin/nsd
+for view in internal external; do
+ cp -R /etc/nsd-$view /tmp/var/nsd-$view
+ chown -R root:_nsd /tmp/var/nsd-$view/{db,etc,run}
+ chmod 0770 /tmp/var/nsd-$view/{db,run,run/xfr}
+done
+/usr/sbin/nsd -c /var/nsd-internal/etc/nsd.conf
+/usr/sbin/nsd -c /var/nsd-external/etc/nsd.conf
echo unbound: starting DNS resolver..
cp -R /etc/unbound /tmp/var/unbound
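Review bot: The loop on L451-L455 and the two `nsd -c` lines on L456-L457 assume both `/etc/nsd-internal` and `/etc/nsd-external` exist, but build.sh installs each directory only when `config/$HOSTNAME/nsd-<view>/` is present; on a host with a single view the `cp`/`chown` lines fail and the second `nsd` is started against a missing config file. Guarding each view and starting its instance inside the loop keeps the two in step. The same unconditional loop and start lines appear in template/usr/sbin/restart_dns and would take the same guard.
```shell
for view in internal external; do
  # skip views that build.sh did not install for this host
  [ -d /etc/nsd-$view ] || continue
  cp -R /etc/nsd-$view /tmp/var/nsd-$view
  chown -R root:_nsd /tmp/var/nsd-$view/{db,etc,run}
  chmod 0770 /tmp/var/nsd-$view/{db,run,run/xfr}
  /usr/sbin/nsd -c /var/nsd-$view/etc/nsd.conf
done
```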
diff --git a/template/usr/sbin/restart_dns b/template/usr/sbin/restart_dns
index e36d8d7..8a23111 100755
--- a/template/usr/sbin/restart_dns
+++ b/template/usr/sbin/restart_dns
@@ -8,14 +8,17 @@ echo "unbound: stopping ..."
pkill unbound
sleep 3
-echo "nsd: starting authorative name server ..."
-rm -rf /tmp/var/nsd
-cp -R /etc/nsd /tmp/var/nsd
-chown -R root:_nsd /tmp/var/nsd/{db,etc,run}
-chmod 0770 /tmp/var/nsd/{db,run,run/xfr}
+echo "nsd: redeploy from persistent /etc/nsd to /var/nsd ..."
+for view in internal external; do
+ rm -rf /tmp/var/nsd-$view
+ cp -R /etc/nsd-$view /tmp/var/nsd-$view
+ chown -R root:_nsd /tmp/var/nsd-$view/{db,etc,run}
+ chmod 0770 /tmp/var/nsd-$view/{db,run,run/xfr}
+done
echo "nsd: restarting ..."
-/usr/sbin/nsd
+/usr/sbin/nsd -c /var/nsd-internal/etc/nsd.conf
+/usr/sbin/nsd -c /var/nsd-external/etc/nsd.conf
echo "unbound: redeploy from persistent /etc/unbound to /var/unboud ..."
rm -rf /tmp/var/unbound
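Review bot: The message on L472 still names the single `/etc/nsd` and `/var/nsd` directories, while the loop below redeploys `/etc/nsd-$view` into `/tmp/var/nsd-$view`, so the log line no longer matches what the script does. Something like `echo "nsd: redeploy from persistent /etc/nsd-* to /var/nsd-* ..."` keeps it accurate without hard-coding the view names twice. The script's stop sequence for nsd begins before this hunk.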