rsp2k/coredns
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
coredns/scripts/prepare-zones.sh
Ryan Malloy 87eaa27c4c coredns: auto-bump SOA serial (NN counter) on every make prep 
Previously: `SERIAL=$(date +%Y%m%d)01` — same-day re-runs produced the
same serial. HE polled, saw no change, never pulled the update.

Now: scan zones-prepared/ for the highest `YYYYMMDDNN` matching today's
date and increment the NN counter. First run of the day starts at NN=01.
Caps at NN=99 with a clear error message (set SERIAL manually if you
genuinely need >99 changes per day).

`SERIAL=<value> make prep` still overrides the auto-detection, useful
for forcing a specific serial during recovery or for testing.

Verified end-to-end on dell01: prep bumped 2026051601 → 2026051602,
CoreDNS auto-reload picked it up within 30s, all queried zones serve
the new serial. HE will pull on its next refresh poll (SOA refresh
= 3600s, so worst case 1 hour).
2026-05-16 16:25:53 -06:00

124 lines
4.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Injects an SOA record + canonical NS records into each raw Vultr zone
# file, then writes the result to zones-prepared/. Source files in zones/
# are never modified.
#
# Corrections applied to each zone:
# 1. Synthesize SOA — Vultr's export omits it. SOA mname is ns1.he.net
# because Hurricane Electric secondaries serve the public face of
# these zones (hidden-primary architecture).
# 2. Strip the source's ns1.vultr.com / ns2.vultr.com NS records and
# replace with the five HE nameservers, so AXFR-pulled zones at HE
# advertise the correct delegation.
# 3. Apex disambiguation: lines starting with leading-TAB-then-TTL get
# "@" prepended (Vultr's apex convention vs. RFC 1035 inheritance).
# 4. Dot-terminate NS/MX/CNAME rdata (Vultr exports unqualified names).
set -euo pipefail
SRC_DIR="${SRC_DIR:-zones}"
DST_DIR="${DST_DIR:-zones-prepared}"
ADMIN_EMAIL="${ADMIN_EMAIL:-admin}" # becomes admin.<zone>.
# Serial number generation — YYYYMMDDNN format (RFC 1912 §2.2).
#
# Strategy: every `make prep` run produces a strictly-increasing serial
# so that HE slaves notice the change on their next poll. If today's
# previous serials exist in zones-prepared/, increment the 2-digit
# counter. Otherwise start at NN=01.
#
# Honors an explicit override: `SERIAL=2026051699 make prep` skips the
# auto-detection.
TODAY=$(date +%Y%m%d)
if [[ -z "${SERIAL:-}" ]]; then
# Pull the highest YYYYMMDDNN serial from currently-prepared zones
# that starts with today's date. If none, default to NN=01.
highest=$(grep -hE '^[[:space:]]+'"${TODAY}"'[0-9]{2}[[:space:]]+;' "$DST_DIR"/*.zone 2>/dev/null \
| awk '{print $1}' | sort -un | tail -1)
if [[ -n "$highest" ]]; then
nn=$((10#${highest:8:2}))
next_nn=$((nn + 1))
if (( next_nn > 99 )); then
echo "ERROR: serial counter exhausted for ${TODAY} (NN=99 reached)." >&2
echo "Set SERIAL manually or wait until tomorrow." >&2
exit 1
fi
SERIAL=$(printf "%s%02d" "$TODAY" "$next_nn")
else
SERIAL="${TODAY}01"
fi
fi
# Public-facing nameservers (Hurricane Electric free secondary service).
# These appear in NS records inside every zone so that recursive
# resolvers fetching the zone learn the correct delegation.
HE_NAMESERVERS=(
"ns1.he.net."
"ns2.he.net."
"ns3.he.net."
"ns4.he.net."
"ns5.he.net."
)
mkdir -p "$DST_DIR"
count=0
for src in "$SRC_DIR"/*.zone; do
fname=$(basename "$src")
zone="${fname%.zone}"
dst="$DST_DIR/$fname"
{
echo "; Auto-prepared by scripts/prepare-zones.sh on $(date -Iseconds)"
echo "; Source: $src"
echo "\$ORIGIN ${zone}."
echo "\$TTL 3600"
echo "@ 3600 IN SOA ns1.he.net. ${ADMIN_EMAIL}.${zone}. ("
echo " ${SERIAL} ; serial — bump per change (SERIAL=YYYYMMDDNN make prep)"
echo " 3600 ; refresh (1 hour)"
echo " 1800 ; retry (30 minutes)"
echo " 604800 ; expire (1 week)"
echo " 300 ; minimum (5 minutes)"
echo " )"
echo ""
# Inject HE nameservers as the authoritative NS set.
for ns in "${HE_NAMESERVERS[@]}"; do
echo "@ 3600 IN NS ${ns}"
done
echo ""
# Strip source's own $ORIGIN / $TTL / comments AND drop ns?.vultr.com
# NS records (we just emitted HE's NS set above). Then run the awk
# transformations for apex disambiguation and rdata dot-termination.
grep -vE '^\$(ORIGIN|TTL)|^;' "$src" \
| grep -vE '[[:space:]]NS[[:space:]]+ns[12]\.vultr\.com\.?[[:space:]]*$' \
| awk '
NF == 0 { print; next }
{
# (a) Detect Vultr-style apex line: leading whitespace, then TTL,
# then "IN". Prepend "@" so the owner is explicit.
if ($0 ~ /^[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]/) {
sub(/^[[:space:]]+/, "@\t", $0)
}
# (b) Dot-terminate trailing hostname for NS/CNAME/MX rdata.
type = ""
for (i = 1; i <= NF; i++) {
if ($i == "NS" || $i == "CNAME" || $i == "MX") { type = $i; break }
}
if (type != "") {
target = $NF
if (index(target, ".") > 0 && substr(target, length(target), 1) != ".") {
sub(/[[:space:]]+$/, "", $0)
print $0 "."
next
}
}
print
}
'
} > "$dst"
count=$((count + 1))
done
echo "Prepared ${count} zone files in ${DST_DIR}/ (serial=${SERIAL})"
Reference in New Issue View Git Blame Copy Permalink