From 07871395ef7dfb7cce79c1b97457db4c68c59b7d Mon Sep 17 00:00:00 2001 From: Grant Slater Date: Tue, 1 Jun 2021 00:14:55 +0100 Subject: [PATCH] Use SPF and CAA builder. Normalise TTL --- src/opengeodata.js | 28 +++++++++++++++++++---- src/openstreetmap-uk.js | 24 ++++++++++++++++---- src/openstreetmap-za.js | 24 ++++++++++++++++---- src/openstreetmap.js | 49 ++++++++++++++++++++++++++++++++--------- src/osm2pgsql.js | 22 ++++++++++++------ src/osmfoundation.js | 26 ++++++++++++++++++---- src/stateofthemap-eu.js | 14 +++++++++--- src/stateofthemap.js | 34 +++++++++++++++++++++------- src/switch2osm.js | 26 +++++++++++++++++++--- 9 files changed, 200 insertions(+), 47 deletions(-) diff --git a/src/opengeodata.js b/src/opengeodata.js index 6dfc203..fe35467 100644 --- a/src/opengeodata.js +++ b/src/opengeodata.js @@ -2,9 +2,29 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + ], + issuewild: [ + "letsencrypt.org", + ], + }), + + // Delegate SPF policy to the main domain + + SPF_BUILDER({ + label: "@", + ttl: "1h", + parts: [ + "v=spf1", + "include:openstreetmap.org", // main openstreetmap.org spf record + "-all" + ] + }), // Main web server and it's aliases @@ -12,4 +32,4 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), A("old", RIDLEY_IPV4, TTL("10m")), A("www", RIDLEY_IPV4, TTL("10m")) -); +); \ No newline at end of file diff --git a/src/openstreetmap-uk.js b/src/openstreetmap-uk.js index bfed62e..a8908c2 100644 --- a/src/openstreetmap-uk.js +++ b/src/openstreetmap-uk.js 
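Review bot: The new SPF record publishes `-all` for opengeodata.org, but the hunk adds no `_dmarc` record, so a forged From: header for this domain is still accepted unless a DMARC policy is defined elsewhere in the file (not visible in this patch). If the domain really only needs the delegation for mail relayed via openstreetmap.org, adding `TXT("_dmarc", "v=DMARC1; p=reject; rua=mailto:postmaster@openstreetmap.org")` next to the builder (postmaster@ is already the reporting address used for TLSRPT on the main domain) would make the policy enforceable; if opengeodata.org never sends mail at all, `v=spf1 -all` without the include is the tighter record. Either way a one-line comment stating which of the two cases applies would help the next editor.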
@@ -2,9 +2,17 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + ], + issuewild: [ + "letsencrypt.org", + ], + }), // Let the main domain handle the email @@ -12,7 +20,15 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Delegate SPF policy to the main domain - TXT("@", "v=spf1 include:openstreetmap.org -all"), + SPF_BUILDER({ + label: "@", + ttl: "1h", + parts: [ + "v=spf1", + "include:openstreetmap.org", // main openstreetmap.org spf record + "-all" + ] + }), // Delegate MTA-STS policy to the main domain diff --git a/src/openstreetmap-za.js b/src/openstreetmap-za.js index b8904b5..78061ef 100644 --- a/src/openstreetmap-za.js +++ b/src/openstreetmap-za.js @@ -2,9 +2,17 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + ], + issuewild: [ + "letsencrypt.org", + ], + }), // Let the main domain handle the email @@ -12,7 +20,15 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Delegate SPF policy to the main domain - TXT("@", "v=spf1 include:openstreetmap.org -all"), + SPF_BUILDER({ + label: "@", + ttl: "1h", + parts: [ + "v=spf1", + "include:openstreetmap.org", // main openstreetmap.org spf record + "-all" + ] + }), // Delegate MTA-STS policy to the main domain 
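Review bot: The CAA_BUILDER block in this hunk is one of eight byte-identical copies of the Let's Encrypt-only policy spread across the files in this patch (opengeodata, openstreetmap-uk, openstreetmap-za, osm2pgsql, osmfoundation, stateofthemap, stateofthemap-eu, switch2osm), so the set of trusted CAs has to be edited in every file when it changes, and a stale copy in one file silently leaves that zone trusting a CA the others no longer do. A shared helper declared wherever RIDLEY_IPV4 and the other constants live (outside this patch), e.g. `var CAA_LETSENCRYPT_ONLY = function () { return CAA_BUILDER({ label: "@", ttl: "1h", iodef: "mailto:hostmaster@openstreetmap.org", issue: ["letsencrypt.org"], issuewild: ["letsencrypt.org"] }); };`, would keep the trust list in one place. Only openstreetmap.js, which additionally trusts globalsign.com for Fastly, needs its own list.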
diff --git a/src/openstreetmap.js b/src/openstreetmap.js index b25f697..2f21f7f 100644 --- a/src/openstreetmap.js +++ b/src/openstreetmap.js @@ -2,11 +2,19 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt and globalsign (Fastly) should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issue", "globalsign.com", CF_TTL_ANY), - CAA("@", "issuewild", "globalsign.com", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + "globalsign.com", // Used by Fastly for CDN certificates + ], + issuewild: [ + "letsencrypt.org", + "globalsign.com", // Used by Fastly for CDN certificates + ], + }), // Use shenron as the MX host @@ -19,8 +27,29 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish SPF records indicating that only shenron sends mail - TXT("@", "v=spf1 ip4:212.110.172.32 ip6:2001:41c9:1:400::32 mx -all"), - TXT("otrs", "v=spf1 ip4:212.110.172.32 ip6:2001:41c9:1:400::32 mx -all"), + SPF_BUILDER({ + label: "@", + ttl: "1h", + parts: [ + "v=spf1", + "ip4:212.110.172.32", // shenron ipv4 + "ip6:2001:41c9:1:400::32", // shenron ipv6 + "mx", // safety net if we change mx + "-all" + ] + }), + + SPF_BUILDER({ + label: "otrs", + ttl: "1h", + parts: [ + "v=spf1", + "ip4:212.110.172.32", // shenron ipv4 + "ip6:2001:41c9:1:400::32", // shenron ipv6 + "mx", // safety net if we change mx + "-all" + ] + }), // Publish DKIM public key @@ -30,7 +59,7 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), TXT("_mta-sts", "v=STSv1; id=202001291805Z"), TXT("_smtp._tls", "v=TLSRPTv1; rua=mailto:postmaster@openstreetmap.org"), - + // Fastly cert domain ownership confirmation TXT("@", "_globalsign-domain-verification=ps00GlW1BzY9c2_cwH_pFqRkvzZyaCVZ-3RLssRG6S"), 
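Review bot: The bare `mx` term in the `otrs` SPF builder does not resolve the apex MX: with no argument the mechanism looks up the MX of the domain being checked, here otrs.openstreetmap.org, so unless that label has its own MX records (not visible in this hunk) the term matches nothing and the new comment `// safety net if we change mx` is misleading for that record. If the intent is to keep authorising whatever hosts are listed as the apex MX, write `"mx:openstreetmap.org", // apex MX hosts; a bare mx would resolve otrs's own MX` in the otrs builder, or drop the term there and rely on the explicit shenron addresses. The `@` record is unaffected; each `mx` and `include` term costs one of the ten DNS lookups SPF permits, which these records stay well inside.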
@@ -214,7 +243,7 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), CNAME("a.tile", "dualstack.osff2.map.fastly.net.", TTL("10m")), CNAME("b.tile", "dualstack.osff2.map.fastly.net.", TTL("10m")), CNAME("c.tile", "dualstack.osff2.map.fastly.net.", TTL("10m")), - + // Services machine A("ironbelly", IRONBELLY_IPV4), @@ -510,7 +539,7 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Donation site - A("donate", RIDLEY_IPV4, TTL("10m")), + A("donate", RIDLEY_IPV4), // Uptime site at StatusCake diff --git a/src/osm2pgsql.js b/src/osm2pgsql.js index 770979a..070dda9 100644 --- a/src/osm2pgsql.js +++ b/src/osm2pgsql.js @@ -2,15 +2,23 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + ], + issuewild: [ + "letsencrypt.org", + ], + }), // Main web server and it's aliases - A("@", "138.201.190.130"), - AAAA("@", "2a01:4f8:1c17:6433::1"), - A("www", "138.201.190.130"), - AAAA("www", "2a01:4f8:1c17:6433::1") + A("@", "138.201.190.130", TTL("10m")), + AAAA("@", "2a01:4f8:1c17:6433::1", TTL("10m")), + A("www", "138.201.190.130", TTL("10m")), + AAAA("www", "2a01:4f8:1c17:6433::1", TTL("10m")) ); diff --git a/src/osmfoundation.js b/src/osmfoundation.js index a6a8bcd..b0c7d8a 100644 --- a/src/osmfoundation.js +++ b/src/osmfoundation.js 
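Review bot: The `donate` record loses its `TTL("10m")` while the other RIDLEY_IPV4 records in this patch (old/www in opengeodata.js, the year labels in stateofthemap.js) keep a 10m TTL, so moving the donation site off ridley would now take the zone's default TTL to propagate; that default is set outside this hunk and is not visible here. If the normalisation is deliberate, `A("donate", RIDLEY_IPV4), // zone default TTL; donate is not expected to move at short notice` records the reason, otherwise `A("donate", RIDLEY_IPV4, TTL("10m"))` should stay for consistency with its siblings.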
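Review bot: The four A/AAAA records in this hunk repeat the literals `138.201.190.130` and `2a01:4f8:1c17:6433::1` twice each, whereas the other zones in this patch address hosts through named constants such as RIDLEY_IPV4 and IRONBELLY_IPV4; renumbering this host needs four edits here and a missed one leaves `@` and `www` pointing at different machines. Declaring the pair once, e.g. `var OSM2PGSQL_IPV4 = "138.201.190.130";` and `var OSM2PGSQL_IPV6 = "2a01:4f8:1c17:6433::1";` wherever the other host constants are defined (outside this patch), and using them in all four records keeps the two labels in lock-step. The added `TTL("10m")` matches the other web-host records; the context comment `// Main web server and it's aliases` should read `its`.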
@@ -2,9 +2,17 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + ], + issuewild: [ + "letsencrypt.org", + ], + }), // Let google handle email @@ -20,7 +28,17 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // SPF policy - TXT("@", "v=spf1 ip4:212.110.172.32 ip6:2001:41c9:1:400::32 a mx include:_spf.google.com -all"), + SPF_BUILDER({ + label: "@", + ttl: "1h", + parts: [ + "v=spf1", + "include:_spf.google.com", // Google GSuite + "ip4:212.110.172.32", // shenron ipv4 + "ip6:2001:41c9:1:400::32", // shenron ipv6 + "-all" + ] + }), // DKIM keys diff --git a/src/stateofthemap-eu.js b/src/stateofthemap-eu.js index 4e83e5d..25cb14a 100644 --- a/src/stateofthemap-eu.js +++ b/src/stateofthemap-eu.js @@ -2,9 +2,17 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + ], + issuewild: [ + "letsencrypt.org", + ], + }), // Let openstreetmap.at handle email diff --git a/src/stateofthemap.js b/src/stateofthemap.js index a8ca9d4..e13e764 100644 --- a/src/stateofthemap.js +++ b/src/stateofthemap.js 
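Review bot: The SPF hunk for osmfoundation.org silently tightens the policy: the removed TXT authorised `a` and `mx` in addition to the Google include and shenron, but the new builder lists only `include:_spf.google.com` and the two shenron addresses, so mail sent directly from the host behind the apex A record (or from any MX host not covered by Google's include) now fails SPF and is rejected by `-all`. The commit message describes the change as a builder conversion and TTL normalisation, so it is not clear whether dropping the two terms is intended; if it is, a comment such as `// a/mx deliberately omitted: the web host does not originate mail and the MX hosts are covered by the Google include` stops a later reader from re-adding them, and if it is not, `"a", "mx",` belong back in the parts list. The same Google-plus-shenron list is added verbatim to stateofthemap.js in this patch, so the decision should be mirrored there.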
@@ -2,9 +2,31 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + ], + issuewild: [ + "letsencrypt.org", + ], + }), + + // SPF policy + + SPF_BUILDER({ + label: "@", + ttl: "1h", + parts: [ + "v=spf1", + "include:_spf.google.com", // Google GSuite + "ip4:212.110.172.32", // shenron ipv4 + "ip6:2001:41c9:1:400::32", // shenron ipv6 + "-all" + ] + }), // Let google handle email @@ -35,10 +57,6 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), A("2010", RIDLEY_IPV4, TTL("10m")), A("2009", RIDLEY_IPV4, TTL("10m")), A("2008", RIDLEY_IPV4, TTL("10m")), - A("2007", RIDLEY_IPV4, TTL("10m")), - - // Video conferencing server - - A("talk", "95.217.113.173") + A("2007", RIDLEY_IPV4, TTL("10m")) ); diff --git a/src/switch2osm.js b/src/switch2osm.js index 71cae23..70e2775 100644 --- a/src/switch2osm.js +++ b/src/switch2osm.js @@ -2,9 +2,29 @@ D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER), // Publish CAA records indicating that only letsencrypt should issue certificates - CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY), - CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"), + CAA_BUILDER({ + label: "@", + ttl: "1h", + iodef: "mailto:hostmaster@openstreetmap.org", + issue: [ + "letsencrypt.org", + ], + issuewild: [ + "letsencrypt.org", + ], + }), + + // Delegate SPF policy to the main domain + + SPF_BUILDER({ + label: "@", + ttl: "1h", + parts: [ + "v=spf1", + "include:openstreetmap.org", // main openstreetmap.org spf record + "-all" + ] + }), // Main web server and it's aliases -- 2.39.5
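Review bot: The shenron addresses `212.110.172.32` and `2001:41c9:1:400::32` are now written as literals in five SPF records across three files of this patch (twice in openstreetmap.js, once in osmfoundation.js, and here), so a renumbering of the mail host must be repeated in every one of them and a missed record silently leaves that zone rejecting its own mail under `-all`. The host records already use named constants (RIDLEY_IPV4, IRONBELLY_IPV4), and the same pattern works inside the builder: `"ip4:" + SHENRON_IPV4, // shenron ipv4` and `"ip6:" + SHENRON_IPV6, // shenron ipv6`, with the constants declared alongside the other host addresses (outside this patch). This hunk also appears to be the first SPF record for stateofthemap.org, so before going live with `-all` it is worth confirming that nothing other than Google and shenron sends on the domain's behalf.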