Merge pull request #59 from vedetta-com/wip

- Prefer IPv6 - Update links - Use cp - Use rfc7766
vedetta-com · Mar 23, 2018 · 6283513 · 6283513
2 parents ec9dcb7 + bb1be83
commit 6283513
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 12 deletions.
diff --git a/INSTALL.md b/INSTALL.md
@@ -277,7 +277,7 @@ Unbound DNS validating resolver from root nameservers, with fallback:
 unbound-anchor -a "/var/unbound/db/root.key"
 ftp -o /var/unbound/etc/root.hints https://FTP.INTERNIC.NET/domain/named.cache
 rcctl restart unbound
-install -o root -g wheel -m 0644 -b src/etc/resolv.conf /etc/
+cp src/etc/resolv.conf /etc/
 ```
 
 ### Sieve

diff --git a/README.md b/README.md
@@ -110,12 +110,10 @@ full sync: replication_full_sync_interval\ =\ 1h
 
 Disklabel: [var/www/htdocs/mercury.example.com/disklabel.min](src/var/www/htdocs/mercury.example.com/disklabel.min)
 
-Permissions are described in [usr/local/bin/hier.sh](src/usr/local/bin/hier.sh)
-
 Ansible: [ansible-role-mailserver](https://github.com/gonzalo-/ansible-role-mailserver/)
 
 ## Prerequisites
-A DNS name server (from a registrar, a free service, VPS host, or self-hosted) is required, which allows editing the following record types: A, AAAA, MX, CAA, TXT, SSHFP
+A DNS name server (from a registrar, a free service, VPS host, or self-hosted) is required, which allows editing the following record types: [A](#forward-confirmed-reverse-dns-fcrdns), [AAAA](#forward-confirmed-reverse-dns-fcrdns), [MX](#mail-exchanger-mx), [CAA](#certification-authority-authorization-caa), [SSHFP](#secure-shell-fingerprint-sshfp), [TXT](#sender-policy-framework-spf)
 
 #### Forward-confirmed reverse DNS ([FCrDNS](https://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06))
 Each MX subdomain has record types A, and AAAA with the VPS IPv4, and IPv6:

diff --git a/UPGRADE.md b/UPGRADE.md
@@ -14,7 +14,12 @@ sed '/rspamd.log/s|HUP|USR1|' /etc/newsyslog.conf
 
 Disable block log in pf, with small /var/log:
 ```sh
-install -o root -g wheel -m 0600 -b src/etc/pf.conf.anchor.block /etc/
+cp src/etc/pf.conf.anchor.block /etc/
+```
+
+DNS Transport over TCP ([rfc7766](https://tools.ietf.org/html/rfc7766)):
+```sh
+awk '/port domain/{sub(/udp/, "{ tcp udp }", last)} NR>1{print last} {last=$0} END {print last}' /etc/pf.conf > /tmp/pf.conf && cp /tmp/pf.conf /etc/pf.conf && rm /tmp/pf.conf
 ```
 
 Include quota usage in daily stats, with formatting for small screens:
@@ -43,9 +48,9 @@ unbound-anchor -a "/var/unbound/db/root.key"
 ftp -o /var/unbound/etc/root.hints https://FTP.INTERNIC.NET/domain/named.cache
 rcctl restart unbound
 
-install -o root -g wheel -m 0640 -b src/etc/dhclient.conf /etc/
+cp src/etc/dhclient.conf /etc/
 sh /etc/netstart vio0
-install -o root -g wheel -m 0644 -b src/etc/resolv.conf /etc/
+cp src/etc/resolv.conf /etc/
 
 crontab -e
 > 20	2	1,14	*	*	unbound-anchor -a "/var/unbound/db/root.key" && rcctl restart unbound
@@ -54,7 +59,7 @@ crontab -e
 
 *n.b.*: Unbound configured to use ~10MB RAM
 ```sh
-ps -U _unbound -o rss | awk '{sum += $1} END {print "RSS for _unbound", sum/1024 "MB"}'  
+ps -U _unbound -o rss | awk '{sum += $1} END {print "RSS for _unbound", sum/1024 "MB"}'
 > RSS for _unbound 6.66406MB
 ```
 

diff --git a/src/etc/pf.conf b/src/etc/pf.conf
@@ -70,7 +70,7 @@ anchor "external" on egress {
  # Outbound
  anchor out proto { tcp udp } from (egress) {
   # DNS
-  pass log (user) proto udp \
+  pass log (user) proto { tcp udp } \
    to port domain \
    tag SELF_INET
 

diff --git a/src/etc/resolv.conf b/src/etc/resolv.conf
@@ -1,10 +1,10 @@
 # unbound
-nameserver 127.0.0.1
 nameserver ::1
+nameserver 127.0.0.1
 # fallback
-nameserver 74.82.42.42 # he.net
 nameserver 2001:470:20::2 # he.net
-nameserver 8.8.8.8 # google.com
+nameserver 74.82.42.42 # he.net
 nameserver 2001:4860:4860::8888 # google.com
+nameserver 8.8.8.8 # google.com
 family inet6 inet4 # prefer IPv6
 lookup file bind