Reverse Zone Compiler (rzc)

This is a tool to automate the process of maintaining reverse DNS zones given a collection of forward zones. Primary use case is a small operation that runs a few POPs full of VMs for researchers, friends, and various public benefit projects: keeping track of the DNS names of all of one's tenents in this case is a pain, and the desired data is already present in the forward zones, so an automatic tool to construct the reverse zone(s) may help.

Basic model is to configure this tool as a DNS XFR client for all the relevant forward zones, and to specify the reverse zones to be generated. The tool then downloads all of the specified forward zones, trawls them for A and AAAA RRs, and translates those into PTR RRs, throwing away any PTR RRs that don't fall within the specified set of reverse zones. After exhausting this process, the tool writes out a set of reverse zone files and exits.

The tool caches local copies of the downloaded forward zones, both to allow it to ride out temporary transfer failures and to allow it to use IXFR rather than AXFR to save bandwidth when conditions permit.

All of the heavy lifting is done by Bob Halley's excellent dnspython library. You will also need the TOML library.

apt install python3-toml python3-dnspython

All configuration is stored in a TOML file. The default name of the TOML file is the same as the tool, with the .py suffix changed to .toml, but one can override this by passing the name of the configuration file via the RZC_CONFIG environment variable or on the command line.

Sample configuration file:

[output]

directory = "output"
ttl = 3600
soa.mname = "localhost"
soa.rname = "ns0.example.org"
soa.refresh = 10803
soa.retry = 900
soa.expire = 604800
soa.minimum = 600

ns = [
    "ns1.example.org",
    "ns2.example.org",
]

zones = [
    "1.0.10.in-addr.arpa",
    "2.0.10.in-addr.arpa",
    "3.0.10.in-addr.arpa",
    "1.0.a.2.0.0.2.ip6.arpa",
    "2.0.a.2.0.0.2.ip6.arpa",
    "3.0.a.2.0.0.2.ip6.arpa",
]

[input]
xfr_timeout = 300
cache = "cache"

[[input.zone]]
name = "fred.example"
server = "10.100.0.1"
tsig = { "tsig.example.org" = ["hmac-sha256", "36A2xRALPymYl3Q7axrtAk1AICJyPhu2KkK7PxJhTQ8=" ] }

[[input.zone]]
name = "barney.example"
server = "10.200.0.1"

Most of this should be self-explanatory. The configuration is divided into two sections, input and output: input is about fetching the forward zones, output is about generating the reverse zones.

input.cache is where cached copies of the forward zones will be stored. output.directory is where the reverse zones files will be written. Both directories will be created if needed.

output.ns is the list of nameservers to be listed in NS RRs in the output zones. Similarly, output.soa gives all the parameters needed for the SOA rdata, except for the serial value, which will be generated automatically using the seconds-since-epoch convention.

output.zones is the list of reverse zones to be generated.

Each [[input.zone]] block defines one forward zone to be retrieved. name is the name of the zone, server is the IPv4 or IPv6 address from which to retrieve the zone. tsig, if given, specifies the TSIG key data to use when retrieving this zone: the syntax is a little weird, because it's a direct TOML representation of the form dnspython uses for a single-entry TSIG keyring, the general form is

tsig = { "name.of.tsig.key" = [ "tsig-key-type", "tsig-secret-encoded-as-base64" ] }

Since the TSIG secrets are embedded directly in the TOML file, you might want to chmod the TOML file to restrict unauthorized readers.

At some point I might add validation of the TOML via via jsonschema, but the schema required would nearly double the size of the program.