diff --git a/README.md b/README.md
index d9552d8..1ac2cac 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,11 @@
 * Bind backend support only
 * DNSSEC support (optional per zone)
+# Supported tags and respective `Dockerfile` links
+
+- [`4.6-bookworm`, `latest`](https://github.com/pommi/docker-powerdns/blob/master/debian/12/Dockerfile)
+- [`4.4-bullseye`](https://github.com/pommi/docker-powerdns/blob/master/debian/11/Dockerfile)
+
 # Usage
 ```
@@ -32,7 +37,7 @@ $ docker run -it \
 -v $(pwd)/named.conf:/etc/powerdns/named.conf \
 -v $(pwd)/zones/:/var/lib/powerdns/zones/ \
 -p 5353:53/udp -p 5353:53 \
- pommib/powerdns:4.4-bullseye
+ pommib/powerdns:latest
 $ dig +short @127.0.0.1 -p5353 example.tld A
 192.0.2.1
@@ -46,7 +51,7 @@ version: "3"
 services:
 powerdns:
 container_name: powerdns
- image: pommib/powerdns:4.4-bullseye
+ image: pommib/powerdns:latest
 ports:
 - "5353:53/tcp"
 - "5353:53/udp"
diff --git a/debian/12/Dockerfile b/debian/12/Dockerfile
new file mode 100644
index 0000000..51a730c
--- /dev/null
+++ b/debian/12/Dockerfile
@@ -0,0 +1,21 @@
+FROM debian:bookworm-slim
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ pdns-server \
+ pdns-backend-bind \
+ sqlite3 \
+ bind9-dnsutils \
+ inotify-tools \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+ADD start.sh /
+
+EXPOSE 53/tcp 53/udp
+VOLUME ["/var/lib/powerdns"]
+
+CMD /start.sh
+
+HEALTHCHECK CMD dig +timeout=1 @127.0.0.1 || exit 1
diff --git a/debian/12/start.sh b/debian/12/start.sh
new file mode 100755
index 0000000..060842c
--- /dev/null
+++ b/debian/12/start.sh
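Review bot: `CMD /start.sh` is the shell form, so the container's PID 1 is `/bin/sh -c` and the TERM sent by `docker stop` is delivered to that shell rather than to start.sh and pdns_server; whether dash's exec-of-last-command optimisation happens to mask this is an implementation detail not worth relying on, so use the exec form `CMD ["/start.sh"]`. On the `ADD start.sh /` line, `COPY start.sh /` is the right instruction for a local file — ADD's archive auto-extraction and URL fetching are not needed here and widen what the instruction can do if the source path ever changes. The `|| exit 1` on the HEALTHCHECK line is redundant, since dig already exits non-zero when it gets no answer, but harmless. The hunk is the whole new file.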
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# create sqlite database for DNSSEC
+if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
+ echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
+ /usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
+fi
+sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
+
+# start powerdns server
+/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
+
+# watch for zone changes
+inotifywait -mqre modify --exclude '\.git' --format '%w%f' "/var/lib/powerdns/zones/" |
+ while read -r path; do
+ zone=$(basename $path)
+ echo [$0] A modification was detected in $path
+ echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
+ /usr/bin/pdns_control bind-reload-now $zone
+ if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
+ echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
+ else
+ echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
+ /usr/bin/pdnsutil rectify-zone $zone
+ fi
+ done &
+
+wait -n
+
+exit $?
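Review bot: `$path` and `$zone` are expanded unquoted throughout the inotify loop (`zone=$(basename $path)`, `pdns_control bind-reload-now $zone`, `pdnsutil show-zone $zone`, `pdnsutil rectify-zone $zone`), so a zone file name containing whitespace or glob characters is word-split or globbed before it reaches pdns_control and the reload quietly targets the wrong name; the names come from the mounted zones volume, so this is a robustness rather than an injection issue, but the fix is just quoting: `zone=$(basename "$path")` and `/usr/bin/pdns_control bind-reload-now "$zone"`, with the same on the two pdnsutil lines. The `echo [$0] …` lines are unquoted too: `[$0]` is a bracket glob that expands to a matching single-character file name in the working directory if one exists, so `printf '[%s] %s\n' "$0" "..."` is the safer form. No signal handling is set up: with pdns_server and the watcher pipeline backgrounded and the script parked in `wait -n`, a TERM to the script ends it without a clean shutdown of pdns_server — presumably acceptable for a read-only Bind backend, but worth a comment such as `# NOTE: no trap; docker stop relies on the container runtime killing pdns_server`. The hunk is the whole new file.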