add DNSSEC support

2022-06-21 14:41:27 +02:00 · 2022-06-21 14:41:27 +02:00 · f55687e58f
parent 699cd35877
commit f55687e58f
2 changed files with 44 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -3,6 +3,7 @@
 * Debian slim based image
 * PowerDNS package from Debian
 * Bind backend support only
+* DNSSEC support (optional per zone)

 # Usage

@ -53,3 +54,31 @@ services:
      - '${PWD}/named.conf:/etc/powerdns/named.conf'
      - '${PWD}/zones/:/var/lib/powerdns/zones/'
 ```
+
+# DNSSEC
+
+Securing a zone:
+```
+$ docker exec -it powerdns pdnsutil secure-zone example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+Securing zone with default key size
+Adding CSK (257) with algorithm ecdsa256
+Zone example.tld secured
+Adding NSEC ordering information
+```
+
+Show DNSSEC related settings for the secured zone:
+```
+$ docker exec -it powerdns pdnsutil show-zone example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+This is a Master zone
+Last SOA serial number we notified: 0 != 2022010101 (serial in the database)
+Metadata items: None
+Zone has NSEC semantics
+keys:
+ID = 1 (CSK), flags = 257, tag = 280, algo = 13, bits = 256	  Active	 Published  ( ECDSAP256SHA256 )
+CSK DNSKEY = example.tld. IN DNSKEY 257 3 13 5jAoLVZFaevgJkAKQzLJDdhQKP1i+SPaCrCjhsbsOAypYSsz9l7AyJC75trKdVwUn9ICMNq6Jjta9NQc7Bnktw== ; ( ECDSAP256SHA256 )
+DS = example.tld. IN DS 280 13 1 0dead339b7dacebb6750c7d4e5c9c0f4c19843a9 ; ( SHA1 digest )
+DS = example.tld. IN DS 280 13 2 f340e93c42b3c2c6fa8ef76e044ad2f064c1cd7484e785bdfca0f51cd548c88d ; ( SHA256 digest )
+DS = example.tld. IN DS 280 13 4 a793c7e590a7701c7b39365f99655b865d11961c355a5eb59302282cf653aec8b051ddc9e36a9df0843cad29ca50149a ; ( SHA-384 digest )
+```
--- a/start.sh
+++ b/start.sh
@ -1,13 +1,28 @@
 #!/bin/bash

+# create sqlite database for DNSSEC
+if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
+    echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
+    /usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
+fi
+sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
+
+# start powerdns server
 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &

+# watch for zone changes
 inotifywait -mqre modify --exclude '\.git' --format '%w%f' "/var/lib/powerdns/zones/" |
    while read -r path; do
        zone=$(basename $path)
        echo [$0] A modification was detected in $path
        echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
        /usr/bin/pdns_control bind-reload-now $zone
+        if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
+            echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
+        else
+            echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
+            /usr/bin/pdnsutil rectify-zone $zone
+        fi
    done &

 wait -n