From f55687e58f8e106383e24139957eb7437d6a30d2 Mon Sep 17 00:00:00 2001
From: Pim van den Berg <pim@nethuis.nl>
Date: Tue, 21 Jun 2022 14:41:27 +0200
Subject: [PATCH] add DNSSEC support

---
 README.md | 29 +++++++++++++++++++++++++++++
 start.sh  | 15 +++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/README.md b/README.md
index d328dd4..d9552d8 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,7 @@
 * Debian slim based image
 * PowerDNS package from Debian
 * Bind backend support only
+* DNSSEC support (optional per zone)
 
 # Usage
 
@@ -53,3 +54,31 @@ services:
       - '${PWD}/named.conf:/etc/powerdns/named.conf'
       - '${PWD}/zones/:/var/lib/powerdns/zones/'
 ```
+
+# DNSSEC
+
+Securing a zone:
+```
+$ docker exec -it powerdns pdnsutil secure-zone example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+Securing zone with default key size
+Adding CSK (257) with algorithm ecdsa256
+Zone example.tld secured
+Adding NSEC ordering information
+```
+
+Show DNSSEC related settings for the secured zone:
+```
+$ docker exec -it powerdns pdnsutil show-zone example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+This is a Master zone
+Last SOA serial number we notified: 0 != 2022010101 (serial in the database)
+Metadata items: None
+Zone has NSEC semantics
+keys:
+ID = 1 (CSK), flags = 257, tag = 280, algo = 13, bits = 256	  Active	 Published  ( ECDSAP256SHA256 )
+CSK DNSKEY = example.tld. IN DNSKEY 257 3 13 5jAoLVZFaevgJkAKQzLJDdhQKP1i+SPaCrCjhsbsOAypYSsz9l7AyJC75trKdVwUn9ICMNq6Jjta9NQc7Bnktw== ; ( ECDSAP256SHA256 )
+DS = example.tld. IN DS 280 13 1 0dead339b7dacebb6750c7d4e5c9c0f4c19843a9 ; ( SHA1 digest )
+DS = example.tld. IN DS 280 13 2 f340e93c42b3c2c6fa8ef76e044ad2f064c1cd7484e785bdfca0f51cd548c88d ; ( SHA256 digest )
+DS = example.tld. IN DS 280 13 4 a793c7e590a7701c7b39365f99655b865d11961c355a5eb59302282cf653aec8b051ddc9e36a9df0843cad29ca50149a ; ( SHA-384 digest )
+```
diff --git a/start.sh b/start.sh
index ed8bf9f..060842c 100755
--- a/start.sh
+++ b/start.sh
@@ -1,13 +1,28 @@
 #!/bin/bash
 
+# create sqlite database for DNSSEC
+if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
+    echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
+    /usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
+fi
+sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
+
+# start powerdns server
 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
 
+# watch for zone changes
 inotifywait -mqre modify --exclude '\.git' --format '%w%f' "/var/lib/powerdns/zones/" |
     while read -r path; do
         zone=$(basename $path)
         echo [$0] A modification was detected in $path
         echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
         /usr/bin/pdns_control bind-reload-now $zone
+        if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
+            echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
+        else
+            echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
+            /usr/bin/pdnsutil rectify-zone $zone
+        fi
     done &
 
 wait -n