From f55687e58f8e106383e24139957eb7437d6a30d2 Mon Sep 17 00:00:00 2001
From: Pim van den Berg
Date: Tue, 21 Jun 2022 14:41:27 +0200
Subject: [PATCH] add DNSSEC support
---
 README.md | 29 +++++++++++++++++++++++++++++
 start.sh | 15 +++++++++++++++
 2 files changed, 44 insertions(+)
diff --git a/README.md b/README.md
index d328dd4..d9552d8 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,7 @@
 * Debian slim based image
 * PowerDNS package from Debian
 * Bind backend support only
+* DNSSEC support (optional per zone)
 # Usage
@@ -53,3 +54,31 @@ services:
 - '${PWD}/named.conf:/etc/powerdns/named.conf'
 - '${PWD}/zones/:/var/lib/powerdns/zones/'
 ```
+
+# DNSSEC
+
+Securing a zone:
+```
+$ docker exec -it powerdns pdnsutil secure-zone example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+Securing zone with default key size
+Adding CSK (257) with algorithm ecdsa256
+Zone example.tld secured
+Adding NSEC ordering information
+```
+
+Show DNSSEC related settings for the secured zone:
+```
+$ docker exec -it powerdns pdnsutil show-zone example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+This is a Master zone
+Last SOA serial number we notified: 0 != 2022010101 (serial in the database)
+Metadata items: None
+Zone has NSEC semantics
+keys:
+ID = 1 (CSK), flags = 257, tag = 280, algo = 13, bits = 256 Active Published ( ECDSAP256SHA256 )
+CSK DNSKEY = example.tld. IN DNSKEY 257 3 13 5jAoLVZFaevgJkAKQzLJDdhQKP1i+SPaCrCjhsbsOAypYSsz9l7AyJC75trKdVwUn9ICMNq6Jjta9NQc7Bnktw== ; ( ECDSAP256SHA256 )
+DS = example.tld. IN DS 280 13 1 0dead339b7dacebb6750c7d4e5c9c0f4c19843a9 ; ( SHA1 digest )
+DS = example.tld. IN DS 280 13 2 f340e93c42b3c2c6fa8ef76e044ad2f064c1cd7484e785bdfca0f51cd548c88d ; ( SHA256 digest )
+DS = example.tld. IN DS 280 13 4 a793c7e590a7701c7b39365f99655b865d11961c355a5eb59302282cf653aec8b051ddc9e36a9df0843cad29ca50149a ; ( SHA-384 digest )
+```
diff --git a/start.sh b/start.sh
index ed8bf9f..060842c 100755
--- a/start.sh
+++ b/start.sh
@@ -1,13 +1,28 @@
 #!/bin/bash
+# create sqlite database for DNSSEC
+if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
+ echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
+ /usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
+fi
+sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
+
+# start powerdns server
 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
+# watch for zone changes
 inotifywait -mqre modify --exclude '\.git' --format '%w%f' "/var/lib/powerdns/zones/" | while read -r path; do
 zone=$(basename $path)
 echo [$0] A modification was detected in $path
 echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
 /usr/bin/pdns_control bind-reload-now $zone
+ if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
+ echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
+ else
+ echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
+ /usr/bin/pdnsutil rectify-zone $zone
+ fi
 done &
 wait -n
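Review bot: The new `if` inside the inotify loop greps only for the negative string with stderr thrown away, so any failure of `pdnsutil show-zone` — an editor temp file or `.swp` landing in `/var/lib/powerdns/zones/` whose basename is not a zone, or a name that the unquoted `$zone` word-splits — falls into the `else` branch, logs "DNSSEC secured zone" and runs `rectify-zone` against a name that is not a zone. Capture the output and branch on the exit status first, and quote `"$path"` and `"$zone"` since both are derived from filenames (`zone=$(basename "$path")`). Separately, the sqlite file that `create-bind-db` initialises is, as far as I can tell from the `bind-dnssec-db=` setting, where PowerDNS keeps the DNSSEC key material once `secure-zone` is run; the compose example only mounts `zones/`, so recreating the container hits the `if test ! -e` branch, gets an empty DB, and the zone is then served unsigned against a DS already published at the parent. Worth a comment at the creation site — `# NOTE: this DB holds the zones' private DNSSEC keys; persist it via a volume and keep it readable by the pdns user only` — and a matching line in the README, plus a check that `create-bind-db` actually succeeded before `pdns_server` is started with that path.
```shell
# … unchanged: DB creation, sed, pdns_server start, inotifywait pipeline head …
 zone=$(basename "$path")
# … unchanged: log lines and bind-reload-now call (quote "$zone" there too) …
  if ! show=$(/usr/bin/pdnsutil show-zone "$zone" 2>&1); then
    echo "[$0] pdnsutil show-zone $zone failed, skipping rectify: $show"
  elif grep -q "Zone is not actively secured" <<<"$show"; then
    echo "[$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`"
  else
    echo "[$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`"
    /usr/bin/pdnsutil rectify-zone "$zone"
  fi
```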