1
0

Compare commits

..

No commits in common. "340249494f54b6344dc755f8bdb3673559f581e0" and "699cd358775f4037e1d720486971c75b222f4944" have entirely different histories.

9 changed files with 17 additions and 157 deletions

View File

@ -2,7 +2,6 @@ FROM debian:bullseye-slim
RUN set -eux; \ RUN set -eux; \
apt-get update; \ apt-get update; \
apt-get upgrade -y; \
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
pdns-server \ pdns-server \
pdns-backend-bind \ pdns-backend-bind \

View File

@ -3,12 +3,6 @@
* Debian slim based image * Debian slim based image
* PowerDNS package from Debian * PowerDNS package from Debian
* Bind backend support only * Bind backend support only
* DNSSEC support (optional per zone)
# Supported tags and respective `Dockerfile` links
- [`4.6-bookworm`, `latest`](https://github.com/pommi/docker-powerdns/blob/master/debian/12/Dockerfile)
- [`4.4-bullseye`](https://github.com/pommi/docker-powerdns/blob/master/debian/11/Dockerfile)
# Usage # Usage
@ -37,7 +31,7 @@ $ docker run -it \
-v $(pwd)/named.conf:/etc/powerdns/named.conf \ -v $(pwd)/named.conf:/etc/powerdns/named.conf \
-v $(pwd)/zones/:/var/lib/powerdns/zones/ \ -v $(pwd)/zones/:/var/lib/powerdns/zones/ \
-p 5353:53/udp -p 5353:53 \ -p 5353:53/udp -p 5353:53 \
pommib/powerdns:latest pommib/powerdns:4.4-bullseye
$ dig +short @127.0.0.1 -p5353 example.tld A $ dig +short @127.0.0.1 -p5353 example.tld A
192.0.2.1 192.0.2.1
@ -51,7 +45,7 @@ version: "3"
services: services:
powerdns: powerdns:
container_name: powerdns container_name: powerdns
image: pommib/powerdns:latest image: pommib/powerdns:4.4-bullseye
ports: ports:
- "5353:53/tcp" - "5353:53/tcp"
- "5353:53/udp" - "5353:53/udp"
@ -59,31 +53,3 @@ services:
- '${PWD}/named.conf:/etc/powerdns/named.conf' - '${PWD}/named.conf:/etc/powerdns/named.conf'
- '${PWD}/zones/:/var/lib/powerdns/zones/' - '${PWD}/zones/:/var/lib/powerdns/zones/'
``` ```
# DNSSEC
Securing a zone:
```
$ docker exec -it powerdns pdnsutil secure-zone example.tld
[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone example.tld secured
Adding NSEC ordering information
```
Show DNSSEC related settings for the secured zone:
```
$ docker exec -it powerdns pdnsutil show-zone example.tld
[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
This is a Master zone
Last SOA serial number we notified: 0 != 2022010101 (serial in the database)
Metadata items: None
Zone has NSEC semantics
keys:
ID = 1 (CSK), flags = 257, tag = 280, algo = 13, bits = 256 Active Published ( ECDSAP256SHA256 )
CSK DNSKEY = example.tld. IN DNSKEY 257 3 13 5jAoLVZFaevgJkAKQzLJDdhQKP1i+SPaCrCjhsbsOAypYSsz9l7AyJC75trKdVwUn9ICMNq6Jjta9NQc7Bnktw== ; ( ECDSAP256SHA256 )
DS = example.tld. IN DS 280 13 1 0dead339b7dacebb6750c7d4e5c9c0f4c19843a9 ; ( SHA1 digest )
DS = example.tld. IN DS 280 13 2 f340e93c42b3c2c6fa8ef76e044ad2f064c1cd7484e785bdfca0f51cd548c88d ; ( SHA256 digest )
DS = example.tld. IN DS 280 13 4 a793c7e590a7701c7b39365f99655b865d11961c355a5eb59302282cf653aec8b051ddc9e36a9df0843cad29ca50149a ; ( SHA-384 digest )
```

View File

@ -1,17 +0,0 @@
#!/bin/sh
updates_available () {
if test "$(docker run -it --rm $1 /bin/sh -c 'apt -qqq update && apt -qq list --upgradable')" != ""; then
return 0
else
return 1
fi
}
if updates_available pommib/powerdns:4.4-bullseye; then
./debian/11/build.sh
fi
if updates_available pommib/powerdns:4.6-bookworm; then
./debian/12/build.sh
fi

9
debian/11/build.sh vendored
View File

@ -1,9 +0,0 @@
#!/bin/sh
set -x
IMAGE=pommib/powerdns:4.4-bullseye
docker pull $IMAGE
docker pull debian:bullseye-slim
docker build --no-cache -t $IMAGE ./debian/11/
docker push $IMAGE

30
debian/11/start.sh vendored
View File

@ -1,30 +0,0 @@
#!/bin/bash
# create sqlite database for DNSSEC
if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
/usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
fi
sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
# start powerdns server
/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
# watch for zone changes
inotifywait -mqre modify --exclude '\.git' --exclude '.*\.swp' --format '%w%f' "/var/lib/powerdns/zones/" |
while read -r path; do
zone=$(basename $path)
echo [$0] A modification was detected in $path
echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
/usr/bin/pdns_control bind-reload-now $zone
if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
else
echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
/usr/bin/pdnsutil rectify-zone $zone
fi
done &
wait -n
exit $?

22
debian/12/Dockerfile vendored
View File

@ -1,22 +0,0 @@
FROM debian:bookworm-slim
RUN set -eux; \
apt-get update; \
apt-get upgrade -y; \
apt-get install -y --no-install-recommends \
pdns-server \
pdns-backend-bind \
sqlite3 \
bind9-dnsutils \
inotify-tools \
; \
rm -rf /var/lib/apt/lists/*
ADD start.sh /
EXPOSE 53/tcp 53/udp
VOLUME ["/var/lib/powerdns"]
CMD /start.sh
HEALTHCHECK CMD dig +timeout=1 @127.0.0.1 || exit 1

12
debian/12/build.sh vendored
View File

@ -1,12 +0,0 @@
#!/bin/sh
set -x
IMAGE=pommib/powerdns:4.6-bookworm
docker pull $IMAGE
docker pull debian:bookworm-slim
docker build --no-cache -t $IMAGE ./debian/12/
docker push $IMAGE
docker tag $IMAGE pommib/powerdns:latest
docker push pommib/powerdns:latest

30
debian/12/start.sh vendored
View File

@ -1,30 +0,0 @@
#!/bin/bash
# create sqlite database for DNSSEC
if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
/usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
fi
sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
# start powerdns server
/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
# watch for zone changes
inotifywait -mqre modify --exclude '\.git' --exclude '.*\.swp' --format '%w%f' "/var/lib/powerdns/zones/" |
while read -r path; do
zone=$(basename $path)
echo [$0] A modification was detected in $path
echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
/usr/bin/pdns_control bind-reload-now $zone
if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
else
echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
/usr/bin/pdnsutil rectify-zone $zone
fi
done &
wait -n
exit $?

15
start.sh Executable file
View File

@ -0,0 +1,15 @@
#!/bin/bash
/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
inotifywait -mqre modify --exclude '\.git' --format '%w%f' "/var/lib/powerdns/zones/" |
while read -r path; do
zone=$(basename $path)
echo [$0] A modification was detected in $path
echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
/usr/bin/pdns_control bind-reload-now $zone
done &
wait -n
exit $?