No commits in common. "340249494f54b6344dc755f8bdb3673559f581e0" and "699cd358775f4037e1d720486971c75b222f4944" have entirely different histories.
@ -2,7 +2,6 @@ FROM debian:bullseye-slim
|
|||||||
|
|
||||||
RUN set -eux; \
|
RUN set -eux; \
|
||||||
apt-get update; \
|
apt-get update; \
|
||||||
apt-get upgrade -y; \
|
|
||||||
apt-get install -y --no-install-recommends \
|
apt-get install -y --no-install-recommends \
|
||||||
pdns-server \
|
pdns-server \
|
||||||
pdns-backend-bind \
|
pdns-backend-bind \
|
38
README.md
38
README.md
@ -3,12 +3,6 @@
|
|||||||
* Debian slim based image
|
* Debian slim based image
|
||||||
* PowerDNS package from Debian
|
* PowerDNS package from Debian
|
||||||
* Bind backend support only
|
* Bind backend support only
|
||||||
* DNSSEC support (optional per zone)
|
|
||||||
|
|
||||||
# Supported tags and respective `Dockerfile` links
|
|
||||||
|
|
||||||
- [`4.6-bookworm`, `latest`](https://github.com/pommi/docker-powerdns/blob/master/debian/12/Dockerfile)
|
|
||||||
- [`4.4-bullseye`](https://github.com/pommi/docker-powerdns/blob/master/debian/11/Dockerfile)
|
|
||||||
|
|
||||||
# Usage
|
# Usage
|
||||||
|
|
||||||
@ -37,7 +31,7 @@ $ docker run -it \
|
|||||||
-v $(pwd)/named.conf:/etc/powerdns/named.conf \
|
-v $(pwd)/named.conf:/etc/powerdns/named.conf \
|
||||||
-v $(pwd)/zones/:/var/lib/powerdns/zones/ \
|
-v $(pwd)/zones/:/var/lib/powerdns/zones/ \
|
||||||
-p 5353:53/udp -p 5353:53 \
|
-p 5353:53/udp -p 5353:53 \
|
||||||
pommib/powerdns:latest
|
pommib/powerdns:4.4-bullseye
|
||||||
|
|
||||||
$ dig +short @127.0.0.1 -p5353 example.tld A
|
$ dig +short @127.0.0.1 -p5353 example.tld A
|
||||||
192.0.2.1
|
192.0.2.1
|
||||||
@ -51,7 +45,7 @@ version: "3"
|
|||||||
services:
|
services:
|
||||||
powerdns:
|
powerdns:
|
||||||
container_name: powerdns
|
container_name: powerdns
|
||||||
image: pommib/powerdns:latest
|
image: pommib/powerdns:4.4-bullseye
|
||||||
ports:
|
ports:
|
||||||
- "5353:53/tcp"
|
- "5353:53/tcp"
|
||||||
- "5353:53/udp"
|
- "5353:53/udp"
|
||||||
@ -59,31 +53,3 @@ services:
|
|||||||
- '${PWD}/named.conf:/etc/powerdns/named.conf'
|
- '${PWD}/named.conf:/etc/powerdns/named.conf'
|
||||||
- '${PWD}/zones/:/var/lib/powerdns/zones/'
|
- '${PWD}/zones/:/var/lib/powerdns/zones/'
|
||||||
```
|
```
|
||||||
|
|
||||||
# DNSSEC
|
|
||||||
|
|
||||||
Securing a zone:
|
|
||||||
```
|
|
||||||
$ docker exec -it powerdns pdnsutil secure-zone example.tld
|
|
||||||
[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
|
|
||||||
Securing zone with default key size
|
|
||||||
Adding CSK (257) with algorithm ecdsa256
|
|
||||||
Zone example.tld secured
|
|
||||||
Adding NSEC ordering information
|
|
||||||
```
|
|
||||||
|
|
||||||
Show DNSSEC related settings for the secured zone:
|
|
||||||
```
|
|
||||||
$ docker exec -it powerdns pdnsutil show-zone example.tld
|
|
||||||
[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
|
|
||||||
This is a Master zone
|
|
||||||
Last SOA serial number we notified: 0 != 2022010101 (serial in the database)
|
|
||||||
Metadata items: None
|
|
||||||
Zone has NSEC semantics
|
|
||||||
keys:
|
|
||||||
ID = 1 (CSK), flags = 257, tag = 280, algo = 13, bits = 256 Active Published ( ECDSAP256SHA256 )
|
|
||||||
CSK DNSKEY = example.tld. IN DNSKEY 257 3 13 5jAoLVZFaevgJkAKQzLJDdhQKP1i+SPaCrCjhsbsOAypYSsz9l7AyJC75trKdVwUn9ICMNq6Jjta9NQc7Bnktw== ; ( ECDSAP256SHA256 )
|
|
||||||
DS = example.tld. IN DS 280 13 1 0dead339b7dacebb6750c7d4e5c9c0f4c19843a9 ; ( SHA1 digest )
|
|
||||||
DS = example.tld. IN DS 280 13 2 f340e93c42b3c2c6fa8ef76e044ad2f064c1cd7484e785bdfca0f51cd548c88d ; ( SHA256 digest )
|
|
||||||
DS = example.tld. IN DS 280 13 4 a793c7e590a7701c7b39365f99655b865d11961c355a5eb59302282cf653aec8b051ddc9e36a9df0843cad29ca50149a ; ( SHA-384 digest )
|
|
||||||
```
|
|
||||||
|
@ -1,17 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
updates_available () {
|
|
||||||
if test "$(docker run -it --rm $1 /bin/sh -c 'apt -qqq update && apt -qq list --upgradable')" != ""; then
|
|
||||||
return 0
|
|
||||||
else
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
if updates_available pommib/powerdns:4.4-bullseye; then
|
|
||||||
./debian/11/build.sh
|
|
||||||
fi
|
|
||||||
|
|
||||||
if updates_available pommib/powerdns:4.6-bookworm; then
|
|
||||||
./debian/12/build.sh
|
|
||||||
fi
|
|
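--- a/debian/11/build.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-set -x
-
-IMAGE=pommib/powerdns:4.4-bullseye
-docker pull $IMAGE
-docker pull debian:bullseye-slim
-docker build --no-cache -t $IMAGE ./debian/11/
-docker push $IMAGE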
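--- a/debian/11/start.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-# create sqlite database for DNSSEC
-if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
-echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
-/usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
-fi
-sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
-
-# start powerdns server
-/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
-
-# watch for zone changes
-inotifywait -mqre modify --exclude '\.git' --exclude '.*\.swp' --format '%w%f' "/var/lib/powerdns/zones/" |
-while read -r path; do
-zone=$(basename $path)
-echo [$0] A modification was detected in $path
-echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
-/usr/bin/pdns_control bind-reload-now $zone
-if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
-echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
-else
-echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
-/usr/bin/pdnsutil rectify-zone $zone
-fi
-done &
-
-wait -n
-
-exit $?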
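--- a/debian/12/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM debian:bookworm-slim
-
-RUN set -eux; \
-apt-get update; \
-apt-get upgrade -y; \
-apt-get install -y --no-install-recommends \
-pdns-server \
-pdns-backend-bind \
-sqlite3 \
-bind9-dnsutils \
-inotify-tools \
-; \
-rm -rf /var/lib/apt/lists/*
-
-ADD start.sh /
-
-EXPOSE 53/tcp 53/udp
-VOLUME ["/var/lib/powerdns"]
-
-CMD /start.sh
-
-HEALTHCHECK CMD dig +timeout=1 @127.0.0.1 || exit 1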
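--- a/debian/12/build.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-set -x
-
-IMAGE=pommib/powerdns:4.6-bookworm
-docker pull $IMAGE
-docker pull debian:bookworm-slim
-docker build --no-cache -t $IMAGE ./debian/12/
-docker push $IMAGE
-
-docker tag $IMAGE pommib/powerdns:latest
-docker push pommib/powerdns:latest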
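--- a/debian/12/start.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-# create sqlite database for DNSSEC
-if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
-echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
-/usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
-fi
-sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
-
-# start powerdns server
-/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
-
-# watch for zone changes
-inotifywait -mqre modify --exclude '\.git' --exclude '.*\.swp' --format '%w%f' "/var/lib/powerdns/zones/" |
-while read -r path; do
-zone=$(basename $path)
-echo [$0] A modification was detected in $path
-echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
-/usr/bin/pdns_control bind-reload-now $zone
-if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
-echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
-else
-echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
-/usr/bin/pdnsutil rectify-zone $zone
-fi
-done &
-
-wait -n
-
-exit $?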
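--- /dev/null
+++ b/start.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
+
+inotifywait -mqre modify --exclude '\.git' --format '%w%f' "/var/lib/powerdns/zones/" |
+while read -r path; do
+zone=$(basename $path)
+echo [$0] A modification was detected in $path
+echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
+/usr/bin/pdns_control bind-reload-now $zone
+done &
+
+wait -n
+
+exit $?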
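Review bot: The expansions in `zone=$(basename $path)` and `/usr/bin/pdns_control bind-reload-now $zone` are unquoted, yet `path` comes straight from inotifywait over a host-mounted directory, so a file name containing whitespace or glob characters is word-split and globbed before it reaches basename and pdns_control; use `zone=$(basename -- "$path")` and `/usr/bin/pdns_control bind-reload-now "$zone"`. This inotifywait line also lacks the `--exclude '.*\.swp'` that the deleted start.sh files carried, so editor swap files written into the zones directory will now trigger a reload of a zone named after the swap file; restoring `--exclude '.*\.swp'` next to the `.git` exclude avoids that. Because the loop runs in a background pipeline with no `set -e`, a failed reload is not surfaced by the script itself, so a line such as `/usr/bin/pdns_control bind-reload-now "$zone" || echo "[$0] reload of $zone failed" >&2` would make the failure visible in the container log. Note that the zone name is taken to be the modified file's basename, which presumably only works when each zone file is named exactly after its zone — a short comment stating that convention above the loop would help readers.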