feat: drop Debian 11 support

inotifywait only takes the last --exclude argument

.drone.yml

@@ -0,0 +1,90 @@
+kind: pipeline
+type: docker
+name: build
+
+steps:
+  - name: build
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run
+    environment:
+      DOCKER_USERNAME:
+        from_secret: docker_username
+      DOCKER_PASSWORD:
+        from_secret: docker_password
+    commands:
+      - sleep 5 # give docker enough time to start
+      - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
+      - ./debian/12/build.sh
+    when:
+      branch:
+      - master
+      event:
+      - push
+
+services:
+  - name: docker
+    image: docker:dind
+    privileged: true
+    volumes:
+      - name: dockersock
+        path: /var/run
+    command:
+    - dockerd-entrypoint.sh
+    - dockerd
+    - --host=unix:///var/run/docker.sock
+    - --mtu=1492
+
+volumes:
+  - name: dockersock
+    temp: {}
+
+trigger:
+  branch:
+    - master
+  event:
+    - push
+---
+kind: pipeline
+type: docker
+name: rebuild
+
+steps:
+  - name: rebuild
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run
+    environment:
+      DOCKER_USERNAME:
+        from_secret: docker_username
+      DOCKER_PASSWORD:
+        from_secret: docker_password
+    commands:
+      - sleep 5 # give docker enough time to start
+      - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
+      - ./build/rebuild.sh
+
+services:
+  - name: docker
+    image: docker:dind
+    privileged: true
+    volumes:
+      - name: dockersock
+        path: /var/run
+    command:
+    - dockerd-entrypoint.sh
+    - dockerd
+    - --host=unix:///var/run/docker.sock
+    - --mtu=1492
+
+volumes:
+  - name: dockersock
+    temp: {}
+
+trigger:
+  event:
+    - cron
+  cron:
+    - rebuild

README.md

@@ -3,6 +3,11 @@
 * Debian slim based image
 * PowerDNS package from Debian
 * Bind backend support only
+* DNSSEC support (optional per zone)
+
+# Supported tags and respective `Dockerfile` links
+
+-	[`4.6-bookworm`, `latest`](https://github.com/pommi/docker-powerdns/blob/master/debian/12/Dockerfile)
 
 # Usage
 
@@ -31,7 +36,7 @@ $ docker run -it \
     -v $(pwd)/named.conf:/etc/powerdns/named.conf \
     -v $(pwd)/zones/:/var/lib/powerdns/zones/ \
     -p 5353:53/udp -p 5353:53 \
-    pommib/powerdns:4.4-bullseye
+    pommib/powerdns:latest
 
 $ dig +short @127.0.0.1 -p5353 example.tld A
 192.0.2.1
@@ -45,7 +50,7 @@ version: "3"
 services:
   powerdns:
     container_name: powerdns
-    image: pommib/powerdns:4.4-bullseye
+    image: pommib/powerdns:latest
     ports:
       - "5353:53/tcp"
       - "5353:53/udp"
@@ -53,3 +58,43 @@ services:
       - '${PWD}/named.conf:/etc/powerdns/named.conf'
       - '${PWD}/zones/:/var/lib/powerdns/zones/'
 ```
+
+# DNSSEC
+
+Securing a zone:
+```
+$ docker exec -it powerdns pdnsutil secure-zone example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+Securing zone with default key size
+Adding CSK (257) with algorithm ecdsa256
+Zone example.tld secured
+Adding NSEC ordering information
+```
+
+Show DNSSEC related settings for the secured zone:
+```
+$ docker exec -it powerdns pdnsutil show-zone example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+This is a Master zone
+Last SOA serial number we notified: 0 != 2022010101 (serial in the database)
+Metadata items: None
+Zone has NSEC semantics
+keys:
+ID = 1 (CSK), flags = 257, tag = 280, algo = 13, bits = 256	  Active	 Published  ( ECDSAP256SHA256 )
+CSK DNSKEY = example.tld. IN DNSKEY 257 3 13 5jAoLVZFaevgJkAKQzLJDdhQKP1i+SPaCrCjhsbsOAypYSsz9l7AyJC75trKdVwUn9ICMNq6Jjta9NQc7Bnktw== ; ( ECDSAP256SHA256 )
+DS = example.tld. IN DS 280 13 1 0dead339b7dacebb6750c7d4e5c9c0f4c19843a9 ; ( SHA1 digest )
+DS = example.tld. IN DS 280 13 2 f340e93c42b3c2c6fa8ef76e044ad2f064c1cd7484e785bdfca0f51cd548c88d ; ( SHA256 digest )
+DS = example.tld. IN DS 280 13 4 a793c7e590a7701c7b39365f99655b865d11961c355a5eb59302282cf653aec8b051ddc9e36a9df0843cad29ca50149a ; ( SHA-384 digest )
+```
+
+Set `SOA-EDIT` to `INCEPTION-INCREMENT` so that slaves get notified when a rollover has taken place:
+```
+$ docker exec -it powerdns pdnsutil set-meta example.tld SOA-EDIT INCEPTION-INCREMENT
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+Set 'example.tld' meta SOA-EDIT = INCEPTION-INCREMENT
+
+$ docker exec -it powerdns pdnsutil get-meta example.tld
+[bindbackend] Done parsing domains, 0 rejected, 1 new, 0 removed
+Metadata for 'example.tld'
+SOA-EDIT = INCEPTION-INCREMENT
+```

build/rebuild.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -x
+
+updates_available () {
+    docker pull $1
+    if test "$(docker run --rm $1 /bin/sh -c 'apt -qqq update && apt -qq list --upgradable')" != ""; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+if updates_available pommib/powerdns:4.6-bookworm; then
+    ./debian/12/build.sh
+fi

debian/12/Dockerfile

@@ -1,14 +1,15 @@
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
+RUN set -eux && \
+	apt-get update && \
+	DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
+	DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 		pdns-server \
 		pdns-backend-bind \
 		sqlite3 \
 		bind9-dnsutils \
 		inotify-tools \
-	; \
+	&& \
 	rm -rf /var/lib/apt/lists/*
 
 ADD start.sh /

debian/12/build.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -ex
+
+IMAGE=pommib/powerdns:4.6-bookworm
+docker pull $IMAGE
+docker pull debian:bookworm-slim
+docker build --no-cache -t $IMAGE ./debian/12/
+docker push $IMAGE
+
+docker tag $IMAGE pommib/powerdns:latest
+docker push pommib/powerdns:latest

debian/12/start.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# create sqlite database for DNSSEC
+if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
+    echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
+    /usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
+fi
+sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
+
+# start powerdns server
+/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
+
+# watch for zone changes
+inotifywait -mqre modify --exclude '.*(\.git|.*\.swp)' --format '%w%f' "/var/lib/powerdns/zones/" |
+    while read -r path; do
+        zone=$(basename $path)
+        echo [$0] A modification was detected in $path
+        echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
+        /usr/bin/pdns_control bind-reload-now $zone
+        if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
+            echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
+        else
+            echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
+            /usr/bin/pdnsutil rectify-zone $zone
+        fi
+    done &
+
+wait -n
+
+exit $?

start.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-
-/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
-
-inotifywait -mqre modify --exclude '\.git' --format '%w%f' "/var/lib/powerdns/zones/" |
-    while read -r path; do
-        zone=$(basename $path)
-        echo [$0] A modification was detected in $path
-        echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
-        /usr/bin/pdns_control bind-reload-now $zone
-    done &
-
-wait -n
-
-exit $?