bind: simplify shipped config

author: Mike Crute <mike@crute.us> 2023-10-27 19:01:48 -0700
committer: Mike Crute <mike@crute.us> 2023-10-27 19:01:48 -0700
commit: 0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437 (patch)
tree: 31bde55e6b27dd6b756b0d5cf64385009f88e88e
parent: 2ec55d13b91e63a237f4523c17fe50c81709bb2b (diff)
download: dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.tar.bz2
dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.tar.xz
dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.zip
10 files changed, 12 insertions, 198 deletions
diff --git a/bind/Dockerfile b/bind/Dockerfile
index 3ac7104..cb14681 100644
--- a/bind/Dockerfile
+++ b/bind/Dockerfile
@@ -5,22 +5,11 @@ RUN set -euxo pipefail; \
    apk add --no-cache \
        bind \
        bind-tools \
-        gettext \
    ; \
-    rm -rf /etc/bind/*; \
+    mkdir /var/log/bind; chown named:named /var/log/bind;
-    mkdir -p /etc/bind/local; \
-    ln -s /usr/share/dnssec-root/bind-dnssec-root.keys /etc/bind/bind.keys; \
-    \
-    curl -o /etc/bind/db.root https://www.internic.net/domain/named.cache;
-ADD conf/ /etc/bind/
+ADD db.local /usr/share/bind/db.local
 ADD entrypoint.sh /
-#ADD bind_bootstrap /
-#ADD zones.yaml /etc/bind/zones.yaml
-RUN set -euxo pipefail; \
-    chown -R named:named /etc/bind;
-#ENTRYPOINT [ "/bind_bootstrap" ]
 ENTRYPOINT [ "/entrypoint.sh" ]
 CMD [ "/usr/sbin/named", "-u", "named", "-f" ]
diff --git a/bind/Makefile b/bind/Makefile
index b1e37b4..10c3ca4 100644
--- a/bind/Makefile
+++ b/bind/Makefile
@@ -1,10 +1,8 @@
 IMAGE=docker.crute.me/bind:latest
 all:
-        #CGO_ENABLED=0 go build -o bind_bootstrap main.go
        docker pull alpine:edge
        docker build -t $(IMAGE) .
-        #rm bind_bootstrap
 all-no-cache:
        docker build --no-cache -t $(IMAGE) .
diff --git a/bind/conf/db.0 b/bind/conf/db.0
deleted file mode 100644
index e3aabdb..0000000
--- a/bind/conf/db.0
+++ /dev/null
@@ -1,12 +0,0 @@
-;
-; BIND reverse data file for broadcast zone
-;
-$TTL    604800
-@       IN      SOA     localhost. root.localhost. (
-                              1         ; Serial
-                         604800         ; Refresh
-                          86400         ; Retry
-                        2419200         ; Expire
-                         604800 )       ; Negative Cache TTL
-;
-@       IN      NS      localhost.
diff --git a/bind/conf/db.127 b/bind/conf/db.127
deleted file mode 100644
index cd05bef..0000000
--- a/bind/conf/db.127
+++ /dev/null
@@ -1,13 +0,0 @@
-;
-; BIND reverse data file for local loopback interface
-;
-$TTL    604800
-@       IN      SOA     localhost. root.localhost. (
-                              1         ; Serial
-                         604800         ; Refresh
-                          86400         ; Retry
-                        2419200         ; Expire
-                         604800 )       ; Negative Cache TTL
-;
-@       IN      NS      localhost.
-1.0.0   IN      PTR     localhost.
diff --git a/bind/conf/db.255 b/bind/conf/db.255
deleted file mode 100644
index e3aabdb..0000000
--- a/bind/conf/db.255
+++ /dev/null
@@ -1,12 +0,0 @@
-;
-; BIND reverse data file for broadcast zone
-;
-$TTL    604800
-@       IN      SOA     localhost. root.localhost. (
-                              1         ; Serial
-                         604800         ; Refresh
-                          86400         ; Retry
-                        2419200         ; Expire
-                         604800 )       ; Negative Cache TTL
-;
-@       IN      NS      localhost.
diff --git a/bind/conf/db.empty b/bind/conf/db.empty
deleted file mode 100644
index 8a12858..0000000
--- a/bind/conf/db.empty
+++ /dev/null
@@ -1,14 +0,0 @@
-; BIND reverse data file for empty rfc1918 zone
-;
-; DO NOT EDIT THIS FILE - it is used for multiple zones.
-; Instead, copy it, edit named.conf, and use that copy.
-;
-$TTL    86400
-@       IN      SOA     localhost. root.localhost. (
-                              1         ; Serial
-                         604800         ; Refresh
-                          86400         ; Retry
-                        2419200         ; Expire
-                          86400 )       ; Negative Cache TTL
-;
-@       IN      NS      localhost.
diff --git a/bind/conf/named.conf b/bind/conf/named.conf
deleted file mode 100644
index 54b3ace..0000000
--- a/bind/conf/named.conf
+++ /dev/null
@@ -1,97 +0,0 @@
-// vi:ft=named noexpandtab
-include "/etc/bind/rndc.key";
-//========================================================================
-// If BIND logs error messages about the root key being expired,
-// you will need to update your keys.  See https://www.isc.org/bind-keys
-//========================================================================
-options {
-        directory "/etc/bind/local/zones";
-        managed-keys-directory "/etc/bind/local/managed-keys";
-        bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(
-        dnssec-validation no; // AWS resolvers return invalid zone signatures
-        zone-statistics full; // Track full stats for prometheus export
-        masterfile-format text; // Write zonefiles in text even for secondary zones
-        auth-nxdomain no; // conform to RFC1035
-        notify master-only; // don't send NOTIFY from secondaries
-        version none;
-        hostname none;
-        // Force TCP if response would be larger than IPv6 fragment size
-        // see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
-        max-udp-size 1220;
-        edns-udp-size 1220;
-        // Allow more transfers at once to improve secondary convergence
-        transfers-in 50;
-        transfers-out 50;
-        listen-on { any; };
-        listen-on-v6 { any; };
-        allow-update-forwarding { any; };
-        // Typically this ACL is empty but exists so that it can be populated
-        // during an attack to block bad clients.
-        blackhole {
-                blackhole-clients;
-        };
-        allow-notify {
-                internal-keys;
-                external-keys;
-        };
-        allow-recursion {
-                internal-nets;
-                localhost;
-        };
-        allow-transfer {
-                internal-nets;
-                localhost;
-        };
-};
-logging {
-        category default { default_stderr; default_debug; };
-};
-statistics-channels {
-//      inet 127.0.0.1 port 8053 allow { monitoring-hosts; };
-//      inet ::1 port 8053 allow { monitoring-hosts; };
-        inet 0.0.0.0 port 8053 allow { monitoring-hosts; };
-        inet :: port 8053 allow { monitoring-hosts; };
-};
-controls {
-        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
-        inet ::1 allow { localhost; } keys { "rndc-key"; };
-};
-acl internal-nets {
-        // Internal RFC1918
-        172.16.0.0/12;
-        // Unknown? Maybe Docker bridge?
-        192.168.255.0/24;
-        // Pomona ARIN
-        23.149.16.0/24;
-        104.250.232.0/22;
-        2602:0803:4000::/40;
-};
-acl monitoring-hosts {
-        localhost;
-        // monitoring-1.sea1.crute.me
-        172.16.0.64/32;
-        2602:803:4070:0:5054:9fff:fe55:2cb3/128;
-};
-include "/etc/bind/local/named.conf";
diff --git a/bind/conf/named.conf.default-zones b/bind/conf/named.conf.default-zones
deleted file mode 100644
index 355338b..0000000
--- a/bind/conf/named.conf.default-zones
+++ /dev/null
@@ -1,30 +0,0 @@
-// prime the server with knowledge of the root servers
-zone "." {
-        type hint;
-        file "/etc/bind/db.root";
-};
-// be authoritative for the localhost forward and reverse zones, and for
-// broadcast zones as per RFC 1912
-zone "localhost" {
-        type master;
-        file "/etc/bind/db.local";
-};
-zone "127.in-addr.arpa" {
-        type master;
-        file "/etc/bind/db.127";
-};
-zone "0.in-addr.arpa" {
-        type master;
-        file "/etc/bind/db.0";
-};
-zone "255.in-addr.arpa" {
-        type master;
-        file "/etc/bind/db.255";
-};
diff --git a/bind/conf/db.local b/bind/db.local
index 2f272d4..2f272d4 100644
--- a/bind/conf/db.local
+++ b/bind/db.local
diff --git a/bind/entrypoint.sh b/bind/entrypoint.sh
index b8b5a9c..75e2865 100755
--- a/bind/entrypoint.sh
+++ b/bind/entrypoint.sh
@@ -2,7 +2,9 @@
 set -e
-RNDC_KEY_FILE="/etc/bind/rndc.key"
+RNDC_KEY_FILE="/run/named/rndc.key"
+mkdir -p /run/named
 # Generate an rndc key fresh for every server startup. This is only used for
 # internal management with the rndc command so there's no need to persist it.
@@ -12,12 +14,15 @@ chmod 0660 $RNDC_KEY_FILE
 /usr/sbin/ddns-confgen -q -k rndc-key > $RNDC_KEY_FILE
 # Create directories for secondaries
-for i in $(grep ^view /etc/bind/local/named.conf | cut -d' ' -f2); do
+for i in $(grep ^view /etc/bind/named.conf | cut -d' ' -f2); do
-        mkdir -p /etc/bind/local/zones/$i
+        mkdir -p /etc/bind/zones/$i
 done
-mkdir -p /etc/bind/local/managed-keys
 # Make sure BIND can write everything
-chown -R named:named /etc/bind/local
+chown -R named:named \
+        /etc/bind \
+        /var/log/bind \
+        /run/named
+cd /run/named
 exec "$@"
author	Mike Crute <mike@crute.us>	2023-10-27 19:01:48 -0700
committer	Mike Crute <mike@crute.us>	2023-10-27 19:01:48 -0700
commit	0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437 (patch)
tree	31bde55e6b27dd6b756b0d5cf64385009f88e88e
parent	2ec55d13b91e63a237f4523c17fe50c81709bb2b (diff)
download	dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.tar.bz2 dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.tar.xz dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.zip

diff --git a/bind/Dockerfile b/bind/Dockerfile index 3ac7104..cb14681 100644 --- a/bind/Dockerfile +++ b/bind/Dockerfile
@@ -5,22 +5,11 @@ RUN set -euxo pipefail; \
5	apk add --no-cache \	5	apk add --no-cache \
6	bind \	6	bind \
7	bind-tools \	7	bind-tools \
8	gettext \
9	; \	8	; \
10	rm -rf /etc/bind/*; \	9	mkdir /var/log/bind; chown named:named /var/log/bind;
11	mkdir -p /etc/bind/local; \
12	ln -s /usr/share/dnssec-root/bind-dnssec-root.keys /etc/bind/bind.keys; \
13	\
14	curl -o /etc/bind/db.root https://www.internic.net/domain/named.cache;
15		10
16	ADD conf/ /etc/bind/	11	ADD db.local /usr/share/bind/db.local
17	ADD entrypoint.sh /	12	ADD entrypoint.sh /
18	#ADD bind_bootstrap /
19	#ADD zones.yaml /etc/bind/zones.yaml
20		13
21	RUN set -euxo pipefail; \
22	chown -R named:named /etc/bind;
23
24	#ENTRYPOINT [ "/bind_bootstrap" ]
25	ENTRYPOINT [ "/entrypoint.sh" ]	14	ENTRYPOINT [ "/entrypoint.sh" ]
26	CMD [ "/usr/sbin/named", "-u", "named", "-f" ]	15	CMD [ "/usr/sbin/named", "-u", "named", "-f" ]


diff --git a/bind/Makefile b/bind/Makefile index b1e37b4..10c3ca4 100644 --- a/bind/Makefile +++ b/bind/Makefile
@@ -1,10 +1,8 @@
1	IMAGE=docker.crute.me/bind:latest	1	IMAGE=docker.crute.me/bind:latest
2		2
3	all:	3	all:
4	#CGO_ENABLED=0 go build -o bind_bootstrap main.go
5	docker pull alpine:edge	4	docker pull alpine:edge
6	docker build -t $(IMAGE) .	5	docker build -t $(IMAGE) .
7	#rm bind_bootstrap
8		6
9	all-no-cache:	7	all-no-cache:
10	docker build --no-cache -t $(IMAGE) .	8	docker build --no-cache -t $(IMAGE) .


diff --git a/bind/conf/db.0 b/bind/conf/db.0 deleted file mode 100644 index e3aabdb..0000000 --- a/bind/conf/db.0 +++ /dev/null
@@ -1,12 +0,0 @@
1	;
2	; BIND reverse data file for broadcast zone
3	;
4	$TTL 604800
5	@ IN SOA localhost. root.localhost. (
6	1 ; Serial
7	604800 ; Refresh
8	86400 ; Retry
9	2419200 ; Expire
10	604800 ) ; Negative Cache TTL
11	;
12	@ IN NS localhost.


diff --git a/bind/conf/db.127 b/bind/conf/db.127 deleted file mode 100644 index cd05bef..0000000 --- a/bind/conf/db.127 +++ /dev/null
@@ -1,13 +0,0 @@
1	;
2	; BIND reverse data file for local loopback interface
3	;
4	$TTL 604800
5	@ IN SOA localhost. root.localhost. (
6	1 ; Serial
7	604800 ; Refresh
8	86400 ; Retry
9	2419200 ; Expire
10	604800 ) ; Negative Cache TTL
11	;
12	@ IN NS localhost.
13	1.0.0 IN PTR localhost.


diff --git a/bind/conf/db.255 b/bind/conf/db.255 deleted file mode 100644 index e3aabdb..0000000 --- a/bind/conf/db.255 +++ /dev/null
@@ -1,12 +0,0 @@
1	;
2	; BIND reverse data file for broadcast zone
3	;
4	$TTL 604800
5	@ IN SOA localhost. root.localhost. (
6	1 ; Serial
7	604800 ; Refresh
8	86400 ; Retry
9	2419200 ; Expire
10	604800 ) ; Negative Cache TTL
11	;
12	@ IN NS localhost.


diff --git a/bind/conf/db.empty b/bind/conf/db.empty deleted file mode 100644 index 8a12858..0000000 --- a/bind/conf/db.empty +++ /dev/null
@@ -1,14 +0,0 @@
1	; BIND reverse data file for empty rfc1918 zone
2	;
3	; DO NOT EDIT THIS FILE - it is used for multiple zones.
4	; Instead, copy it, edit named.conf, and use that copy.
5	;
6	$TTL 86400
7	@ IN SOA localhost. root.localhost. (
8	1 ; Serial
9	604800 ; Refresh
10	86400 ; Retry
11	2419200 ; Expire
12	86400 ) ; Negative Cache TTL
13	;
14	@ IN NS localhost.


diff --git a/bind/conf/named.conf b/bind/conf/named.conf deleted file mode 100644 index 54b3ace..0000000 --- a/bind/conf/named.conf +++ /dev/null
@@ -1,97 +0,0 @@
1	// vi:ft=named noexpandtab
2
3	include "/etc/bind/rndc.key";
4
5	//========================================================================
6	// If BIND logs error messages about the root key being expired,
7	// you will need to update your keys. See https://www.isc.org/bind-keys
8	//========================================================================
9
10	options {
11	directory "/etc/bind/local/zones";
12	managed-keys-directory "/etc/bind/local/managed-keys";
13	bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(
14
15	dnssec-validation no; // AWS resolvers return invalid zone signatures
16	zone-statistics full; // Track full stats for prometheus export
17	masterfile-format text; // Write zonefiles in text even for secondary zones
18	auth-nxdomain no; // conform to RFC1035
19	notify master-only; // don't send NOTIFY from secondaries
20
21	version none;
22	hostname none;
23
24	// Force TCP if response would be larger than IPv6 fragment size
25	// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
26	max-udp-size 1220;
27	edns-udp-size 1220;
28
29	// Allow more transfers at once to improve secondary convergence
30	transfers-in 50;
31	transfers-out 50;
32
33	listen-on { any; };
34	listen-on-v6 { any; };
35	allow-update-forwarding { any; };
36
37	// Typically this ACL is empty but exists so that it can be populated
38	// during an attack to block bad clients.
39	blackhole {
40	blackhole-clients;
41	};
42
43	allow-notify {
44	internal-keys;
45	external-keys;
46	};
47
48	allow-recursion {
49	internal-nets;
50	localhost;
51	};
52
53	allow-transfer {
54	internal-nets;
55	localhost;
56	};
57	};
58
59	logging {
60	category default { default_stderr; default_debug; };
61	};
62
63	statistics-channels {
64	// inet 127.0.0.1 port 8053 allow { monitoring-hosts; };
65	// inet ::1 port 8053 allow { monitoring-hosts; };
66
67	inet 0.0.0.0 port 8053 allow { monitoring-hosts; };
68	inet :: port 8053 allow { monitoring-hosts; };
69	};
70
71	controls {
72	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
73	inet ::1 allow { localhost; } keys { "rndc-key"; };
74	};
75
76	acl internal-nets {
77	// Internal RFC1918
78	172.16.0.0/12;
79
80	// Unknown? Maybe Docker bridge?
81	192.168.255.0/24;
82
83	// Pomona ARIN
84	23.149.16.0/24;
85	104.250.232.0/22;
86	2602:0803:4000::/40;
87	};
88
89	acl monitoring-hosts {
90	localhost;
91
92	// monitoring-1.sea1.crute.me
93	172.16.0.64/32;
94	2602:803:4070:0:5054:9fff:fe55:2cb3/128;
95	};
96
97	include "/etc/bind/local/named.conf";


diff --git a/bind/conf/named.conf.default-zones b/bind/conf/named.conf.default-zones deleted file mode 100644 index 355338b..0000000 --- a/bind/conf/named.conf.default-zones +++ /dev/null
@@ -1,30 +0,0 @@
1	// prime the server with knowledge of the root servers
2	zone "." {
3	type hint;
4	file "/etc/bind/db.root";
5	};
6
7	// be authoritative for the localhost forward and reverse zones, and for
8	// broadcast zones as per RFC 1912
9
10	zone "localhost" {
11	type master;
12	file "/etc/bind/db.local";
13	};
14
15	zone "127.in-addr.arpa" {
16	type master;
17	file "/etc/bind/db.127";
18	};
19
20	zone "0.in-addr.arpa" {
21	type master;
22	file "/etc/bind/db.0";
23	};
24
25	zone "255.in-addr.arpa" {
26	type master;
27	file "/etc/bind/db.255";
28	};
29
30


diff --git a/bind/conf/db.local b/bind/db.local index 2f272d4..2f272d4 100644 --- a/bind/conf/db.local +++ b/bind/db.local


diff --git a/bind/entrypoint.sh b/bind/entrypoint.sh index b8b5a9c..75e2865 100755 --- a/bind/entrypoint.sh +++ b/bind/entrypoint.sh
@@ -2,7 +2,9 @@
2		2
3	set -e	3	set -e
4		4
5	RNDC_KEY_FILE="/etc/bind/rndc.key"	5	RNDC_KEY_FILE="/run/named/rndc.key"
		6
		7	mkdir -p /run/named
6		8
7	# Generate an rndc key fresh for every server startup. This is only used for	9	# Generate an rndc key fresh for every server startup. This is only used for
8	# internal management with the rndc command so there's no need to persist it.	10	# internal management with the rndc command so there's no need to persist it.
@@ -12,12 +14,15 @@ chmod 0660 $RNDC_KEY_FILE
12	/usr/sbin/ddns-confgen -q -k rndc-key > $RNDC_KEY_FILE	14	/usr/sbin/ddns-confgen -q -k rndc-key > $RNDC_KEY_FILE
13		15
14	# Create directories for secondaries	16	# Create directories for secondaries
15	for i in $(grep ^view /etc/bind/local/named.conf \| cut -d' ' -f2); do	17	for i in $(grep ^view /etc/bind/named.conf \| cut -d' ' -f2); do
16	mkdir -p /etc/bind/local/zones/$i	18	mkdir -p /etc/bind/zones/$i
17	done	19	done
18	mkdir -p /etc/bind/local/managed-keys
19		20
20	# Make sure BIND can write everything	21	# Make sure BIND can write everything
21	chown -R named:named /etc/bind/local	22	chown -R named:named \
		23	/etc/bind \
		24	/var/log/bind \
		25	/run/named
22		26
		27	cd /run/named
23	exec "$@"	28	exec "$@"