author | Mike Crute <mike@crute.us> | 2023-10-27 19:01:48 -0700 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2023-10-27 19:01:48 -0700 |
commit | 0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437 (patch) | |
tree | 31bde55e6b27dd6b756b0d5cf64385009f88e88e | |
parent | 2ec55d13b91e63a237f4523c17fe50c81709bb2b (diff) | |
bind: simplify shipped config
-rw-r--r-- | bind/Dockerfile | 15 | ||||
-rw-r--r-- | bind/Makefile | 2 | ||||
-rw-r--r-- | bind/conf/db.0 | 12 | ||||
-rw-r--r-- | bind/conf/db.127 | 13 | ||||
-rw-r--r-- | bind/conf/db.255 | 12 | ||||
-rw-r--r-- | bind/conf/db.empty | 14 | ||||
-rw-r--r-- | bind/conf/named.conf | 97 | ||||
-rw-r--r-- | bind/conf/named.conf.default-zones | 30 | ||||
-rw-r--r-- | bind/db.local (renamed from bind/conf/db.local) | 0 | ||||
-rwxr-xr-x | bind/entrypoint.sh | 15 |
10 files changed, 12 insertions, 198 deletions
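--- a/bind/Dockerfile
+++ b/bind/Dockerfile
@@ -5,22 +5,11 @@ RUN set -euxo pipefail; \
 apk add --no-cache \
 bind \
 bind-tools \
-gettext \
 ; \
-rm -rf /etc/bind/*; \
-mkdir -p /etc/bind/local; \
-ln -s /usr/share/dnssec-root/bind-dnssec-root.keys /etc/bind/bind.keys; \
-\
-curl -o /etc/bind/db.root https://www.internic.net/domain/named.cache;
+mkdir /var/log/bind; chown named:named /var/log/bind;
 
-ADD conf/ /etc/bind/
+ADD db.local /usr/share/bind/db.local
 ADD entrypoint.sh /
-#ADD bind_bootstrap /
-#ADD zones.yaml /etc/bind/zones.yaml
 
-RUN set -euxo pipefail; \
-chown -R named:named /etc/bind;
-
-#ENTRYPOINT [ "/bind_bootstrap" ]
 ENTRYPOINT [ "/entrypoint.sh" ]
 CMD [ "/usr/sbin/named", "-u", "named", "-f" ]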
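Review bot: The new `ADD db.local /usr/share/bind/db.local` (like the unchanged `ADD entrypoint.sh /`) copies a plain local file, for which `COPY` is the appropriate instruction; `ADD` additionally fetches URLs and auto-extracts archives, so the build's behaviour depends on the source's name and contents rather than just its bytes. `COPY db.local /usr/share/bind/db.local` and `COPY entrypoint.sh /` do the same job without that ambiguity. The two commands on the new `mkdir /var/log/bind; chown named:named /var/log/bind;` line could also collapse to `install -d -o named -g named /var/log/bind`, which creates the directory with the intended owner in one step. The enclosing RUN instruction starts before the hunk.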
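--- a/bind/Makefile
+++ b/bind/Makefile
@@ -1,10 +1,8 @@
 IMAGE=docker.crute.me/bind:latest
 
 all:
-#CGO_ENABLED=0 go build -o bind_bootstrap main.go
 docker pull alpine:edge
 docker build -t $(IMAGE) .
-#rm bind_bootstrap
 
 all-no-cache:
 docker build --no-cache -t $(IMAGE) .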
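--- a/bind/conf/db.0
+++ /dev/null
@@ -1,12 +0,0 @@
-;
-; BIND reverse data file for broadcast zone
-;
-$TTL 604800
-@ IN SOA localhost. root.localhost. (
-1 ; Serial
-604800 ; Refresh
-86400 ; Retry
-2419200 ; Expire
-604800 ) ; Negative Cache TTL
-;
-@ IN NS localhost.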
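--- a/bind/conf/db.127
+++ /dev/null
@@ -1,13 +0,0 @@
-;
-; BIND reverse data file for local loopback interface
-;
-$TTL 604800
-@ IN SOA localhost. root.localhost. (
-1 ; Serial
-604800 ; Refresh
-86400 ; Retry
-2419200 ; Expire
-604800 ) ; Negative Cache TTL
-;
-@ IN NS localhost.
-1.0.0 IN PTR localhost.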
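--- a/bind/conf/db.255
+++ /dev/null
@@ -1,12 +0,0 @@
-;
-; BIND reverse data file for broadcast zone
-;
-$TTL 604800
-@ IN SOA localhost. root.localhost. (
-1 ; Serial
-604800 ; Refresh
-86400 ; Retry
-2419200 ; Expire
-604800 ) ; Negative Cache TTL
-;
-@ IN NS localhost.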
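--- a/bind/conf/db.empty
+++ /dev/null
@@ -1,14 +0,0 @@
-; BIND reverse data file for empty rfc1918 zone
-;
-; DO NOT EDIT THIS FILE - it is used for multiple zones.
-; Instead, copy it, edit named.conf, and use that copy.
-;
-$TTL 86400
-@ IN SOA localhost. root.localhost. (
-1 ; Serial
-604800 ; Refresh
-86400 ; Retry
-2419200 ; Expire
-86400 ) ; Negative Cache TTL
-;
-@ IN NS localhost.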
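--- a/bind/conf/named.conf
+++ /dev/null
@@ -1,97 +0,0 @@
-// vi:ft=named noexpandtab
-
-include "/etc/bind/rndc.key";
-
-//========================================================================
-// If BIND logs error messages about the root key being expired,
-// you will need to update your keys. See https://www.isc.org/bind-keys
-//========================================================================
-
-options {
-directory "/etc/bind/local/zones";
-managed-keys-directory "/etc/bind/local/managed-keys";
-bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(
-
-dnssec-validation no; // AWS resolvers return invalid zone signatures
-zone-statistics full; // Track full stats for prometheus export
-masterfile-format text; // Write zonefiles in text even for secondary zones
-auth-nxdomain no; // conform to RFC1035
-notify master-only; // don't send NOTIFY from secondaries
-
-version none;
-hostname none;
-
-// Force TCP if response would be larger than IPv6 fragment size
-// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
-max-udp-size 1220;
-edns-udp-size 1220;
-
-// Allow more transfers at once to improve secondary convergence
-transfers-in 50;
-transfers-out 50;
-
-listen-on { any; };
-listen-on-v6 { any; };
-allow-update-forwarding { any; };
-
-// Typically this ACL is empty but exists so that it can be populated
-// during an attack to block bad clients.
-blackhole {
-blackhole-clients;
-};
-
-allow-notify {
-internal-keys;
-external-keys;
-};
-
-allow-recursion {
-internal-nets;
-localhost;
-};
-
-allow-transfer {
-internal-nets;
-localhost;
-};
-};
-
-logging {
-category default { default_stderr; default_debug; };
-};
-
-statistics-channels {
-// inet 127.0.0.1 port 8053 allow { monitoring-hosts; };
-// inet ::1 port 8053 allow { monitoring-hosts; };
-
-inet 0.0.0.0 port 8053 allow { monitoring-hosts; };
-inet :: port 8053 allow { monitoring-hosts; };
-};
-
-controls {
-inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
-inet ::1 allow { localhost; } keys { "rndc-key"; };
-};
-
-acl internal-nets {
-// Internal RFC1918
-172.16.0.0/12;
-
-// Unknown? Maybe Docker bridge?
-192.168.255.0/24;
-
-// Pomona ARIN
-23.149.16.0/24;
-104.250.232.0/22;
-2602:0803:4000::/40;
-};
-
-acl monitoring-hosts {
-localhost;
-
-// monitoring-1.sea1.crute.me
-172.16.0.64/32;
-2602:803:4070:0:5054:9fff:fe55:2cb3/128;
-};
-
-include "/etc/bind/local/named.conf";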
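--- a/bind/conf/named.conf.default-zones
+++ /dev/null
@@ -1,30 +0,0 @@
-// prime the server with knowledge of the root servers
-zone "." {
-type hint;
-file "/etc/bind/db.root";
-};
-
-// be authoritative for the localhost forward and reverse zones, and for
-// broadcast zones as per RFC 1912
-
-zone "localhost" {
-type master;
-file "/etc/bind/db.local";
-};
-
-zone "127.in-addr.arpa" {
-type master;
-file "/etc/bind/db.127";
-};
-
-zone "0.in-addr.arpa" {
-type master;
-file "/etc/bind/db.0";
-};
-
-zone "255.in-addr.arpa" {
-type master;
-file "/etc/bind/db.255";
-};
-
-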
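--- a/bind/conf/db.local
+++ b/bind/db.local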
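--- a/bind/entrypoint.sh
+++ b/bind/entrypoint.sh
@@ -2,7 +2,9 @@
 
 set -e
 
-RNDC_KEY_FILE="/etc/bind/rndc.key"
+RNDC_KEY_FILE="/run/named/rndc.key"
+
+mkdir -p /run/named
 
 # Generate an rndc key fresh for every server startup. This is only used for
 # internal management with the rndc command so there's no need to persist it.
@@ -12,12 +14,15 @@ chmod 0660 $RNDC_KEY_FILE
 /usr/sbin/ddns-confgen -q -k rndc-key > $RNDC_KEY_FILE
 
 # Create directories for secondaries
-for i in $(grep ^view /etc/bind/local/named.conf | cut -d' ' -f2); do
-mkdir -p /etc/bind/local/zones/$i
+for i in $(grep ^view /etc/bind/named.conf | cut -d' ' -f2); do
+mkdir -p /etc/bind/zones/$i
 done
-mkdir -p /etc/bind/local/managed-keys
 
 # Make sure BIND can write everything
-chown -R named:named /etc/bind/local
+chown -R named:named \
+/etc/bind \
+/var/log/bind \
+/run/named
 
+cd /run/named
 exec "$@"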
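Review bot: The new `chown -R named:named /etc/bind /var/log/bind /run/named` runs as root on every start and now hands the service account ownership of the whole /etc/bind tree, where the old line only touched /etc/bind/local; that makes named.conf and everything else under /etc/bind writable by the named process, and if /etc/bind is bind-mounted from the host it rewrites the ownership of the host's files as well. Only the directories BIND actually writes need to belong to it, which from this script are the per-view `/etc/bind/zones/$i` directories, the log directory and /run/named, so `chown -R named:named /etc/bind/zones /var/log/bind /run/named` would cover those while leaving the configuration read-only to the service. If the new named.conf (not shown here) points `directory` or `managed-keys-directory` at some other path under /etc/bind, that path would need adding to the list. The unquoted `$RNDC_KEY_FILE` expansions in the context lines are harmless while the path contains no spaces, but `"$RNDC_KEY_FILE"` is the safer habit now that the value has changed.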