From 0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437 Mon Sep 17 00:00:00 2001 From: Mike Crute Date: Fri, 27 Oct 2023 19:01:48 -0700 Subject: bind: simplify shipped config --- bind/Dockerfile | 15 +----- bind/Makefile | 2 - bind/conf/db.0 | 12 ----- bind/conf/db.127 | 13 ----- bind/conf/db.255 | 12 ----- bind/conf/db.empty | 14 ------ bind/conf/db.local | 14 ------ bind/conf/named.conf | 97 -------------------------------------- bind/conf/named.conf.default-zones | 30 ------------ bind/db.local | 14 ++++++ bind/entrypoint.sh | 15 ++++-- 11 files changed, 26 insertions(+), 212 deletions(-) delete mode 100644 bind/conf/db.0 delete mode 100644 bind/conf/db.127 delete mode 100644 bind/conf/db.255 delete mode 100644 bind/conf/db.empty delete mode 100644 bind/conf/db.local delete mode 100644 bind/conf/named.conf delete mode 100644 bind/conf/named.conf.default-zones create mode 100644 bind/db.local diff --git a/bind/Dockerfile b/bind/Dockerfile index 3ac7104..cb14681 100644 --- a/bind/Dockerfile +++ b/bind/Dockerfile @@ -5,22 +5,11 @@ RUN set -euxo pipefail; \ apk add --no-cache \ bind \ bind-tools \ - gettext \ ; \ - rm -rf /etc/bind/*; \ - mkdir -p /etc/bind/local; \ - ln -s /usr/share/dnssec-root/bind-dnssec-root.keys /etc/bind/bind.keys; \ - \ - curl -o /etc/bind/db.root https://www.internic.net/domain/named.cache; + mkdir /var/log/bind; chown named:named /var/log/bind; -ADD conf/ /etc/bind/ +ADD db.local /usr/share/bind/db.local ADD entrypoint.sh / -#ADD bind_bootstrap / -#ADD zones.yaml /etc/bind/zones.yaml -RUN set -euxo pipefail; \ - chown -R named:named /etc/bind; - -#ENTRYPOINT [ "/bind_bootstrap" ] ENTRYPOINT [ "/entrypoint.sh" ] CMD [ "/usr/sbin/named", "-u", "named", "-f" ] diff --git a/bind/Makefile b/bind/Makefile index b1e37b4..10c3ca4 100644 --- a/bind/Makefile +++ b/bind/Makefile 
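Review bot: With `ADD conf/ /etc/bind/` and the `rm -rf /etc/bind/*` step gone, the Dockerfile no longer records where named.conf is expected to come from, yet the entrypoint later in this patch greps `/etc/bind/named.conf` and chowns the whole tree; the image now relies on whatever the Alpine bind package leaves in /etc/bind plus whatever is mounted at runtime. A comment above the `ADD db.local` line would make that contract explicit, e.g. `# named.conf and zone data are supplied at runtime (mount /etc/bind); db.local is the only file shipped`. The deleted conf/named.conf carried `version none;`, `hostname none;` and ACL-restricted `allow-recursion`/`allow-transfer`; the externally supplied config is not part of this patch, so it is worth confirming it keeps those settings rather than inheriting more permissive package defaults. The `curl` of db.root is also dropped, so root hints presumably come from the package or the mounted config — not verifiable here.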
@@ -1,10 +1,8 @@ IMAGE=docker.crute.me/bind:latest all: - #CGO_ENABLED=0 go build -o bind_bootstrap main.go docker pull alpine:edge docker build -t $(IMAGE) . - #rm bind_bootstrap all-no-cache: docker build --no-cache -t $(IMAGE) . diff --git a/bind/conf/db.0 b/bind/conf/db.0 deleted file mode 100644 index e3aabdb..0000000 --- a/bind/conf/db.0 +++ /dev/null @@ -1,12 +0,0 @@ -; -; BIND reverse data file for broadcast zone -; -$TTL 604800 -@ IN SOA localhost. root.localhost. ( - 1 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL -; -@ IN NS localhost. diff --git a/bind/conf/db.127 b/bind/conf/db.127 deleted file mode 100644 index cd05bef..0000000 --- a/bind/conf/db.127 +++ /dev/null @@ -1,13 +0,0 @@ -; -; BIND reverse data file for local loopback interface -; -$TTL 604800 -@ IN SOA localhost. root.localhost. ( - 1 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL -; -@ IN NS localhost. -1.0.0 IN PTR localhost. diff --git a/bind/conf/db.255 b/bind/conf/db.255 deleted file mode 100644 index e3aabdb..0000000 --- a/bind/conf/db.255 +++ /dev/null @@ -1,12 +0,0 @@ -; -; BIND reverse data file for broadcast zone -; -$TTL 604800 -@ IN SOA localhost. root.localhost. ( - 1 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL -; -@ IN NS localhost. diff --git a/bind/conf/db.empty b/bind/conf/db.empty deleted file mode 100644 index 8a12858..0000000 --- a/bind/conf/db.empty +++ /dev/null @@ -1,14 +0,0 @@ -; BIND reverse data file for empty rfc1918 zone -; -; DO NOT EDIT THIS FILE - it is used for multiple zones. -; Instead, copy it, edit named.conf, and use that copy. -; -$TTL 86400 -@ IN SOA localhost. root.localhost. ( - 1 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 86400 ) ; Negative Cache TTL -; -@ IN NS localhost. diff --git a/bind/conf/db.local b/bind/conf/db.local deleted file mode 100644 index 2f272d4..0000000 
--- a/bind/conf/db.local +++ /dev/null @@ -1,14 +0,0 @@ -; -; BIND data file for local loopback interface -; -$TTL 604800 -@ IN SOA localhost. root.localhost. ( - 2 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL -; -@ IN NS localhost. -@ IN A 127.0.0.1 -@ IN AAAA ::1 diff --git a/bind/conf/named.conf b/bind/conf/named.conf deleted file mode 100644 index 54b3ace..0000000 --- a/bind/conf/named.conf +++ /dev/null 
@@ -1,97 +0,0 @@ -// vi:ft=named noexpandtab - -include "/etc/bind/rndc.key"; - -//======================================================================== -// If BIND logs error messages about the root key being expired, -// you will need to update your keys. See https://www.isc.org/bind-keys -//======================================================================== - -options { - directory "/etc/bind/local/zones"; - managed-keys-directory "/etc/bind/local/managed-keys"; - bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-( - - dnssec-validation no; // AWS resolvers return invalid zone signatures - zone-statistics full; // Track full stats for prometheus export - masterfile-format text; // Write zonefiles in text even for secondary zones - auth-nxdomain no; // conform to RFC1035 - notify master-only; // don't send NOTIFY from secondaries - - version none; - hostname none; - - // Force TCP if response would be larger than IPv6 fragment size - // see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/ - max-udp-size 1220; - edns-udp-size 1220; - - // Allow more transfers at once to improve secondary convergence - transfers-in 50; - transfers-out 50; - - listen-on { any; }; - listen-on-v6 { any; }; - allow-update-forwarding { any; }; - - // Typically this ACL is empty but exists so that it can be populated - // during an attack to block bad clients. 
- blackhole { - blackhole-clients; - }; - - allow-notify { - internal-keys; - external-keys; - }; - - allow-recursion { - internal-nets; - localhost; - }; - - allow-transfer { - internal-nets; - localhost; - }; -}; - -logging { - category default { default_stderr; default_debug; }; -}; - -statistics-channels { -// inet 127.0.0.1 port 8053 allow { monitoring-hosts; }; -// inet ::1 port 8053 allow { monitoring-hosts; }; - - inet 0.0.0.0 port 8053 allow { monitoring-hosts; }; - inet :: port 8053 allow { monitoring-hosts; }; -}; - -controls { - inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; }; - inet ::1 allow { localhost; } keys { "rndc-key"; }; -}; - -acl internal-nets { - // Internal RFC1918 - 172.16.0.0/12; - - // Unknown? Maybe Docker bridge? - 192.168.255.0/24; - - // Pomona ARIN - 23.149.16.0/24; - 104.250.232.0/22; - 2602:0803:4000::/40; -}; - -acl monitoring-hosts { - localhost; - - // monitoring-1.sea1.crute.me - 172.16.0.64/32; - 2602:803:4070:0:5054:9fff:fe55:2cb3/128; -}; - -include "/etc/bind/local/named.conf"; diff --git a/bind/conf/named.conf.default-zones b/bind/conf/named.conf.default-zones deleted file mode 100644 index 355338b..0000000 --- a/bind/conf/named.conf.default-zones +++ /dev/null @@ -1,30 +0,0 @@ -// prime the server with knowledge of the root servers -zone "." { - type hint; - file "/etc/bind/db.root"; -}; - -// be authoritative for the localhost forward and reverse zones, and for -// broadcast zones as per RFC 1912 - -zone "localhost" { - type master; - file "/etc/bind/db.local"; -}; - -zone "127.in-addr.arpa" { - type master; - file "/etc/bind/db.127"; -}; - -zone "0.in-addr.arpa" { - type master; - file "/etc/bind/db.0"; -}; - -zone "255.in-addr.arpa" { - type master; - file "/etc/bind/db.255"; -}; - - diff --git a/bind/db.local b/bind/db.local new file mode 100644 index 0000000..2f272d4 --- /dev/null +++ b/bind/db.local 
@@ -0,0 +1,14 @@ +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 2 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. +@ IN A 127.0.0.1 +@ IN AAAA ::1 diff --git a/bind/entrypoint.sh b/bind/entrypoint.sh index b8b5a9c..75e2865 100755 --- a/bind/entrypoint.sh +++ b/bind/entrypoint.sh @@ -2,7 +2,9 @@ set -e -RNDC_KEY_FILE="/etc/bind/rndc.key" +RNDC_KEY_FILE="/run/named/rndc.key" + +mkdir -p /run/named # Generate an rndc key fresh for every server startup. This is only used for # internal management with the rndc command so there's no need to persist it. @@ -12,12 +14,15 @@ chmod 0660 $RNDC_KEY_FILE /usr/sbin/ddns-confgen -q -k rndc-key > $RNDC_KEY_FILE # Create directories for secondaries -for i in $(grep ^view /etc/bind/local/named.conf | cut -d' ' -f2); do - mkdir -p /etc/bind/local/zones/$i +for i in $(grep ^view /etc/bind/named.conf | cut -d' ' -f2); do + mkdir -p /etc/bind/zones/$i done -mkdir -p /etc/bind/local/managed-keys # Make sure BIND can write everything -chown -R named:named /etc/bind/local +chown -R named:named \ + /etc/bind \ + /var/log/bind \ + /run/named +cd /run/named exec "$@" -- cgit v1.2.3
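Review bot: `mkdir -p /run/named` creates the directory with whatever mode the current umask yields, and the directory now holds the freshly generated rndc secret and (per the next hunk) becomes named's working directory; the file-level `chmod 0660` limits reads of the key, but the directory itself should not be left at the umask default. Creating it with an explicit mode, `mkdir -p -m 0750 /run/named`, keeps the containing directory private to the owner and group, and the `chown -R named:named ... /run/named` at the end of the script already fixes ownership. The lines that create the key file before the `chmod` are outside this hunk, so whether the file is created with a safe initial mode cannot be checked here.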
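Review bot: The view loop silently does nothing when /etc/bind/named.conf is missing or unreadable — a failing command substitution in a `for` word list is not caught by `set -e` — so a mis-mounted config is only detected when named itself starts, after the script has already generated the rndc key and recursively chowned /etc/bind. A guard before the loop, `[ -r /etc/bind/named.conf ] || { echo "missing /etc/bind/named.conf" >&2; exit 1; }`, fails fast with a clear message. Separately, `chown -R named:named /etc/bind` makes named.conf and everything beneath it writable by the daemon's own user, while the comment only asks for the zone directories to be writable; if the config is meant to be read-only for the process, restricting the chown to `/etc/bind/zones`, `/var/log/bind` and `/run/named` narrows what a compromised named could rewrite, though whether other paths under /etc/bind must be writable (managed keys, now that the explicit managed-keys-directory is gone) is not visible in this patch. The unquoted `$i` in `mkdir -p /etc/bind/zones/$i` is also worth quoting, since view names come straight from a `cut` over the config.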