docker_bind/README.md

# `zeke.ecotroph.net` DNS service

This repo and directory consists of the revamped DNS service for `zeke.ecotroph.net`.  The goals of this service are:

1. Host the primary zones we want.
2. DNSSEC-sign those primary zones, if desired.
3. Provide local recursive service for the host itself.

## Overview

In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.)  This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves.  We started with 9.18.12 and now are up to 9.18.20.

This docker image imposes a few requirements:

* Internally, the image runs `named` as the `bind` user (104:105).  Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
* We need some way to ensure that our container is run on system reboots, etc.  Here we chose to use `systemd` to do this, although that is not ideal.
* Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`.  On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr.
* We do want named to stay in the foreground here.  Fortunately, there have always been command line options that do this (`-g` and `-f`).  Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -4 -u bind`.  This will run in the foreground, only do IPv4 (`zeke` does not yet have IPv6 connectivity), and run as the internal `bind` user.

## Source

I have this in a local git repository on `zeke`, however we can see it here: <https://blacka.com/git/docker_bind.git>.

## Design

We have in this repo:

* named configurations.  I've broken this up into sections (options, keys, logging, primary, secondary, etc.), which all just get included in the primary named.conf.  It isn't tricky.
* "keys".  Well, mostly TSIG keys.  Those are encrypted with `git-crypt`.  With a key that is ... somewhere.  I've saved it in my password manager, but it can be extracted from the current checkout in `/etc/bind` with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`.  `git-crypt` doesn't seem to come via RPM and yum, but I built it and installed it into `/usr/local/bin` on `zeke`.
* zone files.  I have all of the zone files we started with, although currently the configuration does not load all of them.
* A script to launch the container (`run_bind_container.sh`).
* A script to use as the internal "command" (`cfg/run.sh`) -- it isn't config, but we need to bind-mount it.  It could possibly be moved to `cache`.
* A helper script to run `rndc` that just runs that inside the container itself (via a docker exec).  You would need to be in the `docker` group to run it.  Another few helper scripts to run other command line tools: `named-checkconf`, `named-compilezone`.
* A helper script to prepare `zeke` to run this container and properly work, in case we want to do this install again (`setup.sh`).

## Installation

1. Clone this repo to `/etc/bind` (clone in `/etc` -- we want the working copy to *be* `/etc/bind`.)
2. Create a user to match the internal user (`uid 104`): `useradd -u 104 -g 105 -M --no-log-init bind`
3. Change the ownership of everything under `/etc/bind` to the `bind` user and group: `chown -R 104:105 /etc/bind`.
4. Copy the supplied `systemd` unit file to `/etc/systemd/system`, and `systemctl enable docker.bind.service`, then `systemctl start docker.bind.service`.

## Zone Changes

All of our zone files are now in this git repo, so we can just make changes and commit them, assuming you have write access to the local repo, that is.  The `bind` user should be able to do it, though.  Once you've changed your zone, you *could* bounce the service via `systemctl`, or we could use `rndc`.  I've made a little script that will do this with `docker exec`, `/etc/bind/run_rndc.sh`.  Thus:

```bash
sudo -u bind -s
cd /etc/bind/zones
vi <zonefile> # remember to update the serial
git commit -a <zonefile>
git push
cd ..
./run_rndc.sh reload <zone>
```

## DNSSEC

More modern BIND releases have changed the configuration for this.  Note *how* your zone is signed is based on a `dnssec-policy` block (I've put those in `cfg/named.dnssec.conf`).  Then, in your zone, you add:

```conf
  dnssec-policy "default_alg13";
  inline-signing yes;
```

in your zone block.  After restarting/reconfiguring BIND, it will create a `<zonefile>.signed` and `<zonefile>.signed.jnl` file, and start serving a DNSSEC signed version of the zone.  It will then take care of resigning activities, key rollovers etc.

### Zone Files

We can find the zone files on `zeke` in `/etc/bind/zones`, although note that your zone may be in BIND's *raw* format.  If you want to see the contents, you can use `named-compilezone` for that (either using a version inside the container or not):

```bash
named-compilezone -f raw -F text -o - blacka.com /etc/bind/zones/blacka.com.signed
```
update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			# `zeke.ecotroph.net` DNS service
Add README.md, unit file 2023-02-26 00:30:43 +00:00
update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			This repo and directory consists of the revamped DNS service for `zeke.ecotroph.net`. The goals of this service are:
Add README.md, unit file 2023-02-26 00:30:43 +00:00
			`1. Host the primary zones we want.`
			`2. DNSSEC-sign those primary zones, if desired.`
			`3. Provide local recursive service for the host itself.`

			`## Overview`

update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			`In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We started with 9.18.12 and now are up to 9.18.20.`
Add README.md, unit file 2023-02-26 00:30:43 +00:00
			`This docker image imposes a few requirements:`

Update 'README.md' 2023-03-03 22:04:14 +00:00			* Internally, the image runs `named` as the `bind` user (104:105). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
Add README.md, unit file 2023-02-26 00:30:43 +00:00			* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal.
Update 'README.md' 2023-03-03 22:04:14 +00:00			* Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr.
update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			* We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -4 -u bind`. This will run in the foreground, only do IPv4 (`zeke` does not yet have IPv6 connectivity), and run as the internal `bind` user.
Add README.md, unit file 2023-02-26 00:30:43 +00:00
			`## Source`

update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			I have this in a local git repository on `zeke`, however we can see it here: <https://blacka.com/git/docker_bind.git>.
Add README.md, unit file 2023-02-26 00:30:43 +00:00
			`## Design`

			`We have in this repo:`

			`* named configurations. I've broken this up into sections (options, keys, logging, primary, secondary, etc.), which all just get included in the primary named.conf. It isn't tricky.`
update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			* "keys". Well, mostly TSIG keys. Those are encrypted with `git-crypt`. With a key that is ... somewhere. I've saved it in my password manager, but it can be extracted from the current checkout in `/etc/bind` with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`. `git-crypt` doesn't seem to come via RPM and yum, but I built it and installed it into `/usr/local/bin` on `zeke`.
Add README.md, unit file 2023-02-26 00:30:43 +00:00			`* zone files. I have all of the zone files we started with, although currently the configuration does not load all of them.`
update README 2023-02-26 15:47:09 +00:00			* A script to launch the container (`run_bind_container.sh`).
update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			* A script to use as the internal "command" (`cfg/run.sh`) -- it isn't config, but we need to bind-mount it. It could possibly be moved to `cache`.
			* A helper script to run `rndc` that just runs that inside the container itself (via a docker exec). You would need to be in the `docker` group to run it. Another few helper scripts to run other command line tools: `named-checkconf`, `named-compilezone`.
			* A helper script to prepare `zeke` to run this container and properly work, in case we want to do this install again (`setup.sh`).
Add README.md, unit file 2023-02-26 00:30:43 +00:00
			`## Installation`

update README 2023-02-26 15:47:09 +00:00			1. Clone this repo to `/etc/bind` (clone in `/etc` -- we want the working copy to be `/etc/bind`.)
update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			2. Create a user to match the internal user (`uid 104`): `useradd -u 104 -g 105 -M --no-log-init bind`
Add README.md, unit file 2023-02-26 00:30:43 +00:00			3. Change the ownership of everything under `/etc/bind` to the `bind` user and group: `chown -R 104:105 /etc/bind`.
update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			4. Copy the supplied `systemd` unit file to `/etc/systemd/system`, and `systemctl enable docker.bind.service`, then `systemctl start docker.bind.service`.
Add README.md, unit file 2023-02-26 00:30:43 +00:00
			`## Zone Changes`

update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			All of our zone files are now in this git repo, so we can just make changes and commit them, assuming you have write access to the local repo, that is. The `bind` user should be able to do it, though. Once you've changed your zone, you could bounce the service via `systemctl`, or we could use `rndc`. I've made a little script that will do this with `docker exec`, `/etc/bind/run_rndc.sh`. Thus:
Add README.md, unit file 2023-02-26 00:30:43 +00:00
			```bash
update README 2023-02-26 15:47:09 +00:00			`sudo -u bind -s`
Add README.md, unit file 2023-02-26 00:30:43 +00:00			`cd /etc/bind/zones`
			`vi <zonefile> # remember to update the serial`
			`git commit -a <zonefile>`
			`git push`
			`cd ..`
			`./run_rndc.sh reload <zone>`
			```

			`## DNSSEC`

Update 'README.md' 2023-03-03 22:04:14 +00:00			More modern BIND releases have changed the configuration for this. Note how your zone is signed is based on a `dnssec-policy` block (I've put those in `cfg/named.dnssec.conf`). Then, in your zone, you add:
Add README.md, unit file 2023-02-26 00:30:43 +00:00
update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			```conf
update README 2023-02-26 15:47:09 +00:00			`dnssec-policy "default_alg13";`
Add README.md, unit file 2023-02-26 00:30:43 +00:00			`inline-signing yes;`
			```

update README.md, add named-compilezone wrapper 2023-12-02 22:06:45 +00:00			in your zone block. After restarting/reconfiguring BIND, it will create a `<zonefile>.signed` and `<zonefile>.signed.jnl` file, and start serving a DNSSEC signed version of the zone. It will then take care of resigning activities, key rollovers etc.

			`### Zone Files`

			We can find the zone files on `zeke` in `/etc/bind/zones`, although note that your zone may be in BIND's raw format. If you want to see the contents, you can use `named-compilezone` for that (either using a version inside the container or not):

			```bash
			`named-compilezone -f raw -F text -o - blacka.com /etc/bind/zones/blacka.com.signed`
			```