From 7942b583a7dc0a96971d73b914b62d44ed41145c Mon Sep 17 00:00:00 2001 From: David Blacka Date: Fri, 3 Mar 2023 17:04:14 -0500 Subject: [PATCH] Update 'README.md' --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 7365ef6..0c108d2 100644 --- a/README.md +++ b/README.md 
@@ -8,28 +8,28 @@ This repo and directory consists of the revamped DNS service for zeke.ecotroph.n ## Overview -In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a recent very version of BIND 9 via a docker image produced by ISC themselves. We are staring with 9.18.12. +In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We are starting with 9.18.12. This docker image imposes a few requirements: -* Interally, the image runs `named` as the `bind` user, (104:105) by default. Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using. +* Internally, the image runs `named` as the `bind` user (104:105). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using. * We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal. -* Presumably the normal way to do logging for a docker container is to use the standard journal service, however, this image is set up to bind-mount `/var/log` anyway. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr. -* We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). +* Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr. 
+* We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -4 -u bind`. This will run in the forground, only do IPv4 (zeke does not yet have IPv6 connectivity), and run as the internal `bind` user. ## Source -I have this in a local git repository on zeke, however we can see it (sort of) here: (athough the viewer here is subject to change, and when that does, the URL will change.) +I have this in a local git repository on zeke, however we can see it here: . ## Design We have in this repo: * named configurations. I've broken this up into sections (options, keys, logging, primary, secondary, etc.), which all just get included in the primary named.conf. It isn't tricky. -* "keys". Well, mostly TSIG keys. Those are are but are encrypted with `git-crypt`. With a key that is ... somewhere. I've saved it in my password manager, but it can be extracted from the current checkout in `/etc/bind` with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`. +* "keys". Well, mostly TSIG keys. Those are are but are encrypted with `git-crypt`. With a key that is ... somewhere. I've saved it in my password manager, but it can be extracted from the current checkout in `/etc/bind` with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`. `git-crypt` doesn't seem to come via RPM and yum, but I build the code and installed it into /usr/local/bin on zeke. * zone files. I have all of the zone files we started with, although currently the configuration does not load all of them. * A script to launch the container (`run_bind_container.sh`). -* A script to use as the internal "command" (`cfg/run.sh`) -- it isn't config, but we need to bind-mount it. +* A script to use as the internal "command" (`cfg/run.sh`) -- it isn't config, but we need to bind-mount it. I could possibly be moved to `cache`. 
* A helper script to run `rndc` that just runs that inside the container itself (via a docker exec). You would need to be in the `docker` group to run it. Another helper script to run `named-checkconf`. * A helper script to prepare zeke to run this container and properly work, in case we want to do this install again (`setup.sh`). @@ -38,7 +38,7 @@ We have in this repo: 1. Clone this repo to `/etc/bind` (clone in `/etc` -- we want the working copy to *be* `/etc/bind`.) 2. Create a user to match the internal user (uid 104): `useradd -u 104 -g 105 -M --no-log-init bind` 3. Change the ownership of everything under `/etc/bind` to the `bind` user and group: `chown -R 104:105 /etc/bind`. -3. Copy the supplied systemd unit file to /etc/systemd/system, and `systemctl enable docker.bind.service`, then `systemctl start docker.bind.service`. +3. Copy the supplied systemd unit file to `/etc/systemd/system`, and `systemctl enable docker.bind.service`, then `systemctl start docker.bind.service`. ## Zone Changes @@ -56,7 +56,7 @@ cd .. ## DNSSEC -More modern BIND releases have changed the configuration for this. Now, *how* your zone is signed is based on a `dnssec-policy` block (I've put those in `cfg/named.dnssec.conf`). Then, in your zone, you add: +More modern BIND releases have changed the configuration for this. Note *how* your zone is signed is based on a `dnssec-policy` block (I've put those in `cfg/named.dnssec.conf`). Then, in your zone, you add: ``` dnssec-policy "default_alg13";
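Review bot: In the first hunk (`@@ -8,28 +8,28 @@`), the "keys" bullet still carries the broken sentence `Those are are but are encrypted with `git-crypt`.` on the `+` line (doubled "are", missing noun), and the `run.sh` bullet's new tail reads `I could possibly be moved to `cache`.` where "It" is meant; since both lines are being rewritten anyway, fix them here rather than in a follow-up. On the same bullet, the README documents `git-crypt export-key /tmp/docker_bind_crypto.key` without saying what to do with the exported key afterwards: that file is the symmetric key that unlocks every TSIG secret in the repo, and `/tmp` is shared and world-readable by default, so the doc should say to restrict its mode (or write it somewhere other than `/tmp`) and delete it once it has been copied into the password manager. Two smaller points on this hunk: the Source paragraph's `+` line ends with `we can see it here: .`, so the link target appears to be empty as committed, and the unchanged context line still says `forground` for "foreground".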
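Review bot: In the install-steps hunk (`@@ -38,7 +38,7 @@`), the modified line keeps the duplicate step number: the list now reads `3. Change the ownership ...` followed by `3. Copy the supplied systemd unit file ...`. Since this line is being touched to backtick the path, renumber it to `4.` at the same time so the sequence is 1 through 4.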
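Review bot: In the DNSSEC hunk (`@@ -56,7 +56,7 @@`), changing `Now, *how* your zone is signed is based on a `dnssec-policy` block` to `Note *how* your zone is signed is based on ...` breaks the sentence: "Note how your zone is signed is based on" has no grammatical reading, whereas the original "Now, how your zone is signed is based on" was correct and matches the "More modern BIND releases have changed the configuration" lead-in. Suggest reverting this one-word change, or rewording to `Note that *how* your zone is signed is based on a `dnssec-policy` block` if the intent was to draw attention to it.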