Update 'README.md'

This commit is contained in:
David Blacka 2023-03-03 17:04:14 -05:00
parent 368ca9a934
commit 7942b583a7

View File

@ -8,28 +8,28 @@ This repo and directory consists of the revamped DNS service for zeke.ecotroph.n
## Overview ## Overview
In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a recent very version of BIND 9 via a docker image produced by ISC themselves. We are staring with 9.18.12. In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We are starting with 9.18.12.
This docker image imposes a few requirements: This docker image imposes a few requirements:
* Interally, the image runs `named` as the `bind` user, (104:105) by default. Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using. * Internally, the image runs `named` as the `bind` user (104:105). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal. * We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal.
* Presumably the normal way to do logging for a docker container is to use the standard journal service, however, this image is set up to bind-mount `/var/log` anyway. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr. * Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr.
* We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). * We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -4 -u bind`. This will run in the forground, only do IPv4 (zeke does not yet have IPv6 connectivity), and run as the internal `bind` user.
## Source ## Source
I have this in a local git repository on zeke, however we can see it (sort of) here: <https://blacka.com/cgit/docker_bind.git/tree/> (athough the viewer here is subject to change, and when that does, the URL will change.) I have this in a local git repository on zeke, however we can see it here: <https://blacka.com/git/docker_bind.git>.
## Design ## Design
We have in this repo: We have in this repo:
* named configurations. I've broken this up into sections (options, keys, logging, primary, secondary, etc.), which all just get included in the primary named.conf. It isn't tricky. * named configurations. I've broken this up into sections (options, keys, logging, primary, secondary, etc.), which all just get included in the primary named.conf. It isn't tricky.
* "keys". Well, mostly TSIG keys. Those are are but are encrypted with `git-crypt`. With a key that is ... somewhere. I've saved it in my password manager, but it can be extracted from the current checkout in `/etc/bind` with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`. * "keys". Well, mostly TSIG keys. Those are are but are encrypted with `git-crypt`. With a key that is ... somewhere. I've saved it in my password manager, but it can be extracted from the current checkout in `/etc/bind` with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`. `git-crypt` doesn't seem to come via RPM and yum, but I build the code and installed it into /usr/local/bin on zeke.
* zone files. I have all of the zone files we started with, although currently the configuration does not load all of them. * zone files. I have all of the zone files we started with, although currently the configuration does not load all of them.
* A script to launch the container (`run_bind_container.sh`). * A script to launch the container (`run_bind_container.sh`).
* A script to use as the internal "command" (`cfg/run.sh`) -- it isn't config, but we need to bind-mount it. * A script to use as the internal "command" (`cfg/run.sh`) -- it isn't config, but we need to bind-mount it. I could possibly be moved to `cache`.
* A helper script to run `rndc` that just runs that inside the container itself (via a docker exec). You would need to be in the `docker` group to run it. Another helper script to run `named-checkconf`. * A helper script to run `rndc` that just runs that inside the container itself (via a docker exec). You would need to be in the `docker` group to run it. Another helper script to run `named-checkconf`.
* A helper script to prepare zeke to run this container and properly work, in case we want to do this install again (`setup.sh`). * A helper script to prepare zeke to run this container and properly work, in case we want to do this install again (`setup.sh`).
@ -38,7 +38,7 @@ We have in this repo:
1. Clone this repo to `/etc/bind` (clone in `/etc` -- we want the working copy to *be* `/etc/bind`.) 1. Clone this repo to `/etc/bind` (clone in `/etc` -- we want the working copy to *be* `/etc/bind`.)
2. Create a user to match the internal user (uid 104): `useradd -u 104 -g 105 -M --no-log-init bind` 2. Create a user to match the internal user (uid 104): `useradd -u 104 -g 105 -M --no-log-init bind`
3. Change the ownership of everything under `/etc/bind` to the `bind` user and group: `chown -R 104:105 /etc/bind`. 3. Change the ownership of everything under `/etc/bind` to the `bind` user and group: `chown -R 104:105 /etc/bind`.
3. Copy the supplied systemd unit file to /etc/systemd/system, and `systemctl enable docker.bind.service`, then `systemctl start docker.bind.service`. 3. Copy the supplied systemd unit file to `/etc/systemd/system`, and `systemctl enable docker.bind.service`, then `systemctl start docker.bind.service`.
## Zone Changes ## Zone Changes
@ -56,7 +56,7 @@ cd ..
## DNSSEC ## DNSSEC
More modern BIND releases have changed the configuration for this. Now, *how* your zone is signed is based on a `dnssec-policy` block (I've put those in `cfg/named.dnssec.conf`). Then, in your zone, you add: More modern BIND releases have changed the configuration for this. Note *how* your zone is signed is based on a `dnssec-policy` block (I've put those in `cfg/named.dnssec.conf`). Then, in your zone, you add:
``` ```
dnssec-policy "default_alg13"; dnssec-policy "default_alg13";