Update 'README.md'
This commit is contained in:
parent
368ca9a934
commit
7942b583a7
18
README.md
@ -8,28 +8,28 @@ This repo and directory consists of the revamped DNS service for zeke.ecotroph.n
|
|||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a recent very version of BIND 9 via a docker image produced by ISC themselves. We are staring with 9.18.12.
|
In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We are starting with 9.18.12.
|
||||||
|
|
||||||
This docker image imposes a few requirements:
|
This docker image imposes a few requirements:
|
||||||
|
|
||||||
* Interally, the image runs `named` as the `bind` user, (104:105) by default. Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
|
* Internally, the image runs `named` as the `bind` user (104:105). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
|
||||||
* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal.
|
* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal.
|
||||||
* Presumably the normal way to do logging for a docker container is to use the standard journal service, however, this image is set up to bind-mount `/var/log` anyway. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr.
|
* Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr.
|
||||||
* We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`).
|
* We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -4 -u bind`. This will run in the forground, only do IPv4 (zeke does not yet have IPv6 connectivity), and run as the internal `bind` user.
|
||||||
|
|
||||||
## Source
|
## Source
|
||||||
|
|
||||||
I have this in a local git repository on zeke, however we can see it (sort of) here: <https://blacka.com/cgit/docker_bind.git/tree/> (athough the viewer here is subject to change, and when that does, the URL will change.)
|
I have this in a local git repository on zeke, however we can see it here: <https://blacka.com/git/docker_bind.git>.
|
||||||
|
|
||||||
## Design
|
## Design
|
||||||
|
|
||||||
We have in this repo:
|
We have in this repo:
|
||||||
|
|
||||||
* named configurations. I've broken this up into sections (options, keys, logging, primary, secondary, etc.), which all just get included in the primary named.conf. It isn't tricky.
|
* named configurations. I've broken this up into sections (options, keys, logging, primary, secondary, etc.), which all just get included in the primary named.conf. It isn't tricky.
|
||||||
* "keys". Well, mostly TSIG keys. Those are are but are encrypted with `git-crypt`. With a key that is ... somewhere. I've saved it in my password manager, but it can be extracted from the current checkout in `/etc/bind` with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`.
|
* "keys". Well, mostly TSIG keys. Those are are but are encrypted with `git-crypt`. With a key that is ... somewhere. I've saved it in my password manager, but it can be extracted from the current checkout in `/etc/bind` with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`. `git-crypt` doesn't seem to come via RPM and yum, but I build the code and installed it into /usr/local/bin on zeke.
|
||||||
* zone files. I have all of the zone files we started with, although currently the configuration does not load all of them.
|
* zone files. I have all of the zone files we started with, although currently the configuration does not load all of them.
|
||||||
* A script to launch the container (`run_bind_container.sh`).
|
* A script to launch the container (`run_bind_container.sh`).
|
||||||
* A script to use as the internal "command" (`cfg/run.sh`) -- it isn't config, but we need to bind-mount it.
|
* A script to use as the internal "command" (`cfg/run.sh`) -- it isn't config, but we need to bind-mount it. I could possibly be moved to `cache`.
|
||||||
* A helper script to run `rndc` that just runs that inside the container itself (via a docker exec). You would need to be in the `docker` group to run it. Another helper script to run `named-checkconf`.
|
* A helper script to run `rndc` that just runs that inside the container itself (via a docker exec). You would need to be in the `docker` group to run it. Another helper script to run `named-checkconf`.
|
||||||
* A helper script to prepare zeke to run this container and properly work, in case we want to do this install again (`setup.sh`).
|
* A helper script to prepare zeke to run this container and properly work, in case we want to do this install again (`setup.sh`).
|
||||||
|
|
||||||
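Review bot: the git-crypt sentence added to the "keys" bullet documents exporting the repository's symmetric key with `cd /etc/bind; git-crypt export-key /tmp/docker_bind_crypto.key`, which leaves the key that decrypts every TSIG secret sitting in shared `/tmp`; the README should tell the reader to remove that file once it has been used (or export straight to a private location) and to keep the exported key and the password-manager copy in sync. The same bullet still reads "Those are are but are encrypted" (duplicated "are", and the sentence seems to be missing what the keys are), and the added text has "I build the code" where "I built" is meant. In the new `cfg/run.sh` bullet, "I could possibly be moved to `cache`" should be "It could". In the foreground bullet, "forground" should be "foreground", and since dropping `-g` from `/usr/sbin/named -f -4 -u bind` means logs go wherever the logging section of the config sends them rather than to stderr, it would help to state that the bind-mounted `/var/log` must be writable by the internal 104:105 user, consistent with the first bullet.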
@ -38,7 +38,7 @@ We have in this repo:
|
|||||||
1. Clone this repo to `/etc/bind` (clone in `/etc` -- we want the working copy to *be* `/etc/bind`.)
|
1. Clone this repo to `/etc/bind` (clone in `/etc` -- we want the working copy to *be* `/etc/bind`.)
|
||||||
2. Create a user to match the internal user (uid 104): `useradd -u 104 -g 105 -M --no-log-init bind`
|
2. Create a user to match the internal user (uid 104): `useradd -u 104 -g 105 -M --no-log-init bind`
|
||||||
3. Change the ownership of everything under `/etc/bind` to the `bind` user and group: `chown -R 104:105 /etc/bind`.
|
3. Change the ownership of everything under `/etc/bind` to the `bind` user and group: `chown -R 104:105 /etc/bind`.
|
||||||
3. Copy the supplied systemd unit file to /etc/systemd/system, and `systemctl enable docker.bind.service`, then `systemctl start docker.bind.service`.
|
3. Copy the supplied systemd unit file to `/etc/systemd/system`, and `systemctl enable docker.bind.service`, then `systemctl start docker.bind.service`.
|
||||||
|
|
||||||
## Zone Changes
|
## Zone Changes
|
||||||
|
|
||||||
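Review bot: the `useradd -u 104 -g 105 -M --no-log-init bind` step in this hunk assumes a group with GID 105 already exists; `useradd -g` fails when it does not, so either add a preceding `groupadd -g 105 bind` step or point the reader at `setup.sh` if that script creates it. The list also numbers both the chown step and the systemd step as "3."; the systemd step should be "4.". The backticks added around `/etc/systemd/system` are fine.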
@ -56,7 +56,7 @@ cd ..
|
|||||||
|
|
||||||
## DNSSEC
|
## DNSSEC
|
||||||
|
|
||||||
More modern BIND releases have changed the configuration for this. Now, *how* your zone is signed is based on a `dnssec-policy` block (I've put those in `cfg/named.dnssec.conf`). Then, in your zone, you add:
|
More modern BIND releases have changed the configuration for this. Note *how* your zone is signed is based on a `dnssec-policy` block (I've put those in `cfg/named.dnssec.conf`). Then, in your zone, you add:
|
||||||
|
|
||||||
```
|
```
|
||||||
dnssec-policy "default_alg13";
|
dnssec-policy "default_alg13";
|
||||||
|
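Review bot: changing "Now, *how* your zone is signed is based on a `dnssec-policy` block" to "Note *how* your zone is signed is based on ..." turns a correct sentence into a fragment; either restore "Now," or rewrite it as "Note that *how* your zone is signed is determined by a `dnssec-policy` block". The code block that follows opens with an untagged fence; a language tag is optional but would render the `dnssec-policy "default_alg13";` line more readably.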