Docker Compose Setup with ISC/Bind9 Image

Pablo pablo at heavenly.cl
Fri Dec 27 20:17:21 UTC 2024


Hello,


I am new to Bind, DNS servers, and mailing lists, please excuse me if I 
have missed something from the documentation or other mailing list 
messages. I have been trying to set up a DNS server using docker 
compose, but I am stuck with a setup that will always "exit with code 
1". I may be trying to bite off more than I can chew, but I think part 
of the main complication is that I am trying to use DNSSEC (though, with 
the relevant sections commented out, the startup still fails).

This is my docker-compose.yml (my start command has to be sudoed for 
some reason, Debian 12 machine: sudo docker compose up -d):

services:
  bind9:
    image: internetsystemsconsortium/bind9:9.20
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "127.0.0.1:953:953/tcp"
    volumes:
      - ./config:/etc/bind
      - ./cache:/var/cache/bind
      - ./zones:/var/lib/bind
      - ./log:/var/log/named
      - ./keys:/etc/dnssec-keys
    restart: always

My config directory contains the named.conf file, my zones directory 
contains the zones: 'db.empty', and 'db.x.com'. I'm not trying to spoof 
x.com, just a censored-ish example.

named.conf:

// Authoritative primary
// Server-wide properties - options
options {
     // All relative paths use this directory as a base
     directory "/var/cache/bind";
     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
     
//========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys.  See https://www.isc.org/bind-keys
     
//========================================================================
     // Version statement to prevent hacking with known version vulnerabilities
     version "not version";
     // Allow user queries from any IP
     allow-query { any; };
     // User query will not reveal cached items
     allow-query-cache { none; };
     // Do not provide recursive service to user query
     allow-recursion { none; };
     allow-update { none; };
     listen-on { 127.0.0.1; };
     listen-on-v6 { any; };
     dnssec-validation auto;
};
// Logging
logging {
     channel main_log {
         // Relative to directory
         file "log/named/bind.log" versions 3 size 250k;
         // Only log info level and up
         severity info;
     };
     category default {
         main_log;
     };
};
// Control through rndc
controls {
     inet 127.0.0.1 port 953
         allow { localhost; } keys { "rndc-key"; };
};
zone "x.com"{
     type primary;
     file "/var/lib/bind/db.x.com";
     notify yes;
     // DNSSEC Key settings
     inline-signing yes;
     dnssec-policy default;
     key-directory "/etc/dnssec-keys/";
     keys {
         csk key-directory lifetime 365d algorithm ecdsa256;
     };
     parental-agents { #.#.#.#; };
     checkds explicit;
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
zone "10.in-addr.arpa"{
     type master;
     file "/etc/bind/db.empty";
     allow-query { localhost; };
};
zone "168.192.in-addr.arpa"{
     type master;
     file "/etc/bind/db.empty";
     allow-query { localhost; };
};
zone "16-31.172.in-addr.arpa"{
     type master;
     file "/etc/bind/db.empty";
     allow-query { localhost; };
};

I'm not sure that sharing the zones is relevant, as they are just 
records that are transmitted through the server. But maybe I have to 
check they are being parsed correctly?


Are there more details about the image dockerfile or its use somewhere? 
Any help is appreciated.


Best regards and many thanks,

Pablo
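An added example for the configuration above (my own code, not part of the post, of BIND, or of the ISC image): a small pre-flight script that walks a named.conf the way named nests it, resolves every `directory`, `file` and `key-directory` path against `options { directory }`, and reports which host directory each path lands in under the compose bind mounts. It also lists any `csk`/`ksk`/`zsk` key-role line that is not inside a top-level `dnssec-policy` block, which is the only place BIND accepts those lines. The embedded config is a constructed, trimmed copy of the posted one (the `parental-agents` address is a documentation placeholder), and the volume list is copied from the posted compose file; it assumes plain `host:container` volume strings.

```python
"""Pre-flight review of a named.conf against its docker-compose volume mounts.
Added example for the post above (not BIND or ISC image code). It reports where
each path in named.conf lands on the host, and flags csk/ksk/zsk key-role lines
that sit outside a dnssec-policy block, the only place BIND accepts them.
"""
import re
from typing import Optional

# Copied from the post's compose file: "host:container" bind mounts.
COMPOSE_VOLUMES = [
    "./config:/etc/bind",
    "./cache:/var/cache/bind",
    "./zones:/var/lib/bind",
    "./log:/var/log/named",
    "./keys:/etc/dnssec-keys",
]

# Constructed, trimmed copy of the posted named.conf (placeholder address added).
NAMED_CONF = """
options {
    directory "/var/cache/bind";
};
logging {
    channel main_log {
        file "log/named/bind.log" versions 3 size 250k;
    };
};
zone "x.com" {
    type primary;
    file "/var/lib/bind/db.x.com";
    dnssec-policy default;
    key-directory "/etc/dnssec-keys/";
    keys {
        csk key-directory lifetime 365d algorithm ecdsa256;
    };
    parental-agents { 192.0.2.1; };  /* placeholder, not the poster's address */
};
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
"""

PATH_KEYWORDS = ("key-directory", "directory", "file")
KEY_ROLES = {"csk", "ksk", "zsk"}


def statements(conf: str):
    """Yield (enclosing block headers, statement) for each ';'-terminated statement."""
    text = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))
    stack, buf, in_str = [], "", False
    for ch in text:
        in_str ^= ch == '"'                # braces/semicolons inside quotes are data
        if in_str or ch not in "{};":
            buf += ch
            continue
        token, buf = " ".join(buf.split()), ""
        if ch == "{":                      # block header becomes nesting context
            stack.append(token)
        elif ch == "}":
            stack.pop()
        elif token:
            yield tuple(stack), token


def parse_volumes(volumes: list[str]) -> list[tuple[str, str]]:
    """Split compose 'host:container[:opts]' strings into (host, container) pairs."""
    return [tuple(p.rstrip("/") for p in v.split(":")[:2]) for v in volumes]


def host_path(container_path: str, mounts: list[tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match against the mounts; None when no mount covers the path."""
    best = None
    for host, cont in mounts:
        if container_path == cont or container_path.startswith(cont + "/"):
            if best is None or len(cont) > len(best[1]):
                best = (host, cont)
    return None if best is None else best[0] + container_path[len(best[1]):]


def path_map(conf: str, volumes: list[str]) -> dict[str, Optional[str]]:
    """Map each path statement to its host path; relative paths resolve against options { directory }."""
    mounts, base, result = parse_volumes(volumes), "/", {}
    for ctx, stmt in statements(conf):
        m = re.match(r'(%s)\s+"([^"]+)"' % "|".join(PATH_KEYWORDS), stmt)
        if not m:
            continue
        keyword, path = m.groups()
        if not path.startswith("/"):
            path = base.rstrip("/") + "/" + path
        if keyword == "directory" and ctx == ("options",):
            base = path
        result["/".join(ctx) + ": " + keyword] = host_path(path.rstrip("/"), mounts)
    return result


def misplaced_key_roles(conf: str) -> list[str]:
    """Block path of every csk/ksk/zsk line that is not inside a dnssec-policy block."""
    return ["/".join(ctx) for ctx, stmt in statements(conf)
            if stmt.split()[0] in KEY_ROLES
            and not (ctx and ctx[0].startswith("dnssec-policy"))]


if __name__ == "__main__":
    for label, host in path_map(NAMED_CONF, COMPOSE_VOLUMES).items():
        print(f"{label:36} -> {host or 'NOT MOUNTED'}")
    for where in misplaced_key_roles(NAMED_CONF):
        print(f"key-role line outside any dnssec-policy block: {where}")
```

Run it before `docker compose up`: the mapping shows that the log channel's relative path resolves under `directory`, so it lands in `./cache/log/named/bind.log` rather than the `./log` mount, and that `/etc/bind/db.empty` is read from `./config`, not from `./zones`. The script is a structural aid only; the authoritative syntax check is `named-checkconf -z /etc/bind/named.conf` run inside the container, assuming the image ships the utility as the Debian bind9 packages do.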