Docker Compose Setup with ISC/Bind9 Image
Pablo
pablo at heavenly.cl
Fri Dec 27 20:17:21 UTC 2024
Hello,
I am new to Bind, DNS servers, and mailing lists, please excuse me if I
have missed something from the documentation or other mailing list
messages. I have been trying to set up a DNS server using docker
compose, but I am stuck with a setup that will always "exit with code
1". I may be trying to bite off more than I can chew, but I think part
of the main complication is that I am trying to use DNSSEC (though, with
the relevant sections commented out, the startup still fails).
This is my docker-compose.yml (my start command has to be sudoed for
some reason, Debian 12 machine: sudo docker compose up -d):
services:
bind9:
image: internetsystemsconsortium/bind9:9.20
ports:
- "53:53/tcp"
- "53:53/udp"
- "127.0.0.1:953:953/tcp"
volumes:
- ./config:/etc/bind
- ./cache:/var/cache/bind
- ./zones:/var/lib/bind
- ./log:/var/log/named
- ./keys:/etc/dnssec-keys
restart: always
My config directory contains the named.conf file, my zones directory
contains the zones: 'db.empty', and 'db.x.com'. I'm not trying to spoof
x.com, just a censored-ish example.
named.conf:
// Authoritative primary
// Server-wide properties - options
options {
// All relative paths use this directory as a base
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See
https://www.isc.org/bind-keys
//========================================================================
// Version statement to prevent avoid hacking with known version
vulnerabilities
version "not version";
// Allow user queries fron any IP
allow-query { any; };
// User query will not reveal cached items
allow-query-cache { none; };
// Do not provide recursive service to user query
allow-recursion { none; };
allow-update { none; };
listen-on { 127.0.0.1; };
listen-on-v6 { any; };
dnssec-validation auto;
};
// Logging
logging {
channel main_log {
// Relative to directory
file "log/named/bind.log"versions 3 size 250k;
// Only log info level and up
severity info;
};
category default {
main_log;
};
};
// Control through rndc
controls {
inet 127.0.0.1 port 953
allow { localhost; } keys { "rndc-key"; };
};
zone "x.com"{
type primary;
file "/var/lib/bind/db.x.com";
notify yes;
// DNSSEC Key settings
inline-signing yes;
dnssec-policy default;
key-directory "/etc/dnssec-keys/";
keys {
csk key-directory lifetime 365d algorithm ecdsa256;
};
parental-agents { #.#.#.#; };
checkds explicit;
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
zone "10.in-addr.arpa"{
type master;
file "/etc/bind/db.empty";
allow-query { localhost; };
};
zone "168.192.in-addr.arpa"{
type master;
file "/etc/bind/db.empty";
allow-query { localhost; };
};
zone "16-31.172.in-addr.arpa"{
type master;
file "/etc/bind/db.empty";
allow-query { localhost; };
};
I'm not sure that sharing the zones is relevant, as they are just
records that are transmitted through the server. But maybe I have to
check they are being parsed correctly?
Are there more details about the image dockerfile or its use somewhere?
Any help is appreciated.
Best regards and many thanks,
Pablo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20241227/5515e930/attachment.htm>
More information about the bind-users
mailing list