<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,</p>
<p>I am new to Bind, DNS servers and mailing lists, so please excuse
me if I have missed something in the documentation or in other
mailing list messages. I have been trying to set up a DNS server
using docker compose, but I am stuck with a setup that will always
"exit with code 1". I may be trying to bite off more than I can
chew, but I think part of the main complication is that I am
trying to use DNSSEC (though, with the relevant sections commented
out, the startup still fails).</p>
<p>This is my docker-compose.yml (my start command has to be sudoed
for some reason; Debian 12 machine: <code>sudo docker compose up -d</code>):</p>
<pre>services:
  bind9:
    image: internetsystemsconsortium/bind9:9.20
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "127.0.0.1:953:953/tcp"
    volumes:
      - ./config:/etc/bind
      - ./cache:/var/cache/bind
      - ./zones:/var/lib/bind
      - ./log:/var/log/named
      - ./keys:/etc/dnssec-keys
    restart: always</pre>
<p>My config directory contains the named.conf file, and my zones
directory contains the zones 'db.empty' and 'db.x.com'. I'm not
trying to spoof x.com; it is just a censored-ish example.</p>
<p>named.conf:<br>
</p>
<pre>// Authoritative primary
// Server-wide properties - options
options {
    // All relative paths use this directory as a base
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================

    // Version statement to prevent hacking with known version vulnerabilities
    version "not version";

    // Allow user queries from any IP
    allow-query { any; };
    // User query will not reveal cached items
    allow-query-cache { none; };
    // Do not provide recursive service to user query
    allow-recursion { none; };
    allow-update { none; };
    listen-on { 127.0.0.1; };
    listen-on-v6 { any; };
    dnssec-validation auto;
};
// Logging
logging {
    channel main_log {
        // Relative to directory
        file "log/named/bind.log" versions 3 size 250k;
        // Only log info level and up
        severity info;
    };
    category default {
        main_log;
    };
};
// Control through rndc
controls {
    inet 127.0.0.1 port 953
    allow { localhost; } keys { "rndc-key"; };
};
zone "x.com" {
    type primary;
    file "/var/lib/bind/db.x.com";
    notify yes;
    // DNSSEC Key settings
    inline-signing yes;
    dnssec-policy default;
    key-directory "/etc/dnssec-keys/";
    keys {
        csk key-directory lifetime 365d algorithm ecdsa256;
    };
    parental-agents { #.#.#.#; };
    checkds explicit;
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
    allow-query { localhost; };
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
    allow-query { localhost; };
};
zone "16-31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
    allow-query { localhost; };
};</pre>
<p>I'm not sure that sharing the zones is relevant, as they are just
records that are transmitted through the server. But maybe I have
to check they are being parsed correctly?</p>
<p>Are there more details about the image dockerfile or its use
somewhere? Any help is appreciated.<br>
</p>
<p>Best regards and many thanks,<br>
</p>
<p>Pablo<br>
</p>
</body>
</html>