<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello,</p>
    <p><br>
    </p>
    <p>I am new to BIND, DNS servers, and mailing lists, so please excuse
      me if I have missed something from the documentation or other
      mailing list messages. I have been trying to set up a DNS server
      using docker compose, but I am stuck with a setup that will always
      "exit with code 1". I may be trying to bite off more than I can
      chew, but I think part of the main complication is that I am
      trying to use DNSSEC (though, with the relevant sections commented
      out, the startup still fails).</p>
    <p>This is my docker-compose.yml (my start command has to be sudoed
      for some reason, Debian 12 machine: sudo docker compose up -d):</p>
    <div
style="color: #d4d4d4;background-color: #1e1e1e;font-family: Consolas, 'Courier New', monospace;font-weight: normal;font-size: 14px;line-height: 19px;white-space: pre;"><div><span
    style="color: #569cd6;">services</span><span style="color: #d4d4d4;">:</span></div><div><span
    style="color: #d4d4d4;">  </span><span style="color: #569cd6;">bind9</span><span
    style="color: #d4d4d4;">:</span></div><div><span
    style="color: #d4d4d4;">    </span><span style="color: #569cd6;">image</span><span
    style="color: #d4d4d4;">: </span><span style="color: #ce9178;">internetsystemsconsortium/bind9:9.20</span></div><div><span
    style="color: #d4d4d4;">    </span><span style="color: #569cd6;">ports</span><span
    style="color: #d4d4d4;">:</span></div><div><span
    style="color: #d4d4d4;">      - </span><span style="color: #ce9178;">"53:53/tcp"</span></div><div><span
    style="color: #d4d4d4;">      - </span><span style="color: #ce9178;">"53:53/udp"</span></div><div><span
    style="color: #d4d4d4;">      - </span><span style="color: #ce9178;">"127.0.0.1:953:953/tcp"</span></div><div><span
    style="color: #d4d4d4;">    </span><span style="color: #569cd6;">volumes</span><span
    style="color: #d4d4d4;">:</span></div><div><span
    style="color: #d4d4d4;">      - </span><span style="color: #ce9178;">./config:/etc/bind</span></div><div><span
    style="color: #d4d4d4;">      - </span><span style="color: #ce9178;">./cache:/var/cache/bind</span></div><div><span
    style="color: #d4d4d4;">      - </span><span style="color: #ce9178;">./zones:/var/lib/bind</span></div><div><span
    style="color: #d4d4d4;">      - </span><span style="color: #ce9178;">./log:/var/log/named</span></div><div><span
    style="color: #d4d4d4;">      - </span><span style="color: #ce9178;">./keys:/etc/dnssec-keys</span></div><div><span
    style="color: #d4d4d4;">    </span><span style="color: #569cd6;">restart</span><span
    style="color: #d4d4d4;">: </span><span style="color: #ce9178;">always</span></div></div>
    <p>My config directory contains the named.conf file, my zones
      directory contains the zones: 'db.empty', and 'db.x.com'. I'm not
      trying to spoof x.com, just a censored-ish example.<br>
    </p>
    <p>named.conf:<br>
    </p>
    <div
style="color: #d4d4d4;background-color: #1e1e1e;font-family: Consolas, 'Courier New', monospace;font-weight: normal;font-size: 14px;line-height: 19px;white-space: pre;"><div><span
    style="color: #d4d4d4;">// Authoritative primary</span></div>
<div><span style="color: #d4d4d4;">// Server-wide properties - options</span></div><div><span
    style="color: #d4d4d4;">options {</span></div><div><span
    style="color: #d4d4d4;">    // All relative paths use this directory as a base</span></div><div><span
    style="color: #d4d4d4;">    directory </span><span
    style="color: #ce9178;">"/var/cache/bind"</span><span
    style="color: #6a9955;">;</span></div>
<div><span style="color: #d4d4d4;">    // If there is a firewall between you and nameservers you want</span></div><div><span
    style="color: #d4d4d4;">    // to talk to, you may need to fix the firewall to allow multiple</span></div><div><span
    style="color: #d4d4d4;">    // ports to talk.  See <a
    class="moz-txt-link-freetext"
    href="http://www.kb.cert.org/vuls/id/800113">http://www.kb.cert.org/vuls/id/800113</a></span></div>
<div><span style="color: #d4d4d4;">    //========================================================================</span></div><div><span
    style="color: #d4d4d4;">    // If BIND logs error messages about the root key being expired,</span></div><div><span
    style="color: #d4d4d4;">    // you will need to update your keys.  See <a
    class="moz-txt-link-freetext" href="https://www.isc.org/bind-keys">https://www.isc.org/bind-keys</a></span></div><div><span
    style="color: #d4d4d4;">    //========================================================================</span></div><div><span
    style="color: #d4d4d4;">    </span></div><div><span
    style="color: #d4d4d4;">    // Version statement to avoid hacking with known version vulnerabilities</span></div><div><span
    style="color: #d4d4d4;">    version </span><span
    style="color: #ce9178;">"not version"</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    </span></div><div><span
    style="color: #d4d4d4;">    // Allow user queries from any IP</span></div><div><span
    style="color: #d4d4d4;">    allow-query { any</span><span
    style="color: #6a9955;">; };</span></div>
<div><span style="color: #d4d4d4;">    // User query will not reveal cached items</span></div><div><span
    style="color: #d4d4d4;">    allow-query-cache { none</span><span
    style="color: #6a9955;">; };</span></div>
<div><span style="color: #d4d4d4;">    // Do not provide recursive service to user query</span></div><div><span
    style="color: #d4d4d4;">    allow-recursion { none</span><span
    style="color: #6a9955;">; };</span></div>
<div><span style="color: #d4d4d4;">    allow-update { none</span><span
    style="color: #6a9955;">; };</span></div><div><span
    style="color: #d4d4d4;">    listen-on { 127.0.0.1</span><span
    style="color: #6a9955;">; };</span></div><div><span
    style="color: #d4d4d4;">    listen-on-v6 { any</span><span
    style="color: #6a9955;">; };</span></div><div><span
    style="color: #d4d4d4;">    dnssec-validation auto</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">}</span><span style="color: #6a9955;">;</span></div>
<div><span style="color: #d4d4d4;">// Logging</span></div><div><span
    style="color: #d4d4d4;">logging {</span></div><div><span
    style="color: #d4d4d4;">    channel main_log {</span></div><div><span
    style="color: #d4d4d4;">        // Relative to directory</span></div><div><span
    style="color: #d4d4d4;">        file </span><span
    style="color: #ce9178;">"log/named/bind.log"</span><span
    style="color: #d4d4d4;"> versions 3 size 250k</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">        // Only log info level and up</span></div><div><span
    style="color: #d4d4d4;">        severity info</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    }</span><span style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    category default {</span></div><div><span
    style="color: #d4d4d4;">        main_log</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    }</span><span style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">}</span><span style="color: #6a9955;">;</span></div>
<div><span style="color: #d4d4d4;">// Control through rndc</span></div><div><span
    style="color: #d4d4d4;">controls {</span></div><div><span
    style="color: #d4d4d4;">    inet 127.0.0.1 port 953</span></div><div><span
    style="color: #d4d4d4;">        allow { localhost</span><span
    style="color: #6a9955;">; } keys { "rndc-key"; };</span></div><div><span
    style="color: #d4d4d4;">}</span><span style="color: #6a9955;">;</span></div>
<div><span style="color: #d4d4d4;">zone </span><span
    style="color: #ce9178;">"x.com"</span><span style="color: #d4d4d4;"> {</span></div><div><span
    style="color: #d4d4d4;">    type primary</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    file </span><span
    style="color: #ce9178;">"/var/lib/bind/db.x.com"</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    notify yes</span><span
    style="color: #6a9955;">;</span></div>
<div><span style="color: #d4d4d4;">    // DNSSEC Key settings</span></div><div><span
    style="color: #d4d4d4;">    inline-signing yes</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    dnssec-policy default</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    key-directory </span><span
    style="color: #ce9178;">"/etc/dnssec-keys/"</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    keys {</span></div><div><span
    style="color: #d4d4d4;">        csk key-directory lifetime 365d algorithm ecdsa256</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    }</span><span style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    parental-agents { #.#.#.#</span><span
    style="color: #6a9955;">; };</span></div><div><span
    style="color: #d4d4d4;">    checkds explicit</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">}</span><span style="color: #6a9955;">;</span></div>
<div><span style="color: #d4d4d4;">// Consider adding the 1918 zones here, if they are not used in your</span></div><div><span
    style="color: #d4d4d4;">// organization</span></div>
<div><span style="color: #d4d4d4;">zone </span><span
    style="color: #ce9178;">"10.in-addr.arpa"</span><span
    style="color: #d4d4d4;"> {</span></div><div><span
    style="color: #d4d4d4;">    type master</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    file </span><span
    style="color: #ce9178;">"/etc/bind/db.empty"</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    allow-query { localhost</span><span
    style="color: #6a9955;">; };</span></div><div><span
    style="color: #d4d4d4;">}</span><span style="color: #6a9955;">;</span></div>
<div><span style="color: #d4d4d4;">zone </span><span
    style="color: #ce9178;">"168.192.in-addr.arpa"</span><span
    style="color: #d4d4d4;"> {</span></div><div><span
    style="color: #d4d4d4;">    type master</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    file </span><span
    style="color: #ce9178;">"/etc/bind/db.empty"</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    allow-query { localhost</span><span
    style="color: #6a9955;">; };</span></div><div><span
    style="color: #d4d4d4;">}</span><span style="color: #6a9955;">;</span></div>
<div><span style="color: #d4d4d4;">zone </span><span
    style="color: #ce9178;">"16-31.172.in-addr.arpa"</span><span
    style="color: #d4d4d4;"> {</span></div><div><span
    style="color: #d4d4d4;">    type master</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    file </span><span
    style="color: #ce9178;">"/etc/bind/db.empty"</span><span
    style="color: #6a9955;">;</span></div><div><span
    style="color: #d4d4d4;">    allow-query { localhost</span><span
    style="color: #6a9955;">; };</span></div><div><span
    style="color: #d4d4d4;">}</span><span style="color: #6a9955;">;</span></div></div>
    <p>I'm not sure that sharing the zones is relevant, as they are just
      records that are transmitted through the server. But maybe I have
      to check they are being parsed correctly?</p>
    <p><br>
    </p>
    <p>Are there more details about the image Dockerfile or its use
      somewhere? Any help is appreciated.<br>
    </p>
    <p><br>
    </p>
    <p>Best regards and many thanks,<br>
    </p>
    <p>Pablo<br>
    </p>
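    <p>An added example, not part of the message above and not ISC's own
      code: it resolves every file path in the posted named.conf against
      the posted compose volume mounts, to show which host file named
      would actually open. The volume list, directory and paths are
      copied from the post; the function names are hypothetical.</p>
<pre>
```python
import posixpath

# Constructed from the post: compose volumes as host dir : container mount point.
VOLUMES = {"./config": "/etc/bind", "./cache": "/var/cache/bind",
           "./zones": "/var/lib/bind", "./log": "/var/log/named",
           "./keys": "/etc/dnssec-keys"}
DIRECTORY = "/var/cache/bind"  # options { directory } in the post's named.conf
# File and directory references copied from the post's named.conf.
REFERENCES = {"channel main_log": "log/named/bind.log",
              "zone x.com": "/var/lib/bind/db.x.com",
              "zone 10.in-addr.arpa": "/etc/bind/db.empty",
              "key-directory": "/etc/dnssec-keys/"}
# Where the post says its files are kept on the host.
STATED = ["./config/named.conf", "./zones/db.empty", "./zones/db.x.com"]


def container_path(ref):
    """Resolve a named.conf path; relative paths are taken from DIRECTORY."""
    return posixpath.normpath(posixpath.join(DIRECTORY, ref))


def mount_for(cpath):
    """Return (host dir, mount point) of the longest mount containing cpath."""
    hits = [(len(m), h, m) for h, m in VOLUMES.items()
            if cpath == m or cpath.startswith(m + "/")]
    return max(hits)[1:] if hits else None


def host_path(cpath):
    """Host path behind a container path, or None if no volume covers it."""
    hit = mount_for(cpath)
    return hit[0] + cpath[len(hit[1]):] if hit else None


def misplaced():
    """References whose host path differs from where the post keeps that file."""
    found = []
    for what, ref in REFERENCES.items():
        hp = host_path(container_path(ref))
        for stated in STATED:
            same_name = posixpath.basename(stated) == posixpath.basename(hp)
            if same_name and stated != hp:
                found.append((what, hp, stated))
    return found


def unused_mounts():
    """Mount points that no path in named.conf resolves into."""
    used = {mount_for(container_path(r))[1] for r in REFERENCES.values()}
    return sorted(set(VOLUMES.values()) - used)


if __name__ == "__main__":
    print(misplaced(), unused_mounts())
```
</pre>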
  </body>
</html>