Skip to content
This repository has been archived by the owner on Nov 10, 2023. It is now read-only.

mondediefr/docker-nsd-dnssec

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

mondedie/nsd-dnssec

nsd

Features

  • Lightweight & secure image (no root process)
  • Based on Alpine Linux 3.13
  • Latest NSD version 4.3.5
  • ZSK and KSK keys, DS-Records management and zone signature with ldns

NSD is an authoritative only, high performance, simple and open source name server.
Website: https://www.nlnetlabs.nl/projects/nsd/about/

Tag available

Build-time variables

  • NSD_VERSION : version of NSD
  • GPG_SHORTID : short gpg key ID
  • GPG_FINGERPRINT : fingerprint of signing key

Ports

  • 53/tcp
  • 53/udp (for AXFR zones transfer queries)

Environment variables

Variable Description Type Default value
UID nsd user id optional 991
GID nsd group id optional 991

Setup

Put your dns zone file in /mnt/docker/nsd/zones/db.domain.tld.

Example:

$ORIGIN domain.tld.
$TTL 7200

; SOA

@       IN      SOA    ns1.domain.tld. hostmaster.domain.tld. (
    2016020202 ; Serial
    7200       ; Refresh
    1800       ; Retry
    1209600    ; Expire
    86400      ; Minimum
)

; NAMESERVERS

@                   IN                NS                   ns1.domain.tld.
@                   IN                NS                   ns2.domain.tld.

; A RECORDS

@                   IN                A                    IPv4
hostname            IN                A                    IPv4
ns1                 IN                A                    IPv4
ns2                 IN                A                    IPv4

; CNAME RECORDS

www                 IN                CNAME                hostname

; MAIL RECORDS

@                   IN                MX          10       hostname.domain.tld.

...

Put the nsd config in /mnt/docker/nsd/conf/nsd.conf.

Primary server example:

server:
  server-count: 1
  ip4-only: yes
  hide-version: yes
  identity: ""
  zonesdir: "/zones"

remote-control:
  control-enable: yes

key:
  name: "sec_key"
  algorithm: hmac-sha256
  secret: "WU9VUl9TRUNSRVRfS0VZCg==" # echo "YOUR_SECRET_KEY" | base64

zone:
  name: domain.tld
  zonefile: db.domain.tld.signed
  notify: ip_of_secondary_server sec_key
  notify: ip_of_secondary_public_server NOKEY
  provide-xfr: ip_of_secondary_server sec_key
  provide-xfr: ip_of_secondary_public_server NOKEY

# "ip_of_secondary_server" is your secondary nameserver IP
# "ip_of_secondary_public_server" can be your registrar's nameserver IP

Secondary server example (optional):

server:
  server-count: 1
  ip4-only: yes
  hide-version: yes
  identity: ""
  zonesdir: "/zones"

remote-control:
  control-enable: yes

key:
  name: "sec_key"
  algorithm: hmac-sha256
  secret: "WU9VUl9TRUNSRVRfS0VZCg=="

zone:
  name: domain.tld
  zonefile: db.domain.tld.signed
  allow-notify: ip_of_primary_server sec_key
  request-xfr: AXFR ip_of_primary_server sec_key

# "ip_of_primary_server" is your primary nameserver IP

Check your zone and nsd configuration:

cd /mnt/docker/nsd
docker run --rm -v "$(pwd)/zones:/zones" -ti mondedie/nsd-dnssec nsd-checkzone domain.tld /zones/db.domain.tld
docker run --rm -v "$(pwd)/conf:/etc/nsd" -ti mondedie/nsd-dnssec nsd-checkconf /etc/nsd/nsd.conf

Docker-compose

Docker-compose.yml

nsd:
  image: mondedie/nsd-dnssec
  container_name: nsd
  ports:
    - "PUBLIC_IP_ADDRESS:53:53"
    - "PUBLIC_IP_ADDRESS:53:53/udp"
  volumes:
    - /mnt/docker/nsd/conf:/etc/nsd
    - /mnt/docker/nsd/zones:/zones
    - /mnt/docker/nsd/db:/var/db/nsd

Note : replace PUBLIC_IP_ADDRESS with your public IP address.

Run it

docker-compose up -d

Generating DNSSEC keys and signed zone

Generate ZSK and KSK keys with ECDSAP384SHA384 algorithm (it may take some time; you can install haveged in your base system to speed it up):

docker-compose exec nsd keygen domain.tld

Generating ZSK & KSK keys for 'domain.tld'
Done.

Then sign your dns zone (default expiration date is 1 month):

docker-compose exec nsd signzone domain.tld

Signing zone for domain.tld
NSD configuration rebuild... reconfig start, read /etc/nsd/nsd.conf
ok
Reloading zone for domain.tld... ok
Notify slave servers... ok
Done.

# or set custom RRSIG RR expiration date :

docker-compose exec nsd signzone domain.tld [YYYYMMDDhhmmss]
docker-compose exec nsd signzone domain.tld 20170205220210

⚠️ Do not forget to add a cron task to increment the serial and sign your zone periodically to avoid the expiration of RRSIG RR records!

This example shows how to update the serial and your TLSA record (if you have one) programmatically :

#!/bin/bash

LETS_ENCRYPT_LIVE_PATH=/path/to/your/lets/encrypt/folder
fingerprint=$(openssl x509 -noout -in "${LETS_ENCRYPT_LIVE_PATH}/cert.pem" -fingerprint -sha256 | cut -c 20- | sed s/://g)

domain="domain.tld"
zonename="db.${domain}"
zonefile="/mnt/docker/nsd/zones/${zonename}"
serial=$(date -d "+1 day" +'%Y%m%d%H')
tlsa_line_number=$(grep -n TLSA $zonefile | cut -d : -f 1)
tlsa_dns_record="_dane IN TLSA 3 0 1 ${fingerprint}"
expiration_date=$(date -d "+6 months" +'%Y%m%d%H%M%S')

sed -i -e "s/20[0-9][0-9]\{7\} ; Serial/${serial} ; Serial/g" \
       -e "${tlsa_line_number}s/.*/${tlsa_dns_record}/" $zonefile

if docker exec nsd nsd-checkzone "$domain" /zones/"$zonename" | grep -q "zone ${domain} is ok"; then
  docker exec nsd signzone "$domain" "$expiration_date"
fi

Show your DS-Records (Delegation Signer):

docker-compose exec nsd ds-records domain.tld

> DS record 1 [Digest Type = SHA1] :
domain.tld. 600 IN DS xxxx 14 1 xxxxxxxxxxxxxx

> DS record 2 [Digest Type = SHA256] :
domain.tld. 600 IN DS xxxx 14 2 xxxxxxxxxxxxxx

> Public KSK Key :
domain.tld. IN DNSKEY 257 3 14 xxxxxxxxxxxxxx ; {id = xxxx (ksk), size = 384b}

Restart the DNS server to take the changes into account:

docker-compose restart nsd

License

Docker image mondedie/nsd-dnssec is released under MIT License

About

📡 🐳 Docker image of NSD name server

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published