🗃️ Committing everything that changed 🗃️

rootfs/tmp/ rootfs/usr/local/etc/docker/init.d/00-named.sh
2025-11-04 01:02:38 -05:00 · 2024-08-27 10:37:59 -04:00
parent 02d064b722
commit 28b60bf0d6
4 changed files with 197 additions and 8 deletions
--- a/rootfs/tmp/etc/bind/named.conf
+++ b/rootfs/tmp/etc/bind/named.conf
@@ -0,0 +1,87 @@
+# default options - https://bind9.readthedocs.io/en/latest/chapter3.html
+#####################################################################
+# rndc keys
+key "dhcp-key" { algorithm hmac-md5; secret "REPLACE_KEY_DHCP"; };
+key "rndc-key" { algorithm hmac-sha256; secret "REPLACE_KEY_RNDC"; };
+key "backup-key" { algorithm hmac-sha256; secret "MKEQ/REPLACE_KEY_BACKUP"; };
+key "certbot." { algorithm hmac-sha512; secret "REPLACE_KEY_CERTBOT"; };
+#####################################################################
+# rndc settings
+controls { inet 127.0.0.1 allow { trusted; } keys { "rndc-key"; }; };
+#####################################################################
+# access settings
+acl "all" { 0.0.0.0/0; ::/0; };
+acl "secondary" { DNS_SERVER_SECONDARY; };
+acl "trusted" { 10.0.0.0/8; 127.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+acl "updates" { key "dhcp-key"; key "certbot."; };
+acl "transfers" {key "dhcp-key"; key "certbot."; key "backup-key"; secondary; };
+acl "forward" { 1.1.1.1; 8.8.8.8; 4.4.4.4; };
+#####################################################################
+options {
+  version "9";
+  listen-on { any; };
+  listen-on-v6 { any; };
+  zone-statistics yes;
+  max-cache-size 60m;
+  interface-interval 60;
+  max-ncache-ttl 10800;
+  max-udp-size 4096;
+  notify yes;
+  also-notify { DNS_SERVER_SECONDARY; };
+  allow-update { updates; };
+  allow-update-forwarding { DNS_SERVER_SECONDARY; };
+  allow-transfer { trusted; };
+  transfer-format many-answers;
+  allow-query { any; };
+  allow-recursion { any; };
+  allow-query-cache { any; };
+  auth-nxdomain no;
+  dnssec-validation auto;
+  directory "REPLACE_VAR_DIR";
+  managed-keys-directory "REPLACE_ETC_DIR/keys";
+  pid-file "REPLACE_RUN_DIR/named.pid";
+  dump-file "REPLACE_DATA_DIR/stats/dump.txt";
+  statistics-file "REPLACE_DATA_DIR/stats/stats.txt";
+  memstatistics-file "REPLACE_DATA_DIR/stats/mem.txt";
+  forwarders { 1.1.1.1; 8.8.8.8; 4.4.4.4; };
+};
+#####################################################################
+# named logging options
+logging {
+channel debug { file "REPLACE_LOG_DIR/debug.info" versions 0 size 5m; severity debug; };
+channel querylog { file "REPLACE_LOG_DIR/querylog.log" versions 0 size 5m; severity info; print-time yes; };
+channel security { file "REPLACE_LOG_DIR/security.log" versions 0 size 5m; severity dynamic; print-severity yes; print-time yes; };
+channel xfer-in { file "REPLACE_LOG_DIR/xfer.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel xfer-out { file "REPLACE_LOG_DIR/xfer.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel update { file "REPLACE_LOG_DIR/update.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel notify { file "REPLACE_LOG_DIR/notify.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel client { file "REPLACE_LOG_DIR/client.log" versions 0 size 5m; severity debug; print-category yes; print-severity yes; print-time yes; };
+channel default { file "REPLACE_LOG_DIR/default.log" versions 0 size 5m; severity debug; print-category yes; print-severity yes; print-time yes; };
+channel general { file "REPLACE_LOG_DIR/general.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel database { file "REPLACE_LOG_DIR/database.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+category lame-servers { default; debug; };
+category dispatch { default; debug; };
+category queries { querylog; default; debug; };
+category update { update; default; debug; };
+category network { default; debug; };
+category unmatched { default; debug; };
+category client { client; default; debug; };
+category notify { notify; default; debug; };
+category xfer-out { xfer-out; default; debug; };
+category xfer-in { xfer-in; default; debug; };
+category resolver { default; debug; };
+category config { default; debug; };
+category security { security; default; debug; };
+category database { database; default; debug; };
+category general { general; default; debug; };
+category default { default; debug; };
+category dnssec { security; default; debug; };
+};
+#####################################################################
+#  ********** begin root info **********
+zone "." {
+    type hint;
+    file "REPLACE_VAR_DIR/root.cache";
+};
+#  ********** end root info **********
+# end
--- a/rootfs/tmp/etc/bind/rndc.key
+++ b/rootfs/tmp/etc/bind/rndc.key
@@ -0,0 +1 @@
+key "rndc-key" { algorithm hmac-sha256; secret "REPLACE_KEY_RNDC"; };
--- a/rootfs/tmp/var/bind/root.cache
+++ b/rootfs/tmp/var/bind/root.cache
@@ -0,0 +1,92 @@
+;       This file holds the information on root name servers needed to 
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers). 
+; 
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache 
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:     August 14, 2024
+;       related version of root zone:     2024081401
+; 
+; FORMERLY NS.INTERNIC.NET 
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+; 
+; FORMERLY NS1.ISI.EDU 
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
+B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
+; 
+; FORMERLY C.PSI.NET 
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+; 
+; FORMERLY TERP.UMD.EDU 
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+; 
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
+; 
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+; 
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
+; 
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+; 
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+; 
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+; 
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+; 
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+; 
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file
--- a/rootfs/usr/local/etc/docker/init.d/00-named.sh
+++ b/rootfs/usr/local/etc/docker/init.d/00-named.sh
@@ -59,8 +59,10 @@ printf '%s\n' "# - - - Initializing $SERVICE_NAME - - - #"
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Custom functions
 __rndc_key() { grep -s 'key "rndc-key" ' /etc/named.conf | grep -v 'KEY_RNDC' | sed 's|.*secret ||g;s|"||g;s|;.*||g' | grep '^' || return 1; }
+__dhcp_key() { grep -s 'key "dhcp-key" ' /etc/named.conf | grep -v 'KEY_DHCP' | sed 's|.*secret ||g;s|"||g;s|;.*||g' | grep '^' || return 1; }
+__certbot_key() { grep -s 'key "certbot" ' /etc/named.conf | grep -v 'KEY_CERTBOT' | sed 's|.*secret ||g;s|"||g;s|;.*||g' | grep '^' || return 1; }
+__backup_key() { grep -s 'key "backup-key" ' /etc/named.conf | grep -v 'KEY_BACKUP' | sed 's|.*secret ||g;s|"||g;s|;.*||g' | grep '^' || return 1; }
 __tsig_key() { tsig-keygen -a hmac-sha256 | grep 'secret' | sed 's|.*secret "||g;s|"||g;s|;||g' | grep '^' || echo 'wp/HApbthaVPjwqgp6ziLlmnkyLSNbRTehkdARBDcpI='; }
-
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Script to execute
 START_SCRIPT="/usr/local/etc/docker/exec/$SERVICE_NAME"
@@ -155,15 +157,16 @@ user_pass="${NAMED_USER_PASS_WORD:-}" # normal user password
 [ -f "/config/env/named.sh" ] && . "/config/env/named.sh"               # Overwrite the variabes
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Additional predefined variables
-KEY_RNDC="${KEY_RNDC:-$(__tsig_key)}"
-KEY_DHCP="${KEY_DHCP:-$(__tsig_key)}"
-KEY_BACKUP="${KEY_BACKUP:-$(__tsig_key)}"
-KEY_CERTBOT="${KEY_CERTBOT:-$(__tsig_key)}"
+KEY_RNDC="${KEY_RNDC:-$(__rndc_key || __tsig_key)}"
+KEY_DHCP="${KEY_DHCP:-$(__dhcp_key || __tsig_key)}"
+KEY_BACKUP="${KEY_BACKUP:-$(__backup_key || __tsig_key)}"
+KEY_CERTBOT="${KEY_CERTBOT:-$(__certbot_key || __tsig_key)}"
 DNS_SERIAL="$(date +'%Y%m%d%S')"
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Additional variables
-DNS_SERVER_PRIMARY="${DNS_SERVER_PRIMARY:-}"
-DNS_SERVER_SECONDARY="${DNS_SERVER_SECONDARY:-}"
+DNS_TYPE="${DNS_TYPE:-primary}"
+DNS_SERVER_PRIMARY="${DNS_SERVER_PRIMARY:-127.0.0.1}"
+DNS_SERVER_SECONDARY="${DNS_SERVER_SECONDARY:-127.0.0.1}"
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Specifiy custom directories to be created
 ADD_APPLICATION_FILES=""
@@ -233,13 +236,19 @@ __update_conf_files() {

  # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  # custom commands
-  mkdir -p "$ETC_DIR/keys" "$CONF_DIR/keys" "$VAR_DIR/zones" "$DATA_DIR/zones"
+  mkdir -p "$ETC_DIR/keys" "$CONF_DIR/keys" "$VAR_DIR/zones" "$DATA_DIR/zones" "$DATA_DIR/stats"
  for logfile in xfer update notify querylog default debug security; do
    touch "$LOG_DIR/$logfile.log"
    chmod -Rf 777 "$logfile"
  done
  # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  # replace variables
+  __replace "REPLACE_KEY_RNDC" "$KEY_RNDC" "$ETC_DIR/rndc.key"
+  __replace "REPLACE_KEY_RNDC" "$KEY_RNDC" "$ETC_DIR/named.conf"
+  __replace "REPLACE_KEY_DHCP" "$KEY_DHCP" "$ETC_DIR/named.conf"
+  __replace "REPLACE_KEY_BACKUP" "$KEY_BACKUP" "$ETC_DIR/named.conf"
+  __replace "REPLACE_KEY_CERTBOT" "$KEY_CERTBOT" "$ETC_DIR/named.conf"
+
  __replace "REPLACE_KEY_RNDC" "$KEY_RNDC" "$CONF_DIR/rndc.key"
  __replace "REPLACE_KEY_RNDC" "$KEY_RNDC" "$CONF_DIR/named.conf"
  __replace "REPLACE_KEY_DHCP" "$KEY_DHCP" "$CONF_DIR/named.conf"
				`@@ -0,0 +1 @@`
				`key "rndc-key" { algorithm hmac-sha256; secret "REPLACE_KEY_RNDC"; };`