diff --git a/INSTRUCTIONS.md b/INSTRUCTIONS.md
index 1aca28c..0d5b4fe 100644
--- a/INSTRUCTIONS.md
+++ b/INSTRUCTIONS.md
@@ -83,7 +83,7 @@ Pour cela :
 5. De retour à l’invite de commandes, rechargez le fichier de zones avec la commande :
- nsd-control reload expediteur.example
+ rndc reload expediteur.example
 Vous devriez voir le message « ok ». Sinon, cela signifie qu’une erreur de syntaxe s’est glissée dans le fichier de zone.
@@ -200,7 +200,7 @@ L’étape suivante est donc de publier les clefs publiques dans le DNS :
 6. Sauvegardez et quittez l’éditeur. Rechargez la zone :
- nsd-control reload expediteur.example
+ rndc reload expediteur.example
 7. Vérifiez la bonne présence de clefs DKIM avec `dig` :
diff --git a/dns/Dockerfile b/dns/Dockerfile
index 8e9a6f8..471d9cc 100644
--- a/dns/Dockerfile
+++ b/dns/Dockerfile
@@ -2,19 +2,18 @@ FROM alpine:latest
 RUN apk add \
 bash \
+ bind \
 bind-tools \
 execline \
 nano \
 nano-syntax \
- nsd \
 openssl \
 s6-overlay \
- unbound \
 vim
-COPY etc/unbound/unbound.conf /etc/unbound
-COPY etc/nsd/nsd.conf /etc/nsd/nsd.conf
-COPY zones /etc/nsd/zones
+RUN install -o named -g root -m 0755 -d /var/db/bind
+COPY --chown=named:root etc/bind/named.conf /etc/bind/named.conf
+COPY --chown=named:root zones /etc/bind/zones
 COPY etc/s6-overlay /etc/s6-overlay
diff --git a/dns/etc/bind/named.conf b/dns/etc/bind/named.conf
new file mode 100644
index 0000000..e5dd93f
--- /dev/null
+++ b/dns/etc/bind/named.conf
@@ -0,0 +1,27 @@
+options {
+ directory "/var/db/bind";
+ dnssec-validation no;
+ recursion no;
+};
+
+zone example IN {
+ type master;
+ file "/etc/bind/zones/example.zone";
+};
+
+zone attaquant.example IN {
+ type master;
+ file "/etc/bind/zones/example/attaquant.zone";
+};
+
+zone destinataire.example IN {
+ type master;
+ file "/etc/bind/zones/example/destinataire.zone";
+};
+
+zone expediteur.example IN {
+ type master;
+ file "/etc/bind/zones/example/expediteur.zone";
+ update-policy local;
+};
+
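Review bot: `COPY --chown=named:root etc/bind/named.conf /etc/bind/named.conf` hands the daemon's own configuration to the unprivileged `named` user that `s6-rc.d/bind/run` starts the server as, so a misbehaving or compromised named process could rewrite its own config. Only the zone tree needs to be writable by `named` (presumably for the journal files that `update-policy local` on expediteur.example will create — worth confirming); the config itself only has to be readable. I would drop the `--chown` on that one line, `COPY etc/bind/named.conf /etc/bind/named.conf`, keeping it root-owned, and make sure its mode in the build context is world-readable so named can still load it. Creating `/var/db/bind` as 0755 owned by `named` matches the `directory` statement in named.conf and looks right.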
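Review bot: The reverse zone `31.172.in-addr.arpa` that the removed nsd.conf served (and that the removed unbound.conf forwarded to this container) has no counterpart in the new named.conf, so PTR lookups for 172.31.0.0/16 will stop being answered after this change. The Dockerfile still copies the whole `zones` tree, so the `arpa/31.172.in-addr.zone` file is presumably still present and only the declaration is missing; if the lab's mail checks rely on reverse lookups, add `zone 31.172.in-addr.arpa IN { type master; file "/etc/bind/zones/arpa/31.172.in-addr.zone"; };`. Separately, nothing restricts zone transfers, and BIND has historically allowed AXFR of a primary zone from any client by default; since no secondaries appear in this setup, `allow-transfer { none; };` in the options block would close that off. `recursion no` and `dnssec-validation no` are the right settings for an authoritative-only server.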
diff --git a/dns/etc/nsd/nsd.conf b/dns/etc/nsd/nsd.conf
deleted file mode 100644
index 0f59ea8..0000000
--- a/dns/etc/nsd/nsd.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-server:
- ip-address: 0.0.0.0
- port: 1053
- debug-mode: yes
-
- zonesdir: "/etc/nsd/zones"
- database: ""
-
-remote-control:
- control-enable: yes
- control-interface: 127.0.0.1
-
-zone:
- name: "example"
- zonefile: "example.zone"
-
-zone:
- name: "destinataire.example"
- zonefile: "example/destinataire.zone"
-
-zone:
- name: "expediteur.example"
- zonefile: "example/expediteur.zone"
-
-zone:
- name: "attaquant.example"
- zonefile: "example/attaquant.zone"
-
-zone:
- name: "31.172.in-addr.arpa"
- zonefile: "arpa/31.172.in-addr.zone"
diff --git a/dns/etc/s6-overlay/s6-rc.d/nsd/dependencies.d/base b/dns/etc/s6-overlay/s6-rc.d/bind/dependencies.d/base
similarity index 100%
rename from dns/etc/s6-overlay/s6-rc.d/nsd/dependencies.d/base
rename to dns/etc/s6-overlay/s6-rc.d/bind/dependencies.d/base
diff --git a/dns/etc/s6-overlay/s6-rc.d/nsd/dependencies.d/nsd-control-setup b/dns/etc/s6-overlay/s6-rc.d/bind/dependencies.d/rndc-confgen
similarity index 100%
rename from dns/etc/s6-overlay/s6-rc.d/nsd/dependencies.d/nsd-control-setup
rename to dns/etc/s6-overlay/s6-rc.d/bind/dependencies.d/rndc-confgen
diff --git a/dns/etc/s6-overlay/s6-rc.d/bind/run b/dns/etc/s6-overlay/s6-rc.d/bind/run
new file mode 100644
index 0000000..b902e13
--- /dev/null
+++ b/dns/etc/s6-overlay/s6-rc.d/bind/run
@@ -0,0 +1,2 @@
+#!/bin/execlineb -P
+/usr/sbin/named -g -n 1 -U 1 -u named
\ No newline at end of file
diff --git a/dns/etc/s6-overlay/s6-rc.d/nsd/type b/dns/etc/s6-overlay/s6-rc.d/bind/type
similarity index 100%
rename from dns/etc/s6-overlay/s6-rc.d/nsd/type
rename to dns/etc/s6-overlay/s6-rc.d/bind/type
diff --git a/dns/etc/s6-overlay/s6-rc.d/nsd-control-setup/up b/dns/etc/s6-overlay/s6-rc.d/nsd-control-setup/up
deleted file mode 100644
index d7f5dc0..0000000
--- a/dns/etc/s6-overlay/s6-rc.d/nsd-control-setup/up
+++ /dev/null
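Review bot: `named` is started without `-c`, so the new run script relies on the Alpine package's compiled-in default configuration path coinciding with the `/etc/bind/named.conf` that the Dockerfile installs; as far as I know that is Alpine's default, but making it explicit, `/usr/sbin/named -g -n 1 -U 1 -u named -c /etc/bind/named.conf`, removes the dependency on how the package was built. Note also that `-g` forces all logging to stderr and overrides any `logging` stanza; that suits s6 supervision, but if a `logging` block is ever added to named.conf, `-f` is the flag that keeps it effective.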
@@ -1 +0,0 @@
-/usr/sbin/nsd-control-setup
\ No newline at end of file
diff --git a/dns/etc/s6-overlay/s6-rc.d/nsd/run b/dns/etc/s6-overlay/s6-rc.d/nsd/run
deleted file mode 100644
index c16d26a..0000000
--- a/dns/etc/s6-overlay/s6-rc.d/nsd/run
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/execlineb -P
-/usr/sbin/nsd -d -c /etc/nsd/nsd.conf -P /run/nsd.pid
\ No newline at end of file
diff --git a/dns/etc/s6-overlay/s6-rc.d/nsd-control-setup/type b/dns/etc/s6-overlay/s6-rc.d/rndc-confgen/type
similarity index 100%
rename from dns/etc/s6-overlay/s6-rc.d/nsd-control-setup/type
rename to dns/etc/s6-overlay/s6-rc.d/rndc-confgen/type
diff --git a/dns/etc/s6-overlay/s6-rc.d/rndc-confgen/up b/dns/etc/s6-overlay/s6-rc.d/rndc-confgen/up
new file mode 100644
index 0000000..bc0a7aa
--- /dev/null
+++ b/dns/etc/s6-overlay/s6-rc.d/rndc-confgen/up
@@ -0,0 +1 @@
+/usr/sbin/rndc-confgen -a
\ No newline at end of file
diff --git a/dns/etc/s6-overlay/s6-rc.d/unbound/run b/dns/etc/s6-overlay/s6-rc.d/unbound/run
deleted file mode 100644
index 81e99fd..0000000
--- a/dns/etc/s6-overlay/s6-rc.d/unbound/run
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/execlineb -P
-/usr/sbin/unbound -d -c /etc/unbound/unbound.conf
diff --git a/dns/etc/s6-overlay/s6-rc.d/unbound/type b/dns/etc/s6-overlay/s6-rc.d/unbound/type
deleted file mode 100644
index 1780f9f..0000000
--- a/dns/etc/s6-overlay/s6-rc.d/unbound/type
+++ /dev/null
@@ -1 +0,0 @@
-longrun
\ No newline at end of file
diff --git a/dns/etc/s6-overlay/s6-rc.d/unbound/dependencies.d/base b/dns/etc/s6-overlay/s6-rc.d/user/contents.d/bind
similarity index 100%
rename from dns/etc/s6-overlay/s6-rc.d/unbound/dependencies.d/base
rename to dns/etc/s6-overlay/s6-rc.d/user/contents.d/bind
diff --git a/dns/etc/s6-overlay/s6-rc.d/user/contents.d/nsd b/dns/etc/s6-overlay/s6-rc.d/user/contents.d/nsd
deleted file mode 100644
index e69de29..0000000
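Review bot: `rndc-confgen -a` runs as root on every container start, so the rndc.key it writes is owned by root with owner-only permissions unless `-u` is given, while `named` is started as user `named` (`-u named` in s6-rc.d/bind/run) and has to read that key to open the control channel that the `rndc reload expediteur.example` step in INSTRUCTIONS.md depends on. I would set the owner explicitly, `/usr/sbin/rndc-confgen -a -u named`, and confirm in the running container that the control channel is actually listening before relying on the documented reload step. Regenerating the key at every start is fine here since nothing persists it across runs.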
diff --git a/dns/etc/s6-overlay/s6-rc.d/user/contents.d/unbound b/dns/etc/s6-overlay/s6-rc.d/user/contents.d/unbound
deleted file mode 100644
index e69de29..0000000
diff --git a/dns/etc/unbound/unbound.conf b/dns/etc/unbound/unbound.conf
deleted file mode 100644
index 3efcf21..0000000
--- a/dns/etc/unbound/unbound.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-server:
- do-daemonize: no
-
- interface: 0.0.0.0
- interface: ::
- access-control: 172.31.0.0/16 allow
- access-control: fd4a:8c4:c28b::/48 allow
-
- log-queries: yes
- log-replies: yes
- log-servfail: yes
- logfile: ""
-
- local-zone: "31.172.in-addr.arpa" nodefault
- local-zone: "d.f.ip6.arpa" nodefault
-
- domain-insecure: "example"
- domain-insecure: "31.172.in-addr.arpa"
- domain-insecure: "b.8.2.c.4.c.8.0.a.4.d.f.ip6.arpa"
-
-# Pour une raison que j’ignore, mettre stub-addr: 127.0.0.1@1053 entraîne
-# un SERVFAIL. On dirait qu’unbound n’arrive pas à communiquer avec nsd.
-# Il faut que nsd écoute sur toutes les interfaces dans le conteneur et
-# que, dans la configuration d’unbound, le stub-addr soit l’IP privée et pas
-# la boucle locale, pour que ça marche.
-
-stub-zone:
- name: "example"
- stub-addr: 172.31.0.53@1053
-
-stub-zone:
- name: "31.172.in-addr.arpa"
- stub-addr: 172.31.0.53@1053
-
-stub-zone:
- name: "b.8.2.c.4.c.8.0.a.4.d.f.ip6.arpa"
- stub-addr: 172.31.0.53@1053