
nsd's Introduction

NSD on Kubernetes

Docker Project Status: Active – The project has reached a stable, usable state and is being actively developed.

What is this software

NSD is an authoritative-only, high-performance, simple and open-source name server released under the BSD licence. This work is originally based on hardware/nsd-dnssec.

Features

  • Lightweight & secure image (based on Alpine & multi-stage build: 4MB, no root process)
  • Latest NSD version with hardening compilation options
  • Helper scripts for generating ZSK and KSK keys, DS-Records management and zone signature
  • Optimized to be run on Kubernetes with ConfigMap

Run on Kubernetes

See docs/KUBERNETES.md

Run with Docker-compose

version: '3.7'

services:
  nsd:
    container_name: nsd
    restart: always
    image: ghcr.io/the-kube-way/nsd:latest  # or nsd:vX.X.X
    read_only: true
    tmpfs:
      - /tmp
      - /var/db/nsd
    volumes:
      - /mnt/nsd/conf:/etc/nsd:ro
      - /mnt/nsd/zones:/zones
      - /mnt/nsd/keys:/keys:ro
    ports:
      - 53:53
      - 53:53/udp

Ensure the ownership of the mount points matches the UID/GID (991 by default) that nsd runs as.

/etc/nsd should be mounted read-only.
/zones can be mounted read-only if the helper scripts (e.g. for DNSSEC signing) are not used.
/keys should be mounted read-only if the keygen helper script is not used.

Configuration example

Put your DNS zone file in /mnt/nsd/zones/domain.tld.

$ORIGIN domain.tld.
$TTL 3600

; SOA
; SOA record should be on one line to use provided helper scripts
@   IN   SOA   ns1.domain.tld. hostmaster.domain.tld. 2016020202 7200 1800 1209600 86400

; NAMESERVERS
@                   IN                NS                   ns1.domain.tld.
@                   IN                NS                   ns2.domain.tld.

; A RECORDS
@                   IN                A                    1.2.3.4
www                 IN                A                    5.6.7.8

...

Put the nsd config in /mnt/nsd/conf/nsd.conf.

server:
  server-count: 1
  verbosity: 1
  hide-version: yes
  zonesdir: "/zones"

zone:
  name: domain.tld
  #zonefile: domain.tld  # if not signed
  zonefile: domain.tld.signed

Check the documentation to see all options.

Check the configuration

Check your zone and nsd configuration:

cd /mnt/nsd
docker run -it --rm -v $(pwd)/zones:/zones selfhostingtools/nsd nsd-checkzone domain.tld /zones/domain.tld
docker run -it --rm -v $(pwd)/conf:/etc/nsd selfhostingtools/nsd nsd-checkconf /etc/nsd/nsd.conf

Environment variables

You may want to change the running user:

Variable   Description    Type       Default value
UID        nsd user id    optional   991
GID        nsd group id   optional   991

Generating DNSSEC keys and signed zone

Generate ZSK and KSK keys with ECDSAP384SHA384 algorithm:

docker-compose exec nsd keygen domain.tld

Keys will be stored in /keys/Kdomain.tld.{zsk,ksk}.{key,private}

Then sign your DNS zone (the default RRSIG expiration is 1 month after signing):

docker-compose exec nsd signzone domain.tld

# or set custom RRSIG RR expiration date:
docker-compose exec nsd signzone domain.tld [YYYYMMDDhhmmss]

⚠️ Do not forget to add a cron task to sign your zone periodically to avoid the expiration of RRSIG RR records!

This can be done with a systemd timer on the host:

/etc/systemd/system/nsd_update_signature.service

[Unit]
Description=NSD update signature

[Service]
Type=oneshot
# systemd expects an absolute path to the executable; adjust if docker lives elsewhere
ExecStart=/usr/bin/docker exec nsd signzone domain.tld

/etc/systemd/system/nsd_update_signature.timer

[Timer]
OnCalendar=weekly

[Install]
WantedBy=multi-user.target

Don't forget to enable and start the timer!

Show your DS-Records (Delegation Signer):

docker-compose exec nsd ds-records domain.tld

Ensure the zonefile parameter in nsd.conf points to the signed zone (e.g. domain.tld.signed).

Restart nsd to take the changes into account:

docker-compose restart nsd
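The warning above is about RRSIG records silently expiring when re-signing is missed. As an added example (not part of the image or its helper scripts), this POSIX shell check reads the signed zone that zonefile points to (e.g. /zones/domain.tld.signed) and reports the earliest RRSIG expiration, so the host can alert before the weekly timer is ever relied on. It assumes each RRSIG RR sits on one line, as ldns-signzone writes it; the sample zone and its signatures are constructed.

```shell
# Added example, not part of the nsd image or its helper scripts: report the
# earliest RRSIG expiration in a signed zone file (e.g. /zones/domain.tld.signed)
# so a monitor can alert before the signatures expire. Assumes each RRSIG RR is
# written on one line, as ldns-signzone does; signatures below are constructed.
set -eu

# Print the earliest RRSIG expiration (YYYYMMDDhhmmss) in zone file $1.
# Prints nothing and returns 1 when the file contains no RRSIG records.
rrsig_min_expiry() {
    awk '
        /^;/ { next }                       # skip zone comments
        {
            for (i = 1; i + 5 <= NF; i++)
                if ($i == "RRSIG") {        # fields after RRSIG: type alg labels
                    e = $(i + 5)            # origttl EXPIRATION inception ...
                    if (min == "" || e < min) min = e
                }
        }
        END { if (min == "") exit 1; print min }
    ' "$1"
}

# Return 0 if every RRSIG in $1 expires after threshold $2 (YYYYMMDDhhmmss),
# 1 if any signature expires at or before it, 2 if the zone carries no RRSIGs.
rrsig_ok_until() {
    min=$(rrsig_min_expiry "$1") || return 2
    [ "$min" -gt "$2" ]
}

# Write a constructed signed-zone sample (placeholder signatures) and print its path.
make_sample_zone() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
domain.tld. 3600 IN SOA ns1.domain.tld. hostmaster.domain.tld. 2016020202 7200 1800 1209600 86400
domain.tld. 3600 IN RRSIG SOA 14 2 3600 20240301120000 20240201120000 12345 domain.tld. cGxhY2Vob2xkZXI=
domain.tld. 3600 IN NS ns1.domain.tld.
domain.tld. 3600 IN RRSIG NS 14 2 3600 20240215120000 20240201120000 12345 domain.tld. cGxhY2Vob2xkZXI=
www.domain.tld. 3600 IN A 5.6.7.8
www.domain.tld. 3600 IN RRSIG A 14 3 3600 20240320000000 20240201120000 12345 domain.tld. cGxhY2Vob2xkZXI=
EOF
    echo "$f"
}

# Demo: the NS signature expires first, on 2024-02-15 12:00:00 UTC.
zone=$(make_sample_zone)
echo "earliest RRSIG expiry: $(rrsig_min_expiry "$zone")"
# On the host, with GNU date, alert a week ahead of expiry:
#   rrsig_ok_until /mnt/nsd/zones/domain.tld.signed "$(date -u -d '+7 days' +%Y%m%d%H%M%S)" || echo "re-sign now"
rm -f "$zone"
```

The threshold is compared as a UTC YYYYMMDDhhmmss value, the same format signzone accepts for a custom expiration, so the check can be wired into the same timer host that runs signzone.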

Build the image

Build-time variables:

  • NSD_VERSION : version of NSD
  • SHA256_HASH : SHA256 hash of NSD archive


nsd's Issues

configure multiple zones in nsd.conf

Hey @fl42,

Thanks for the work! I finally got it to work in my kubernetes cluster, although there have to be some changes made for kubernetes version 1.25 that I could provide a pull request for in the future.

My question is about configuring zones, and if it is possible to define multiple zones in the nsd-conf. I found some examples online, but they just use a format that seems to be invalid for yaml syntax (having duplicate keys). Do you know how I could provide multiple zones?

My use case is having a zone dev and a zone prod on the same nsd-server.

Unable to change the running user

No matter how I set the environment variable UID and GID, the container starts as 991 and then fails because it's unable to chown the mounted volumes. Is there anything you would recommend I test on my side to verify if this is a user error or not?

Steps to recreate:

  1. Create docker-compose.yml

version: '3.7'

services:
  nsd:
    container_name: nsd
    restart: always
    image: ghcr.io/the-kube-way/nsd:test
    read_only: true
    tmpfs:
      - /tmp
      - /var/db/nsd
    volumes:
      - /opt/nsd/conf:/etc/nsd:ro
      - /opt/nsd/zones:/zones
      - /opt/nsd/keys:/keys:ro
    ports:
      - "8554:53"
      - "8554:53/udp"

  2. Set environment variables

export UID=${UID}
export GID=${GID}

  3. Start the container

docker-compose up

The error I am getting:

user@localhost:/opt/nsd$ docker logs -f nsd
+ UID=991
+ GID=991
+ chown -R 991:991 /var/db/nsd /tmp
chown: /var/db/nsd: Operation not permitted
chown: /var/db/nsd: Operation not permitted
chown: /tmp: Operation not permitted
chown: /tmp: Operation not permitted

System information:

OS: Ubuntu 20.04.3 LTS
Docker version 20.10.11, build dea9396
docker-compose version 1.29.2, build 5becea4c

Please let me know if you are able to recreate this.
