
Приведение в соответствие

wadim 6 years ago
parent
commit
48692f0fb1

+ 4 - 2
Dockerfile

@@ -1,9 +1,11 @@
-FROM alpine:latest
+FROM alpine:3.7
 
 RUN apk add --no-cache bind
 
 EXPOSE 53/tcp 53/udp
 
-VOLUME ["/etc/bind", "/var/lib/bind"]
+VOLUME ["/var/lib/bind"]
+
+COPY workdir/* /var/lib/bind/
 
 CMD ["/usr/sbin/named", "-f", "-g"]
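Review bot: `COPY workdir/* /var/lib/bind/` writes into a path that the preceding `VOLUME ["/var/lib/bind"]` has already declared, and the Dockerfile reference warns that changes made to a volume's contents after the VOLUME instruction are discarded, so the root hints and stock zone files may not end up in the image; swapping the two lines (`COPY` first, then `VOLUME`) is safe under every builder. This matters because an empty named volume such as the `bind:/var/lib/bind` mount in the example compose file is seeded from the image's directory on first use, which only works if the files are actually present in the image. Separately, no `USER` is set, so `named -f -g` runs as root inside the container; if the Alpine bind package creates a `named` account, `CMD ["/usr/sbin/named", "-f", "-g", "-u", "named"]` lets named bind port 53 and then drop privileges.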

+ 0 - 18
README.md

@@ -5,21 +5,3 @@
 ## Configuration
 
 See [example directory](https://git.sdsys.ru/sdsys/bind/src/master/example) for sample config file.
-
-## Quickstart
-
-```yml
-bind:
-  image: registry.sdsys.ru/bind
-
-  volumes:
-    # You must provide a config file
-    - ./named.conf:/etc/bind/named.conf
-
-    # Zone files
-    - ./zones:/var/lib/bind
-
-  ports:
-    - "53:53/tcp"
-    - "53:53/udp"
-```

+ 35 - 0
example/bind.yml

@@ -0,0 +1,35 @@
+version: "3.3"
+
+services:
+
+  bind:
+     image: ${REGISTRY:-registry.sdsys.ru}/bind:${BINDTAG:-latest}
+     ports:
+       - 53:53
+       - 53:53/UDP
+     deploy:
+       replicas: 1
+       resources:
+         limits:
+           memory: 300M
+         reservations:
+           memory: 50M
+     volumes:
+       - bind:/var/lib/bind
+     configs:
+       - source: named.conf
+         target: /etc/bind/named.conf
+volumes:
+  bind:
+    driver: local
+    driver_opts:
+      device: "/dev/disk/by-label/bind"
+      type: "xfs"
+
+configs:
+  named.conf:
+    file: ./config/named.conf
+
+networks:
+  proxy:
+    external: true
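Review bot: The two `ports` entries are unquoted, and `53:53` is exactly the case the Compose documentation warns about: a YAML 1.1 loader reads `xx:yy` with a value under 60 as a base-60 integer (`53:53` becomes `3233`), so write them as strings, `- "53:53/tcp"` and `- "53:53/udp"`, keeping the conventional lowercase protocol name the deleted docker-compose.yml used. Because no `mode` is given, the ports are published through the Swarm routing mesh, which SNATs incoming traffic, so named sees the ingress address rather than the real client and any address-based `allow-recursion`/`allow-transfer` ACL in named.conf cannot tell clients apart; `mode: host` on each port entry preserves source addresses for a single-replica DNS service. The `proxy` external network is declared at the bottom but never attached to the `bind` service, so it is either dead configuration or a missing `networks: [proxy]` under the service.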

+ 81 - 0
example/config/named.conf

@@ -0,0 +1,81 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// See the BIND Administrator's Reference Manual (ARM) for details about the
+// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
+
+options {
+	listen-on port 53 { any; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/lib/bind";
+	dump-file 	"/var/lib/bind/data/cache_dump.db";
+	statistics-file "/var/lib/bind/data/named_stats.txt";
+	memstatistics-file "/var/lib/bind/data/named_mem_stats.txt";
+	allow-query     { any; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "/etc/bind/bind.keys";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+};
+
+logging {
+        channel default_debug {
+                stderr;
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+zone "infoclinica.lan" {
+    type master;
+    file "infoclinica/infoclinica.lan.zone";
+    notify yes;
+    allow-transfer { any; };
+};
+
+zone "201.168.192.in-addr.arpa" {
+        type master;
+        notify yes;
+        file "infoclinica/201.168.192.in-addr.arpa.zone";
+        allow-transfer { any; };
+};
+
+zone "204.168.192.in-addr.arpa" {
+        type master;
+        notify yes;
+        file "infoclinica/204.168.192.in-addr.arpa.zone";
+        allow-transfer { any; };
+};
+
+zone "205.168.192.in-addr.arpa" {
+        type master;
+        notify yes;
+        file "infoclinica/205.168.192.in-addr.arpa.zone";
+        allow-transfer { any; };
+};
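Review bot: With `recursion yes`, `listen-on { any; }` and `allow-query { any; }` and no `allow-recursion` ACL, this example is an open recursive resolver, the exact situation the comment block above `recursion yes;` says must be avoided; the deleted example/named.conf had `recursion no` and `allow-recursion { none; }`, so this commit regresses the shipped default. Every zone also carries `allow-transfer { any; };`, which lets anyone who can reach port 53 AXFR the internal `infoclinica.lan` zone and the three reverse zones and enumerate the network. Restricting recursion to an ACL and transfers to `none` (or to the named secondaries, since `notify yes` implies there are some) is a few lines; the 192.168.201/204/205.0/24 ranges are taken from the reverse zones here and should be adjusted to the real client networks, bearing in mind that address-based ACLs only work if named sees real client addresses rather than a routing-mesh SNAT address. `dump-file`/`statistics-file` point at `/var/lib/bind/data/`, which nothing in the commit creates, and `bindkeys-file` refers to the retired ISC DLV registry, so both are worth a second look.

```conf
acl internal { 192.168.201.0/24; 192.168.204.0/24; 192.168.205.0/24; };

options {
	// … unchanged: listen-on, directory, dump/statistics files …
	allow-query     { any; };
	recursion yes;
	allow-recursion { internal; };
	allow-transfer  { none; };
	// … unchanged: dnssec, bindkeys-file, pid-file, session-keyfile …
};
// … unchanged: logging, root hint zone …
zone "infoclinica.lan" {
    type master;
    file "infoclinica/infoclinica.lan.zone";
    notify yes;
    allow-transfer { none; };  // or the secondaries' addresses
};
// … the three in-addr.arpa zones get the same allow-transfer change …
```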

+ 0 - 13
example/docker-compose.yml

@@ -1,13 +0,0 @@
-bind:
-  image: joebiellik/bind
-
-  volumes:
-    # You must provide a config file
-    - ./named.conf:/etc/bind/named.conf
-
-    # Zone files
-    - ./zones:/var/lib/bind
-
-  ports:
-    - "53:53/tcp"
-    - "53:53/udp"

+ 0 - 18
example/named.conf

@@ -1,18 +0,0 @@
-options {
-	directory "/var/lib/bind";
-
-	listen-on { any; };
-	listen-on-v6 { any; };
-
-	allow-query { any; };
-	allow-transfer { none; };
-	allow-update { none; };
-	allow-recursion { none; };
-
-	recursion no;
-};
-
-zone "example.com" IN {
-	type master;
-	file "example.com.zone";
-};

+ 0 - 24
example/zones/example.com.zone

@@ -1,24 +0,0 @@
-$TTL 1d
-@ IN SOA ns1.example.com. root.example.com. (
-        2016010101      ; serial
-        28800           ; refresh (8 hours)
-        7200            ; retry (2 hours)
-        2419200         ; expire (4 weeks)
-        86400           ; minimum (1 day)
-)
-                NS      ns1.example.com.
-                NS      ns2.example.net.
-                NS      ns3.example.org.
-                NS      ns4.example.com.
-ns1             IN      A               1.2.3.4
-ns2             IN      A               1.2.3.4
-ns3             IN      A               1.2.3.4
-ns4             IN      A               1.2.3.4
-@               IN      A               1.2.3.4
-www             IN      CNAME   @
-@               IN      MX      1       aspmx.l.google.com.
-@               IN      MX      5       alt1.aspmx.l.google.com.
-@               IN      MX      5       alt2.aspmx.l.google.com.
-@               IN      MX      10      aspmx2.googlemail.com.
-@               IN      MX      10      aspmx3.googlemail.com.
-@               IN      TXT             "v=spf1 mx a include:_spf.google.com ~all"

+ 57 - 0
workdir/named.ca

@@ -0,0 +1,57 @@
+
+; <<>> DiG 9.9.2-P1-RedHat-9.9.2-6.P1.fc18 <<>> +bufsize=1200 +norec @a.root-servers.net
+; (2 servers found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25828
+;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 23
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 512
+;; QUESTION SECTION:
+;.				IN	NS
+
+;; ANSWER SECTION:
+.			518400	IN	NS	a.root-servers.net.
+.			518400	IN	NS	b.root-servers.net.
+.			518400	IN	NS	c.root-servers.net.
+.			518400	IN	NS	d.root-servers.net.
+.			518400	IN	NS	e.root-servers.net.
+.			518400	IN	NS	f.root-servers.net.
+.			518400	IN	NS	g.root-servers.net.
+.			518400	IN	NS	h.root-servers.net.
+.			518400	IN	NS	i.root-servers.net.
+.			518400	IN	NS	j.root-servers.net.
+.			518400	IN	NS	k.root-servers.net.
+.			518400	IN	NS	l.root-servers.net.
+.			518400	IN	NS	m.root-servers.net.
+
+;; ADDITIONAL SECTION:
+a.root-servers.net.	3600000	IN	A	198.41.0.4
+a.root-servers.net.	3600000	IN	AAAA	2001:503:ba3e::2:30
+b.root-servers.net.	3600000	IN	A	192.228.79.201
+c.root-servers.net.	3600000	IN	A	192.33.4.12
+d.root-servers.net.	3600000	IN	A	199.7.91.13
+d.root-servers.net.	3600000	IN	AAAA	2001:500:2d::d
+e.root-servers.net.	3600000	IN	A	192.203.230.10
+f.root-servers.net.	3600000	IN	A	192.5.5.241
+f.root-servers.net.	3600000	IN	AAAA	2001:500:2f::f
+g.root-servers.net.	3600000	IN	A	192.112.36.4
+h.root-servers.net.	3600000	IN	A	128.63.2.53
+h.root-servers.net.	3600000	IN	AAAA	2001:500:1::803f:235
+i.root-servers.net.	3600000	IN	A	192.36.148.17
+i.root-servers.net.	3600000	IN	AAAA	2001:7fe::53
+j.root-servers.net.	3600000	IN	A	192.58.128.30
+j.root-servers.net.	3600000	IN	AAAA	2001:503:c27::2:30
+k.root-servers.net.	3600000	IN	A	193.0.14.129
+k.root-servers.net.	3600000	IN	AAAA	2001:7fd::1
+l.root-servers.net.	3600000	IN	A	199.7.83.42
+l.root-servers.net.	3600000	IN	AAAA	2001:500:3::42
+m.root-servers.net.	3600000	IN	A	202.12.27.33
+m.root-servers.net.	3600000	IN	AAAA	2001:dc3::35
+
+;; Query time: 78 msec
+;; SERVER: 198.41.0.4#53(198.41.0.4)
+;; WHEN: Mon Jan 28 15:33:31 2013
+;; MSG SIZE  rcvd: 699
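Review bot: This hints file is a `dig` capture stamped `Mon Jan 28 15:33:31 2013` on the `WHEN:` line, and root-server addresses have changed since then — at least b.root-servers.net was renumbered on IPv4 in 2017 and several servers gained AAAA records that are absent here. named primes the root NS set from whichever listed address still answers, so a stale file mostly works, but a renumbered entry is dead weight and, should the old address ever be reassigned, a target for misdirected priming queries. Replace it with a current `named.root` from InterNIC/IANA and record the fetch date in a leading `;` comment; alternatively, since BIND carries compiled-in root hints, the `zone "."` hint stanza and this file can be dropped entirely.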
+

+ 10 - 0
workdir/named.empty

@@ -0,0 +1,10 @@
+$TTL 3H
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1

+ 10 - 0
workdir/named.localhost

@@ -0,0 +1,10 @@
+$TTL 1D
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1

+ 11 - 0
workdir/named.loopback

@@ -0,0 +1,11 @@
+$TTL 1D
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1
+	PTR	localhost.