The-Kube-Way/nsd
NSD is an authoritative-only, high-performance, simple and open source name server released under the BSD licence. This work is originally based on hardware/nsd-dnssec.
- Lightweight & secure image (based on Alpine & multi-stage build: 4MB, no root process)
- Latest NSD version with hardening compilation options
- Helper scripts for generating ZSK and KSK keys, DS record management and zone signing
- Optimized to be run on Kubernetes with ConfigMap
```yaml
version: '3.7'
services:
  nsd:
    container_name: nsd
    restart: always
    image: ghcr.io/the-kube-way/nsd:latest # or nsd:vX.X.X
    read_only: true
    tmpfs:
      - /tmp
      - /var/db/nsd
    volumes:
      - /mnt/nsd/conf:/etc/nsd:ro
      - /mnt/nsd/zones:/zones
      - /mnt/nsd/keys:/keys:ro
    ports:
      # Quote port mappings: an unquoted 53:53 is read by YAML 1.1 parsers as a
      # base-60 integer (3233), so the service would not be exposed on port 53.
      - "53:53"
      - "53:53/udp"
```
Ensure the mount points are owned by the UID/GID that nsd runs as (991 by default).

- `/etc/nsd` should be mounted read-only.
- `/zones` can be mounted read-only if the helper scripts (e.g. for DNSSEC) are not used, since `signzone` writes the signed zone there.
- `/keys` should be mounted read-only if the `keygen` helper script is not used. Note that the compose file above mounts it `:ro`, so mount it writable for the one-off `keygen` run and put it back to read-only afterwards; `signzone` only needs to read the keys.
Put your DNS zone file in `/mnt/nsd/zones/domain.tld`:

```
$ORIGIN domain.tld.
$TTL 3600

; SOA
; SOA record should be on one line to use provided helper scripts
@ IN SOA ns1.domain.tld. hostmaster.domain.tld. 2016020202 7200 1800 1209600 86400

; NAMESERVERS
@ IN NS ns1.domain.tld.
@ IN NS ns2.domain.tld.

; A RECORDS
@   IN A 1.2.3.4
www IN A 5.6.7.8
...
```
Put the nsd config in `/mnt/nsd/conf/nsd.conf`:

```yaml
server:
  server-count: 1
  verbosity: 1
  hide-version: yes
  zonesdir: "/zones"

zone:
  name: domain.tld
  #zonefile: domain.tld # if not signed
  zonefile: domain.tld.signed
```
Check the NSD documentation (nsd.conf(5)) to see all options.
Check your zone and nsd configuration before starting the server (the same image provides `nsd-checkzone` and `nsd-checkconf`):

```bash
cd /mnt/nsd
docker run -it --rm -v $(pwd)/zones:/zones ghcr.io/the-kube-way/nsd nsd-checkzone domain.tld /zones/domain.tld
docker run -it --rm -v $(pwd)/conf:/etc/nsd ghcr.io/the-kube-way/nsd nsd-checkconf /etc/nsd/nsd.conf
```
You may want to change the user the server runs as, by setting these variables (the mount points must be owned by the same UID/GID):

Variable | Description | Type | Default value
---|---|---|---
UID | nsd user id | optional | 991
GID | nsd group id | optional | 991
Generate ZSK and KSK keys with the ECDSAP384SHA384 algorithm (`/keys` must be writable for this step):

```bash
docker-compose exec nsd keygen domain.tld
```

Keys will be stored in `/keys/Kdomain.tld.{zsk,ksk}.{key,private}`. The `.private` files are the signing keys: keep them out of images, ConfigMaps and version control, and expose them to the container only through the `/keys` volume (or an equivalent secret mount).

Then sign your DNS zone. The default RRSIG expiration is 1 month after signing; once it passes, validating resolvers treat the whole zone as bogus and return SERVFAIL, so the zone must be re-signed before that date:

```bash
docker-compose exec nsd signzone domain.tld
# or set a custom RRSIG RR expiration date:
docker-compose exec nsd signzone domain.tld [YYYYMMDDhhmmss]
```
Re-signing can be scheduled with a systemd timer on the host. A weekly run leaves a comfortable margin under the 1-month default expiration, so a missed run or two does not take the zone offline.

`/etc/systemd/system/nsd_update_signature.service`

```ini
[Unit]
Description=NSD update signature

[Service]
Type=oneshot
ExecStart=docker exec nsd signzone domain.tld
```

`/etc/systemd/system/nsd_update_signature.timer`

```ini
[Timer]
OnCalendar=weekly

[Install]
WantedBy=multi-user.target
```

Don't forget to enable and start the timer, and check that nsd actually serves the fresh signatures after a run (see the restart step below).
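Expired signatures are the usual way a signed zone breaks: nsd keeps answering, but validating resolvers return SERVFAIL for everything under the zone. The timer above re-signs well inside the default window, but monitoring should fail before that margin is gone. The script below is an added example, not part of The-Kube-Way/nsd or its helper scripts; it assumes the signed zone is the file the `zonefile` parameter points to (on the host, e.g. `/mnt/nsd/zones/domain.tld.signed`) and that its RRSIG records use the standard presentation format, with the expiration timestamp in the ninth field. The zone lines embedded in it are constructed placeholders, not real signatures.

```sh
#!/bin/sh
# rrsig_expiry_check.sh: warn before the RRSIGs in a signed zone file expire.
# Added example, not part of The-Kube-Way/nsd. Assumes RRSIG lines look like:
#   owner TTL IN RRSIG type alg labels origttl EXPIRATION inception keytag signer sig
# with EXPIRATION as YYYYMMDDHHMMSS in UTC, which is what ldns-signzone emits.

# Constructed sample of a signed zone (signature data is a placeholder).
SAMPLE_SIGNED_ZONE='domain.tld. 3600 IN RRSIG SOA 14 2 3600 20240301120000 20240201120000 12345 domain.tld. c29tZXNpZ25hdHVyZQ==
domain.tld. 3600 IN RRSIG NS 14 2 3600 20240315000000 20240201120000 12345 domain.tld. c29tZXNpZ25hdHVyZQ==
www.domain.tld. 3600 IN A 5.6.7.8
www.domain.tld. 3600 IN RRSIG A 14 3 3600 20240310093000 20240201120000 12345 domain.tld. c29tZXNpZ25hdHVyZQ=='

# earliest_rrsig_expiry FILE
# Prints the earliest RRSIG expiration (YYYYMMDDHHMMSS) found in FILE, or nothing.
earliest_rrsig_expiry() {
  awk '$3 == "IN" && $4 == "RRSIG" { if (min == "" || $9 + 0 < min + 0) min = $9 }
       END { print min }' "$1"
}

# ts_to_epoch YYYYMMDDHHMMSS
# Converts a DNSSEC timestamp (UTC) to seconds since the Unix epoch in awk,
# using the days-from-civil formula, so the check does not depend on GNU date -d.
ts_to_epoch() {
  printf '%s\n' "$1" | awk '{
    y = substr($0, 1, 4) + 0; m = substr($0, 5, 2) + 0; d = substr($0, 7, 2) + 0
    H = substr($0, 9, 2) + 0; M = substr($0, 11, 2) + 0; S = substr($0, 13, 2) + 0
    if (m <= 2) y--
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468
    print days * 86400 + H * 3600 + M * 60 + S
  }'
}

# rrsig_days_left FILE NOW_EPOCH
# Prints whole days until the earliest RRSIG in FILE expires (negative if expired).
rrsig_days_left() {
  exp=$(earliest_rrsig_expiry "$1")
  [ -n "$exp" ] || { echo "no RRSIG records in $1 (is it the signed file?)" >&2; return 2; }
  exp_epoch=$(ts_to_epoch "$exp")
  now=$2
  echo $(( (exp_epoch - now) / 86400 ))
}

# check_rrsig_expiry FILE MIN_DAYS [NOW_EPOCH]
# Returns 0 when every RRSIG stays valid for at least MIN_DAYS, 1 when the zone
# needs re-signing, 2 when the file carries no RRSIGs. Wire the non-zero exit
# into monitoring; pick MIN_DAYS larger than the re-signing interval.
check_rrsig_expiry() {
  now=${3:-$(date -u +%s)}
  left=$(rrsig_days_left "$1" "$now") || return 2
  if [ "$left" -lt "$2" ]; then
    echo "WARN: earliest RRSIG in $1 expires in $left day(s), below the $2-day threshold; run signzone" >&2
    return 1
  fi
  echo "OK: earliest RRSIG in $1 expires in $left day(s)"
  return 0
}

# Demonstration on the constructed sample, evaluated as of 2024-02-20 00:00 UTC,
# which is 10.5 days before the earliest (SOA) signature expires.
demo() {
  tmp=$(mktemp) || return 0
  printf '%s\n' "$SAMPLE_SIGNED_ZONE" > "$tmp"
  now=1708387200
  check_rrsig_expiry "$tmp" 7 "$now" || :    # OK: 10 days left
  check_rrsig_expiry "$tmp" 14 "$now" || :   # WARN: below threshold, re-sign
  rm -f "$tmp"
  return 0
}
demo
```

Run it from the host against the signed file, e.g. `check_rrsig_expiry /mnt/nsd/zones/domain.tld.signed 14`, and alert on a non-zero exit; it reads the file directly rather than querying the server, so it also catches the case where `signzone` ran but nsd has not reloaded the zone yet only if you pair it with a `dig +dnssec` check against the live service.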
Show your DS records (Delegation Signer), which must be published in the parent zone through your registrar to complete the chain of trust:

```bash
docker-compose exec nsd ds-records domain.tld
```

Only publish the DS once the signed zone is actually being served: a DS in the parent with no matching DNSKEY in the child makes the zone bogus for validating resolvers. For the same reason, roll keys by publishing the new DNSKEY first and removing the old DS last.

Ensure the `zonefile` parameter in `nsd.conf` points to the signed zone (e.g. `domain.tld.signed`).

Restart nsd to take the changes into account:

```bash
docker-compose restart nsd
```
Build-time variables:

- NSD_VERSION: version of NSD to build
- SHA256_HASH: SHA256 hash of the NSD source archive for that version, used to verify the download
About
Running NSD on Kubernetes