The-Kube-Way/nsd
NSD is an authoritative only, high performance, simple and open source name server released under the BSD licence. This work is originally based on hardware/nsd-dnssec.
- Lightweight & secure image (based on Alpine & multi-stage build: 4MB, no root process)
- Latest NSD version with hardening compilation options
- Helper scripts for generating ZSK and KSK keys, DS-Records management and zone signature
- Optimized to be run on Kubernetes with ConfigMap
```yaml
version: '3.7'
services:
  nsd:
    container_name: nsd
    restart: always
    image: ghcr.io/the-kube-way/nsd:latest # or nsd:vX.X.X
    read_only: true
    tmpfs:
      - /tmp
      - /var/db/nsd
    volumes:
      - /mnt/nsd/conf:/etc/nsd:ro
      - /mnt/nsd/zones:/zones
      - /mnt/nsd/keys:/keys:ro
    ports:
      - 53:53
      - 53:53/udp
```
Ensure mount points match the UID/GID (991 by default) used by nsd.

- `/etc/nsd` should be mounted read-only.
- `/zones` can be mounted read-only if helper scripts (e.g. for dnssec) are not used.
- `/keys` should be mounted read-only if the keygen helper script is not used.
Put your dns zone file in `/mnt/nsd/zones/domain.tld`.

```
$ORIGIN domain.tld.
$TTL 3600

; SOA
; SOA record should be on one line to use provided helper scripts
@ IN SOA ns1.domain.tld. hostmaster.domain.tld. 2016020202 7200 1800 1209600 86400

; NAMESERVERS
@ IN NS ns1.domain.tld.
@ IN NS ns2.domain.tld.

; A RECORDS
@   IN A 1.2.3.4
www IN A 5.6.7.8
...
```
Put the nsd config in `/mnt/nsd/conf/nsd.conf`.

```
server:
  server-count: 1
  verbosity: 1
  hide-version: yes
  zonesdir: "/zones"

zone:
  name: domain.tld
  #zonefile: domain.tld # if not signed
  zonefile: domain.tld.signed
```

Check the documentation to see all options.
Check your zone and nsd configuration:
```sh
cd /mnt/nsd
docker run -it --rm -v $(pwd)/zones:/zones selfhostingtools/nsd nsd-checkzone domain.tld /zones/domain.tld
docker run -it --rm -v $(pwd)/conf:/etc/nsd selfhostingtools/nsd nsd-checkconf /etc/nsd/nsd.conf
```
You may want to change the running user:
Variable | Description | Type | Default value |
---|---|---|---|
UID | nsd user id | optional | 991 |
GID | nsd group id | optional | 991 |
Generate ZSK and KSK keys with ECDSAP384SHA384 algorithm:
```sh
docker-compose exec nsd keygen domain.tld
```

Keys will be stored in `/keys/Kdomain.tld.{zsk,ksk}.{key,private}`.
Then sign your dns zone (default expiration date is 1 month):
```sh
docker-compose exec nsd signzone domain.tld
# or set custom RRSIG RR expiration date:
docker-compose exec nsd signzone domain.tld [YYYYMMDDhhmmss]
```
The zone has to be re-signed before the RRSIG records expire. This can be done using a systemd timer on the host:

`/etc/systemd/system/nsd_update_signature.service`

```ini
[Unit]
Description=NSD update signature

[Service]
Type=oneshot
ExecStart=docker exec nsd signzone domain.tld
```

`/etc/systemd/system/nsd_update_signature.timer`

```ini
[Timer]
OnCalendar=weekly

[Install]
WantedBy=multi-user.target
```
Don't forget to enable and start the timer!
Show your DS-Records (Delegation Signer):
```sh
docker-compose exec nsd ds-records domain.tld
```

Ensure the `zonefile` parameter is correctly set (e.g. `domain.tld.signed`) in `nsd.conf`.
Restart nsd to take the changes into account:
```sh
docker-compose restart nsd
```
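Because the signed zone carries RRSIG records with a fixed expiration (one month by default when using `signzone`), a missed timer run silently turns the zone bogus for validating resolvers. The following check is an added example, not part of this project or its helper scripts: it parses the RRSIG expiration fields of a signed zone file (the one-record-per-line layout, accepting both the `YYYYMMDDhhmmss` and the seconds-since-epoch forms that RFC 4034 allows) and reports signatures that have expired or will expire within a warning window. The sample zone fragment, the signer names and the key tag are constructed; pointing the script at `/mnt/nsd/zones/domain.tld.signed` on the host is an assumption about where `signzone` writes its output.

```python
"""Report expired or soon-expiring RRSIG records in a signed zone file."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample (not the project's output): a fragment of a signed zone in the
# one-RRSIG-per-line layout. Signature data is replaced by placeholder text.
SAMPLE_SIGNED_ZONE = """\
$ORIGIN domain.tld.
$TTL 3600
domain.tld.      3600 IN SOA   ns1.domain.tld. hostmaster.domain.tld. 2016020202 7200 1800 1209600 86400
domain.tld.      3600 IN RRSIG SOA 14 2 3600 20160302000000 20160202000000 12345 domain.tld. AbCd...==
domain.tld.      3600 IN NS    ns1.domain.tld.
domain.tld.      3600 IN RRSIG NS 14 2 3600 20160302000000 20160202000000 12345 domain.tld. EfGh...==  ; comment
www.domain.tld.  3600 IN A     5.6.7.8
www.domain.tld.  3600 IN RRSIG A 14 3 3600 1458043200 20160202000000 12345 domain.tld. IjKl...==
"""


def _parse_rrsig_time(field):
    """RFC 4034 allows YYYYMMDDHHmmSS or seconds since the epoch; both are UTC."""
    if re.fullmatch(r"\d{14}", field):
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    raise ValueError(f"bad RRSIG time field: {field!r}")


def parse_rrsig_expirations(zone_text):
    """Return (owner, type_covered, expiration) for every RRSIG line in zone_text.

    Comments after ';' and $-directives are skipped. Only the one-record-per-line
    layout is handled; parenthesised multi-line records are not reassembled.
    """
    results = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        if "RRSIG" not in tokens:
            continue
        # RDATA: type_covered alg labels orig_ttl expiration inception keytag signer signature
        rdata = tokens[tokens.index("RRSIG") + 1:]
        if len(rdata) < 9:
            raise ValueError(f"malformed RRSIG line: {raw!r}")
        results.append((tokens[0], rdata[0], _parse_rrsig_time(rdata[4])))
    return results


def check_signatures(zone_text, now=None, warn_window=timedelta(days=7)):
    """Split RRSIGs into expired / expiring_soon / ok and give the earliest expiration."""
    now = now or datetime.now(timezone.utc)
    report = {"expired": [], "expiring_soon": [], "ok": [], "earliest": None}
    for owner, rtype, exp in parse_rrsig_expirations(zone_text):
        if exp <= now:
            report["expired"].append((owner, rtype, exp))
        elif exp - now <= warn_window:
            report["expiring_soon"].append((owner, rtype, exp))
        else:
            report["ok"].append((owner, rtype, exp))
        if report["earliest"] is None or exp < report["earliest"]:
            report["earliest"] = exp
    return report


if __name__ == "__main__":
    # Usage: python check_rrsig.py /mnt/nsd/zones/domain.tld.signed  (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIGNED_ZONE
    result = check_signatures(text)
    for label in ("expired", "expiring_soon"):
        for owner, rtype, exp in result[label]:
            print(f"{label}: {owner} {rtype} expires {exp.isoformat()}")
    print(f"earliest expiration: {result['earliest']}")
    # Exit status lets a cron job or monitoring check alert before the zone goes bogus.
    sys.exit(2 if result["expired"] else 1 if result["expiring_soon"] else 0)
```

Run it from the same host timer that re-signs the zone, or from monitoring, with a warning window longer than the timer interval (the weekly timer above against a one-month signature lifetime leaves ample margin, but the check catches a timer that stopped firing).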
Build-time variables:
- NSD_VERSION : version of NSD
- SHA256_HASH : SHA256 hash of NSD archive
About
Running NSD on Kubernetes