dns01.smr.dev

Welcome to dns01.smr.dev, the primary authoritative name server for the smr.dev zone.

Initial configuration

This server is running bind9 with the following initial configuration:

/etc/bind/smr.dev/keys

Zone transfers to dns02 and dynamic updates are only accepted when they are signed with a TSIG key, so one key for each purpose must be created first.

They can be generated with the following commands (rndc-confgen -a writes a key clause to the file given with -c; tsig-keygen smr.dev.tsig prints the same clause to stdout):

/usr/sbin/rndc-confgen -a -c /etc/bind/smr.dev/keys/transfer.key -k smr.dev.tsig
/usr/sbin/rndc-confgen -a -c /etc/bind/smr.dev/keys/update.key -k smr.dev.usig

Each key file has the following form; the secret is a base64-encoded HMAC key, and the files must be readable only by root and the user named runs as:

key "<keyname>" {
        algorithm hmac-sha256;
        secret "<redacted>";
};

/etc/bind/named.conf

The following changes have been made to the default file: the options block replaces the include of named.conf.options, recursion no makes this an authoritative-only server, and the global allow-transfer { none; } is the default for every zone (the smr.dev zone below overrides it with its TSIG key):

// include "/etc/bind/named.conf.options";
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;
        recursion no;
        allow-transfer { none; };
        listen-on-v6 { any; };
};

include "/etc/bind/named.conf.local";

/etc/bind/named.conf.local

We use a distinct KSK and ZSK and allow transfers and updates only with the TSIG keys defined above. The KSK is never rolled automatically (a KSK roll needs a new DS at the parent), the ZSK is rolled every 60 days. RSA keys shorter than 2048 bits are no longer considered adequate (NIST SP 800-57), so the ZSK is 2048 bits; ECDSAP256SHA256 (algorithm 13) would give equivalent strength with much smaller keys and signatures, but RSASHA256 is kept here. Note that allow-update with a key grants the holder of smr.dev.usig write access to every name in the zone; update-policy with grant rules can restrict updates to specific names or record types if that is too broad.

dnssec-policy "ksk-zsk" {
	keys {
		ksk lifetime unlimited algorithm rsasha256 4096;
		zsk lifetime P60D algorithm rsasha256 2048;
	};
};

include "/etc/bind/smr.dev/keys/transfer.key";
include "/etc/bind/smr.dev/keys/update.key";
zone "smr.dev" in {
	type master;
	file "/etc/bind/smr.dev/db";
	key-directory "/etc/bind/smr.dev/keys";
	dnssec-policy "ksk-zsk";
	inline-signing yes;
	allow-transfer { key "smr.dev.tsig"; };
	allow-update { key "smr.dev.usig"; };
};
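As an added example (not part of these notes and not code from the BIND distribution), the following probe checks that the allow-transfer rule above actually holds: an AXFR without a signature must come back REFUSED (RCODE 5), and the same request signed with smr.dev.tsig must succeed (RCODE 0) with a TSIG-signed first reply. It builds the query and the TSIG RR (RFC 8945, hmac-sha256) with the standard library only, so it also shows what the key clause is used for on the wire. Server name, zone and key name are the ones on this page; that the secret is read from the environment variable TSIG_SECRET is an assumption of this example.

```python
"""Probe that zone transfers of smr.dev are gated by TSIG (added example, standard library only)."""
import base64
import hashlib
import hmac
import os
import socket
import struct
import time

TSIG, AXFR, CLASS_IN, CLASS_ANY = 250, 252, 1, 255
HMAC_SHA256 = "hmac-sha256."

def wire_name(name):
    """Uncompressed wire form of a domain name (RFC 1035 section 3.1)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def axfr_query(zone, msg_id=None):
    """Unsigned AXFR request: header with one question, then QNAME, QTYPE 252, QCLASS IN."""
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)

def _tsig_vars(name, alg, time_fudge, error=0, other=b""):
    """TSIG variables in the order RFC 8945 section 4.3.3 feeds them to the MAC (TTL is always 0)."""
    return name + struct.pack("!HI", CLASS_ANY, 0) + alg + time_fudge + struct.pack("!HH", error, len(other)) + other

def tsig_sign(msg, key_name, secret_b64, now=None, fudge=300):
    """Append a TSIG RR (RFC 8945 section 4.2) to a request, using hmac-sha256 like transfer.key."""
    now = int(time.time()) if now is None else now
    name, alg = wire_name(key_name), wire_name(HMAC_SHA256)
    time_fudge = now.to_bytes(6, "big") + struct.pack("!H", fudge)
    # The request MAC covers the message without the TSIG RR (ARCOUNT not yet incremented).
    mac = hmac.new(base64.b64decode(secret_b64), msg + _tsig_vars(name, alg, time_fudge), hashlib.sha256).digest()
    rdata = alg + time_fudge + struct.pack("!H", len(mac)) + mac + msg[:2] + struct.pack("!HH", 0, 0)
    rr = name + struct.pack("!HHIH", TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", int.from_bytes(msg[10:12], "big") + 1) + msg[12:] + rr

def _skip_name(buf, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        n = buf[off]
        if n >= 0xC0:
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def split_tsig(msg):
    """Split a signed message into (message without the TSIG RR, TSIG owner name, TSIG RDATA)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar - 1):  # skip every RR but the last, which must be the TSIG
        off = _skip_name(msg, off)
        off += 10 + int.from_bytes(msg[off + 8:off + 10], "big")
    start, off = off, _skip_name(msg, off)
    if int.from_bytes(msg[off:off + 2], "big") != TSIG:
        raise ValueError("last additional RR is not a TSIG")
    rdlen = int.from_bytes(msg[off + 8:off + 10], "big")
    return msg[:10] + struct.pack("!H", ar - 1) + msg[12:start], msg[start:off], msg[off + 10:off + 10 + rdlen]

def tsig_fields(rdata):
    """Decode TSIG RDATA into (algorithm, time+fudge bytes, time signed, fudge, mac, error, other data)."""
    a = _skip_name(rdata, 0)
    fudge, mac_len = struct.unpack("!HH", rdata[a + 6:a + 10])
    mac = rdata[a + 10:a + 10 + mac_len]
    error, other_len = struct.unpack("!HH", rdata[a + 12 + mac_len:a + 16 + mac_len])
    other = rdata[a + 16 + mac_len:a + 16 + mac_len + other_len]
    return rdata[:a], rdata[a:a + 8], int.from_bytes(rdata[a:a + 6], "big"), fudge, mac, error, other

def tsig_verify(signed, secret_b64, request_mac=b""):
    """Verify MAC and time window of a signed request, or of the first response to a signed request."""
    unsigned, name, rdata = split_tsig(signed)
    alg, time_fudge, now, fudge, mac, error, other = tsig_fields(rdata)
    # A response MAC is additionally prefixed with the length and value of the request MAC.
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data = prefix + unsigned + _tsig_vars(name, alg, time_fudge, error, other)
    expected = hmac.new(base64.b64decode(secret_b64), data, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(int(time.time()) - now) <= fudge

def rcode(msg):
    """Header RCODE: 0 NOERROR, 5 REFUSED (no key), 9 NOTAUTH (TSIG rejected)."""
    return msg[3] & 0x0F

def axfr_probe(server, zone, key=None):
    """One AXFR over TCP (2-byte length prefix); returns the RCODE and, for a keyed probe, the reply's TSIG check."""
    q = tsig_sign(axfr_query(zone), *key) if key else axfr_query(zone)
    with socket.create_connection((server, 53), timeout=5) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        f = s.makefile("rb")
        reply = f.read(int.from_bytes(f.read(2), "big"))
    ok = tsig_verify(reply, key[1], tsig_fields(split_tsig(q)[2])[4]) if key and rcode(reply) == 0 else None
    return rcode(reply), ok

if __name__ == "__main__":
    # TSIG_SECRET holds the base64 secret from /etc/bind/smr.dev/keys/transfer.key (never paste it into code).
    print("unsigned AXFR:", axfr_probe("dns01.smr.dev", "smr.dev"))
    print("signed AXFR:", axfr_probe("dns01.smr.dev", "smr.dev", ("smr.dev.tsig", os.environ["TSIG_SECRET"])))
```

Run it from a host other than dns01 (the secondary, say) with TSIG_SECRET set to the value from transfer.key. A NOTAUTH (RCODE 9) reply to the signed probe means the key name or secret differs from what named has loaded. Only the first message of an AXFR is verified; later messages of a multi-message transfer are signed as a chain (RFC 8945 section 5.3.2) and are not checked here.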

/etc/bind/smr.dev/db

The initial zone file holds only the SOA and the NS records with their glue; further records are added later through signed dynamic updates, and once inline signing and dynamic updates are active the file and its journals belong to named and must not be edited by hand without rndc freeze and thaw. Refresh and retry may be short because NOTIFY triggers the transfers, but expire must be long enough that dns02 keeps serving the zone through an outage of the primary; RFC 1912 suggests two to four weeks, so it is set to two weeks here:

$TTL 60	; 1 minute
smr.dev. IN SOA dns01.smr.dev. root.smr.dev. (
	1 ; serial
	60 ; refresh (1 minute)
	60 ; retry (1 minute)
	1209600 ; expire (2 weeks)
	60 ; minimum (1 minute)
)
@	60	IN	NS	dns01.smr.dev.
@	60	IN	NS	dns02.smr.dev.
dns01	60	IN	A	144.24.245.91
dns02	60	IN	A	152.67.79.172

First startup

Before starting the container it may be necessary to disable the systemd-resolved stub listener, which binds port 53 on 127.0.0.53 and would prevent the container from publishing port 53.

Edit the file /etc/systemd/resolved.conf and add the following line in the [Resolve] section:

DNSStubListener=no

Then restart the service. If /etc/resolv.conf is the symlink to /run/systemd/resolve/stub-resolv.conf, repoint it at /run/systemd/resolve/resolv.conf so that the host itself keeps resolving names:

sudo systemctl restart systemd-resolved
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Before the first start, place the configuration above under /opt/bind9/etc/bind on the host and make /etc/bind/smr.dev and the key directory writable by the user named runs as in the image (bind by default): with dnssec-policy and inline-signing, named generates the DNSSEC keys in key-directory and writes the signed zone (db.signed) and the journals (db.jnl, db.signed.jnl) next to the zone file. Port 953 is the rndc control channel and must never be reachable from the network, so it is published on the host's loopback address only. The docker image can then be pulled and the container started:

docker image pull ubuntu/bind9:latest
docker run \
	--detach \
	--name bind9 \
	--restart always \
	--publish 53:53/tcp --publish 53:53/udp --publish 127.0.0.1:953:953/tcp \
	--volume /opt/bind9/etc/bind:/etc/bind \
	--volume /opt/bind9/var/lib/bind:/var/lib/bind \
	--volume /opt/bind9/var/cache/bind:/var/cache/bind \
	ubuntu/bind9:latest

KSK and ZSK

Since automatic signing (inline-signing) and a KSK/ZSK policy are configured, named generates the two asymmetric key pairs in the key directory during the first startup.

A DS record can be created from the KSK (the K*.key file whose DNSKEY record carries flags 257) using the following command:

dnssec-dsfromkey /etc/bind/smr.dev/keys/Ksmr.dev.<...>.key

A DS record like this is displayed (key tag 13642, algorithm 8 = RSASHA256, digest type 2 = SHA-256) and must be inserted in the parent zone, dev, through the registrar to create the chain of trust:

smr.dev. IN DS 13642 8 2 79D154A483E158E75C5DD62CC1CD8982F5A3B03123C316EB56EF87130C36E520

Submit the DS only once both dns01 and dns02 serve the signed zone (dns02 must have completed a transfer first), which dig +dnssec DNSKEY smr.dev @dns02.smr.dev confirms; a DS published before that makes validating resolvers fail the whole zone.
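Added example (not from these notes, and not the dnssec-dsfromkey implementation): how a DS line like the one above is derived, and how to check the DS the registrar publishes against the live KSK. It parses a DNSKEY record in the form dig DNSKEY smr.dev prints, computes the key tag (RFC 4034 Appendix B) and the digest over the canonical owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and compares a DS obtained with dig DS smr.dev against the result. SAMPLE_DNSKEY is constructed for illustration; its key material is not a real RSA key, so the tag and digest it yields are not those of the smr.dev KSK.

```python
"""Derive and check the DS record for a KSK (added example, not part of these notes)."""
import base64
import hashlib
import struct

# DS digest types: 1 SHA-1 (deprecated by RFC 8624, accepted only for checking), 2 SHA-256, 4 SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed DNSKEY line in dig's output format; the key material is a placeholder, not a real key.
SAMPLE_DNSKEY = "smr.dev. 60 IN DNSKEY 257 3 8 AwEAAcD/7hEiM0RV"

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, uncompressed (RFC 4034 section 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(line):
    """Parse a DNSKEY presentation line into (owner, flags, algorithm, RDATA wire bytes)."""
    f = line.split()
    i = f.index("DNSKEY")  # dig prints owner, TTL and class before the type
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    if proto != 3:
        raise ValueError("DNSKEY protocol must be 3 (RFC 4034 section 2.1.2)")
    pubkey = base64.b64decode("".join(f[i + 4:]))  # dig may split the base64 over several tokens
    return f[0], flags, alg, struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata):
    """Key tag of a DNSKEY (RFC 4034 Appendix B); not valid for algorithm 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(dnskey_line, digest_type=2):
    """DS record for a KSK: digest over the canonical owner name followed by the DNSKEY RDATA."""
    owner, flags, alg, rdata = parse_dnskey(dnskey_line)
    if not flags & 0x0001:  # the SEP bit marks the KSK (flags 257); the ZSK (256) gets no DS
        raise ValueError("DS records are derived from the KSK, not the ZSK")
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_matches(parent_ds, dnskey_line):
    """True if a DS as published at the parent (e.g. from `dig DS smr.dev`) matches the DNSKEY."""
    f = parent_ds.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    digest = "".join(f[i + 4:]).upper()  # dig may print the digest in several chunks
    want = ds_record(dnskey_line, dtype).split()
    return f[0].lower() == want[0].lower() and [tag, alg, dtype] == [int(x) for x in want[3:6]] and digest == want[6]

if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Feed ds_matches the DS answer from a resolver outside your own infrastructure once the registrar reports it published; a mismatch (a stale key tag after a KSK change, a digest type the registrar silently altered) leaves the zone bogus for every validating resolver.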

This completes the configuration of the primary DNS server.