upgraded to pdns 4.1; enabled webserver and api

docker-compose.yml

@@ -37,6 +37,7 @@ services:
         ports:
             - "0.0.0.0:53:53/udp"
             - "0.0.0.0:53:53/tcp"
+            - "127.0.0.1:34022:80"
         env_file:
             - env
 

env

@@ -4,6 +4,8 @@ POSTGRES_PASSWORD=pg_password
 POSTGRES_DB=poweradmin
 
 PDNS_RECURSOR_HOST=pdns-recursor.pdns.internal.docker
+PDNS_API_KEY=change_it
+PDNS_WEBSERVER_PASSWORD=change_it
 
 SESSION_KEY=change_it
 

pdns/Dockerfile

@@ -2,6 +2,14 @@ FROM debian:jessie
 
 MAINTAINER Robin Thoni <robin@rthoni.com>
 
+RUN apt-get update && \
+    apt-get install -y curl && \
+    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN echo 'deb http://repo.powerdns.com/debian jessie-auth-40 main' > /etc/apt/sources.list.d/pdns.list && \
+    echo 'Package: pdns-*\nPin: origin repo.powerdns.com\nPin-Priority: 600' > /etc/apt/preferences.d/pdns && \
+    curl https://repo.powerdns.com/FD380FBB-pub.asc | apt-key add -
+
 COPY ./preseed.txt /tmp/preseed.txt
 
 RUN debconf-set-selections /tmp/preseed.txt

pdns/config/pdns.conf

@@ -1,518 +1,577 @@
+# Autogenerated configuration file template
 #################################
-# allow-axfr-ips	Allow zonetransfers only to these subnets
+# 8bit-dns  Allow 8bit dns queries
 #
-# allow-axfr-ips=
+# 8bit-dns=no
 
 #################################
-# allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
+# allow-axfr-ips  Allow zonetransfers only to these subnets
+#
+allow-axfr-ips=127.0.0.1,172.0.0.0/8,192.168.0.0/16
+
+#################################
+# allow-dnsupdate-from  A global setting to allow DNS updates from these IP ranges.
 #
 # allow-dnsupdate-from=127.0.0.0/8,::1
 
 #################################
-# allow-recursion	List of subnets that are allowed to recurse
+# allow-notify-from Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
+#
+# allow-notify-from=0.0.0.0/0,::/0
+
+#################################
+# allow-recursion List of subnets that are allowed to recurse
 #
 allow-recursion=127.0.0.1,172.0.0.0/8,192.168.0.0/16
 
 #################################
-# also-notify	When notifying a domain, also notify these nameservers
+# allow-unsigned-notify Allow unsigned notifications for TSIG secured domains
+#
+# allow-unsigned-notify=yes
+
+#################################
+# allow-unsigned-supermaster  Allow supermasters to create zones without TSIG signed NOTIFY
+#
+# allow-unsigned-supermaster=yes
+
+#################################
+# also-notify When notifying a domain, also notify these nameservers
 #
 # also-notify=
 
 #################################
-# any-to-tcp	Answer ANY queries with tc=1, shunting to TCP
+# any-to-tcp  Answer ANY queries with tc=1, shunting to TCP
 #
 # any-to-tcp=no
 
 #################################
-# cache-ttl	Seconds to store packets in the PacketCache
+# api Enable/disable the REST API
+#
+api=yes
+
+#################################
+# api-key Static pre-shared authentication key for access to the REST API
+#
+api-key=PDNS_API_KEY
+
+#################################
+# api-logfile Location of the server logfile (used by the REST API)
+#
+# api-logfile=/var/log/pdns.log
+
+#################################
+# api-readonly  Disallow data modification through the REST API when set
+#
+api-readonly=no
+
+#################################
+# cache-ttl Seconds to store packets in the PacketCache
 #
 # cache-ttl=20
 
 #################################
-# carbon-interval	Number of seconds between carbon (graphite) updates
+# carbon-interval Number of seconds between carbon (graphite) updates
 #
 # carbon-interval=30
 
 #################################
-# carbon-ourname	If set, overrides our reported hostname for carbon stats
+# carbon-ourname  If set, overrides our reported hostname for carbon stats
 #
 # carbon-ourname=
 
 #################################
-# carbon-server	If set, send metrics in carbon (graphite) format to this server
+# carbon-server If set, send metrics in carbon (graphite) format to this server
 #
 # carbon-server=
 
 #################################
-# chroot	If set, chroot to this directory for more security
+# chroot  If set, chroot to this directory for more security
 #
 # chroot=
 
 #################################
-# config-dir	Location of configuration directory (pdns.conf)
+# config-dir  Location of configuration directory (pdns.conf)
 #
 config-dir=/etc/powerdns
 
 #################################
-# config-name	Name of this virtual configuration - will rename the binary image
+# config-name Name of this virtual configuration - will rename the binary image
 #
 # config-name=
 
 #################################
-# control-console	Debugging switch - don't use
+# control-console Debugging switch - don't use
 #
 # control-console=no
 
 #################################
-# daemon	Operate as a daemon
+# daemon  Operate as a daemon
 #
-# daemon=yes
+# daemon=no
 
 #################################
-# default-ksk-algorithms	Default KSK algorithms
+# default-ksk-algorithms  Default KSK algorithms
 #
-# default-ksk-algorithms=rsasha256
+# default-ksk-algorithms=ecdsa256
 
 #################################
-# default-ksk-size	Default KSK size (0 means default)
+# default-ksk-size  Default KSK size (0 means default)
 #
 # default-ksk-size=0
 
 #################################
-# default-soa-mail	mail address to insert in the SOA record if none set in the backend
+# default-soa-edit  Default SOA-EDIT value
+#
+# default-soa-edit=
+
+#################################
+# default-soa-edit-signed Default SOA-EDIT value for signed zones
+#
+# default-soa-edit-signed=
+
+#################################
+# default-soa-mail  mail address to insert in the SOA record if none set in the backend
 #
 # default-soa-mail=
 
 #################################
-# default-soa-name	name to insert in the SOA record if none set in the backend
+# default-soa-name  name to insert in the SOA record if none set in the backend
 #
 # default-soa-name=a.misconfigured.powerdns.server
 
 #################################
-# default-ttl	Seconds a result is valid if not set otherwise
+# default-ttl Seconds a result is valid if not set otherwise
 #
 # default-ttl=3600
 
 #################################
-# default-zsk-algorithms	Default ZSK algorithms
+# default-zsk-algorithms  Default ZSK algorithms
 #
-# default-zsk-algorithms=rsasha256
+# default-zsk-algorithms=
 
 #################################
-# default-zsk-size	Default ZSK size (0 means default)
+# default-zsk-size  Default ZSK size (0 means default)
 #
 # default-zsk-size=0
 
 #################################
-# direct-dnskey	Fetch DNSKEY RRs from backend during DNSKEY synthesis
+# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
 #
 # direct-dnskey=no
 
 #################################
-# disable-axfr	Disable zonetransfers but do allow TCP queries
+# disable-axfr  Disable zonetransfers but do allow TCP queries
 #
 disable-axfr=no
 
 #################################
-# disable-axfr-rectify	Disable the rectify step during an outgoing AXFR. Only required for regression testing.
+# disable-axfr-rectify  Disable the rectify step during an outgoing AXFR. Only required for regression testing.
 #
 # disable-axfr-rectify=no
 
 #################################
-# disable-tcp	Do not listen to TCP queries
+# disable-syslog  Disable logging to syslog, useful when running inside a supervisor that logs stdout
 #
-# disable-tcp=no
+# disable-syslog=no
 
 #################################
-# distributor-threads	Default number of Distributor (backend) threads to start
+# disable-tcp Do not listen to TCP queries
 #
-# distributor-threads=3
+# disable-tcp=no
 
 #################################
-# do-ipv6-additional-processing	Do AAAA additional processing
+# distributor-threads Default number of Distributor (backend) threads to start
 #
-# do-ipv6-additional-processing=yes
+# distributor-threads=3
 
 #################################
-# edns-subnet-processing	If we should act on EDNS Subnet options
+# dname-processing  If we should support DNAME records
 #
-# edns-subnet-processing=no
+# dname-processing=no
 
 #################################
-# entropy-source	If set, read entropy from this file
+# dnssec-key-cache-ttl  Seconds to cache DNSSEC keys from the database
 #
-# entropy-source=/dev/urandom
+# dnssec-key-cache-ttl=30
 
 #################################
-# experimental-api-key	REST API Static authentication key (required for API use)
+# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
 #
-# experimental-api-key=
+# dnsupdate=no
 
 #################################
-# experimental-api-readonly	If the JSON API should disallow data modification
+# do-ipv6-additional-processing Do AAAA additional processing
 #
-# experimental-api-readonly=no
+# do-ipv6-additional-processing=yes
 
 #################################
-# experimental-dname-processing	If we should support DNAME records
+# domain-metadata-cache-ttl Seconds to cache domain metadata from the database
 #
-# experimental-dname-processing=no
+# domain-metadata-cache-ttl=60
 
 #################################
-# experimental-dnsupdate	Enable/Disable DNS update (RFC2136) support. Default is no.
+# edns-subnet-processing  If we should act on EDNS Subnet options
 #
-# experimental-dnsupdate=no
+# edns-subnet-processing=no
 
 #################################
-# experimental-json-interface	If the webserver should serve JSON data
+# entropy-source  If set, read entropy from this file
 #
-# experimental-json-interface=no
+# entropy-source=/dev/urandom
 
 #################################
-# experimental-logfile	Filename of the log file for JSON parser
+# experimental-lua-policy-script  Lua script for the policy engine
 #
-# experimental-logfile=/var/log/pdns.log
+# experimental-lua-policy-script=
 
 #################################
-# forward-dnsupdate	A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
+# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
 #
 # forward-dnsupdate=yes
 
 #################################
-# guardian	Run within a guardian process
+# guardian  Run within a guardian process
 #
 guardian=yes
 
 #################################
-# include-dir	Include *.conf files from this directory
+# include-dir Include *.conf files from this directory
 #
 # include-dir=
 include-dir=/etc/powerdns/pdns.d
 
 #################################
-# launch	Which backends to launch and order to query them in
+# launch  Which backends to launch and order to query them in
 #
 # launch=
-launch=gpgsql
+launch=
 
 #################################
-# load-modules	Load this module - supply absolute or relative path
+# load-modules  Load this module - supply absolute or relative path
 #
 # load-modules=
 
 #################################
-# local-address	Local IP addresses to which we bind
+# local-address Local IP addresses to which we bind
 #
 local-address=0.0.0.0
 
 #################################
-# local-address-nonexist-fail	Fail to start if one or more of the local-address's do not exist on this server
+# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
 #
 # local-address-nonexist-fail=yes
 
 #################################
-# local-ipv6	Local IP address to which we bind
+# local-ipv6  Local IP address to which we bind
 #
-# local-ipv6=
+# local-ipv6=::
 
 #################################
-# local-ipv6-nonexist-fail	Fail to start if one or more of the local-ipv6 addresses do not exist on this server
+# local-ipv6-nonexist-fail  Fail to start if one or more of the local-ipv6 addresses do not exist on this server
 #
 # local-ipv6-nonexist-fail=yes
 
 #################################
-# local-port	The port on which we listen
+# local-port  The port on which we listen
 #
 # local-port=53
 
 #################################
-# log-dns-details	If PDNS should log DNS non-erroneous details
+# log-dns-details If PDNS should log DNS non-erroneous details
 #
 # log-dns-details=no
 
 #################################
-# log-dns-queries	If PDNS should log all incoming DNS queries
+# log-dns-queries If PDNS should log all incoming DNS queries
 #
 # log-dns-queries=no
 
 #################################
-# logging-facility	Log under a specific facility
+# logging-facility  Log under a specific facility
 #
 # logging-facility=
 
 #################################
-# loglevel	Amount of logging. Higher is more. Do not set below 3
+# loglevel  Amount of logging. Higher is more. Do not set below 3
 #
 # loglevel=4
 
 #################################
-# lua-prequery-script	Lua script with prequery handler
+# lua-prequery-script Lua script with prequery handler (DO NOT USE)
 #
 # lua-prequery-script=
 
 #################################
-# master	Act as a master
+# master  Act as a master
 #
 master=yes
 
 #################################
-# max-cache-entries	Maximum number of cache entries
+# max-cache-entries Maximum number of cache entries
 #
 # max-cache-entries=1000000
 
 #################################
-# max-ent-entries	Maximum number of empty non-terminals in a zone
+# max-ent-entries Maximum number of empty non-terminals in a zone
 #
 # max-ent-entries=100000
 
 #################################
-# max-nsec3-iterations	Limit the number of NSEC3 hash iterations
+# max-nsec3-iterations  Limit the number of NSEC3 hash iterations
 #
 # max-nsec3-iterations=500
 
 #################################
-# max-queue-length	Maximum queuelength before considering situation lost
+# max-queue-length  Maximum queuelength before considering situation lost
 #
 # max-queue-length=5000
 
 #################################
-# max-signature-cache-entries	Maximum number of signatures cache entries
+# max-signature-cache-entries Maximum number of signatures cache entries
 #
 # max-signature-cache-entries=
 
 #################################
-# max-tcp-connections	Maximum number of TCP connections
+# max-tcp-connections Maximum number of TCP connections
 #
-# max-tcp-connections=10
+# max-tcp-connections=20
 
 #################################
-# module-dir	Default directory for modules
+# module-dir  Default directory for modules
 #
-# module-dir=/usr/lib/TRIPLET/pdns
+
 
 #################################
-# negquery-cache-ttl	Seconds to store negative query results in the QueryCache
+# negquery-cache-ttl  Seconds to store negative query results in the QueryCache
 #
 # negquery-cache-ttl=60
 
 #################################
-# no-shuffle	Set this to prevent random shuffling of answers - for regression testing
+# no-shuffle  Set this to prevent random shuffling of answers - for regression testing
 #
 # no-shuffle=off
 
 #################################
-# only-notify	Only send AXFR NOTIFY to these IP addresses or netmasks
+# non-local-bind  Enable binding to non-local addresses by using FREEBIND / BINDANY socket options
+#
+# non-local-bind=no
+
+#################################
+# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
 #
 # only-notify=0.0.0.0/0,::/0
 
 #################################
-# out-of-zone-additional-processing	Do out of zone additional processing
+# out-of-zone-additional-processing Do out of zone additional processing
 #
 # out-of-zone-additional-processing=yes
 
 #################################
-# overload-queue-length	Maximum queuelength moving to packetcache only
+# outgoing-axfr-expand-alias  Expand ALIAS records during outgoing AXFR
 #
-# overload-queue-length=0
+# outgoing-axfr-expand-alias=no
 
 #################################
-# pipebackend-abi-version	Version of the pipe backend ABI
+# overload-queue-length Maximum queuelength moving to packetcache only
 #
-# pipebackend-abi-version=1
+# overload-queue-length=0
 
 #################################
-# prevent-self-notification	Don't send notifications to what we think is ourself
+# prevent-self-notification Don't send notifications to what we think is ourself
 #
 # prevent-self-notification=yes
 
 #################################
-# query-cache-ttl	Seconds to store query results in the QueryCache
+# query-cache-ttl Seconds to store query results in the QueryCache
 #
 # query-cache-ttl=20
 
 #################################
-# query-local-address	Source IP address for sending queries
+# query-local-address Source IP address for sending queries
 #
 # query-local-address=0.0.0.0
 
 #################################
-# query-local-address6	Source IPv6 address for sending queries
+# query-local-address6  Source IPv6 address for sending queries
 #
 # query-local-address6=::
 
 #################################
-# query-logging	Hint backends that queries should be logged
+# query-logging Hint backends that queries should be logged
 #
 # query-logging=no
 
 #################################
-# queue-limit	Maximum number of milliseconds to queue a query
+# queue-limit Maximum number of milliseconds to queue a query
 #
 # queue-limit=1500
 
 #################################
-# receiver-threads	Default number of receiver threads to start
+# receiver-threads  Default number of receiver threads to start
 #
 # receiver-threads=1
 
 #################################
-# recursive-cache-ttl	Seconds to store packets for recursive queries in the PacketCache
+# recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache
 #
 # recursive-cache-ttl=10
 
 #################################
-# recursor	If recursion is desired, IP address of a recursing nameserver
+# recursor  If recursion is desired, IP address of a recursing nameserver
 #
 recursor=PDNS_RECURSOR_HOST:53
 
 #################################
-# retrieval-threads	Number of AXFR-retrieval threads for slave operation
+# retrieval-threads Number of AXFR-retrieval threads for slave operation
 #
 # retrieval-threads=2
 
 #################################
-# reuseport	Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
+# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
 #
 # reuseport=no
 
 #################################
-# security-poll-suffix	Domain name from which to query security update notifications
+# security-poll-suffix  Domain name from which to query security update notifications
 #
 # security-poll-suffix=secpoll.powerdns.com.
 
 #################################
-# send-root-referral	Send out old-fashioned root-referral instead of ServFail in case of no authority
-#
-# send-root-referral=no
-
-#################################
-# server-id	Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
+# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
 #
 # server-id=
 
 #################################
-# setgid	If set, change group id to this gid for more security
+# setgid  If set, change group id to this gid for more security
 #
 setgid=pdns
 
 #################################
-# setuid	If set, change user id to this uid for more security
+# setuid  If set, change user id to this uid for more security
 #
 setuid=pdns
 
 #################################
-# signing-threads	Default number of signer threads to start
+# signing-threads Default number of signer threads to start
 #
 # signing-threads=3
 
 #################################
-# slave	Act as a slave
+# slave Act as a slave
 #
 # slave=no
 
 #################################
-# slave-cycle-interval	Reschedule failed SOA serial checks once every .. seconds
+# slave-cycle-interval  Schedule slave freshness checks once every .. seconds
 #
 # slave-cycle-interval=60
 
 #################################
-# slave-renotify	If we should send out notifications for slaved updates
+# slave-renotify  If we should send out notifications for slaved updates
 #
 # slave-renotify=no
 
 #################################
-# soa-expire-default	Default SOA expire
+# soa-expire-default  Default SOA expire
 #
 # soa-expire-default=604800
 
 #################################
-# soa-minimum-ttl	Default SOA minimum ttl
+# soa-minimum-ttl Default SOA minimum ttl
 #
 # soa-minimum-ttl=3600
 
 #################################
-# soa-refresh-default	Default SOA refresh
+# soa-refresh-default Default SOA refresh
 #
 # soa-refresh-default=10800
 
 #################################
-# soa-retry-default	Default SOA retry
+# soa-retry-default Default SOA retry
 #
 # soa-retry-default=3600
 
 #################################
-# socket-dir	Where the controlsocket will live
+# socket-dir  Where the controlsocket will live, /var/run when unset and not chrooted
 #
-# socket-dir=/var/run
+# socket-dir=
 
 #################################
-# tcp-control-address	If set, PowerDNS can be controlled over TCP on this address
+# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
 #
 # tcp-control-address=
 
 #################################
-# tcp-control-port	If set, PowerDNS can be controlled over TCP on this address
+# tcp-control-port  If set, PowerDNS can be controlled over TCP on this address
 #
 # tcp-control-port=53000
 
 #################################
-# tcp-control-range	If set, remote control of PowerDNS is possible over these networks only
+# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
 #
 # tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
 
 #################################
-# tcp-control-secret	If set, PowerDNS can be controlled over TCP after passing this secret
+# tcp-control-secret  If set, PowerDNS can be controlled over TCP after passing this secret
 #
 # tcp-control-secret=
 
 #################################
-# traceback-handler	Enable the traceback handler (Linux only)
+# traceback-handler Enable the traceback handler (Linux only)
 #
 # traceback-handler=yes
 
 #################################
-# trusted-notification-proxy	IP address of incoming notification proxy
+# trusted-notification-proxy  IP address of incoming notification proxy
 #
 # trusted-notification-proxy=
 
 #################################
-# udp-truncation-threshold	Maximum UDP response size before we truncate
+# udp-truncation-threshold  Maximum UDP response size before we truncate
 #
 # udp-truncation-threshold=1680
 
 #################################
-# version-string	PowerDNS version in packets - full, anonymous, powerdns or custom
+# version-string  PowerDNS version in packets - full, anonymous, powerdns or custom
 #
 # version-string=full
 
 #################################
-# webserver	Start a webserver for monitoring
+# webserver Start a webserver for monitoring
 #
-# webserver=no
+webserver=yes
 
 #################################
-# webserver-address	IP Address of webserver to listen on
+# webserver-address IP Address of webserver to listen on
 #
-# webserver-address=127.0.0.1
+webserver-address=0.0.0.0
 
 #################################
-# webserver-allow-from	Webserver access is only allowed from these subnets
+# webserver-allow-from  Webserver access is only allowed from these subnets
 #
-# webserver-allow-from=0.0.0.0/0,::/0
+webserver-allow-from=0.0.0.0/0,::/0
 
 #################################
-# webserver-password	Password required for accessing the webserver
+# webserver-password  Password required for accessing the webserver
 #
-# webserver-password=
+webserver-password=PDNS_WEBSERVER_PASSWORD
 
 #################################
-# webserver-port	Port of webserver to listen on
+# webserver-port  Port of webserver to listen on
 #
-# webserver-port=8081
+webserver-port=80
 
 #################################
-# webserver-print-arguments	If the webserver should print arguments
+# webserver-print-arguments If the webserver should print arguments
 #
-# webserver-print-arguments=no
+webserver-print-arguments=yes
 
+#################################
+# write-pid Write a PID file
+#
+# write-pid=yes
 
+#################################
+# xfr-max-received-mbytes Maximum number of megabytes received from an incoming XFR
+#
+# xfr-max-received-mbytes=100

pdns/vars-vars

@@ -4,6 +4,8 @@ POSTGRES_PASSWORD
 POSTGRES_DB
 
 PDNS_RECURSOR_HOST
+PDNS_API_KEY
+PDNS_WEBSERVER_PASSWORD
 
 SESSION_KEY
 

poweradmin/vars-vars

@@ -4,6 +4,8 @@ POSTGRES_PASSWORD
 POSTGRES_DB
 
 PDNS_RECURSOR_HOST
+PDNS_API_KEY
+PDNS_WEBSERVER_PASSWORD
 
 SESSION_KEY