begin pdns

01_init.sql

@@ -1,95 +0,0 @@
-CREATE TABLE domains (
-  id                    SERIAL PRIMARY KEY,
-  name                  VARCHAR(255) NOT NULL,
-  master                VARCHAR(128) DEFAULT NULL,
-  last_check            INT DEFAULT NULL,
-  type                  VARCHAR(6) NOT NULL,
-  notified_serial       INT DEFAULT NULL,
-  account               VARCHAR(40) DEFAULT NULL,
-  CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
-);
-
-CREATE UNIQUE INDEX name_index ON domains(name);
-
-
-CREATE TABLE records (
-  id                    SERIAL PRIMARY KEY,
-  domain_id             INT DEFAULT NULL,
-  name                  VARCHAR(255) DEFAULT NULL,
-  type                  VARCHAR(10) DEFAULT NULL,
-  content               VARCHAR(65535) DEFAULT NULL,
-  ttl                   INT DEFAULT NULL,
-  prio                  INT DEFAULT NULL,
-  change_date           INT DEFAULT NULL,
-  disabled              BOOL DEFAULT 'f',
-  ordername             VARCHAR(255),
-  auth                  BOOL DEFAULT 't',
-  CONSTRAINT domain_exists
-  FOREIGN KEY(domain_id) REFERENCES domains(id)
-  ON DELETE CASCADE,
-  CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
-);
-
-CREATE INDEX rec_name_index ON records(name);
-CREATE INDEX nametype_index ON records(name,type);
-CREATE INDEX domain_id ON records(domain_id);
-CREATE INDEX recordorder ON records (domain_id, ordername text_pattern_ops);
-
-
-CREATE TABLE supermasters (
-  ip                    INET NOT NULL,
-  nameserver            VARCHAR(255) NOT NULL,
-  account               VARCHAR(40) NOT NULL,
-  PRIMARY KEY(ip, nameserver)
-);
-
-
-CREATE TABLE comments (
-  id                    SERIAL PRIMARY KEY,
-  domain_id             INT NOT NULL,
-  name                  VARCHAR(255) NOT NULL,
-  type                  VARCHAR(10) NOT NULL,
-  modified_at           INT NOT NULL,
-  account               VARCHAR(40) DEFAULT NULL,
-  comment               VARCHAR(65535) NOT NULL,
-  CONSTRAINT domain_exists
-  FOREIGN KEY(domain_id) REFERENCES domains(id)
-  ON DELETE CASCADE,
-  CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
-);
-
-CREATE INDEX comments_domain_id_idx ON comments (domain_id);
-CREATE INDEX comments_name_type_idx ON comments (name, type);
-CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);
-
-
-CREATE TABLE domainmetadata (
-  id                    SERIAL PRIMARY KEY,
-  domain_id             INT REFERENCES domains(id) ON DELETE CASCADE,
-  kind                  VARCHAR(32),
-  content               TEXT
-);
-
-CREATE INDEX domainidmetaindex ON domainmetadata(domain_id);
-
-
-CREATE TABLE cryptokeys (
-  id                    SERIAL PRIMARY KEY,
-  domain_id             INT REFERENCES domains(id) ON DELETE CASCADE,
-  flags                 INT NOT NULL,
-  active                BOOL,
-  content               TEXT
-);
-
-CREATE INDEX domainidindex ON cryptokeys(domain_id);
-
-
-CREATE TABLE tsigkeys (
-  id                    SERIAL PRIMARY KEY,
-  name                  VARCHAR(255),
-  algorithm             VARCHAR(50),
-  secret                VARCHAR(255),
-  CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
-);
-
-CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);

docker-compose.yml

@@ -27,17 +27,17 @@ services:
         env_file:
             - env
 
-#    pdns:
-#        build: ./pdns
-#        container_name: pdns-pdns
-#        networks:
-#            pdns.internal.docker:
-#                aliases:
-#                    - pdns.pdns.internal.docker
-#        ports:
-#            - "0.0.0.0:53:53/udp"
-#        env_file:
-#            - env
+    pdns:
+        build: ./pdns
+        container_name: pdns-pdns
+        networks:
+            pdns.internal.docker:
+                aliases:
+                    - pdns.pdns.internal.docker
+        ports:
+            - "0.0.0.0:53:53/udp"
+        env_file:
+            - env
 #
 #    pdns-recursor:
 #      build: ./pdns-recursor

pdns/Dockerfile

@@ -0,0 +1,32 @@
+FROM debian:jessie
+
+MAINTAINER Robin Thoni <robin@rthoni.com>
+
+COPY ./preseed.txt /tmp/preseed.txt
+
+RUN debconf-set-selections /tmp/preseed.txt
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update &&\
+    apt-get install -y pdns-server pdns-backend-pgsql rsyslog &&\
+    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN rm -rf /etc/powerdns/*
+
+RUN rm -rf /var/log/* &&\
+    mkfifo /var/log/mail.info &&\
+    ln -s /dev/null /var/log/mail.log &&\
+    ln -s /dev/stderr /var/log/mail.err &&\
+    ln -s /dev/null /var/log/syslog &&\
+    ln -s /dev/null /var/log/messages
+
+COPY ./config/ /etc/powerdns/
+
+COPY ./vars-vars /etc/vars-vars
+
+COPY ./vars-files /etc/vars-files
+
+COPY ./run.sh /run.sh
+
+EXPOSE 53/udp
+
+CMD ["/run.sh"]

pdns/config/pdns.conf

@@ -0,0 +1,518 @@
+#################################
+# allow-axfr-ips	Allow zonetransfers only to these subnets
+#
+allow-axfr-ips=10.15.42.0/24
+
+#################################
+# allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
+#
+# allow-dnsupdate-from=127.0.0.0/8,::1
+
+#################################
+# allow-recursion	List of subnets that are allowed to recurse
+#
+allow-recursion=178.170.0.0/16,127.0.0.1,213.246.52.61,52.28.227.93,52.58.80.7,10.15.42.0/24,10.8.0.0/24
+
+#################################
+# also-notify	When notifying a domain, also notify these nameservers
+#
+also-notify=10.15.42.6,10.15.42.15,10.15.42.16,10.15.42.17,10.15.42.18
+
+#################################
+# any-to-tcp	Answer ANY queries with tc=1, shunting to TCP
+#
+# any-to-tcp=no
+
+#################################
+# cache-ttl	Seconds to store packets in the PacketCache
+#
+# cache-ttl=20
+
+#################################
+# carbon-interval	Number of seconds between carbon (graphite) updates
+#
+# carbon-interval=30
+
+#################################
+# carbon-ourname	If set, overrides our reported hostname for carbon stats
+#
+# carbon-ourname=
+
+#################################
+# carbon-server	If set, send metrics in carbon (graphite) format to this server
+#
+# carbon-server=
+
+#################################
+# chroot	If set, chroot to this directory for more security
+#
+# chroot=
+
+#################################
+# config-dir	Location of configuration directory (pdns.conf)
+#
+config-dir=/etc/powerdns
+
+#################################
+# config-name	Name of this virtual configuration - will rename the binary image
+#
+# config-name=
+
+#################################
+# control-console	Debugging switch - don't use
+#
+# control-console=no
+
+#################################
+# daemon	Operate as a daemon
+#
+daemon=yes
+
+#################################
+# default-ksk-algorithms	Default KSK algorithms
+#
+# default-ksk-algorithms=rsasha256
+
+#################################
+# default-ksk-size	Default KSK size (0 means default)
+#
+# default-ksk-size=0
+
+#################################
+# default-soa-mail	mail address to insert in the SOA record if none set in the backend
+#
+# default-soa-mail=
+
+#################################
+# default-soa-name	name to insert in the SOA record if none set in the backend
+#
+# default-soa-name=a.misconfigured.powerdns.server
+
+#################################
+# default-ttl	Seconds a result is valid if not set otherwise
+#
+# default-ttl=3600
+
+#################################
+# default-zsk-algorithms	Default ZSK algorithms
+#
+# default-zsk-algorithms=rsasha256
+
+#################################
+# default-zsk-size	Default ZSK size (0 means default)
+#
+# default-zsk-size=0
+
+#################################
+# direct-dnskey	Fetch DNSKEY RRs from backend during DNSKEY synthesis
+#
+# direct-dnskey=no
+
+#################################
+# disable-axfr	Disable zonetransfers but do allow TCP queries
+#
+disable-axfr=no
+
+#################################
+# disable-axfr-rectify	Disable the rectify step during an outgoing AXFR. Only required for regression testing.
+#
+# disable-axfr-rectify=no
+
+#################################
+# disable-tcp	Do not listen to TCP queries
+#
+# disable-tcp=no
+
+#################################
+# distributor-threads	Default number of Distributor (backend) threads to start
+#
+# distributor-threads=3
+
+#################################
+# do-ipv6-additional-processing	Do AAAA additional processing
+#
+# do-ipv6-additional-processing=yes
+
+#################################
+# edns-subnet-processing	If we should act on EDNS Subnet options
+#
+# edns-subnet-processing=no
+
+#################################
+# entropy-source	If set, read entropy from this file
+#
+# entropy-source=/dev/urandom
+
+#################################
+# experimental-api-key	REST API Static authentication key (required for API use)
+#
+# experimental-api-key=
+
+#################################
+# experimental-api-readonly	If the JSON API should disallow data modification
+#
+# experimental-api-readonly=no
+
+#################################
+# experimental-dname-processing	If we should support DNAME records
+#
+# experimental-dname-processing=no
+
+#################################
+# experimental-dnsupdate	Enable/Disable DNS update (RFC2136) support. Default is no.
+#
+# experimental-dnsupdate=no
+
+#################################
+# experimental-json-interface	If the webserver should serve JSON data
+#
+# experimental-json-interface=no
+
+#################################
+# experimental-logfile	Filename of the log file for JSON parser
+#
+# experimental-logfile=/var/log/pdns.log
+
+#################################
+# forward-dnsupdate	A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
+#
+# forward-dnsupdate=yes
+
+#################################
+# guardian	Run within a guardian process
+#
+guardian=yes
+
+#################################
+# include-dir	Include *.conf files from this directory
+#
+# include-dir=
+include-dir=/etc/powerdns/pdns.d
+
+#################################
+# launch	Which backends to launch and order to query them in
+#
+# launch=
+launch=gpgsql
+
+#################################
+# load-modules	Load this module - supply absolute or relative path
+#
+# load-modules=
+
+#################################
+# local-address	Local IP addresses to which we bind
+#
+local-address=0.0.0.0
+
+#################################
+# local-address-nonexist-fail	Fail to start if one or more of the local-address's do not exist on this server
+#
+# local-address-nonexist-fail=yes
+
+#################################
+# local-ipv6	Local IP address to which we bind
+#
+# local-ipv6=
+
+#################################
+# local-ipv6-nonexist-fail	Fail to start if one or more of the local-ipv6 addresses do not exist on this server
+#
+# local-ipv6-nonexist-fail=yes
+
+#################################
+# local-port	The port on which we listen
+#
+# local-port=53
+
+#################################
+# log-dns-details	If PDNS should log DNS non-erroneous details
+#
+# log-dns-details=no
+
+#################################
+# log-dns-queries	If PDNS should log all incoming DNS queries
+#
+# log-dns-queries=no
+
+#################################
+# logging-facility	Log under a specific facility
+#
+# logging-facility=
+
+#################################
+# loglevel	Amount of logging. Higher is more. Do not set below 3
+#
+# loglevel=4
+
+#################################
+# lua-prequery-script	Lua script with prequery handler
+#
+# lua-prequery-script=
+
+#################################
+# master	Act as a master
+#
+master=yes
+
+#################################
+# max-cache-entries	Maximum number of cache entries
+#
+# max-cache-entries=1000000
+
+#################################
+# max-ent-entries	Maximum number of empty non-terminals in a zone
+#
+# max-ent-entries=100000
+
+#################################
+# max-nsec3-iterations	Limit the number of NSEC3 hash iterations
+#
+# max-nsec3-iterations=500
+
+#################################
+# max-queue-length	Maximum queuelength before considering situation lost
+#
+# max-queue-length=5000
+
+#################################
+# max-signature-cache-entries	Maximum number of signatures cache entries
+#
+# max-signature-cache-entries=
+
+#################################
+# max-tcp-connections	Maximum number of TCP connections
+#
+# max-tcp-connections=10
+
+#################################
+# module-dir	Default directory for modules
+#
+# module-dir=/usr/lib/TRIPLET/pdns
+
+#################################
+# negquery-cache-ttl	Seconds to store negative query results in the QueryCache
+#
+# negquery-cache-ttl=60
+
+#################################
+# no-shuffle	Set this to prevent random shuffling of answers - for regression testing
+#
+# no-shuffle=off
+
+#################################
+# only-notify	Only send AXFR NOTIFY to these IP addresses or netmasks
+#
+# only-notify=0.0.0.0/0,::/0
+
+#################################
+# out-of-zone-additional-processing	Do out of zone additional processing
+#
+# out-of-zone-additional-processing=yes
+
+#################################
+# overload-queue-length	Maximum queuelength moving to packetcache only
+#
+# overload-queue-length=0
+
+#################################
+# pipebackend-abi-version	Version of the pipe backend ABI
+#
+# pipebackend-abi-version=1
+
+#################################
+# prevent-self-notification	Don't send notifications to what we think is ourself
+#
+# prevent-self-notification=yes
+
+#################################
+# query-cache-ttl	Seconds to store query results in the QueryCache
+#
+# query-cache-ttl=20
+
+#################################
+# query-local-address	Source IP address for sending queries
+#
+# query-local-address=0.0.0.0
+
+#################################
+# query-local-address6	Source IPv6 address for sending queries
+#
+# query-local-address6=::
+
+#################################
+# query-logging	Hint backends that queries should be logged
+#
+# query-logging=no
+
+#################################
+# queue-limit	Maximum number of milliseconds to queue a query
+#
+# queue-limit=1500
+
+#################################
+# receiver-threads	Default number of receiver threads to start
+#
+# receiver-threads=1
+
+#################################
+# recursive-cache-ttl	Seconds to store packets for recursive queries in the PacketCache
+#
+# recursive-cache-ttl=10
+
+#################################
+# recursor	If recursion is desired, IP address of a recursing nameserver
+#
+recursor=127.0.0.1:54
+
+#################################
+# retrieval-threads	Number of AXFR-retrieval threads for slave operation
+#
+# retrieval-threads=2
+
+#################################
+# reuseport	Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
+#
+# reuseport=no
+
+#################################
+# security-poll-suffix	Domain name from which to query security update notifications
+#
+# security-poll-suffix=secpoll.powerdns.com.
+
+#################################
+# send-root-referral	Send out old-fashioned root-referral instead of ServFail in case of no authority
+#
+# send-root-referral=no
+
+#################################
+# server-id	Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
+#
+# server-id=
+
+#################################
+# setgid	If set, change group id to this gid for more security
+#
+setgid=pdns
+
+#################################
+# setuid	If set, change user id to this uid for more security
+#
+setuid=pdns
+
+#################################
+# signing-threads	Default number of signer threads to start
+#
+# signing-threads=3
+
+#################################
+# slave	Act as a slave
+#
+# slave=no
+
+#################################
+# slave-cycle-interval	Reschedule failed SOA serial checks once every .. seconds
+#
+# slave-cycle-interval=60
+
+#################################
+# slave-renotify	If we should send out notifications for slaved updates
+#
+# slave-renotify=no
+
+#################################
+# soa-expire-default	Default SOA expire
+#
+# soa-expire-default=604800
+
+#################################
+# soa-minimum-ttl	Default SOA minimum ttl
+#
+# soa-minimum-ttl=3600
+
+#################################
+# soa-refresh-default	Default SOA refresh
+#
+# soa-refresh-default=10800
+
+#################################
+# soa-retry-default	Default SOA retry
+#
+# soa-retry-default=3600
+
+#################################
+# socket-dir	Where the controlsocket will live
+#
+# socket-dir=/var/run
+
+#################################
+# tcp-control-address	If set, PowerDNS can be controlled over TCP on this address
+#
+# tcp-control-address=
+
+#################################
+# tcp-control-port	If set, PowerDNS can be controlled over TCP on this address
+#
+# tcp-control-port=53000
+
+#################################
+# tcp-control-range	If set, remote control of PowerDNS is possible over these networks only
+#
+# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
+
+#################################
+# tcp-control-secret	If set, PowerDNS can be controlled over TCP after passing this secret
+#
+# tcp-control-secret=
+
+#################################
+# traceback-handler	Enable the traceback handler (Linux only)
+#
+# traceback-handler=yes
+
+#################################
+# trusted-notification-proxy	IP address of incoming notification proxy
+#
+# trusted-notification-proxy=
+
+#################################
+# udp-truncation-threshold	Maximum UDP response size before we truncate
+#
+# udp-truncation-threshold=1680
+
+#################################
+# version-string	PowerDNS version in packets - full, anonymous, powerdns or custom
+#
+# version-string=full
+
+#################################
+# webserver	Start a webserver for monitoring
+#
+# webserver=no
+
+#################################
+# webserver-address	IP Address of webserver to listen on
+#
+# webserver-address=127.0.0.1
+
+#################################
+# webserver-allow-from	Webserver access is only allowed from these subnets
+#
+# webserver-allow-from=0.0.0.0/0,::/0
+
+#################################
+# webserver-password	Password required for accessing the webserver
+#
+# webserver-password=
+
+#################################
+# webserver-port	Port of webserver to listen on
+#
+# webserver-port=8081
+
+#################################
+# webserver-print-arguments	If the webserver should print arguments
+#
+# webserver-print-arguments=no
+
+

pdns/config/pdns.d/pdns.local.gpgsql.conf

@@ -0,0 +1,12 @@
+# PostgreSQL Configuration
+#
+# Launch gpgsql backend
+launch+=gpgsql
+
+# gpgsql parameters
+gpgsql-host=POSTGRES_HOST
+gpgsql-port=
+gpgsql-dbname=POSTGRES_DB
+gpgsql-user=POSTGRES_USER
+gpgsql-password=POSTGRES_PASSWORD
+gpgsql-dnssec=yes

pdns/preseed.txt

@@ -0,0 +1,28 @@
+pdns-backend-pgsql  pdns-backend-pgsql/app-password-confirm password  
+pdns-backend-pgsql  pdns-backend-pgsql/password-confirm password  
+pdns-backend-pgsql  pdns-backend-pgsql/pgsql/admin-pass password  
+pdns-backend-pgsql  pdns-backend-pgsql/pgsql/app-pass password  
+pdns-backend-pgsql  pdns-backend-pgsql/dbconfig-upgrade boolean true
+pdns-backend-pgsql  pdns-backend-pgsql/remote/port  string  
+pdns-backend-pgsql  pdns-backend-pgsql/dbconfig-reinstall boolean false
+pdns-backend-pgsql  pdns-backend-pgsql/pgsql/authmethod-user  select  
+pdns-backend-pgsql  pdns-backend-pgsql/purge  boolean false
+pdns-backend-pgsql  pdns-backend-pgsql/upgrade-error  select  abort
+pdns-backend-pgsql  pdns-backend-pgsql/dbconfig-install boolean false
+pdns-backend-pgsql  pdns-backend-pgsql/db/app-user  string  pdns
+pdns-backend-pgsql  pdns-backend-pgsql/remote/newhost string  
+pdns-backend-pgsql  pdns-backend-pgsql/pgsql/manualconf note  
+pdns-backend-pgsql  pdns-backend-pgsql/remote/host  select  
+pdns-backend-pgsql  pdns-backend-pgsql/pgsql/admin-user string  postgres
+pdns-backend-pgsql  pdns-backend-pgsql/database-type  select  pgsql
+pdns-backend-pgsql  pdns-backend-pgsql/upgrade-backup boolean true
+pdns-backend-pgsql  pdns-backend-pgsql/internal/skip-preseed  boolean true
+pdns-backend-pgsql  pdns-backend-pgsql/remove-error select  abort
+pdns-backend-pgsql  pdns-backend-pgsql/missing-db-package-error select  abort
+pdns-backend-pgsql  pdns-backend-pgsql/pgsql/changeconf boolean false
+pdns-backend-pgsql  pdns-backend-pgsql/dbconfig-remove  boolean 
+pdns-backend-pgsql  pdns-backend-pgsql/pgsql/method select  unix socket
+pdns-backend-pgsql  pdns-backend-pgsql/pgsql/authmethod-admin select  ident
+pdns-backend-pgsql  pdns-backend-pgsql/install-error  select  abort
+pdns-backend-pgsql  pdns-backend-pgsql/internal/reconfiguring boolean false
+pdns-backend-pgsql  pdns-backend-pgsql/db/dbname  string  pdns

pdns/run.sh

@@ -0,0 +1,34 @@
+#! /usr/bin/env bash
+
+replace_var()
+{
+  file="${1}"
+  var="${2}"
+  sed -e "s?${var}?${!var}?g" -i "${file}"
+}
+
+replace_vars()
+{
+  file="${1}"
+  for var in $(cat /etc/vars-vars)
+  do
+    replace_var "${file}" "${var}"
+  done
+}
+
+replace_files()
+{
+  for file in $(cat /etc/vars-files)
+  do
+    replace_vars "${file}"
+  done
+}
+
+replace_files
+
+
+rm -f /var/run/rsyslogd.pid
+service rsyslog start &&
+service pdns start &&
+
+sleep 3600

pdns/vars-files

@@ -0,0 +1 @@
+/etc/powerdns/pdns.d/pdns.local.gpgsql.conf