dns02.smr.dev

Welcome to dns02.smr.dev, the secondary authoritative server for smr.dev

Initial configuration

This server is running bind9 with the following initial configuration:

/etc/bind/keys/smr.dev/rndc.key

To receive updates via zone transfers, the transfer (TSIG) key shared with the primary must be imported.

The key was generated on the primary server with the following command:

/usr/sbin/rndc-confgen -a -c /etc/bind/keys/smr.dev/transfer.key -k smr.dev.tsig

The key has the following content:

key "smr.dev.tsig" {
        algorithm hmac-sha256;
        secret "<redacted>";
};

/etc/bind/named.conf

The following changes have been made to the default file:

// include "/etc/bind/named.conf.options";
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;
        recursion no;
        allow-transfer { none; };
        listen-on-v6 { any; };
};

include "/etc/bind/named.conf.local";

/etc/bind/named.conf.local

include "/etc/bind/keys/smr.dev/transfer.key";

dnssec-policy "ksk-zsk" {
	keys {
		ksk lifetime unlimited algorithm rsasha256 4096;
		zsk lifetime P60D algorithm rsasha256 1024;
	};
};

zone "smr.dev" in {
	type slave;
	file "/etc/bind/db.smr.dev";
	key-directory "/etc/bind/keys/smr.dev";
	dnssec-policy "ksk-zsk";
	inline-signing yes;
	primaries { 144.24.245.91 key "smr.dev.tsig"; };
};

/etc/bind/db.smr.dev

The initial records file for the zone contains the following entries:

$TTL 60	; 1 minute
smr.dev. IN SOA dns01.smr.dev. root.smr.dev. (
	1 ; serial
	60 ; refresh (1 minute)
	60 ; retry (1 minute)
	60 ; expire (1 minute)
	60 ; minimum (1 minute)
)
@	60	IN	NS	dns01.smr.dev.
@	60	IN	NS	dns02.smr.dev.
dns01	60	IN	A	144.24.245.91
dns02	60	IN	A	152.67.79.172

First startup

Before starting the container, it may be necessary to stop the local resolver daemon (systemd-resolved) that listens on the DNS port (53):

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved

The docker image can then be pulled and the container started:

docker image pull ubuntu/bind9:latest
docker run \
	--detach \
	--name bind9 \
	--restart always \
	--publish 53:53/tcp --publish 53:53/udp --publish 953:953/tcp \
	--volume /opt/bind9/etc/bind:/etc/bind \
	--volume /opt/bind9/var/lib/bind:/var/lib/bind \
	--volume /opt/bind9/var/cache/bind:/var/cache/bind \
	ubuntu/bind9:latest

KSK and ZSK

Since automatic signing has been enabled (inline-signing), the server signs the zone records with the asymmetric KSK and ZSK keys kept in the key directory.
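As an added example that is not part of this page's configuration, the following script runs a few defender-side sanity checks over a named.conf fragment like the one above: recursion must be off, allow-transfer must be none, every primary must be paired with a TSIG key, and RSA keys in the dnssec-policy must be at least 2048 bits. It uses a simplistic regex scan, not BIND's parser, and the embedded configuration is a constructed copy of this page's stanzas.

```python
import re

# Constructed sample: options, dnssec-policy and zone stanzas from this page.
SAMPLE_CONF = """\
options {
        recursion no;
        allow-transfer { none; };
};
dnssec-policy "ksk-zsk" {
	keys {
		ksk lifetime unlimited algorithm rsasha256 4096;
		zsk lifetime P60D algorithm rsasha256 1024;
	};
};
zone "smr.dev" in {
	type slave;
	primaries { 144.24.245.91 key "smr.dev.tsig"; };
};
"""

MIN_RSA_BITS = 2048  # RSA keys shorter than this are widely regarded as too weak

def strip_comments(text):
    # Remove //, # and /* */ comments (naive: does not understand quoted strings).
    return re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", text, flags=re.S)

def check_secondary_config(conf):
    """Return a list of finding strings for a secondary-server named.conf."""
    conf = strip_comments(conf)
    findings = []
    if re.search(r"\brecursion\s+yes\s*;", conf):
        findings.append("recursion enabled on an authoritative server")
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", conf)
    if m is None or "none" not in m.group(1):
        findings.append("allow-transfer is not restricted to none")
    # dnssec-policy key lines: "<ksk|zsk|csk> ... algorithm <alg> [bits];"
    key_re = r"\b(ksk|zsk|csk)\b[^;]*?algorithm\s+(\w+)\s*(\d*)\s*;"
    for kind, alg, bits in re.findall(key_re, conf):
        if alg.lower().startswith("rsa") and bits and int(bits) < MIN_RSA_BITS:
            findings.append(f"{kind} {alg} {bits}-bit key is below {MIN_RSA_BITS} bits")
    # Every primary should be paired with a TSIG key, as on this page.
    for prim in re.findall(r"primaries\s*\{([^}]*)\}", conf):
        for entry in (e.strip() for e in prim.split(";")):
            if entry and "key" not in entry:
                findings.append(f"primary {entry.split()[0]} has no TSIG key")
    return findings

if __name__ == "__main__":
    for f in check_secondary_config(SAMPLE_CONF):
        print("WARNING:", f)
```

Against the page's own stanzas the only warning is the 1024-bit RSA ZSK; weakening the sample (recursion yes, allow-transfer any, no key on the primary) produces one finding per change.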

This completes the configuration of the secondary DNS server.