Add setup.sh script to create initial records in primary dns #3

Closed


@humphd humphd commented Nov 27, 2022

Fixes #2.

This isn't complete yet, but I made more progress, and now it can create all the necessary records. The replication to the secondary DNS is sort-of working, but I get an error.

To test this, do the following:

First, running the three containers together:

$ docker-compose up
[+] Running 4/4
 ⠿ Network starchart_private_net  Created                                                                                        0.0s
 ⠿ Container secondary            Created                                                                                        0.0s
 ⠿ Container web                  Created                                                                                        0.0s
 ⠿ Container primary              Created                                                                                        0.0s
Attaching to primary, secondary, web
web        | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
web        | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
web        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
web        | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
web        | 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
web        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
web        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
web        | /docker-entrypoint.sh: Configuration complete; ready for start up
web        | 2022/11/27 02:36:43 [notice] 1#1: using the "epoll" event method
web        | 2022/11/27 02:36:43 [notice] 1#1: nginx/1.20.2
web        | 2022/11/27 02:36:43 [notice] 1#1: built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424)
web        | 2022/11/27 02:36:43 [notice] 1#1: OS: Linux 5.15.49-linuxkit
web        | 2022/11/27 02:36:43 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker processes
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker process 32
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker process 33
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker process 34
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker process 35
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker process 36
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker process 37
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker process 38
web        | 2022/11/27 02:36:43 [notice] 1#1: start worker process 39
primary    | Nov 27 02:36:43 Loading '/usr/local/lib/pdns/libgsqlite3backend.so'
primary    | Nov 27 02:36:43 This is a standalone pdns
primary    | Nov 27 02:36:43 Listening on controlsocket in '/var/run/pdns/pdns.controlsocket'
primary    | Nov 27 02:36:43 UDP server bound to 10.5.0.20:53
primary    | Nov 27 02:36:43 TCP server bound to 10.5.0.20:53
primary    | Nov 27 02:36:43 PowerDNS Authoritative Server 4.7.2 (C) 2001-2022 PowerDNS.COM BV
primary    | Nov 27 02:36:43 Using 64-bits mode. Built using gcc 10.2.1 20210110 on Nov  2 2022 08:26:10 by root@52b1d43e0211.
primary    | Nov 27 02:36:43 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
primary    | Nov 27 02:36:43 [webserver] Listening for HTTP requests on 10.5.0.20:8081
secondary  | Nov 27 02:36:43 Loading '/usr/local/lib/pdns/libgsqlite3backend.so'
secondary  | Nov 27 02:36:43 This is a standalone pdns
secondary  | Nov 27 02:36:43 Listening on controlsocket in '/var/run/pdns/pdns.controlsocket'
secondary  | Nov 27 02:36:43 UDP server bound to 10.5.0.80:53
secondary  | Nov 27 02:36:43 TCP server bound to 10.5.0.80:53
secondary  | Nov 27 02:36:43 PowerDNS Authoritative Server 4.7.2 (C) 2001-2022 PowerDNS.COM BV
secondary  | Nov 27 02:36:43 Using 64-bits mode. Built using gcc 10.2.1 20210110 on Nov  2 2022 08:26:10 by root@52b1d43e0211.
secondary  | Nov 27 02:36:43 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
primary    | Nov 27 02:36:43 Polled security status of version 4.7.2 at startup, no known issues reported: OK
secondary  | Nov 27 02:36:43 [webserver] Listening for HTTP requests on 10.5.0.80:8081
secondary  | Nov 27 02:36:43 Polled security status of version 4.7.2 at startup, no known issues reported: OK
primary    | Nov 27 02:36:43 Creating backend connection for TCP
primary    | Nov 27 02:36:43 Primary/secondary communicator launching
primary    | Nov 27 02:36:43 About to create 3 backend threads for UDP
secondary  | Nov 27 02:36:43 Primary/secondary communicator launching
secondary  | Nov 27 02:36:43 Creating backend connection for TCP
secondary  | Nov 27 02:36:43 About to create 3 backend threads for UDP
primary    | Nov 27 02:36:44 Done launching threads, ready to distribute questions
secondary  | Nov 27 02:36:44 Done launching threads, ready to distribute questions

Next, in a second shell, run the setup.sh script on the primary DNS container:

$ docker exec -it primary /home/pdns/setup.sh
Creating empty zone 'starchart.com'
New rrset:
starchart.com. 3600 IN NS ns2.starchart.com
New rrset:
starchart.com. 3600 IN NS ns2.starchart.com
starchart.com. 3600 IN NS ns1.starchart.com
New rrset:
ns1.starchart.com. 3600 IN A 10.5.0.20
New rrset:
ns2.starchart.com. 3600 IN A 10.5.0.80
New rrset:
www.starchart.com. 3600 IN A 10.5.0.100
Current records for starchart.com IN SOA will be replaced
New rrset:
starchart.com. 3600 IN SOA ns1.starchart.com mail.domain.com 1 10800 3600 604800 3600
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone starchart.com secured
Adding NSEC ordering information for zone 'starchart.com', 4 updates
SOA serial for zone starchart.com set to 2
Added to queue
Checked 6 records of 'starchart.com', 0 errors, 0 warnings.
Checked 1 zones, 0 had errors.
$ORIGIN .
ns1.starchart.com	3600	IN	A	10.5.0.20
ns2.starchart.com	3600	IN	A	10.5.0.80
starchart.com	3600	IN	NS	ns2.starchart.com.
starchart.com	3600	IN	NS	ns1.starchart.com.
starchart.com	3600	IN	SOA	ns1.starchart.com mail.domain.com 2 10800 3600 604800 3600
www.starchart.com	3600	IN	A	10.5.0.100

Notice the logs in the primary and secondary DNS containers as this happens:

primary    | Nov 27 02:37:58 Notification request for zone 'starchart.com' received from operator
secondary  | Nov 27 02:37:59 Received NOTIFY for starchart.com from 10.5.0.20 for which we are not authoritative, trying supermaster
secondary  | Nov 27 02:38:00 Error resolving SOA or NS for starchart.com at: 10.5.0.20: Query to '10.5.0.20' for SOA of 'starchart.com' produced no answers

So it's seeing the primary is notifying the secondary, and it tries to get the details, but 10.5.0.20 doesn't respond to the query for some reason.

I suspect it's something to do with PowerDNS not being the DNS running on that instance (i.e., my Docker host is likely providing the DNS instead). I'm not sure how to override.


humphd commented Nov 27, 2022

Doing some more debugging:

/ # dig @10.5.0.20 starchart.com

; <<>> DiG 9.16.33 <<>> @10.5.0.20 starchart.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61456
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;starchart.com.			IN	A

;; Query time: 3 msec
;; SERVER: 10.5.0.20#53(10.5.0.20)
;; WHEN: Sun Nov 27 16:54:22 UTC 2022
;; MSG SIZE  rcvd: 42

Based on status: REFUSED and WARNING: recursion requested but not available, I think my issue is that I need the Recursor running in addition to the Authoritative server, see https://doc.powerdns.com/authoritative/guides/recursion.html.


humphd commented Nov 27, 2022

Actually, I think it's working. Here I can get the IP for www.starchart.com:

# dig @10.5.0.20 www.starchart.com

; <<>> DiG 9.16.33 <<>> @10.5.0.20 www.starchart.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18321
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.starchart.com.		IN	A

;; ANSWER SECTION:
www.starchart.com.	3600	IN	A	10.5.0.100

;; Query time: 9 msec
;; SERVER: 10.5.0.20#53(10.5.0.20)
;; WHEN: Sun Nov 27 17:09:22 UTC 2022
;; MSG SIZE  rcvd: 62

Also:

/ # nslookup www.starchart.com
Server:		127.0.0.11
Address:	127.0.0.11#53

Name:	www.starchart.com
Address: 10.5.0.100

And, I can get the web page from the nginx container via the domain name:

# curl http://www.starchart.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

To make this work, I had to alter the web container's DNS like so:

  web-server:
    container_name: web
    image: nginx:stable-alpine
    expose:
      - "80"
    dns:
      # Use the primary dns server
      - 10.5.0.20
      - 8.8.8.8
    networks:
      private_net:
        ipv4_address: 10.5.0.100

I then did the following so I had the proper network access and tools within the web container:

$ docker exec -it web /bin/sh
/ # apk add bind-tools
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/aarch64/APKINDEX.tar.gz
(1/11) Installing fstrm (0.6.1-r0)
(2/11) Installing krb5-conf (1.0-r2)
(3/11) Installing libcom_err (1.46.2-r0)
(4/11) Installing keyutils-libs (1.6.3-r0)
(5/11) Installing libverto (0.3.2-r0)
(6/11) Installing krb5-libs (1.18.5-r0)
(7/11) Installing json-c (0.15-r1)
(8/11) Installing protobuf-c (1.3.3-r6)
(9/11) Installing libuv (1.41.0-r0)
(10/11) Installing bind-libs (9.16.33-r0)
(11/11) Installing bind-tools (9.16.33-r0)
Executing busybox-1.33.1-r6.trigger
OK: 30 MiB in 53 packages

Then I could experiment with the domains.

If I switch the DNS so it uses the secondary (10.5.0.80) instead, it can't get the record (i.e., it hasn't replicated to the secondary).

So I'm closer than I thought, but still stuck on the right way to arrange all this.
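The replication problem here (the secondary has no copy of the record) and the failed SOA lookup in the first comment both come down to whether each server answers authoritatively for the zone, and at which serial. As an added example, not code from this PR or the starchart project, this stdlib-only Python builds a non-recursive SOA query, parses a reply (rcode, AA flag, SOA serial) and compares primary against secondary; the reply bytes it constructs are modelled on the dig output above and are not captured traffic.

```python
import struct

QTYPE_SOA = 6
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    # Wire format: length-prefixed labels followed by the root (zero) label.
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_query(zone, qid=0x1234):
    # Header flags 0: RD off, so an authoritative server is not asked to recurse.
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, 1)

def skip_name(data, off):
    # Offset just past a name; a 2-byte compression pointer (top bits 11) ends it.
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_response(data):
    # Pull rcode, the AA flag and the SOA serial (if an SOA answer is present).
    flags, qd, an = struct.unpack_from("!HHH", data, 2)
    off, serial = 12, None
    for _ in range(qd):
        off = skip_name(data, off) + 4                    # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        if rtype == QTYPE_SOA:                            # serial follows MNAME and RNAME
            serial = struct.unpack_from("!I", data, skip_name(data, skip_name(data, off + 10)))[0]
        off += 10 + rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "aa": bool(flags & 0x0400), "serial": serial}

def replication_status(primary, secondary):
    # A REFUSED or non-AA reply means that server is not serving the zone at all.
    for role, r in (("primary", primary), ("secondary", secondary)):
        if r["rcode"] != "NOERROR" or not r["aa"] or r["serial"] is None:
            return f"{role} not authoritative ({r['rcode']})"
    if primary["serial"] == secondary["serial"]:
        return f"in sync at serial {primary['serial']}"
    return f"secondary lagging: {secondary['serial']} vs {primary['serial']}"

def constructed_reply(flags, serial=None):
    # Constructed test packet (not captured traffic): starchart.com SOA question plus optional SOA answer.
    rr = b""
    if serial is not None:
        rdata = encode_name("ns1.starchart.com") + encode_name("mail.domain.com") + struct.pack("!IIIII", serial, 10800, 3600, 604800, 3600)
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, 1, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if rr else 0, 0, 0) + encode_name("starchart.com") + struct.pack("!HH", QTYPE_SOA, 1) + rr
```

For a live check, send build_query(zone) to each server on UDP/53 (for example with socket.sendto) and pass the raw replies to parse_response; constructed_reply only stands in for those replies offline.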


humphd commented Nov 28, 2022

I have a basic demo working now, and I've recorded a short video to show what this does (cc @mehrdadziaei):

https://www.youtube.com/watch?v=Xa7vx3GCXX8

I think this is going to work :). Now I have something to demo to the students in January.

@ctyler, I'm going to split the DNS primary/secondary syncing off to another issue and deal with it later. I can't get it to work, and I suspect you would be able to do it if we spent some time on it over a call or something later on (it's not critical for development).


humphd commented Nov 29, 2022

Switched to use starchart.invalid so we don't collide with the existing domain.

I also tried 75,000 things to get the replication to work, but I have no idea what's wrong.


humphd commented Dec 1, 2022

Added the ability to create A and CNAME records in the web UI for further testing:

(Screenshot: Screen Shot 2022-12-01 at 1 28 59 PM)

@humphd humphd removed the request for review from ctyler January 11, 2023 15:08

humphd commented Jan 13, 2023

I think I should merge this to a prototype branch (i.e., not main) and leave it. It can be a reference for later, but very little if any of the code in here is needed on main.

Are people OK with this?


humphd commented Jan 27, 2023

Closing this, since we don't need it going forward. If anyone wants it, the branch is on my fork.

@humphd humphd closed this Jan 27, 2023
SerpentBytes added a commit to SerpentBytes/starchart that referenced this pull request Apr 18, 2023
Successfully merging this pull request may close these issues.

Get experimental architecture working in docker-compose