{"id":14110686,"url":"https://github.com/hardware/nsd-dnssec","last_synced_at":"2025-08-01T10:35:15.515Z","repository":{"id":81947840,"uuid":"51031753","full_name":"hardware/nsd-dnssec","owner":"hardware","description":":warning: UNMAINTAINED -Simple authoritative name server with DNSSEC support using Docker","archived":true,"fork":false,"pushed_at":"2019-08-15T09:32:50.000Z","size":71,"stargazers_count":70,"open_issues_count":1,"forks_count":39,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-12-01T07:37:32.663Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/hardware/nsd-dnssec/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hardware.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-02-03T21:27:10.000Z","updated_at":"2024-04-04T08:55:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"ade56e8f-fc9a-4f97-9b56-9af85973d302","html_url":"https://github.com/hardware/nsd-dnssec","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hardware%2Fnsd-dnssec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hardware%2Fnsd-dnssec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hardware%2Fnsd-dnssec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hardware%2Fnsd-dnssec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hardware","download_url":"https://codeload.github.com/hardware/nsd-dnssec/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228369478,"owners_count":17909262,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-14T10:02:57.304Z","updated_at":"2024-12-05T20:31:09.549Z","avatar_url":"https://github.com/hardware.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# hardware/nsd-dnssec\n\n![nsd](https://i.imgur.com/tPgkQVB.png \"nsd\")\n\n### What is this?\n\nNSD is an authoritative only, high performance, simple and open source name server.\n\n### Features\n\n- Lightweight \u0026 secure image (no root process)\n- Based on Alpine Linux\n- Latest NSD version (4.2.1 - Jul 9, 2019)\n- ZSK and KSK keys, DS-Records management and zone signature with ldns\n\n### Build-time variables\n\n- **NSD_VERSION** : version of NSD\n- **GPG_SHORTID** : short gpg key ID\n- **GPG_FINGERPRINT** : fingerprint of signing key\n- **SHA256_HASH** : SHA256 hash of NSD archive\n\n### Ports\n\n- **53/tcp**\n- **53/udp** (for AXFR zones transfer queries)\n\n### Environment variables\n\n| Variable | Description | Type | Default value |\n| -------- | ----------- | ---- | ------------- |\n| **UID** | nsd user id | *optional* | 991\n| **GID** | nsd group id | *optional* | 991\n\n### Setup\n\nPut your dns zone file in `/mnt/docker/nsd/zones/db.domain.tld`.\n\nExample:\n\n```\n$ORIGIN domain.tld.\n$TTL 7200\n\n; SOA\n\n@       IN      SOA    ns1.domain.tld. hostmaster.domain.tld. (\n                                        2016020202 ; Serial\n                                        7200       ; Refresh\n                                        1800       ; Retry\n                                        1209600    ; Expire\n                                        86400 )    ; Minimum\n\n; NAMESERVERS\n\n@                   IN                NS                   ns1.domain.tld.\n@                   IN                NS                   ns2.domain.tld.\n\n; A RECORDS\n\n@                   IN                A                    IPv4\nhostname            IN                A                    IPv4\nns1                 IN                A                    IPv4\nns2                 IN                A                    IPv4\n\n; CNAME RECORDS\n\nwww                 IN                CNAME                hostname\n\n; MAIL RECORDS\n\n@                   IN                MX          10       hostname.domain.tld.\n\n...\n```\n\nPut the nsd config in `/mnt/docker/nsd/conf/nsd.conf`.\n\nPrimary server example:\n\n```yaml\nserver:\n  server-count: 1\n  ip4-only: yes\n  hide-version: yes\n  identity: \"\"\n  zonesdir: \"/zones\"\n\nremote-control:\n  control-enable: yes\n\nkey:\n  name: \"sec_key\"\n  algorithm: hmac-sha256\n  secret: \"WU9VUl9TRUNSRVRfS0VZCg==\" # echo \"YOUR_SECRET_KEY\" | base64\n\nzone:\n  name: domain.tld\n  zonefile: db.domain.tld.signed\n  notify: ip_of_secondary_server sec_key\n  notify: ip_of_secondary_public_server NOKEY\n  provide-xfr: ip_of_secondary_server sec_key\n  provide-xfr: ip_of_secondary_public_server NOKEY\n\n# \"ip_of_secondary_server\" is your secondary nameserver IP\n# \"ip_of_secondary_public_server\" can be your registrar's nameserver IP\n```\n\nSecondary server example (optional):\n\n```yaml\nserver:\n  server-count: 1\n  ip4-only: yes\n  hide-version: yes\n  identity: \"\"\n  zonesdir: \"/zones\"\n\nremote-control:\n  control-enable: yes\n\nkey:\n  name: \"sec_key\"\n  algorithm: hmac-sha256\n  secret: \"WU9VUl9TRUNSRVRfS0VZCg==\"\n\nzone:\n  name: domain.tld\n  zonefile: db.domain.tld.signed\n  allow-notify: ip_of_primary_server sec_key\n  request-xfr: AXFR ip_of_primary_server sec_key\n\n# \"ip_of_primary_server\" is your primary nameserver IP\n```\n\nCheck your zone and nsd configuration:\n\n```\ncd /mnt/docker/nsd\ndocker run --rm -v `pwd`/zones:/zones -ti hardware/nsd-dnssec nsd-checkzone domain.tld /zones/db.domain.tld\ndocker run --rm -v `pwd`/conf:/etc/nsd -ti hardware/nsd-dnssec nsd-checkconf /etc/nsd/nsd.conf\n```\n\n### Docker-compose\n\n#### Docker-compose.yml\n\n```yaml\nnsd:\n  image: hardware/nsd-dnssec\n  container_name: nsd\n  ports:\n    - \"PUBLIC_IP_ADDRESS:53:53\"\n    - \"PUBLIC_IP_ADDRESS:53:53/udp\"\n  volumes:\n    - /mnt/docker/nsd/conf:/etc/nsd\n    - /mnt/docker/nsd/zones:/zones\n    - /mnt/docker/nsd/db:/var/db/nsd\n```\n\n**Note** : replace `PUBLIC_IP_ADDRESS` with your public IP address.\n\n#### Run it\n\n```\ndocker-compose up -d\n```\n\n### Generating DNSSEC keys and signed zone\n\nGenerate ZSK and KSK keys with ECDSAP384SHA384 algorithm (it may take some time; you can install `haveged` in your base system to speed it up):\n\n```\ndocker-compose exec nsd keygen domain.tld\n\nGenerating ZSK \u0026 KSK keys for 'domain.tld'\nDone.\n```\n\nThen sign your dns zone (default expiration date is 1 month):\n\n```\ndocker-compose exec nsd signzone domain.tld\n\nSigning zone for domain.tld\nNSD configuration rebuild... reconfig start, read /etc/nsd/nsd.conf\nok\nReloading zone for domain.tld... ok\nNotify slave servers... ok\nDone.\n\n# or set custom RRSIG RR expiration date :\n\ndocker-compose exec nsd signzone domain.tld [YYYYMMDDhhmmss]\ndocker-compose exec nsd signzone domain.tld 20170205220210\n```\n\n:warning: **Do not forget to add a cron task to increment the serial and sign your zone periodically to avoid the expiration of RRSIG RR records!**\n\nThis example shows how to update the serial and your TLSA record (if you have one) programmatically :\n\n```bash\n#!/bin/bash\n\nLETS_ENCRYPT_LIVE_PATH=/path/to/your/lets/encrypt/folder\nfingerprint=$(openssl x509 -noout -in \"${LETS_ENCRYPT_LIVE_PATH}/cert.pem\" -fingerprint -sha256 | cut -c 20- | sed s/://g)\n\ndomain=\"domain.tld\"\nzonename=\"db.${domain}\"\nzonefile=\"/mnt/docker/nsd/zones/${zonename}\"\nserial=$(date -d \"+1 day\" +'%Y%m%d%H')\ntlsa_line_number=$(grep -n TLSA $zonefile | cut -d : -f 1)\ntlsa_dns_record=\"_dane IN TLSA 3 0 1 ${fingerprint}\"\nexpiration_date=$(date -d \"+6 months\" +'%Y%m%d%H%M%S')\n\nsed -i -e \"s/20[0-9][0-9]\\{7\\} ; Serial/${serial} ; Serial/g\" \\\n       -e \"${tlsa_line_number}s/.*/${tlsa_dns_record}/\" $zonefile\n\nif docker exec nsd nsd-checkzone \"$domain\" /zones/\"$zonename\" | grep -q \"zone ${domain} is ok\"; then\n  docker exec nsd signzone \"$domain\" \"$expiration_date\"\nfi\n```\n\nShow your DS-Records (Delegation Signer):\n\n```\ndocker-compose exec nsd ds-records domain.tld\n\n\u003e DS record 1 [Digest Type = SHA1] :\ndomain.tld. 600 IN DS xxxx 14 1 xxxxxxxxxxxxxx\n\n\u003e DS record 2 [Digest Type = SHA256] :\ndomain.tld. 600 IN DS xxxx 14 2 xxxxxxxxxxxxxx\n\n\u003e Public KSK Key :\ndomain.tld. IN DNSKEY 257 3 14 xxxxxxxxxxxxxx ; {id = xxxx (ksk), size = 384b}\n```\n\nRestart the DNS server to take the changes into account:\n\n```\ndocker-compose restart nsd\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhardware%2Fnsd-dnssec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhardware%2Fnsd-dnssec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhardware%2Fnsd-dnssec/lists"}