From 234a7f98ec69d44c520a215f087a0bf056cac605 Mon Sep 17 00:00:00 2001
From: root <root@ns.info46.net>
Date: Mon, 4 Dec 2017 15:29:20 +0100
Subject: [PATCH 1/5] Add DNSSEC

---
 Dockerfile         | 4 ++++
 named.conf.options | 6 ++++--
 setup.sh           | 6 ++++--
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 9b9ea54..3020157 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,10 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
 	apt-get install -q -y bind9 dnsutils && \
 	apt-get clean
 
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
+        apt-get install -q -y vim udev cron && \
+        apt-get clean
+
 RUN chmod 770 /var/cache/bind
 COPY setup.sh /root/setup.sh
 RUN chmod +x /root/setup.sh
diff --git a/named.conf.options b/named.conf.options
index 9c0925d..6393c05 100644
--- a/named.conf.options
+++ b/named.conf.options
@@ -1,8 +1,10 @@
 options {
         directory "/var/cache/bind";
-        dnssec-validation auto;
+        dnssec-enable yes;
+        dnssec-validation yes;
+        dnssec-lookaside auto;
         recursion no;
         allow-transfer { none; };
         auth-nxdomain no;
         listen-on-v6 { any; };
-};
\ No newline at end of file
+};
diff --git a/setup.sh b/setup.sh
index c373bc7..f067ebd 100755
--- a/setup.sh
+++ b/setup.sh
@@ -10,7 +10,7 @@ then
 	cat >> /etc/bind/named.conf <<EOF
 zone "$ZONE" {
 	type master;
-	file "$ZONE.zone";
+	file "$ZONE.zone.signed";
 	allow-query { any; };
 	allow-transfer { none; };
 	allow-update { localhost; };
@@ -47,4 +47,6 @@ then
 	"RecordTTL": ${RECORD_TTL}
 }
 EOF
-fi
\ No newline at end of file
+fi
+
+chown -R bind:bind /var/cache/bind

From b1e3bb419042ee6425e380639986f0c9fa93e46f Mon Sep 17 00:00:00 2001
From: root <root@ns.info46.net>
Date: Mon, 4 Dec 2017 15:35:53 +0100
Subject: [PATCH 2/5] Finalize DNSSEC

---
 envfile  |  3 +-
 setup.sh | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 88 insertions(+), 4 deletions(-)

diff --git a/envfile b/envfile
index fc51a2d..db36003 100644
--- a/envfile
+++ b/envfile
@@ -1,3 +1,4 @@
 SHARED_SECRET=changeme
 ZONE=example.org
-RECORD_TTL=3600
\ No newline at end of file
+RECORD_TTL=3600
+NS=ns.example.org
diff --git a/setup.sh b/setup.sh
index f067ebd..d56c590 100755
--- a/setup.sh
+++ b/setup.sh
@@ -18,17 +18,29 @@ zone "$ZONE" {
 EOF
 	
 	echo "creating zone file..."
+	if [ 'z "$NS" ]
+	then
+		IFS="," read -r -a elements <<< "$NS"
+		for element in ${elements[@]}
+		do
+			SHORT+="${element%%.*}. "
+			LONG+="$element. "
+		done
+	else
+		SHORT="${NS%%.*}."
+		LONG+="$NS."
+	fi
 	cat > /var/cache/bind/$ZONE.zone <<EOF
 \$ORIGIN .
 \$TTL 86400	; 1 day
-$ZONE		IN SOA	localhost. root.localhost. (
+$ZONE		IN SOA	$SHORT $LONG (
 				74         ; serial
 				3600       ; refresh (1 hour)
 				900        ; retry (15 minutes)
 				604800     ; expire (1 week)
 				86400      ; minimum (1 day)
 				)
-			NS	localhost.
+			NS	$SHORT
 \$ORIGIN ${ZONE}.
 \$TTL ${RECORD_TTL}
 EOF
@@ -44,9 +56,80 @@ then
     "Zone": "${ZONE}.",
     "Domain": "${ZONE}",
     "NsupdateBinary": "/usr/bin/nsupdate",
-	"RecordTTL": ${RECORD_TTL}
+    "RecordTTL": ${RECORD_TTL}
 }
 EOF
 fi
 
 chown -R bind:bind /var/cache/bind
+
+# DNSSEC configuration
+if [ ! -f /var/cache/bind/$ZONE.zone.signed ]
+then
+    echo "Signing zone..."
+    cd /var/cache/bind
+    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE $ZONE
+    dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE $ZONE
+    for key in `ls K${ZONE}*.key`
+    do
+        echo "\$INCLUDE $key">> $ZONE.zone
+    done
+
+    dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONE.zone
+fi
+
+# Increase safety to prevents hacks with raindow tables
+if [ ! -f /usr/sbin/zonesigner.sh ]
+then
+    echo "Creating /usr/sbin/zonesigner.sh..."
+    cat > /usr/sbin/zonesigner.sh <<EOF
+#!/bin/sh
+
+PDIR=\`pwd\`
+ZONEDIR="/var/cache/bind" #location of your zone files
+ZONE=\$1
+ZONEFILE=\$2
+DNSSERVICE="bind9" #On CentOS/Fedora replace this with "named"
+cd \$ZONEDIR
+SERIAL=\`/usr/sbin/named-checkzone \$ZONE \$ZONEFILE | egrep -ho '[0-9]{10}'\`
+sed -i 's/'\$SERIAL'/'\$((\$SERIAL+1))'/' \$ZONEFILE
+/usr/sbin/dnssec-signzone -A -3 \$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N increment -o \$1 -t \$2
+service \$DNSSERVICE reload
+cd \$PDIR
+EOF
+
+    chmod +x /usr/sbin/zonesigner.sh
+fi
+
+if [ ! -f /var/spool/cron/crontabs/root ]
+then
+    echo "Implements crontab..."
+    cat > /var/spool/cron/crontabs/root <<EOF
+# Edit this file to introduce tasks to be run by cron.
+#
+# Each task to run has to be defined through a single line
+# indicating with different fields when the task will be run
+# and what command to run for the task
+#
+# To define the time you can provide concrete values for
+# minute (m), hour (h), day of month (dom), month (mon),
+# and day of week (dow) or use '*' in these fields (for 'any').#
+# Notice that tasks will be started based on the cron's system
+# daemon's notion of time and timezones.
+#
+# Output of the crontab jobs (including errors) is sent through
+# email to the user the crontab file belongs to (unless redirected).
+#
+# For example, you can run a backup of all your user accounts
+# at 5 a.m every week with:
+# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
+#
+# For more information see the manual pages of crontab(5) and cron(8)
+#
+# m h  dom mon dow   command
+0 0 */3 0 0 /usr/sbin/zonesigner.sh $ZONE $ZONE.zone
+EOF
+fi
+
+echo "Service Bind9 restart..."
+service bind9 restart

From 9a5ea5c705cabb5ccbfa82150f46711a021541ec Mon Sep 17 00:00:00 2001
From: root <root@ns.info46.net>
Date: Mon, 4 Dec 2017 15:37:17 +0100
Subject: [PATCH 3/5] Typo

---
 setup.sh | 66 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 33 insertions(+), 33 deletions(-)

diff --git a/setup.sh b/setup.sh
index d56c590..e727618 100755
--- a/setup.sh
+++ b/setup.sh
@@ -6,41 +6,41 @@
 
 if [ ! -f /var/cache/bind/$ZONE.zone ]
 then
-	echo "creating zone...";
-	cat >> /etc/bind/named.conf <<EOF
+    echo "creating zone...";
+    cat >> /etc/bind/named.conf <<EOF
 zone "$ZONE" {
-	type master;
-	file "$ZONE.zone.signed";
-	allow-query { any; };
-	allow-transfer { none; };
-	allow-update { localhost; };
+    type master;
+    file "$ZONE.zone.signed";
+    allow-query { any; };
+    allow-transfer { none; };
+    allow-update { localhost; };
 };
 EOF
-	
-	echo "creating zone file..."
-	if [ 'z "$NS" ]
-	then
-		IFS="," read -r -a elements <<< "$NS"
-		for element in ${elements[@]}
-		do
-			SHORT+="${element%%.*}. "
-			LONG+="$element. "
-		done
-	else
-		SHORT="${NS%%.*}."
-		LONG+="$NS."
-	fi
-	cat > /var/cache/bind/$ZONE.zone <<EOF
+    
+    echo "creating zone file..."
+    if [ 'z "$NS" ]
+    then
+        IFS="," read -r -a elements <<< "$NS"
+        for element in ${elements[@]}
+        do
+            SHORT+="${element%%.*}. "
+            LONG+="$element. "
+        done
+    else
+        SHORT="${NS%%.*}."
+        LONG+="$NS."
+    fi
+    cat > /var/cache/bind/$ZONE.zone <<EOF
 \$ORIGIN .
-\$TTL 86400	; 1 day
-$ZONE		IN SOA	$SHORT $LONG (
-				74         ; serial
-				3600       ; refresh (1 hour)
-				900        ; retry (15 minutes)
-				604800     ; expire (1 week)
-				86400      ; minimum (1 day)
-				)
-			NS	$SHORT
+\$TTL 86400    ; 1 day
+$ZONE        IN SOA    $SHORT $LONG (
+                74         ; serial
+                3600       ; refresh (1 hour)
+                900        ; retry (15 minutes)
+                604800     ; expire (1 week)
+                86400      ; minimum (1 day)
+                )
+            NS    $SHORT
 \$ORIGIN ${ZONE}.
 \$TTL ${RECORD_TTL}
 EOF
@@ -48,8 +48,8 @@ fi
 
 if [ ! -f /etc/dyndns.json ]
 then
-	echo "creating REST api config..."
-	cat > /etc/dyndns.json <<EOF
+    echo "creating REST api config..."
+    cat > /etc/dyndns.json <<EOF
 {
     "SharedSecret": "${SHARED_SECRET}",
     "Server": "localhost",

From db105aef8ea734291093d636de015db226933b6c Mon Sep 17 00:00:00 2001
From: root <root@ns.info46.net>
Date: Mon, 4 Dec 2017 15:38:35 +0100
Subject: [PATCH 4/5] Add pessistant and restart always

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index d3af69e..d8ad9bb 100644
--- a/Makefile
+++ b/Makefile
@@ -25,4 +25,4 @@ api_test_recursion:
 	dig @docker.local google.com
 
 deploy: image
-	docker run -it -d -p 8080:8080 -p 53:53 -p 53:53/udp --env-file envfile --name=dyndns davd/docker-ddns:latest
+	docker run -it -d --restart="always" -p 8080:8080 -p 53:53 -p 53:53/udp -v /opt/bind:/var/cache/bind --env-file envfile --name=dyndns davd/docker-ddns:latest

From fc590e32dd928d2f1088423d6e7ce355e105a5a2 Mon Sep 17 00:00:00 2001
From: root <root@ns.info46.net>
Date: Wed, 6 Dec 2017 13:08:36 +0100
Subject: [PATCH 5/5] Fix typo

---
 setup.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup.sh b/setup.sh
index e727618..f8dbc3b 100755
--- a/setup.sh
+++ b/setup.sh
@@ -18,7 +18,7 @@ zone "$ZONE" {
 EOF
     
     echo "creating zone file..."
-    if [ 'z "$NS" ]
+    if [ -z "$NS" ]
     then
         IFS="," read -r -a elements <<< "$NS"
         for element in ${elements[@]}
@@ -28,7 +28,7 @@ EOF
         done
     else
         SHORT="${NS%%.*}."
-        LONG+="$NS."
+        LONG="$NS."
     fi
     cat > /var/cache/bind/$ZONE.zone <<EOF
 \$ORIGIN .