From c1cc59a24fc4ee9aa1d37c3143d6d453dcd0010e Mon Sep 17 00:00:00 2001 From: Ventz Petkov Date: Thu, 6 Feb 2020 16:36:36 -0500 Subject: [PATCH] Updated for: 9.14.8-r0 and added FAQs and clarifications in documentation --- README.md | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 85 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index dd47ffc..5193a2b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -### ISC BIND9 Container (Stable: 9.14.7_xx) built on top of Alpine -### Last update: 10-24-19 -### Latest Stable Docker Tag: 9.14.7-r0 +### ISC BIND9 Container (Stable: 9.14.8_xx) built on top of Alpine +### Last update: 2-6-20 +### Latest Stable Docker Tag: 9.14.8-r0 NOTE: "Last Update" is the date of the latest DockerHub build. 
@@ -11,20 +11,22 @@ It is ideal for an extremely secure and fast master (authoritative server), slave, recursive server/resolver, RPZ "dns firewall", or just about any other purpose you can use bind for. -# Security - always on the latest stable BIND release! +To get started quickly, skip to step "D". + +# (A.) Security - always on the latest stable BIND release! This container will _always_ be up to date on the latest stable+patched version, usually within 24 hours of it being available in Alpine. In fact, most of the BIND vulnerabilities so far have been reported by me to the Alpine developers. -# How to deploy a Bind (DNS) server? +# (B.) How to deploy a Bind (DNS) server? This container contains everything needed in terms of configuration to run as an authoritative server or a recursive resolver/forwarding cacher. However, the default config permits queries and recursion only from 127.0.0.1 - which will not be too useful :) But the assumption is that you will override ```/etc/bind``` with your configs, and ```/var/cache/bind``` with your zones. -# Required "DATA" directory - for configs and zone data: +# (C.) Required "DATA" directory - for configs and zone data: This container assumes you have a "/DATA" folder with with your container specific data. (You can change that folder, sub-folders, and file points as needed, but make sure you update the "-v" mounts for the run.) @@ -39,7 +41,7 @@ A "/DATA/var/cache/bind" directory for all of the master or slave zones. If it's ``` -# How to run a BIND ("named") Docker Container? +# (D.) How to run a BIND ("named") Docker Container? ## Default Example: This is just to test it out - by default only allows queries from 
@@ -79,3 +81,79 @@ ventz/bind Additional options may be passed to the bind daemon via the `OPTIONS` argument, provided as: `docker run --env OPTIONS='...' + +# (E.) FAQs + +## How do I generate an RNDC Key? +``` +docker run -it --rm --entrypoint "/usr/sbin/rndc-confgen" ventz/bind +``` + +Take the portion that looks like this and save to "/etc/bind/rndc.key": +``` +# Start of rndc.conf +key "rndc-key" { + algorithm hmac-sha256; + # Note: the secret will be different, this is just an example + secret "zjVC59ehGxbbB6OhYhGaqUTIXu8Imcg3VKzvoMwIMzY="; +}; +``` + +## What configuration files do I need to get started? + +I highly recommend reading more about bind if this is your question. Here are some useful resources: + +* https://www.bind9.net/manuals +* https://wiki.debian.org/Bind9 +* https://help.ubuntu.com/community/BIND9ServerHowto +* https://www.zytrax.com/books/dns/ch7/ +* https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-18-04 + +That said, as a bare minimum (and depending on what you want - recursive, authoritative, etc), you need: + +[note: all of these are provided in `container/configs` folder] + +1.) Main config: `/etc/bind/named.conf` + +2.) Options: `/etc/bind/named.conf.options` (note: sane and secure defaults for recursive! If for authoritative, turn off recursive at least!) + +3.) Local zones: `/etc/bind/named.conf.local` (for your zone configs if authoritative/slave/etc) + +4.) Optional: `/etc/bind/named.conf.rfc1918` (for your RFC1918 "private IP" zone definitions - this is optional, and while recommended, you may comment out the last line in `named.conf.local` that utilizes it) + +5.) Optional: `/etc/bind/default-zones` (folder for rfc1918 definitions - not needed if `named.conf.rfc1918` is not used) + +## How do I log everything: + +1.) Add to your `named.conf`: +``` +... +include "/etc/bind/named.conf.logging"; +... +``` + +and + +2.) 
Create a file `named.conf.logging` with: +``` +logging { + channel stdout { + stderr; + severity info; + print-category no; + print-severity no; + print-time yes; + }; + # Customize categories as needed + # To log everything, keep at least "default" + category security { stdout; }; + category queries { stdout; }; + category dnssec { stdout; }; + category xfer-in { stdout; }; + category xfer-out { stdout; }; + category default { stdout; }; +}; + +``` + +For more information, see: https://www.slideshare.net/MenandMice/bind-9-logging-best-practices
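Review bot: The new "Last update: 2-6-20" line in the first hunk is ambiguous (it can be read as 6 February or 2 June 2020, whereas the Subject header gives Thu, 6 Feb 2020); since this line documents the date of the DockerHub build, consider an unambiguous ISO 8601 form such as `### Last update: 2020-02-06` so readers can match it against the image tag without guessing the locale.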
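Review bot: The cross-reference added in the second hunk, `To get started quickly, skip to step "D".`, depends on the new hand-numbered headings `# (A.)` through `# (D.)` staying in their current order; inserting or reordering a section later will silently make the pointer wrong. Prefer a Markdown link to the heading itself (for example `[How to run a BIND ("named") Docker Container](#d-how-to-run-a-bind-named-docker-container)`) or spell out the section title in the sentence so the reference survives edits.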
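Review bot: In the `named.conf.logging` example of the FAQ hunk the channel is named `stdout` but its destination is `stderr;`, which will confuse anyone grepping the container's logs; rename it (for example `channel stderr_log { stderr; ... };` and `category default { stderr_log; };`) or switch the destination to match the name. Also worth stating next to `category queries { stdout; };` that query logging must be switched on separately (`querylog yes;` in `options` or `rndc querylog`) or that category will stay empty despite the "log everything" heading. Finally, the rndc FAQ tells the reader to save the `key "rndc-key" { ... secret "..."; };` block to `/etc/bind/rndc.key` but says nothing about protecting it; a one-line note that the file holds a shared secret and should be readable only by the user running `named` (e.g. mode `0640`, owned by root with the named group) would round out that answer.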