feat: add NSD backend and Topology C (multi-instance with peer sync) 🏗️

- New NSDBackend: zone files + nsd-control reload, zone registration via
  nsd.conf.d include file; mirrors BIND backend interface exactly
- BackendRegistry now supports type "nsd"; config defaults for nsd.zones_dir
  and nsd.nsd_conf
- Dockerfile installs both NSD and BIND9 — entrypoint detects configured
  backend type(s) and starts only the required daemon; CoreDNS MySQL
  deployments start neither
- docker/nsd.conf: minimal NSD base config with remote-control and
  zones.conf include
- entrypoint.sh: reads config file + env vars to determine which daemon
  to start; runs nsd-control-setup on first boot
- 20 new NSD backend tests (117 total, all passing)
- README: Topology C (multi-instance + peer sync) documented as most robust
  HA option; NSD config reference; updated topology comparison table;
  NSD env-var-only compose examples; version 2.5.0

Dockerfile

@@ -1,16 +1,22 @@
 FROM python:3.11.12-slim
 
-# Install system dependencies
-RUN apt-get update && apt-get install -y \
+# Install system dependencies.
+# Both NSD and BIND are installed so the image works with any DNS backend type.
+# The entrypoint detects which one is configured and starts only that daemon.
+# CoreDNS MySQL users: neither daemon is started — the image is still usable.
+RUN apt-get update && apt-get install -y --no-install-recommends \
     bind9 \
     bind9utils \
+    nsd \
     dnsutils \
     gcc \
     python3-dev \
     default-libmysqlclient-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Configure BIND
+# ---------------------------------------------------------------------------
+# BIND setup
+# ---------------------------------------------------------------------------
 RUN mkdir -p /etc/named/zones && \
     chown -R bind:bind /etc/named && \
     chmod 755 /etc/named/zones
@@ -19,34 +25,37 @@ COPY docker/named.conf.local /etc/bind/
 COPY docker/named.conf.options /etc/bind/
 RUN chown root:bind /etc/bind/named.conf.*
 
-# Install Python dependencies
+# ---------------------------------------------------------------------------
+# NSD setup
+# ---------------------------------------------------------------------------
+RUN mkdir -p /etc/nsd/zones /etc/nsd/nsd.conf.d && \
+    chown -R nsd:nsd /etc/nsd && \
+    chmod 755 /etc/nsd/zones
+
+COPY docker/nsd.conf /etc/nsd/nsd.conf
+RUN chown nsd:nsd /etc/nsd/nsd.conf
+
+# ---------------------------------------------------------------------------
+# Application
+# ---------------------------------------------------------------------------
 WORKDIR /app
 COPY pyproject.toml poetry.lock README.md ./
 
-# Install specific Poetry version that matches your lock file
-RUN pip install "poetry==2.1.2"  # Adjust version to match your lock file
+RUN pip install "poetry==2.1.2"
 
-# Copy application files
 COPY directdnsonly ./directdnsonly
 COPY schema ./schema
 
 RUN poetry config virtualenvs.create false && \
     poetry install
 
-
-
 # Create data directories
-RUN mkdir -p /app/data/queues && \
-    mkdir -p /app/data/zones && \
-    mkdir -p /app/logs && \
+RUN mkdir -p /app/data/queues /app/data/zones /app/logs && \
     chmod -R 755 /app/data
 
-# Configure BIND zone directory to match app config
-#RUN ln -s /app/data/zones /etc/named/zones/dadns
-
 # Start script
 COPY docker/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
 EXPOSE 2222 53/udp
-CMD ["/entrypoint.sh"]
+CMD ["/entrypoint.sh"]