From 2706632f549727fa67341a39789ac5fa04f874a0 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Jul 2026 22:13:50 +1000 Subject: [PATCH] Exempt internal split-horizon zones from resolver DNSSEC validation Resolver queries for unkin.net records returned SERVFAIL (broken trust chain): the in-cluster authoritative serves unkin.net UNSIGNED, but the public parent publishes a DS record (unkin.net is DNSSEC-signed on the Internet), so the validating resolver rejects the insecure answer. Add validate-except for the forwarded internal domains so the resolver treats them as insecure and does not validate them. unkin.net covers all *.unkin.net (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every NN.18.198.in-addr.arpa reverse zone; consul covers the consul TLD. --- apps/base/bind-internal/resolvers/cluster.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/apps/base/bind-internal/resolvers/cluster.yaml b/apps/base/bind-internal/resolvers/cluster.yaml index cfefc58..2fc2888 100644 --- a/apps/base/bind-internal/resolvers/cluster.yaml +++ b/apps/base/bind-internal/resolvers/cluster.yaml @@ -21,6 +21,15 @@ spec: forwarders: - 8.8.8.8 - 1.1.1.1 + # The internal split-horizon zones are served UNSIGNED by the in-cluster + # authoritative, but their public parents publish DS records (e.g. unkin.net + # is DNSSEC-signed on the Internet). With dnssec-validation on, the validator + # sees "parent indicates secure" but gets an insecure answer and returns + # SERVFAIL (broken trust chain). Treat the forwarded internal domains as + # insecure so they are not validated. unkin.net covers all *.unkin.net + # (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every reverse zone. + extraOptions: + - "validate-except { unkin.net; 18.198.in-addr.arpa; consul }" resources: requests: cpu: 20m