Exempt internal split-horizon zones from resolver DNSSEC validation
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful

Resolver queries for unkin.net records returned SERVFAIL (broken trust
chain): the in-cluster authoritative serves unkin.net UNSIGNED, but the
public parent publishes a DS record (unkin.net is DNSSEC-signed on the
Internet), so the validating resolver rejects the insecure answer.

Add validate-except for the forwarded internal domains so the resolver
treats them as insecure and does not validate them. unkin.net covers all
*.unkin.net (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers
every NN.18.198.in-addr.arpa reverse zone; consul covers the consul TLD.
This commit is contained in:
2026-07-12 22:13:50 +10:00
parent 65f18a6380
commit 2706632f54
@@ -21,6 +21,15 @@ spec:
forwarders:
- 8.8.8.8
- 1.1.1.1
# The internal split-horizon zones are served UNSIGNED by the in-cluster
# authoritative, but their public parents publish DS records (e.g. unkin.net
# is DNSSEC-signed on the Internet). With dnssec-validation on, the validator
# sees "parent indicates secure" but gets an insecure answer and returns
# SERVFAIL (broken trust chain). Treat the forwarded internal domains as
# insecure so they are not validated. unkin.net covers all *.unkin.net
# (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every reverse zone.
extraOptions:
- "validate-except { unkin.net; 18.198.in-addr.arpa; consul }"
resources:
requests:
cpu: 20m