Exempt internal split-horizon zones from resolver DNSSEC validation
Resolver queries for unkin.net records returned SERVFAIL (broken trust chain): the in-cluster authoritative serves unkin.net UNSIGNED, but the public parent publishes a DS record (unkin.net is DNSSEC-signed on the Internet), so the validating resolver rejects the insecure answer. Add validate-except for the forwarded internal domains so the resolver treats them as insecure and does not validate them. unkin.net covers all *.unkin.net (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every NN.18.198.in-addr.arpa reverse zone; consul covers the consul TLD.
This commit is contained in:
@@ -21,6 +21,15 @@ spec:
|
||||
forwarders:
|
||||
- 8.8.8.8
|
||||
- 1.1.1.1
|
||||
# The internal split-horizon zones are served UNSIGNED by the in-cluster
|
||||
# authoritative, but their public parents publish DS records (e.g. unkin.net
|
||||
# is DNSSEC-signed on the Internet). With dnssec-validation on, the validator
|
||||
# sees "parent indicates secure" but gets an insecure answer and returns
|
||||
# SERVFAIL (broken trust chain). Treat the forwarded internal domains as
|
||||
# insecure so they are not validated. unkin.net covers all *.unkin.net
|
||||
# (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every reverse zone.
|
||||
extraOptions:
|
||||
- "validate-except { unkin.net; 18.198.in-addr.arpa; consul }"
|
||||
resources:
|
||||
requests:
|
||||
cpu: 20m
|
||||
|
||||
Reference in New Issue
Block a user