From 8886fe71eebe50dec7cc0a1bd69d38de1d2b33ce Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 4 Jul 2026 11:59:37 +1000 Subject: [PATCH] Configure resolvers like puppet (openforwarder view + forward zones) Fixes recursion being refused for external clients: the resolver had no allow-recursion, so BIND defaulted to localnets. Mirrors the puppet resolver config exactly. - add openforwarder BindView: match-clients = internal ACLs, recursion yes, allow-recursion/allow-query any (match-clients gates access) - add 4 BindACLs (acl-main.unkin.net / acl-dmz / acl-common / acl-nomad-jobs) from puppet acls.conf - add 26 conditional forward zones (unkin/consul/k8s/dmz upstreams), bound to the openforwarder view; needs operator v0.1.4 to render them on every pod - global forwarders 8.8.8.8/1.1.1.1 (puppet default) - bump operator image to v0.1.4 --- apps/base/bind-internal/resolvers/acls.yaml | 65 +++ .../base/bind-internal/resolvers/cluster.yaml | 2 +- .../resolvers/forward-zones.yaml | 374 ++++++++++++++++++ .../resolvers/kustomization.yaml | 3 + apps/base/bind-internal/resolvers/view.yaml | 23 ++ apps/base/bind-system/deployment.yaml | 2 +- 6 files changed, 467 insertions(+), 2 deletions(-) create mode 100644 apps/base/bind-internal/resolvers/acls.yaml create mode 100644 apps/base/bind-internal/resolvers/forward-zones.yaml create mode 100644 apps/base/bind-internal/resolvers/view.yaml diff --git a/apps/base/bind-internal/resolvers/acls.yaml b/apps/base/bind-internal/resolvers/acls.yaml new file mode 100644 index 0000000..66b8ad5 --- /dev/null +++ b/apps/base/bind-internal/resolvers/acls.yaml 
@@ -0,0 +1,65 @@ +# Internal client ACLs, mirrored from puppet /etc/named/acls.conf. +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindACL +metadata: + name: acl-main.unkin.net + namespace: bind-internal +spec: + clusterRef: bind-resolvers + entries: + - 198.18.1.10/32 + - 198.18.2.160/27 + - 198.18.21.160/27 + - 198.18.2.192/27 + - 198.18.21.192/27 + - 198.18.13.0/24 + - 198.18.14.0/24 + - 198.18.15.0/24 + - 198.18.16.0/24 + - 198.18.17.0/24 + - 198.18.18.0/24 + - 198.18.19.0/24 + - 198.18.20.0/24 + - 198.18.21.0/24 + - 198.18.22.0/24 + - 198.18.23.0/24 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindACL +metadata: + name: acl-dmz + namespace: bind-internal +spec: + clusterRef: bind-resolvers + entries: + - 198.18.24.0/24 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindACL +metadata: + name: acl-common + namespace: bind-internal +spec: + clusterRef: bind-resolvers + entries: + - 198.18.25.0/24 + - 198.18.26.0/24 + - 198.18.27.0/24 + - 198.18.28.0/24 + - 198.18.29.0/24 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindACL +metadata: + name: acl-nomad-jobs + namespace: bind-internal +spec: + clusterRef: bind-resolvers + entries: + - 198.18.64.0/24 + - 198.18.65.0/24 + - 198.18.66.0/24 + - 198.18.67.0/24 + - 198.18.68.0/24 + - 198.18.69.0/24 diff --git a/apps/base/bind-internal/resolvers/cluster.yaml b/apps/base/bind-internal/resolvers/cluster.yaml index 83f9035..f99b8b9 100644 --- a/apps/base/bind-internal/resolvers/cluster.yaml +++ b/apps/base/bind-internal/resolvers/cluster.yaml @@ -18,8 +18,8 @@ spec: purelb.io/addresses: 198.18.200.7 external-dns.alpha.kubernetes.io/hostname: bind-resolvers.k8s.syd1.au.unkin.net forwarders: + - 8.8.8.8 - 1.1.1.1 - - 9.9.9.9 resources: requests: cpu: 100m diff --git a/apps/base/bind-internal/resolvers/forward-zones.yaml b/apps/base/bind-internal/resolvers/forward-zones.yaml new file mode 100644 index 0000000..ac2a37b --- /dev/null +++ b/apps/base/bind-internal/resolvers/forward-zones.yaml 
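Review bot: These BindACLs gate recursion purely by client source address, which only works if that address survives the path into the pod, and the diff does not show the one setting that decides it: the resolver is reached through a LoadBalancer Service (purelb address 198.18.200.7 in cluster.yaml), and with Kubernetes' default `externalTrafficPolicy: Cluster` kube-proxy SNATs clients to node addresses. In that case match-clients sees node IPs and the view either refuses everyone or, if the nodes happen to sit inside acl-main.unkin.net, grants recursion to any client that can reach the LB. Confirm `externalTrafficPolicy: Local` on the resolver Service and record the dependency at the top of this file, e.g. `# NOTE: source-IP ACLs; only meaningful if the resolver Service preserves client addresses (externalTrafficPolicy: Local).` Separately, acl-dmz (198.18.24.0/24) is admitted to the same openforwarder view as the internal networks, so DMZ hosts get recursion plus the internal forward zones (consul, k8s.syd1.au.unkin.net); if that mirrors puppet, a one-line comment on the acl-dmz object saying so would save the next reader the question.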
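Review bot: Every query that no conditional forward zone catches now goes to 8.8.8.8/1.1.1.1 over plain port-53 DNS, and that set is larger than it looks: 198.18.0.0/15 is RFC 2544 benchmarking space, which is not in the RFC 6303 locally-served list, so unlike `10.in-addr.arpa` BIND very likely has no built-in empty zone for `18.198.in-addr.arpa`, and PTR lookups for ACL'd networks without a forward zone (198.18.1.10, the 198.18.2.x /27s, 198.18.18.0/24, 198.18.64-69.0/24) would leak internal addresses to Google/Cloudflare. Verify rather than assume: `dig -x 198.18.18.5 @198.18.200.7` should be answered locally (NXDOMAIN) if an empty zone exists; if the resolver forwards it, either add the missing in-addr.arpa forward zones or have the operator declare those reverse zones as empty. The order change (8.8.8.8 first, 9.9.9.9 dropped) is justified only as "puppet default"; a comment such as `# Public fallback for everything not matched by a forward zone; plaintext, see forward-zones.yaml for what stays internal` would make the trust boundary explicit for whoever reviews this next.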
@@ -0,0 +1,374 @@ +# Conditional forward zones, mirrored from puppet openforwarder view. +# Upstreams are the puppet anycast servers (unkin 198.18.19.15, consul .14, +# k8s .20); flip to the in-cluster authoritative/externaldns LBs once zone +# data is migrated. +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-unkin-net + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: unkin.net + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-main-unkin-net + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: main.unkin.net + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-dmz-unkin-net + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: dmz.unkin.net + type: forward + catalog: false + forwarders: + - 10.10.16.32 + - 10.10.16.33 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-network-unkin-net + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: network.unkin.net + type: forward + catalog: false + forwarders: + - 10.10.16.32 + - 10.10.16.33 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-prod-unkin-net + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: prod.unkin.net + type: forward + catalog: false + forwarders: + - 10.10.16.32 + - 10.10.16.33 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-consul + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: consul + type: forward + catalog: false + forwarders: + - 198.18.19.14 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone 
+metadata: + name: fwd-k8s-syd1-au-unkin-net + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: k8s.syd1.au.unkin.net + type: forward + catalog: false + forwarders: + - 198.18.19.20 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-13-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 13.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-14-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 14.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-15-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 15.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-16-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 16.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-17-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 17.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-19-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 19.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: 
bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-20-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 20.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-21-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 21.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-22-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 22.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-23-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 23.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-24-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 24.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-25-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 25.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-26-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 26.18.198.in-addr.arpa + type: forward + catalog: false + 
forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-27-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 27.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-28-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 28.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-29-18-198-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 29.18.198.in-addr.arpa + type: forward + catalog: false + forwarders: + - 198.18.19.15 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-8-10-10-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 8.10.10.in-addr.arpa + type: forward + catalog: false + forwarders: + - 10.10.16.32 + - 10.10.16.33 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-16-10-10-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 16.10.10.in-addr.arpa + type: forward + catalog: false + forwarders: + - 10.10.16.32 + - 10.10.16.33 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: fwd-20-10-10-in-addr-arpa + namespace: bind-internal +spec: + clusterRef: bind-resolvers + viewRef: openforwarder + zoneName: 20.10.10.in-addr.arpa + type: forward + catalog: false + forwarders: + - 10.10.16.32 + - 10.10.16.33 diff --git a/apps/base/bind-internal/resolvers/kustomization.yaml b/apps/base/bind-internal/resolvers/kustomization.yaml index da7cf1f..51fc92e 100644 
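Review bot: The in-addr.arpa list skips `18.18.198.in-addr.arpa` even though acl-main.unkin.net in acls.yaml includes 198.18.18.0/24, and there are no reverse zones at all for the other ACL'd networks (198.18.1.10, the 198.18.2.160/27 and .192/27 ranges, 198.18.64-69.0/24 nomad jobs), so PTR lookups for those hosts fall through to the global 8.8.8.8/1.1.1.1 forwarders instead of 198.18.19.15. If that mirrors puppet it should be stated in the header; otherwise add `fwd-18-18-198-in-addr-arpa` (and the nomad /24s) in the same shape as the neighbouring zones. Independently, the isolation every zone here provides depends on the operator rendering `forward only`: with BIND's default `forward first`, an unreachable 198.18.19.15 or 10.10.16.32/.33 makes the view recurse for `consul`, `k8s.syd1.au.unkin.net` and `*.unkin.net` on the public Internet, leaking internal names and accepting whatever the public tree returns, so confirm the operator's template and note the result in the header comment. That comment also says upstreams are the puppet anycast servers, yet dmz/network/prod.unkin.net and the 8/16/20.10.10 reverses go to 10.10.16.32/.33; extend it with `# dmz/network/prod.unkin.net and the 10.10.x reverses forward to 10.10.16.32/.33 instead.`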
--- a/apps/base/bind-internal/resolvers/kustomization.yaml +++ b/apps/base/bind-internal/resolvers/kustomization.yaml @@ -4,3 +4,6 @@ kind: Kustomization resources: - cluster.yaml + - acls.yaml + - view.yaml + - forward-zones.yaml diff --git a/apps/base/bind-internal/resolvers/view.yaml b/apps/base/bind-internal/resolvers/view.yaml new file mode 100644 index 0000000..d0c2a60 --- /dev/null +++ b/apps/base/bind-internal/resolvers/view.yaml @@ -0,0 +1,23 @@ +--- +# openforwarder view, mirrored from puppet /etc/named/views.conf. +# match-clients gates access to internal networks; recursion/query are 'any' +# within the view since match-clients already restricts who reaches it. +apiVersion: bind.unkin.net/v1alpha1 +kind: BindView +metadata: + name: openforwarder + namespace: bind-internal +spec: + clusterRef: bind-resolvers + order: 100 + matchClients: + - acl-main.unkin.net + - acl-nomad-jobs + - acl-common + - acl-dmz + recursion: true + allowQuery: + - any + extraOptions: + - "allow-recursion { any; }" + - "allow-query-cache { any; }" diff --git a/apps/base/bind-system/deployment.yaml b/apps/base/bind-system/deployment.yaml index e8e5d41..c090504 100644 --- a/apps/base/bind-system/deployment.yaml +++ b/apps/base/bind-system/deployment.yaml @@ -21,7 +21,7 @@ spec: runAsNonRoot: true containers: - name: operator - image: git.unkin.net/unkin/bind-operator:v0.1.3 + image: git.unkin.net/unkin/bind-operator:v0.1.4 args: - --metrics-bind-address=:8080 - --health-probe-bind-address=:8081
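Review bot: With `allowQuery: any`, `allow-recursion { any; }` and `allow-query-cache { any; }` in view.yaml, matchClients is the only control between an arbitrary source and open recursion, so the view is only as safe as two things this diff does not show: that no other view (an operator default or a lower-`order` catch-all) matches the leftover clients with recursion on, and that client addresses reach the pod unchanged through the LoadBalancer. Cheap defence in depth is to reference the same ACLs instead of `any`, so a view-matching mistake fails closed: `- "allow-recursion { acl-main.unkin.net; acl-nomad-jobs; acl-common; acl-dmz; }"` and the same list for allow-query-cache (this assumes the operator emits BindACLs as top-level `acl` statements, which matchClients already implies). The header comment asserts that match-clients "already restricts who reaches it"; add one line recording what clients that match no view get (REFUSED, or another view), so the next reader does not have to reason from `order: 100` alone.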