Restrict authoritative queries to internal networks
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful

Mirrors the puppet authoritative master-zones view (match-clients
acl-main.unkin.net) using a global allow-query instead of a view, since
dynamic primary zones in a view would need per-view allow-new-zones.

- add auth-acl-main BindACL (the puppet acl-main.unkin.net networks)
- allow-query { auth-acl-main; 10.42.0.0/16; } on bind-authoritative
  (pod net included so secondaries can SOA-refresh from the primary)
This commit is contained in:
2026-07-04 21:58:13 +10:00
parent c8d61205ce
commit f9dd90a6b0
3 changed files with 32 additions and 0 deletions
@@ -11,6 +11,11 @@ spec:
replicas: 3
storageClassName: cephrbd-fast-delete
storageSize: 2Gi
# Restrict queries to internal networks (puppet acl-main.unkin.net).
# 10.42.0.0/16 (pod net) is required so secondaries can SOA-refresh
# from the primary during catalog replication.
extraOptions:
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
service:
type: LoadBalancer
annotations: