Configure resolvers like puppet (openforwarder view + forward zones) #226

Merged
benvin merged 4 commits from benvin/resolver-openforwarder into main 2026-07-04 21:55:33 +10:00
Owner

Why

dig google.com @198.18.200.7 was refused: the resolver never set allow-recursion, so BIND defaulted to localnets/localhost. This mirrors the puppet resolver (/etc/named/views.conf + acls.conf) exactly.

Changes

  • openforwarder BindView: match-clients = the 4 internal ACLs, recursion yes, allow-recursion/allow-query any (match-clients gates)
  • 4 BindACLs from puppet acls.conf (acl-main.unkin.net/acl-dmz/acl-common/acl-nomad-jobs)
  • 26 conditional forward zones in the view (unkin→198.18.19.15, consul→.14, k8s→.20, dmz/network/prod + 10.10.x reverse → 10.10.16.32/33)
  • global forwarders 8.8.8.8/1.1.1.1
  • operator image → v0.1.4

Note

Forward-zone upstreams point at the puppet anycast servers (still authoritative during migration); flip to the in-cluster authoritative/externaldns LBs once zone data is migrated.

Validated

kustomize build (59 docs), kubeconform clean.

## Why `dig google.com @198.18.200.7` was refused: the resolver never set allow-recursion, so BIND defaulted to localnets/localhost. This mirrors the puppet resolver (/etc/named/views.conf + acls.conf) exactly. ## Changes - `openforwarder` BindView: `match-clients` = the 4 internal ACLs, recursion yes, allow-recursion/allow-query `any` (match-clients gates) - 4 BindACLs from puppet acls.conf (acl-main.unkin.net/acl-dmz/acl-common/acl-nomad-jobs) - 26 conditional forward zones in the view (unkin→198.18.19.15, consul→.14, k8s→.20, dmz/network/prod + 10.10.x reverse → 10.10.16.32/33) - global forwarders 8.8.8.8/1.1.1.1 - operator image → v0.1.4 ## Note Forward-zone upstreams point at the **puppet anycast** servers (still authoritative during migration); flip to the in-cluster authoritative/externaldns LBs once zone data is migrated. ## Validated kustomize build (59 docs), kubeconform clean.
unkinben added 1 commit 2026-07-04 11:59:39 +10:00
Configure resolvers like puppet (openforwarder view + forward zones)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
8886fe71ee
Fixes recursion being refused for external clients: the resolver had no
allow-recursion, so BIND defaulted to localnets. Mirrors the puppet
resolver config exactly.

- add openforwarder BindView: match-clients = internal ACLs, recursion
  yes, allow-recursion/allow-query any (match-clients gates access)
- add 4 BindACLs (acl-main.unkin.net / acl-dmz / acl-common /
  acl-nomad-jobs) from puppet acls.conf
- add 26 conditional forward zones (unkin/consul/k8s/dmz upstreams),
  bound to the openforwarder view; needs operator v0.1.4 to render them
  on every pod
- global forwarders 8.8.8.8/1.1.1.1 (puppet default)
- bump operator image to v0.1.4
unkinben added 1 commit 2026-07-04 21:25:10 +10:00
Trim resolver forward zones to internal upstreams
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
5d08e604d2
Drops the six forward zones that pointed at the 10.10.16.x upstreams
(dmz/network/prod.unkin.net + 8/16/20.10.10.in-addr.arpa); 198.18.19.15
is the authoritative for the remaining unkin zones. Consul left as-is.
unkinben added 1 commit 2026-07-04 21:51:06 +10:00
Forward k8s.syd1.au.unkin.net to the in-cluster externaldns service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
ee7e6c87e3
Points the resolver's k8s zone at the bind-externaldns LoadBalancer
198.18.200.8 instead of the puppet k8s anycast 198.18.19.20.
unkinben added 1 commit 2026-07-04 21:52:13 +10:00
Forward unkin zones to the in-cluster authoritative service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
6e657d76e4
Points unkin.net / main.unkin.net / 13-29.18.198.in-addr.arpa at the
bind-authoritative LoadBalancer 198.18.200.6 instead of the puppet
anycast 198.18.19.15. Consul left on 198.18.19.14.
benvin merged commit c8d61205ce into main 2026-07-04 21:55:33 +10:00
benvin deleted branch benvin/resolver-openforwarder 2026-07-04 21:55:34 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/argocd-apps#226