Restrict authoritative queries to internal networks #227

Merged
benvin merged 1 commits from benvin/auth-allow-query into main 2026-07-04 22:15:43 +10:00

Mirrors the puppet authoritative master-zones view (match-clients acl-main.unkin.net, recursion no) — restricting who can query bind-authoritative.

Changes

  • add auth-acl-main BindACL with the puppet authoritative acl-main.unkin.net networks (13-17,19,20,24-29)
  • allow-query { auth-acl-main; 10.42.0.0/16; } on bind-authoritative via extraOptions

Notes

  • Implemented as a global allow-query rather than a BindView: dynamic primary zones inside a view would need per-view allow-new-zones (an operator gap). Functionally equivalent for the single master-zones view.
  • 10.42.0.0/16 (pod network) is included so secondaries can SOA-refresh from the primary during catalog replication — without it, replication breaks.
  • Works on the current operator (no HOLD).

Caveat

The DNS Services use externalTrafficPolicy: Cluster, which SNATs external clients to node IPs (198.18.19.x, already in acl-main), so this ACL doesn't truly restrict external clients yet. True source-IP restriction needs externalTrafficPolicy: Local — happy to switch if wanted.

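An added example, not code from this PR or the bind operator, that models the `allow-query` match list above and the externalTrafficPolicy caveat. It assumes the acl-main networks expand to 198.18.{13-17,19,20,24-29}.0/24 (the PR lists only third octets and places the node IPs 198.18.19.x inside the ACL); substitute the real prefixes from the BindACL object.

```python
"""Model of this PR's allow-query ACL and of the externalTrafficPolicy caveat."""
from ipaddress import ip_address, ip_network

# Assumed expansion of "13-17,19,20,24-29" under the 198.18.0.0/16 range
# that the node IPs (198.18.19.x) belong to; not taken from the PR itself.
ACL_MAIN = [ip_network(f"198.18.{o}.0/24")
            for o in (13, 14, 15, 16, 17, 19, 20, 24, 25, 26, 27, 28, 29)]

# allow-query { auth-acl-main; 10.42.0.0/16; } as an address match list.
# BIND evaluates elements in order, a leading "!" negates, the first match
# decides, and no match means deny.
ALLOW_QUERY = ([(False, n) for n in ACL_MAIN]
               + [(False, ip_network("10.42.0.0/16"))])


def acl_allows(match_list, src):
    """Return True if src passes a BIND-style address match list."""
    addr = ip_address(src)
    for negated, net in match_list:
        if addr in net:
            return not negated
    return False


def observed_source(client_ip, node_ip, policy):
    """Source address the pod sees for an external client, by Service policy:
    Cluster SNATs the client to the node IP, Local preserves the client IP."""
    if policy == "Local":
        return client_ip
    if policy == "Cluster":
        return node_ip
    raise ValueError(f"unknown externalTrafficPolicy: {policy}")


def query_permitted(client_ip, node_ip, policy, match_list=ALLOW_QUERY):
    """Would a query from client_ip, arriving via node_ip, pass allow-query?"""
    return acl_allows(match_list, observed_source(client_ip, node_ip, policy))


if __name__ == "__main__":
    node = "198.18.19.7"       # constructed node address inside acl-main
    external = "203.0.113.5"   # constructed external client (TEST-NET-3)
    for policy in ("Cluster", "Local"):
        print(policy, query_permitted(external, node, policy))
    # Cluster -> True: SNAT makes the external client look like a node
    # Local   -> False: the real source address is what the ACL sees
```

With `Cluster` the external client is accepted because the node IP is in acl-main, which is exactly the caveat; switching the Service to `Local` is what makes the ACL bite on real source addresses.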
unkinben added 1 commit 2026-07-04 21:58:16 +10:00
Restrict authoritative queries to internal networks
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
f9dd90a6b0
Mirrors the puppet authoritative master-zones view (match-clients
acl-main.unkin.net) using a global allow-query instead of a view, since
dynamic primary zones in a view would need per-view allow-new-zones.

- add auth-acl-main BindACL (the puppet acl-main.unkin.net networks)
- allow-query { auth-acl-main; 10.42.0.0/16; } on bind-authoritative
  (pod net included so secondaries can SOA-refresh from the primary)
benvin merged commit 3ab8bcc34b into main 2026-07-04 22:15:43 +10:00
benvin deleted branch benvin/auth-allow-query 2026-07-04 22:15:43 +10:00
Reference: unkin/argocd-apps#227