Exempt internal split-horizon zones from resolver DNSSEC validation #251
Reference in New Issue
Block a user
Delete Branch "benvin/resolver-validate-except"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
Resolving any
unkin.netrecord through the resolver (.7) returns SERVFAIL, while the authoritative (.6) answers fine. Confirmed from the resolver's querylog:The resolver runs
dnssec-validation auto. The publicunkin.netis DNSSEC-signed (the.netparent publishes a DS), but the in-cluster split-horizon authoritative servesunkin.netunsigned. The validator sees "parent says secure" + an insecure answer → treats it as spoofing → SERVFAIL. The authoritative works directly because it does no validation.Fix
Add
validate-except(viaspec.extraOptions) for the forwarded internal domains, so the resolver treats them as insecure and skips validation:unkin.netcovers all*.unkin.net(incl.main.unkin.net,k8s.syd1.au.unkin.net)18.198.in-addr.arpacovers everyNN.18.198.in-addr.arpareverse zone (subtree)consulcovers the consul TLDThis also makes internal resolution independent of Internet egress (no DNSSEC chain-walk needed). External-name validation is unchanged. No operator change required.
Validation
bind-internalrenders and passeskubeconform(56/56); pre-commit clean.Activation
After merge + operator reconcile, the resolver ConfigMap re-renders; the running pods hold a startup snapshot, so they need a reload:
kubectl -n bind-internal rollout restart statefulset/bind-resolvers.