bind-internal: allow admin workstation + router to query authoritative #258
Reference in New Issue
Block a user
Delete Branch "benvin/bind-acl-admin-access"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
Allow the operator's workstation and router to query the bind-authoritative servers directly. Their source addresses are outside the existing
auth-acl-mainclient subnets, so named returns REFUSED to them today. The router sits on 198.18.21.0/24 which is not in the ACL at all.Changes
10.10.12.200/32(workstation, over wireguard) toauth-acl-main198.18.21.160/32(router) toauth-acl-mainNote
This grants query permission only. Reaching the LoadBalancer VIP (198.18.200.6) from off-datacenter paths is separately gated by
externalTrafficPolicy: Local; the workstation-over-wireguard path still needs its L4 routing addressed to actually land on a node with a ready endpoint.