Restrict authoritative queries to internal networks #227

Merged
benvin merged 1 commits from benvin/auth-allow-query into main 2026-07-04 22:15:43 +10:00
3 changed files with 32 additions and 0 deletions
@@ -0,0 +1,26 @@
---
# Internal client networks allowed to query the authoritative servers,
# mirrored from the puppet authoritative /etc/named/acls.conf
# (acl-main.unkin.net). Named auth-acl-main because the resolver has its own,
# differently-scoped acl-main.unkin.net in the same namespace.
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: auth-acl-main
namespace: bind-internal
spec:
clusterRef: bind-authoritative
entries:
- 198.18.13.0/24
- 198.18.14.0/24
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.24.0/24
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
@@ -11,6 +11,11 @@ spec:
replicas: 3 replicas: 3
storageClassName: cephrbd-fast-delete storageClassName: cephrbd-fast-delete
storageSize: 2Gi storageSize: 2Gi
# Restrict queries to internal networks (puppet acl-main.unkin.net).
# 10.42.0.0/16 (pod net) is required so secondaries can SOA-refresh
# from the primary during catalog replication.
extraOptions:
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
service: service:
type: LoadBalancer type: LoadBalancer
annotations: annotations:
@@ -6,3 +6,4 @@ resources:
- cluster.yaml - cluster.yaml
- tsigkey.yaml - tsigkey.yaml
- zones.yaml - zones.yaml
- acls.yaml