2706632f54
Resolver queries for unkin.net records returned SERVFAIL (broken trust chain): the in-cluster authoritative serves unkin.net UNSIGNED, but the public parent publishes a DS record (unkin.net is DNSSEC-signed on the Internet), so the validating resolver rejects the insecure answer. Add validate-except for the forwarded internal domains so the resolver treats them as insecure and does not validate them. unkin.net covers all *.unkin.net (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every NN.18.198.in-addr.arpa reverse zone; consul covers the consul TLD.
40 lines
1.3 KiB
YAML
40 lines
1.3 KiB
YAML
---
|
|
# Recursive resolvers (replaces the 3x Puppet only-resolver servers).
|
|
# Three identical recursive servers; no zone replication.
|
|
apiVersion: bind.unkin.net/v1alpha1
|
|
kind: BindCluster
|
|
metadata:
|
|
name: bind-resolvers
|
|
namespace: bind-internal
|
|
spec:
|
|
mode: resolver
|
|
replicas: 3
|
|
storageClassName: cephrbd-fast-delete
|
|
storageSize: 1Gi
|
|
service:
|
|
type: LoadBalancer
|
|
externalTrafficPolicy: Local
|
|
annotations:
|
|
purelb.io/service-group: common
|
|
purelb.io/addresses: 198.18.200.7
|
|
external-dns.alpha.kubernetes.io/hostname: bind-resolvers.k8s.syd1.au.unkin.net
|
|
forwarders:
|
|
- 8.8.8.8
|
|
- 1.1.1.1
|
|
# The internal split-horizon zones are served UNSIGNED by the in-cluster
|
|
# authoritative, but their public parents publish DS records (e.g. unkin.net
|
|
# is DNSSEC-signed on the Internet). With dnssec-validation on, the validator
|
|
# sees "parent indicates secure" but gets an insecure answer and returns
|
|
# SERVFAIL (broken trust chain). Treat the forwarded internal domains as
|
|
# insecure so they are not validated. unkin.net covers all *.unkin.net
|
|
# (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every reverse zone.
|
|
extraOptions:
|
|
- "validate-except { unkin.net; 18.198.in-addr.arpa; consul }"
|
|
resources:
|
|
requests:
|
|
cpu: 20m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: "1"
|
|
memory: 512Mi
|