5e7dc580b7
## Why
Resolving any `unkin.net` record through the resolver (`.7`) returns **SERVFAIL**, while the authoritative (`.6`) answers fine. Confirmed from the resolver's querylog:
```
view openforwarder: validating unkin.net/SOA: got insecure response; parent indicates it should be secure
broken trust chain resolving 'ausyd1nxvm2120.main.unkin.net/A/IN': 198.18.200.6#53
query failed (broken trust chain)
```
The resolver runs `dnssec-validation auto`. The public `unkin.net` is DNSSEC-signed (the `.net` parent publishes a DS), but the in-cluster split-horizon authoritative serves `unkin.net` **unsigned**. The validator sees "parent says secure" + an insecure answer → treats it as spoofing → SERVFAIL. The authoritative works directly because it does no validation.
## Fix
Add `validate-except` (via `spec.extraOptions`) for the forwarded internal domains, so the resolver treats them as insecure and skips validation:
```
validate-except { unkin.net; 18.198.in-addr.arpa; consul }
```
- `unkin.net` covers all `*.unkin.net` (incl. `main.unkin.net`, `k8s.syd1.au.unkin.net`)
- `18.198.in-addr.arpa` covers every `NN.18.198.in-addr.arpa` reverse zone (subtree)
- `consul` covers the consul TLD
This also makes internal resolution independent of Internet egress (no DNSSEC chain-walk needed). External-name validation is unchanged. No operator change required.
## Validation
`bind-internal` renders and passes `kubeconform` (56/56); pre-commit clean.
## Activation
After merge + operator reconcile, the resolver ConfigMap re-renders; the running pods hold a startup snapshot, so they need a reload: `kubectl -n bind-internal rollout restart statefulset/bind-resolvers`.
Reviewed-on: #251
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
40 lines
1.3 KiB
YAML
40 lines
1.3 KiB
YAML
---
|
|
# Recursive resolvers (replaces the 3x Puppet only-resolver servers).
|
|
# Three identical recursive servers; no zone replication.
|
|
apiVersion: bind.unkin.net/v1alpha1
|
|
kind: BindCluster
|
|
metadata:
|
|
name: bind-resolvers
|
|
namespace: bind-internal
|
|
spec:
|
|
mode: resolver
|
|
replicas: 3
|
|
storageClassName: cephrbd-fast-delete
|
|
storageSize: 1Gi
|
|
service:
|
|
type: LoadBalancer
|
|
externalTrafficPolicy: Local
|
|
annotations:
|
|
purelb.io/service-group: common
|
|
purelb.io/addresses: 198.18.200.7
|
|
external-dns.alpha.kubernetes.io/hostname: bind-resolvers.k8s.syd1.au.unkin.net
|
|
forwarders:
|
|
- 8.8.8.8
|
|
- 1.1.1.1
|
|
# The internal split-horizon zones are served UNSIGNED by the in-cluster
|
|
# authoritative, but their public parents publish DS records (e.g. unkin.net
|
|
# is DNSSEC-signed on the Internet). With dnssec-validation on, the validator
|
|
# sees "parent indicates secure" but gets an insecure answer and returns
|
|
# SERVFAIL (broken trust chain). Treat the forwarded internal domains as
|
|
# insecure so they are not validated. unkin.net covers all *.unkin.net
|
|
# (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every reverse zone.
|
|
extraOptions:
|
|
- "validate-except { unkin.net; 18.198.in-addr.arpa; consul }"
|
|
resources:
|
|
requests:
|
|
cpu: 20m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: "1"
|
|
memory: 512Mi
|