Elaborate how to configure additional domains for Bind

ansible-bind-primary.yml

@@ -5,6 +5,7 @@
     ansible.builtin.apt:
       name: bind9
       state: present
+
   - name: Configure Bind
     register: bind
     copy:
@@ -14,11 +15,24 @@
         # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
         # Do NOT modify manually
 
-        include "/etc/bind/named.conf.options";
         include "/etc/bind/named.conf.local";
         include "/etc/bind/readwrite.key";
         include "/etc/bind/readonly.key";
 
+        options {
+            directory "/var/cache/bind";
+            version "";
+            listen-on { any; };
+            listen-on-v6 { any; };
+            pid-file "/var/run/named/named.pid";
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+            allow-recursion { none; };
+            recursion no;
+            check-names master ignore;
+            dnssec-validation no;
+            auth-nxdomain no;
+        };
+
         # https://kb.isc.org/docs/aa-00723
 
         acl allowed {
@@ -38,7 +52,6 @@
             file "/var/lib/bind/db.k-space.ee";
             allow-update { !rejected; key readwrite; };
             allow-transfer { !rejected; key readonly; key readwrite; };
-            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
         };
 
         zone "k6.ee" {
@@ -46,7 +59,6 @@
             file "/var/lib/bind/db.k6.ee";
             allow-update { !rejected; key readwrite; };
             allow-transfer { !rejected; key readonly; key readwrite; };
-            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
         };
 
         zone "kspace.ee" {
@@ -54,7 +66,6 @@
             file "/var/lib/bind/db.kspace.ee";
             allow-update { !rejected; key readwrite; };
             allow-transfer { !rejected; key readonly; key readwrite; };
-            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
         };
   - name: Check Bind config
     ansible.builtin.shell: "named-checkconf"

bind/README.md

@@ -29,3 +29,75 @@ kubectl -n cert-manager create secret generic tsig-secret \
     --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
 ```
 
+# Serving additional zones
+
+## Bind primary configuration
+
+To serve additional domains from this Bind setup add following
+section to `named.conf.local` on primary `ns1.k-space.ee`:
+
+```
+key "foobar" {
+	  algorithm hmac-sha512;
+	  secret "...";
+};
+
+zone "foobar.com" {
+    type master;
+    file "/var/lib/bind/db.foobar.com";
+    allow-update { !rejected; key foobar; };
+    allow-transfer { !rejected; key readonly; key foobar; };
+    notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+};
+```
+
+Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:
+
+```
+foobar.com				IN SOA	ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
+									NS	ns1.foobar.com.
+									NS	ns2.foobar.com.
+ns1.foobar.com.		A	193.40.103.2
+ns2.foobar.com.		A	62.65.250.2
+```
+
+Reload Bind config:
+
+```
+named-checkconf
+systemctl reload bind9
+```
+
+## Bind secondary config
+
+Add section to `bind-secondary-config-local` under key `named.conf.local`:
+
+```
+zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
+```
+
+And restart secondaries:
+
+```
+kubectl rollout restart -n bind statefulset/bind-secondary
+```
+
+## Registrar config
+
+At your DNS registrar point your glue records to:
+
+```
+foobar.com.				NS ns1.foobar.com.
+foobar.com.				NS ns2.foobar.com.
+ns1.foobar.com.		A	193.40.103.2
+ns2.foobar.com.		A	62.65.250.2
+```
+
+## Updating DNS records
+
+With the configured TSIG key `foobar` you can now:
+
+* Obtain Let's Encrypt certificates with DNS challenge.
+  Inside Kubernetes use `cert-manager` with RFC2136 provider.
+* Update DNS records.
+  Inside Kubernetes use `external-dns` with RFC2136 provider.

bind/bind-secondary.yaml

@@ -1,10 +1,21 @@
 ---
 apiVersion: v1
 kind: ConfigMap
+metadata:
+  name: bind-secondary-config-local
+data:
+  named.conf.local: |
+    zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "codemowers.eu" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "codemowers.cloud" { type slave; masters { 172.20.0.2 key readonly; }; };
+---
+apiVersion: v1
+kind: ConfigMap
 metadata:
   name: bind-secondary-config
 data:
   named.conf: |
+    include "/etc/bind/named.conf.local";
     include "/etc/bind/readonly.key";
     options {
         recursion no;
@@ -13,6 +24,7 @@ data:
         allow-notify { 172.20.0.2; };
         allow-transfer { none; };
         check-names slave ignore;
+        notify no;
     };
     zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
     zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
@@ -60,6 +72,9 @@ spec:
             sources:
               - configMap:
                   name: bind-secondary-config
+              - configMap:
+                  name: bind-secondary-config-local
+                  optional: true
               - secret:
                   name: bind-readonly-secret
         - name: bind-data