diff --git a/ansible-bind-primary.yml b/ansible-bind-primary.yml index 8658f7d..87b9505 100644 --- a/ansible-bind-primary.yml +++ b/ansible-bind-primary.yml @@ -5,6 +5,7 @@ ansible.builtin.apt: name: bind9 state: present + - name: Configure Bind register: bind copy: @@ -14,11 +15,24 @@ # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml # Do NOT modify manually - include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/readwrite.key"; include "/etc/bind/readonly.key"; + options { + directory "/var/cache/bind"; + version ""; + listen-on { any; }; + listen-on-v6 { any; }; + pid-file "/var/run/named/named.pid"; + notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; + allow-recursion { none; }; + recursion no; + check-names master ignore; + dnssec-validation no; + auth-nxdomain no; + }; + # https://kb.isc.org/docs/aa-00723 acl allowed { @@ -38,7 +52,6 @@ file "/var/lib/bind/db.k-space.ee"; allow-update { !rejected; key readwrite; }; allow-transfer { !rejected; key readonly; key readwrite; }; - notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; }; zone "k6.ee" { @@ -46,7 +59,6 @@ file "/var/lib/bind/db.k6.ee"; allow-update { !rejected; key readwrite; }; allow-transfer { !rejected; key readonly; key readwrite; }; - notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; }; zone "kspace.ee" { @@ -54,7 +66,6 @@ file "/var/lib/bind/db.kspace.ee"; allow-update { !rejected; key readwrite; }; allow-transfer { !rejected; key readonly; key readwrite; }; - notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; }; - name: Check Bind config ansible.builtin.shell: "named-checkconf" diff --git a/bind/README.md b/bind/README.md index 2e99b0b..450c036 100644 --- a/bind/README.md +++ b/bind/README.md @@ -29,3 +29,75 @@ kubectl -n cert-manager create secret generic tsig-secret \ --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2) ``` +# Serving additional zones + +## Bind primary configuration + +To serve additional domains from this Bind setup add following +section to `named.conf.local` on primary `ns1.k-space.ee`: + +``` +key "foobar" { + algorithm hmac-sha512; + secret "..."; +}; + +zone "foobar.com" { + type master; + file "/var/lib/bind/db.foobar.com"; + allow-update { !rejected; key foobar; }; + allow-transfer { !rejected; key readonly; key foobar; }; + notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; +}; +``` + +Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`: + +``` +foobar.com IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300) + NS ns1.foobar.com. + NS ns2.foobar.com. +ns1.foobar.com. A 193.40.103.2 +ns2.foobar.com. A 62.65.250.2 +``` + +Reload Bind config: + +``` +named-checkconf +systemctl reload bind9 +``` + +## Bind secondary config + +Add section to `bind-secondary-config-local` under key `named.conf.local`: + +``` +zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; }; +``` + +And restart secondaries: + +``` +kubectl rollout restart -n bind statefulset/bind-secondary +``` + +## Registrar config + +At your DNS registrar point your glue records to: + +``` +foobar.com. NS ns1.foobar.com. +foobar.com. NS ns2.foobar.com. +ns1.foobar.com. A 193.40.103.2 +ns2.foobar.com. A 62.65.250.2 +``` + +## Updating DNS records + +With the configured TSIG key `foobar` you can now: + +* Obtain Let's Encrypt certificates with DNS challenge. + Inside Kubernetes use `cert-manager` with RFC2136 provider. +* Update DNS records. + Inside Kubernetes use `external-dns` with RFC2136 provider. diff --git a/bind/bind-secondary.yaml b/bind/bind-secondary.yaml index 4b56c67..1e12418 100644 --- a/bind/bind-secondary.yaml +++ b/bind/bind-secondary.yaml @@ -1,10 +1,21 @@ --- apiVersion: v1 kind: ConfigMap +metadata: + name: bind-secondary-config-local +data: + named.conf.local: | + zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; + zone "codemowers.eu" { type slave; masters { 172.20.0.2 key readonly; }; }; + zone "codemowers.cloud" { type slave; masters { 172.20.0.2 key readonly; }; }; +--- +apiVersion: v1 +kind: ConfigMap metadata: name: bind-secondary-config data: named.conf: | + include "/etc/bind/named.conf.local"; include "/etc/bind/readonly.key"; options { recursion no; @@ -13,6 +24,7 @@ data: allow-notify { 172.20.0.2; }; allow-transfer { none; }; check-names slave ignore; + notify no; }; zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; @@ -60,6 +72,9 @@ spec: sources: - configMap: name: bind-secondary-config + - configMap: + name: bind-secondary-config-local + optional: true - secret: name: bind-readonly-secret - name: bind-data