Elaborate how to configure additional domains for Bind

2023-08-20 09:35:26 +03:00 · 2023-08-20 09:35:26 +03:00 · cc51f3731a
commit cc51f3731a
parent 9dae1a832b
3 changed files with 102 additions and 4 deletions
--- a/ansible-bind-primary.yml
+++ b/ansible-bind-primary.yml
@ -5,6 +5,7 @@
    ansible.builtin.apt:
      name: bind9
      state: present
+
  - name: Configure Bind
    register: bind
    copy:
@ -14,11 +15,24 @@
        # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
        # Do NOT modify manually

-        include "/etc/bind/named.conf.options";
        include "/etc/bind/named.conf.local";
        include "/etc/bind/readwrite.key";
        include "/etc/bind/readonly.key";

+        options {
+            directory "/var/cache/bind";
+            version "";
+            listen-on { any; };
+            listen-on-v6 { any; };
+            pid-file "/var/run/named/named.pid";
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+            allow-recursion { none; };
+            recursion no;
+            check-names master ignore;
+            dnssec-validation no;
+            auth-nxdomain no;
+        };
+
        # https://kb.isc.org/docs/aa-00723

        acl allowed {
@ -38,7 +52,6 @@
            file "/var/lib/bind/db.k-space.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
-            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
        };

        zone "k6.ee" {
@ -46,7 +59,6 @@
            file "/var/lib/bind/db.k6.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
-            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
        };

        zone "kspace.ee" {
@ -54,7 +66,6 @@
            file "/var/lib/bind/db.kspace.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
-            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
        };
  - name: Check Bind config
    ansible.builtin.shell: "named-checkconf"
--- a/bind/README.md
+++ b/bind/README.md
@ -29,3 +29,75 @@ kubectl -n cert-manager create secret generic tsig-secret \
    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
 ```

+# Serving additional zones
+
+## Bind primary configuration
+
+To serve additional domains from this Bind setup add following
+section to `named.conf.local` on primary `ns1.k-space.ee`:
+
+```
+key "foobar" {
+	  algorithm hmac-sha512;
+	  secret "...";
+};
+
+zone "foobar.com" {
+    type master;
+    file "/var/lib/bind/db.foobar.com";
+    allow-update { !rejected; key foobar; };
+    allow-transfer { !rejected; key readonly; key foobar; };
+    notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+};
+```
+
+Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:
+
+```
+foobar.com				IN SOA	ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
+									NS	ns1.foobar.com.
+									NS	ns2.foobar.com.
+ns1.foobar.com.		A	193.40.103.2
+ns2.foobar.com.		A	62.65.250.2
+```
+
+Reload Bind config:
+
+```
+named-checkconf
+systemctl reload bind9
+```
+
+## Bind secondary config
+
+Add section to `bind-secondary-config-local` under key `named.conf.local`:
+
+```
+zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
+```
+
+And restart secondaries:
+
+```
+kubectl rollout restart -n bind statefulset/bind-secondary
+```
+
+## Registrar config
+
+At your DNS registrar point your glue records to:
+
+```
+foobar.com.				NS ns1.foobar.com.
+foobar.com.				NS ns2.foobar.com.
+ns1.foobar.com.		A	193.40.103.2
+ns2.foobar.com.		A	62.65.250.2
+```
+
+## Updating DNS records
+
+With the configured TSIG key `foobar` you can now:
+
+* Obtain Let's Encrypt certificates with DNS challenge.
+  Inside Kubernetes use `cert-manager` with RFC2136 provider.
+* Update DNS records.
+  Inside Kubernetes use `external-dns` with RFC2136 provider.
--- a/bind/bind-secondary.yaml
+++ b/bind/bind-secondary.yaml
@ -1,10 +1,21 @@
 ---
 apiVersion: v1
 kind: ConfigMap
+metadata:
+  name: bind-secondary-config-local
+data:
+  named.conf.local: |
+    zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "codemowers.eu" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "codemowers.cloud" { type slave; masters { 172.20.0.2 key readonly; }; };
+---
+apiVersion: v1
+kind: ConfigMap
 metadata:
  name: bind-secondary-config
 data:
  named.conf: |
+    include "/etc/bind/named.conf.local";
    include "/etc/bind/readonly.key";
    options {
        recursion no;
@ -13,6 +24,7 @@ data:
        allow-notify { 172.20.0.2; };
        allow-transfer { none; };
        check-names slave ignore;
+        notify no;
    };
    zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
    zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
@ -60,6 +72,9 @@ spec:
            sources:
              - configMap:
                  name: bind-secondary-config
+              - configMap:
+                  name: bind-secondary-config-local
+                  optional: true
              - secret:
                  name: bind-readonly-secret
        - name: bind-data