# Bind setup The Bind primary resides outside Kubernetes at `193.40.103.2` and it's internally reachable via `172.20.0.2` Bind secondaries are hosted inside Kubernetes and load balanced behind `62.65.250.2` Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee` are picked up automatically by `external-dns` and updated on primary. The primary triggers notification events to `172.20.53.{1..3}` which are internally exposed IP-s of the secondaries. # Secrets To configure TSIG secrets: ``` kubectl create secret generic -n bind bind-readonly-secret \ --from-file=readonly.key kubectl create secret generic -n bind bind-readwrite-secret \ --from-file=readwrite.key kubectl create secret generic -n bind external-dns kubectl -n bind delete secret tsig-secret kubectl -n bind create secret generic tsig-secret \ --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2) kubectl -n cert-manager delete secret tsig-secret kubectl -n cert-manager create secret generic tsig-secret \ --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2) ``` # Serving additional zones ## Bind primary configuration To serve additional domains from this Bind setup add following section to `named.conf.local` on primary `ns1.k-space.ee`: ``` key "foobar" { algorithm hmac-sha512; secret "..."; }; zone "foobar.com" { type master; file "/var/lib/bind/db.foobar.com"; allow-update { !rejected; key foobar; }; allow-transfer { !rejected; key readonly; key foobar; }; notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; }; ``` Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`: ``` foobar.com IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300) NS ns1.foobar.com. NS ns2.foobar.com. ns1.foobar.com. A 193.40.103.2 ns2.foobar.com. A 62.65.250.2 ``` Reload Bind config: ``` named-checkconf systemctl reload bind9 ``` ## Bind secondary config Add section to `bind-secondary-config-local` under key `named.conf.local`: ``` zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; }; ``` And restart secondaries: ``` kubectl rollout restart -n bind statefulset/bind-secondary ``` ## Registrar config At your DNS registrar point your glue records to: ``` foobar.com. NS ns1.foobar.com. foobar.com. NS ns2.foobar.com. ns1.foobar.com. A 193.40.103.2 ns2.foobar.com. A 62.65.250.2 ``` ## Updating DNS records With the configured TSIG key `foobar` you can now: * Obtain Let's Encrypt certificates with DNS challenge. Inside Kubernetes use `cert-manager` with RFC2136 provider. * Update DNS records. Inside Kubernetes use `external-dns` with RFC2136 provider.