# Bind namespace

The Bind secondary servers and `external-dns` service pods run in this namespace. The `external-dns` pods declaratively update DNS records on the [Bind primary](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml).

The Bind primary `ns1.k-space.ee` resides outside Kubernetes at `193.40.103.2` and is internally reachable via `172.20.0.2`. Bind secondaries perform AXFR (zone transfer) from `ns1.k-space.ee` using shared-secret (TSIG) authentication. The primary sends notification events to `172.20.53.{1..3}`, which are the internally exposed IPs of the secondaries.

Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).

Note that [cert-manager](https://git.k-space.ee/k-space/kube/src/branch/master/cert-manager/) also performs DNS updates on the Bind primary.

# For user

`Ingress` and `DNSEndpoint` resources under the `k-space.ee`, `kspace.ee` and `k6.ee` domains are picked up automatically by `external-dns` and updated on the Bind primary.

To find usage examples in this repository use:

```
grep -r -A25 "^kind: Ingress" .
grep -R -r -A100 "^kind: DNSEndpoint" .
```

# For administrator

Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee` or `k6.ee` are picked up automatically by `external-dns` and updated on the primary. The primary sends notification events to `172.21.53.{1..3}`, which are the internally exposed IPs of the secondaries.
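The two resource kinds the user and administrator sections above refer to, as an added example that is not taken from this repository: an `Ingress` whose host external-dns turns into an A record, and a `DNSEndpoint` for a record that has no Ingress behind it. The names `demo`, `demo-extra` and the hostnames `demo.k-space.ee` / `extra.k-space.ee` are constructed for illustration; the `DNSEndpoint` schema is external-dns's `externaldns.k8s.io/v1alpha1` CRD.

```yaml
# Added example (not part of this repository). Hostnames and names are constructed.
---
# An Ingress under one of the managed domains: external-dns reads the host,
# takes the target from the Ingress status (or the
# external-dns.alpha.kubernetes.io/target annotation) and sends a TSIG-signed
# RFC 2136 update to the Bind primary.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  namespace: demo
spec:
  rules:
    - host: demo.k-space.ee   # constructed hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo
                port:
                  number: 80
---
# A DNSEndpoint for a record that is not backed by an Ingress (for example a
# host outside the cluster). external-dns creates exactly these records and
# nothing else; the zone's other records stay under the primary's control.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: demo-extra
  namespace: demo
spec:
  endpoints:
    - dnsName: extra.k-space.ee   # constructed hostname
      recordType: A
      recordTTL: 300
      targets:
        - 62.65.250.2            # the secondaries' load-balanced address from this page
```

Both resources only need to live in a namespace external-dns watches; the TSIG key never appears in them, it stays in the `tsig-secret` Secret of the `bind` namespace described under Secrets.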
# Secrets

To configure TSIG secrets:

```
kubectl create secret generic -n bind bind-readonly-secret \
  --from-file=readonly.key
kubectl create secret generic -n bind bind-readwrite-secret \
  --from-file=readwrite.key
kubectl create secret generic -n bind external-dns

kubectl -n bind delete secret tsig-secret
kubectl -n bind create secret generic tsig-secret \
  --from-literal=TSIG_SECRET="$(cat readwrite.key | grep secret | cut -d '"' -f 2)"

kubectl -n cert-manager delete secret tsig-secret
kubectl -n cert-manager create secret generic tsig-secret \
  --from-literal=TSIG_SECRET="$(cat readwrite.key | grep secret | cut -d '"' -f 2)"
```

# Serving additional zones

## Bind primary configuration

To serve additional domains from this Bind setup, add the following section to `named.conf.local` on the primary `ns1.k-space.ee`:

```
key "foobar" {
    algorithm hmac-sha512;
    secret "...";
};

zone "foobar.com" {
    type master;
    file "/var/lib/bind/db.foobar.com";
    allow-update { !rejected; key foobar; };
    allow-transfer { !rejected; key readonly; key foobar; };
    notify explicit;
    also-notify { 172.21.53.1; 172.21.53.2; 172.21.53.3; };
};
```

Initialise an empty zone file in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:

```
foobar.com      IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
                NS  ns1.foobar.com.
                NS  ns2.foobar.com.
ns1.foobar.com. A   193.40.103.2
ns2.foobar.com. A   62.65.250.2
```

Reload the Bind config:

```
named-checkconf
systemctl reload bind9
```

## Bind secondary config

Add a section to `bind-secondary-config-local` under the key `named.conf.local`:

```
zone "foobar.com" {
    type slave;
    masters { 172.20.0.2 key readonly; };
};
```

And restart the secondaries:

```
kubectl rollout restart -n bind statefulset/bind-secondary
```

## Registrar config

At your DNS registrar point your glue records to:

```
foobar.com.     NS  ns1.foobar.com.
foobar.com.     NS  ns2.foobar.com.
ns1.foobar.com. A   193.40.103.2
ns2.foobar.com. A   62.65.250.2
```

## Updating DNS records

With the configured TSIG key `foobar` you can now:

* Obtain Let's Encrypt certificates with the DNS-01 challenge. Inside Kubernetes use `cert-manager` with the RFC2136 provider.
* Update DNS records. Inside Kubernetes use `external-dns` with the RFC2136 provider.
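How the two RFC2136 consumers named above are wired to the `foobar` key, as an added example rather than this repository's own manifests: a cert-manager `ClusterIssuer` with an `rfc2136` DNS-01 solver, and the relevant part of an `external-dns` container spec. Both read the key material from the `tsig-secret` Secret (key `TSIG_SECRET`) created in the Secrets section; the issuer name `foobar-dns01`, the account e-mail, the owner id `k8s-bind` and the container image are assumptions. The external-dns flags shown are its documented `--rfc2136-*`, `--source` and `--crd-source-*` options, and `EXTERNAL_DNS_RFC2136_TSIG_SECRET` is the environment-variable form of `--rfc2136-tsig-secret`.

```yaml
# Added example (not part of this repository). Names marked "assumed" are constructed.
---
# cert-manager: DNS-01 challenges for foobar.com are written to the Bind primary
# over RFC 2136, signed with the TSIG key "foobar" (hmac-sha512 on the primary).
# The selector limits this solver to the zone the key is allowed to update.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: foobar-dns01                       # assumed name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: hostmaster@foobar.com           # assumed contact address
    privateKeySecretRef:
      name: foobar-dns01-account-key       # assumed; created by cert-manager
    solvers:
      - selector:
          dnsZones:
            - foobar.com
        dns01:
          rfc2136:
            nameserver: 172.20.0.2:53      # internal address of ns1.k-space.ee
            tsigKeyName: foobar
            tsigAlgorithm: HMACSHA512
            tsigSecretSecretRef:
              name: tsig-secret            # in the cert-manager namespace, see Secrets
              key: TSIG_SECRET
---
# external-dns: container excerpt of the Deployment in the bind namespace.
# Sources are Ingress objects and DNSEndpoint CRDs; the domain filter keeps it
# from touching zones the key is not meant for, and the TXT registry with an
# owner id stops it from overwriting records it did not create.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: bind
spec:
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.14.0   # assumed image/tag
          args:
            - --source=ingress
            - --source=crd
            - --crd-source-apiversion=externaldns.k8s.io/v1alpha1
            - --crd-source-kind=DNSEndpoint
            - --domain-filter=foobar.com
            - --provider=rfc2136
            - --rfc2136-host=172.20.0.2
            - --rfc2136-port=53
            - --rfc2136-zone=foobar.com
            - --rfc2136-tsig-keyname=foobar
            - --rfc2136-tsig-secret-alg=hmac-sha512
            - --rfc2136-tsig-axfr          # read the zone via TSIG-signed AXFR, allowed by allow-transfer above
            - --registry=txt
            - --txt-owner-id=k8s-bind      # assumed owner id
          env:
            - name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
              valueFrom:
                secretKeyRef:
                  name: tsig-secret        # in the bind namespace, see Secrets
                  key: TSIG_SECRET
```

The secret value is passed through the environment rather than as a `--rfc2136-tsig-secret` argument so it does not show up in `kubectl describe pod` output or the container's command line. If the key on the primary is rotated, both Secrets have to be recreated as shown under Secrets and the consumers restarted.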