# Bind setup

The Bind primary (`ns1.k-space.ee`) runs outside Kubernetes at `193.40.103.2`
and is reachable internally at `172.20.0.2`.

Bind secondaries run inside Kubernetes, load balanced behind `62.65.250.2`, and
are normally managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).

Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
are picked up automatically by `external-dns` and pushed to the primary as
dynamic DNS updates.

The primary sends NOTIFY messages to `172.20.53.{1..3}`, the internally exposed
IPs of the secondaries, which then pull the zone with a transfer authenticated
by the `readonly` TSIG key.

# Secrets

To configure TSIG secrets (the `*.key` files are in named `key` stanza format;
`tsig-secret` carries only the base64 secret of the readwrite key, under
`TSIG_SECRET`, for the RFC2136 clients external-dns and cert-manager):

```
kubectl create secret generic -n bind bind-readonly-secret \
  --from-file=readonly.key
kubectl create secret generic -n bind bind-readwrite-secret \
  --from-file=readwrite.key
kubectl create secret generic -n bind external-dns
# TSIG_SECRET is the value of the `secret "..."` line of the key file
kubectl -n bind delete secret tsig-secret --ignore-not-found
kubectl -n bind create secret generic tsig-secret \
    --from-literal=TSIG_SECRET="$(grep secret readwrite.key | cut -d '"' -f 2)"
kubectl -n cert-manager delete secret tsig-secret --ignore-not-found
kubectl -n cert-manager create secret generic tsig-secret \
    --from-literal=TSIG_SECRET="$(grep secret readwrite.key | cut -d '"' -f 2)"
```
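The `grep | cut` one-liner above relies on the exact layout `tsig-keygen` writes. The following is an added example, not part of the k-space.ee tooling, that parses the key file with awk, refuses anything that is not `hmac-sha512`, checks that the secret is valid base64, and replaces the delete/create pair with an idempotent `kubectl apply` so there is no window in which `tsig-secret` is missing. The helper names (`tsig_secret`, `tsig_keyname`, `apply_tsig_secret`) are this example's own; `kubectl --dry-run=client -o yaml` is a standard kubectl flag.

```shell
#!/bin/sh
# Added example (not part of the k-space.ee Bind setup): read a tsig-keygen
# style key file and load its secret into Kubernetes idempotently.
set -eu

# Name of the key, from the `key "readwrite" {` line.
tsig_keyname() {
    awk '$1 == "key" { gsub(/["{]/, "", $2); print $2; exit }' "$1"
}

# Secret of the key file. Fails unless the file declares hmac-sha512 (the
# algorithm the primary's key stanzas use) and the secret decodes as base64,
# so a weaker or hand-edited key file is not silently pushed into the cluster.
tsig_secret() {
    keyfile=$1
    alg=$(awk '$1 == "algorithm" { sub(/;$/, "", $2); print $2; exit }' "$keyfile")
    [ "$alg" = "hmac-sha512" ] || {
        echo "unexpected algorithm '$alg' in $keyfile" >&2; return 1; }
    secret=$(awk '$1 == "secret" { gsub(/[";]/, "", $2); print $2; exit }' "$keyfile")
    [ -n "$secret" ] || { echo "no secret line in $keyfile" >&2; return 1; }
    printf '%s' "$secret" | base64 -d >/dev/null 2>&1 || {
        echo "secret in $keyfile is not valid base64" >&2; return 1; }
    printf '%s\n' "$secret"
}

# Create or update tsig-secret in a namespace without a delete/create gap:
# --dry-run=client renders the manifest, `apply` makes the write idempotent.
# The value is quoted, so the shell never word-splits the secret.
apply_tsig_secret() {
    ns=$1; keyfile=$2
    secret=$(tsig_secret "$keyfile")
    kubectl -n "$ns" create secret generic tsig-secret \
        --from-literal=TSIG_SECRET="$secret" \
        --dry-run=client -o yaml | kubectl -n "$ns" apply -f -
}

# Usage: apply_tsig_secret bind readwrite.key
#        apply_tsig_secret cert-manager readwrite.key
```

Note that `--from-literal` still exposes the secret in the process argument list of `kubectl` for the duration of the command; on a shared admin host prefer `--from-file` as the page does for the full key files.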

# Serving additional zones

## Bind primary configuration

To serve additional domains from this Bind setup add the following
section to `named.conf.local` on the primary `ns1.k-space.ee`. The key
stanza is what `tsig-keygen -a hmac-sha512 foobar` prints; the `rejected`
ACL referenced by the zone must already be defined elsewhere in the
primary's configuration or `named-checkconf` will fail:

```
key "foobar" {
    algorithm hmac-sha512;
    secret "...";
};

zone "foobar.com" {
    type master;
    file "/var/lib/bind/db.foobar.com";
    allow-update { !rejected; key foobar; };
    allow-transfer { !rejected; key readonly; key foobar; };
    notify explicit;
    also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
};
```

Create a minimal zone file at `/var/lib/bind/db.foobar.com` on the primary
`ns1.k-space.ee`. Owner names must be fully qualified (trailing dot) or BIND
appends the zone origin to them, and `$TTL` supplies the default TTL. Since the
zone accepts dynamic updates, BIND will maintain this file and bump the serial
itself afterwards:

```
$TTL 300
foobar.com.        IN  SOA  ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
                   IN  NS   ns1.foobar.com.
                   IN  NS   ns2.foobar.com.
ns1.foobar.com.    IN  A    193.40.103.2
ns2.foobar.com.    IN  A    62.65.250.2
```

Validate the configuration (and the zone file with `named-checkzone`), then reload Bind:

```
named-checkconf
systemctl reload bind9
```

## Bind secondary config

Add the following to `bind-secondary-config-local` under the key
`named.conf.local`. Transfers from the primary are authenticated with the
`readonly` key, which the primary's `allow-transfer` permits:

```
zone "foobar.com" {
    type slave;
    masters { 172.20.0.2 key readonly; };
};
```

Then restart the secondaries so they load the new zone:

```
kubectl rollout restart -n bind statefulset/bind-secondary
```

## Registrar config

At your DNS registrar delegate the zone to the two name servers and register
their glue records:

```
foobar.com.        NS  ns1.foobar.com.
foobar.com.        NS  ns2.foobar.com.
ns1.foobar.com.    A   193.40.103.2
ns2.foobar.com.    A   62.65.250.2
```
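After the primary has been reloaded and the secondaries restarted, two things are worth checking: that every secondary serves the same SOA serial as the primary (the NOTIFY and keyed transfer worked), and that a zone transfer without TSIG is refused while one signed with `readonly.key` succeeds (the `allow-transfer` ACL does what it says). The script below is an added example, not part of the k-space.ee repository; it assumes `dig` from bind-utils/dnsutils, the internal addresses from this page, and a `readonly.key` file in the current directory. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the k-space.ee Bind setup): verify that a newly
# added zone reached the secondaries and that AXFR is gated by TSIG.
set -eu

PRIMARY=${PRIMARY:-172.20.0.2}                       # internal address of ns1
SECONDARIES=${SECONDARIES:-"172.20.53.1 172.20.53.2 172.20.53.3"}
READONLY_KEY=${READONLY_KEY:-readonly.key}           # named-style key file

# Serial field of a `dig +short ... SOA` answer line, e.g.
#   ns1.foobar.com. hostmaster.foobar.com. 7 300 300 2592000 300  ->  7
serial_of() {
    set -- $1
    printf '%s\n' "${3:-}"
}

# SOA serial a server currently serves for the zone (empty on timeout/refusal).
query_serial() {
    serial_of "$(dig +short +time=2 +tries=1 "@$1" "$2" SOA | head -n 1)"
}

# Compare every secondary's serial with the primary's. Returns 1 on any
# mismatch or empty answer, so it can gate a deployment pipeline.
check_sync() {
    zone=$1
    want=$(query_serial "$PRIMARY" "$zone")
    rc=0
    for s in $SECONDARIES; do
        got=$(query_serial "$s" "$zone")
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "ok       $s serial $got"
        else
            echo "MISMATCH $s serial '${got:-none}', primary has '$want'"
            rc=1
        fi
    done
    return $rc
}

# allow-transfer policy: AXFR must succeed with the readonly key and must be
# refused without a key (dig then prints "; Transfer failed." and no records).
check_axfr_acl() {
    zone=$1
    if ! dig -k "$READONLY_KEY" "@$PRIMARY" "$zone" AXFR 2>/dev/null | grep -qw SOA; then
        echo "FAIL     AXFR with readonly key did not return the zone"
        return 1
    fi
    if dig "@$PRIMARY" "$zone" AXFR 2>/dev/null | grep -qw SOA; then
        echo "FAIL     AXFR without TSIG was accepted, check allow-transfer"
        return 1
    fi
    echo "ok       AXFR requires TSIG"
}

# Usage: check_sync foobar.com && check_axfr_acl foobar.com
```

Run `named-checkzone foobar.com /var/lib/bind/db.foobar.com` on the primary before the reload as well; a zone file that fails to load leaves the secondaries with nothing to transfer, which `check_sync` will report as an empty serial.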

## Updating DNS records

With the configured TSIG key `foobar` you can now:

* Obtain Let's Encrypt certificates with the DNS-01 challenge.
  Inside Kubernetes use `cert-manager` with the RFC2136 solver.
* Update DNS records.
  Inside Kubernetes use `external-dns` with the RFC2136 provider.

The key authorises updates to every record in `foobar.com` (`allow-update`
has no per-name scoping), so hand it only to the RFC2136 clients that need it
and rotate it if it leaks.
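Outside Kubernetes the same RFC2136 path is available from the command line with `nsupdate`, which reads the named-style `key "foobar" { ... };` stanza with `-k`. The script below is an added example, not part of the k-space.ee setup, showing a replace-RRset update and a create-only update that uses a prerequisite so the primary rejects the transaction if the name already exists. It assumes a `foobar.key` file in the current directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the k-space.ee Bind setup): update records on the
# primary by hand with the zone's TSIG key, the same path external-dns and
# cert-manager use.
set -eu

PRIMARY=${PRIMARY:-193.40.103.2}     # 172.20.0.2 from inside the network
KEYFILE=${KEYFILE:-foobar.key}       # named-style key stanza, read by nsupdate -k

# nsupdate script that replaces the RRset <name>/<type> with a single record.
# "update delete" is scoped to that owner name and type, so other RRsets at
# the same name survive; delete and add travel in one atomic transaction.
render_replace() {
    zone=$1 name=$2 ttl=$3 type=$4 rdata=$5
    printf 'server %s\nzone %s.\nupdate delete %s. %s\nupdate add %s. %s %s %s\nsend\n' \
        "$PRIMARY" "$zone" "$name" "$type" "$name" "$ttl" "$type" "$rdata"
}

# Create-only variant: the NXRRSET prerequisite makes the primary reject the
# whole transaction if the RRset already exists, so two clients racing to
# claim the same name cannot both succeed.
render_create() {
    zone=$1 name=$2 ttl=$3 type=$4 rdata=$5
    printf 'server %s\nzone %s.\nprereq nxrrset %s. %s\nupdate add %s. %s %s %s\nsend\n' \
        "$PRIMARY" "$zone" "$name" "$type" "$name" "$ttl" "$type" "$rdata"
}

# Sign and send with the TSIG key. nsupdate exits non-zero when the primary
# refuses the update (wrong key, allow-update ACL, failed prerequisite).
apply_replace() { render_replace "$@" | nsupdate -k "$KEYFILE"; }
apply_create()  { render_create  "$@" | nsupdate -k "$KEYFILE"; }

# Read back from the primary; the secondaries catch up after NOTIFY.
lookup() { dig +short "@$PRIMARY" "$1" "$2"; }

# Usage: apply_replace foobar.com www.foobar.com 300 A 62.65.250.2 && lookup www.foobar.com A
#        apply_create  foobar.com _acme-challenge.foobar.com 60 TXT '"token"'
```

A refused update is the expected result when the key is wrong or the name lies outside `foobar.com`: `allow-update` is checked per zone, so a key for one zone cannot touch another zone on the same primary.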